Security strategies News and Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/tag/security-strategies/
Expert coverage of cybersecurity topics. Feed last updated Wed, 20 Nov 2024 20:53:52 +0000.

7 cybersecurity trends and tips for small and medium businesses to stay protected
http://approjects.co.za/?big=en-us/security/blog/2024/10/31/7-cybersecurity-trends-and-tips-for-small-and-medium-businesses-to-stay-protected/
Thu, 31 Oct 2024 16:00:00 +0000

The challenges that small and midsize businesses (SMBs) face when it comes to security continue to increase, as it becomes more difficult to keep up with sophisticated cyberthreats with limited resources or security expertise. The research highlights the top seven SMB cybersecurity trends and the steps that can be taken to stay protected.

As October draws to a close, marking 21 years of Cybersecurity Awareness Month, cyberattacks continue to be a challenge for businesses of all sizes. Small and medium businesses (SMBs), however, face distinct challenges when it comes to cybersecurity. Although SMBs face heightened cybersecurity threats, unlike large enterprises they often lack the resources and expertise to implement extensive security measures or manage complex security solutions, making them prime targets for bad actors. Neither the risks that SMBs face nor their current level of security readiness are widely understood.

To help us better understand SMB security needs and trends, Microsoft partnered with Bredin, a company specializing in SMB research and insights, to conduct a survey focused on security for businesses with 25 to 299 employees. As we share these insights below, along with initial actions SMBs can take to address them, SMBs can also find additional best practices to stay secure in the Be Cybersmart Kit.


1. One in three SMBs have been victims of a cyberattack 

With cyberattacks on the rise, SMBs are increasingly affected. Research shows that 31% of SMBs have been victims of cyberattacks such as ransomware, phishing, or data breaches. Despite this, many SMBs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targeted by hackers or assume that compliance equates to security. It is crucial to understand that bad actors pose a threat to businesses of all sizes, and complacency in cybersecurity can lead to significant risks. 

How can SMBs approach this?

Microsoft, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has outlined four simple best practices to create a strong cybersecurity foundation.

  • Use strong passwords and consider a password manager.
  • Turn on multifactor authentication.
  • Learn to recognize and report phishing.
  • Make sure to keep your software updated.

2. Cyberattacks cost SMBs more than $250,000 on average and up to $7,000,000 

The unexpected costs of a cyberattack can be devastating for an SMB and make it difficult to recover from financially. These costs can include expenses incurred for investigation and recovery efforts to resolve the incident, and associated fines related to a data breach. Cyberattacks not only present an immediate financial strain but can also have longer-term impacts on an SMB. Diminished customer trust due to a cyberattack can cause broader reputational damage and lead to missed business opportunities in the future. It’s difficult to anticipate the impact of a cyberattack because the time it takes to recover can vary from one day to more than a month. While many SMBs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time needed to restore operations and resume normal business activities.

How can SMBs approach this?

SMBs can conduct a cybersecurity risk assessment to understand gaps in security and determine steps to resolve them. These assessments can help SMBs uncover areas open to attack to minimize them, ensure compliance with regulatory requirements, establish incident response plans, and more. Effectively and proactively planning can help minimize the financial, reputational, and operational costs associated with a cyberattack should one happen. Many organizations provide self-service assessments, and working with a security specialist or security service provider can bring additional expertise and guidance through the process as needed.


3. 81% of SMBs believe AI increases the need for additional security controls

The rapid advancement of AI technologies and the ease of use through simple user interfaces creates notable challenges for SMBs when used by employees. Without the proper tools in place to secure company data, AI use can lead to sensitive or confidential information getting in the wrong hands. Fortunately, more than half of companies currently not using AI security tools intend to implement them within the next six months for more advanced security. 

How can SMBs approach this?

Data security and data governance play a critical role in the successful adoption and use of AI. Data security, which includes labeling and encrypting documents and information, can reduce the chance of restricted information being referenced in AI prompts. Data governance, the process of managing, understanding, and securing data, can help establish a framework for organizing data effectively.


4. 94% consider cybersecurity critical to their business 

Recognizing the critical importance of cybersecurity, 94% of SMBs consider it essential to their operations. While it was not always considered a top priority given limited resources and in-house expertise, the rise in cyberthreats and the increased sophistication of cyberattacks now pose significant risks for SMBs, a fact that is widely recognized across the SMB space. Managing work data on personal devices, ransomware, and phishing are among the top challenges that SMBs cite.

How can SMBs approach this?

For SMBs that want to get started with available resources to train and educate employees, security topics across Cybersecurity 101, Phishing, and more are provided through Microsoft’s Cybersecurity Awareness site.


5. Less than 30% of SMBs manage their security in-house 

Given the limited resources and in-house expertise within SMBs, many turn to security specialists for assistance. Less than 30% of SMBs manage security in-house and generally rely on security consultants or service providers to manage security needs. These security professionals provide crucial support in researching, selecting, and implementing cybersecurity solutions, ensuring that SMBs are protected from new threats. 

How can SMBs approach this?

Hiring a Managed Service Provider (MSP) is a common way to supplement internal business operations. MSPs are organizations that help manage broad IT services, including security, and serve as strategic partners to improve efficiency and oversee day-to-day IT activities. Security support can include researching and identifying the right security solution for a business based on its specific needs and requirements. Additionally, MSPs can implement and manage the solution by configuring security policies and responding to incidents on the SMB’s behalf. This model gives SMBs more time to focus on core business objectives while the MSP keeps the business protected.


6. 80% intend to increase their cybersecurity spending, with data protection as top area of spend 

Given the heightened importance of security, 80% of SMBs intend to increase cybersecurity spending. Top motivators are protection from financial losses and safeguards for client and customer data. It’s no surprise that data protection comes in as the top investment area with 65% of SMBs saying that is where increased spending will be allocated, validating the need for additional security with the rise of AI. Other top areas of spending include firewall services, phishing protection, ransomware and device protection, access control, and identity management.  

How can SMBs approach this?

By prioritizing investments in the areas above, SMBs can improve their security posture and reduce the risk of cyberattacks. Solutions such as Data Loss Prevention (DLP) help identify suspicious activity and prevent sensitive data from leaking outside the business, Endpoint Detection and Response (EDR) helps protect devices and defend against threats, and Identity and Access Management (IAM) helps ensure only the right people get access to the right information.


7. 68% of SMBs consider secure data access a challenge for remote workers 

The transition to hybrid work models has brought new security challenges for SMBs, and these issues will continue as hybrid work becomes a permanent fixture. With 68% of SMBs employing remote or hybrid workers, ensuring secure access for remote employees is increasingly critical. A significant 75% of SMBs are concerned about data loss on personal devices. To safeguard sensitive information in a hybrid work setting, it is vital to implement device security and management solutions so employees can securely work from anywhere.  

How can SMBs approach this?

Implement measures to protect data and internet-connected devices: install software updates immediately, ensure mobile applications are downloaded only from legitimate app stores, and refrain from sharing credentials over email or text, sharing them only over the phone in real time when necessary.


Next steps with Microsoft Security

  • Read the full report to learn more about how security is continuing to play an important role for SMBs.
  • Get the Be Cybersmart Kit to help educate everyone in your organization with cybersecurity awareness resources.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

3 new ways the Microsoft Intune Suite offers security, simplification, and savings
http://approjects.co.za/?big=en-us/security/blog/2024/02/01/3-new-ways-the-microsoft-intune-suite-offers-security-simplification-and-savings/
Thu, 01 Feb 2024 17:00:00 +0000

The main components of the Microsoft Intune Suite are now generally available. Read about how consolidated endpoint management adds value and functionality for security teams.

Today, we are taking a significant step in completing the delivery of functionality we promised when we first unveiled the vision for the Microsoft Intune Suite.1 We are launching three new solutions: Microsoft Intune Enterprise Application Management, Microsoft Intune Advanced Analytics, and Microsoft Cloud PKI. With these additions, the Intune Suite now goes beyond unified endpoint management to bring you a comprehensive collection of advanced cross-platform capabilities across three core areas: streamlined application security, secure access to on-premises and private cloud resources, and improved troubleshooting and support. While we will continue to add more functionality over time, today’s release marks “the end of the beginning,” as the main components of the Intune Suite are generally available this month. As such, let’s take the opportunity to recap the principles behind the value and functionality of the Intune Suite.


The broad value of the Intune Suite

While the solutions of the Intune Suite launched at different points in time, three fundamental principles have been there from the beginning.

First, one place for workloads adjacent to Unified Endpoint Management. If you’re currently using a mix of third-party solutions, the integrated experience in Microsoft Intune provides security and efficiency on two levels. One unified solution means fewer integrations to manage across third parties, and therefore fewer attack vectors for malicious actors. And on a deeper level, the broader Intune proposition (both Intune Suite and Intune) is integrated with Microsoft 365 and Microsoft Security solutions. This provides a consolidated and seamless experience for IT professionals, with a single pane of glass for end-to-end endpoint management.

Second, all parts of the Intune Suite are ready to support your cloud and AI-enabled future. Intune Suite will help accelerate organizations’ digital transformation to cloud native and simplify their IT operations. Additionally, data from Intune Suite are consolidated with other Intune and security data, meaning complete visibility across the device estate, informing and improving emerging technologies like Microsoft Copilot for Security. The more interrelated data that Copilot can use, the more it can proactively advise on the next best action.

Lastly, Intune Suite is available in a single unified plan. So, rather than having separate solutions for remote assistance, privilege management, analytics, and more, these advanced solutions can all be consolidated and simplified into one. This provides value in two ways: directly, by reducing the overall licensing cost, as the cost of Intune Suite is less than purchasing separate solutions; and the economic value of the Intune Suite is also in indirect savings: no need to manage separate vendors, train IT admins on separate tools, or maintain costly on-premises public key infrastructure (PKI). The Intune Suite makes it easier for IT admins, reducing overhead costs.

“With what we get out of Intune Suite, we can eliminate other products that our customers need. It’s now a suite of many components that enable customers who want to consolidate solutions and save money.”

—Mattias Melkersen Kalvåg, Mobility and Windows Management Consultant at MINDCORE, and Microsoft Certified Professional & MVP

From today: A comprehensive suite across applications, access needs, and support

Let’s get into specifics. For application security, Enterprise App Management helps you find, deploy, and update your enterprise apps. And Endpoint Privilege Management lets you manage elevation rules on a per-app basis so that even standard users can run approved privileged apps. Cloud PKI lets you manage certificates from the cloud in lieu of complex, on-premises PKI infrastructure. And Microsoft Tunnel for Mobile Application Management (MAM) is perfect for unenrolled, personal mobile devices, to help broker secure access to line of business apps. Advanced Analytics gives you data-rich insights across your endpoints. And Remote Help lets you view and control your PCs, Mac computers, and specialized mobile devices, right from the Intune admin center. Let us take each of those three product areas in turn.

Increase endpoint security with Enterprise App Management and Endpoint Privilege Management

Enterprise App Management gives you a new app catalog, allowing you to easily distribute managed apps, but also keep them patched and always up to date. With this initial release, you will be able to discover and deploy highly popular, pre-packaged apps, so you no longer need to scour the Internet to find their installation files, repackage, and upload them into Intune. Simply add and deploy the apps directly from their app publishers. You can also allow the apps you trust to self-update, and when a new update is available, it is just one click to update all your devices with that app installed. We will continuously expand and enrich the app catalog functionality in future releases to further advance your endpoint security posture and simplify operations. 

“I’m very excited about Enterprise App Management as it’s powered by a strong app catalog and natively integrated in Intune. This single pane of glass experience is what we’re all looking for.”

—Niklas Tinner, Microsoft MVP and Senior Endpoint Engineer at baseVISION AG

For more control over your apps, with Endpoint Privilege Management, you can scope temporary privilege elevation, based on approved apps and processes. Then, as a user in scope for this policy, you can elevate only the processes and apps that have been approved. For example, users can only run a single app for a short period of time as an administrator. Unlike other approaches that give local admin permissions or virtually unlimited scope, you can selectively allow a user to elevate in a one-off scenario by requesting Intune admin approval, without you needing to define the policy ahead of time.

“Endpoint Privilege Management offers tight integration into the operating system. And the focus that Microsoft has over only elevating specific actions and apps versus making you an admin for a period of time—this is security at its best, going for the least privileged access.”

—Michael Mardahl, Cloud Architect at Apento

Cloud PKI and Microsoft Tunnel for MAM power secure access

With Cloud PKI, providing both root and issuing Certificate Authorities (CA) in the cloud, you can simply set up a PKI in minutes, manage the certificate lifecycle, reduce the need for extensive technical expertise and tools, and minimize the effort and cost of maintaining on-premises infrastructure. In addition, support for Bring-Your-Own CA is available, allowing you to anchor Intune’s Issuing CA to your own private CA. Certificates can be deployed automatically to Intune-managed devices for scenarios such as authentication to Wi-Fi, VPN, and more; a modern PKI management option that works well to secure access with Microsoft Entra certificate-based authentication. In the initial release, Cloud PKI will also work with your current Active Directory Certificate Services for SSL and TLS certificates, but you do not need to deploy certificate revocation lists, Intune certificate connectors, Network Device Enrollment Service (NDES) servers, or any reverse proxy infrastructure. You can issue, renew, or revoke certificates directly from the Intune admin center automatically or manually. 

Microsoft Tunnel for MAM helps secure mobile access to your private resources. Microsoft Tunnel for MAM works similarly to Microsoft Tunnel for managed devices; however, with this advanced solution, Microsoft Tunnel for MAM works with user-owned (non-enrolled) iOS and Android devices. Microsoft Tunnel for MAM provides secure VPN access at the app level, for just the apps and browser (including Microsoft Edge) your IT admin explicitly authorizes. So, for personally owned devices, the user can access approved apps, without your company’s data moving onto the user’s personal device. App protection policies protect the data within the apps, preventing unauthorized data leakage to other apps or cloud storage locations.

“Cloud PKI within the Intune Suite allows you to go cloud native in terms of certificate deployment, which means you can provision PKIs with just a few clicks—that’s a blessing for all the IT administrators. With this built-in service, Microsoft hosts everything for you to manage certificates.”  

—Niklas Tinner

Resolve support issues quicker with Advanced Analytics and Remote Help

Advanced Analytics in Intune is a powerful set of tools for actionable reporting and AI-driven analytics. It provides deep, near real-time insights into your connected devices and managed apps that help you understand, anticipate, and proactively improve the user experience. We continue to infuse AI and machine learning into our analytics products. For example, you can get ahead of battery degradation in your device fleet through our advanced statistical analysis and use that information to prioritize hardware updates. Intune Suite now includes on-demand, real-time device querying using Kusto Query Language for individual devices, which is useful for troubleshooting and resolving support calls more quickly.

With Remote Help, you can also streamline the way you remotely view and interact with your managed devices, for both user-requested and unattended sessions. As a help desk technician, you can securely connect to both enrolled and unenrolled devices. Users also have peace of mind in being able to validate the technician’s identity, to avoid help desk spoofing attempts. Right now, Remote Help supports remote viewing and control on Windows PCs and Android dedicated Enterprise devices, and remote viewing on macOS. Especially useful for frontline workers, Remote Help for Android allows help desk administrators to configure and troubleshoot unattended devices, meaning issues can be resolved off-shift.

“Remote Help takes away the requirement and the need for third-party remote help tools. Remote Help is native, it’s interactive, and you don’t have to worry about installing anything, it’s already there. It’s part of Intune, it’s part of the build.”

—Matthew Czarnoch, Cloud and Infrastructure Operations Manager at RLS (Registration and Licensing Services)

To see many of these new capabilities in action, we invite you to watch this new Microsoft Mechanics video.

Analyst recognition for Microsoft

With the additions to the Intune Suite now available, IT can power a more secure and productive future at an important time as AI comes online. Notably, analyst recognition is validating the importance of its value. For example, Microsoft again assumes the strongest leadership position in the Omdia Universe: Digital Workspace Management and Unified Endpoint Management Platforms 2024. Omdia wrote: “Microsoft is focused on reducing management costs by utilizing the Microsoft Intune Suite and integrating different solutions with it.” They added: “The company plans to invest in Endpoint Analytics and Security Copilot to introduce data-driven management, helping IT professionals shift from reactive, repetitive tasks to strategic ones by utilizing Endpoint Analytics and automation.” Omdia’s recognition follows that from others like Forrester, who named Microsoft as a Leader in The Forrester Wave™ for Unified Endpoint Management, Q4 2023.

Get started with consolidated endpoint management solutions with the Microsoft Intune Suite

The February 2024 release of the solutions in the Intune Suite marks a key milestone, offering a consolidated, comprehensive solution set together in a cost-effective bundle (and available as individual add-on solutions) for any plan that includes Intune. And in April 2024, they will also be available to organizations and agencies of the United States government community cloud. We look forward to hearing your reactions to the new Intune Suite.

1. Ease the burden of managing and protecting endpoints with Microsoft advanced solutions, Dilip Radhakrishnan and Gideon Bibliowicz. April 5, 2022.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

The Forrester Wave™: Unified Endpoint Management, Q4 2023, Andrew Hewitt, Glen O’Donnell, Angela Lozada, Rachel Birrell. November 19, 2023.

5 ways to secure identity and access for 2024
http://approjects.co.za/?big=en-us/security/blog/2024/01/10/5-ways-to-secure-identity-and-access-for-2024/
Wed, 10 Jan 2024 17:00:00 +0000

To confidently secure identity and access at your organization, here are five areas Microsoft recommends prioritizing in the new year.

The security landscape is changing fast. In 2023, we saw a record-high 30 billion attempted password attacks per month, a 35% increase in demand for cybersecurity experts, and a 23% annual rise in cases processed by the Microsoft Security Response Center and Security Operations Center teams.1 This increase is due in part to the rise of generative AI and large language models, which bring new opportunities and challenges for security professionals while affecting what we must do to secure access effectively.  

Generative AI will empower individuals and organizations to increase productivity and accelerate their work, but these tools can also be susceptible to internal and external risk. Attackers are already using AI to launch, scale, and even automate new and sophisticated cyberattacks, all without writing a single line of code. Machine learning demands have increased as well, leading to an abundance of workload identities across corporate multicloud environments. This makes it more complex for identity and access professionals to secure, permission, and track a growing set of human and machine identities.

Adopting a comprehensive defense-in-depth strategy that spans identity, endpoint, and network can help your organization be better prepared for the opportunities and challenges we face in 2024 and beyond. To confidently secure identity and access at your organization, here are five areas worth prioritizing in the new year:

  1. Empower your workforce with Microsoft Security Copilot.
  2. Enforce least privilege access everywhere, including AI apps.
  3. Get prepared for more sophisticated attacks.
  4. Unify access policies across identity, endpoint, and network security.
  5. Control identities and access for multicloud.

Our recommendations come from serving thousands of customers, collaborating with the industry, and continuously protecting the digital economy from a rapidly evolving threat landscape.


Priority 1: Empower your workforce with Microsoft Security Copilot

This year generative AI will become deeply infused into cybersecurity solutions and play a critical role in securing access. Identities, both human and machine, are multiplying at a faster rate than ever—as are identity-based attacks. Sifting through sign-in logs to investigate or remediate identity risks does not scale to the realities of cybersecurity talent shortages when there are more than 4,000 identity attacks per second.1 To stay ahead of malicious actors, identity professionals need all the help they can get. Here’s where Microsoft Security Copilot can make a big difference at your organization and help cut through today’s noisy security landscape. Generative AI can meaningfully augment the talent and ingenuity of your identity experts with automations that work at machine-speed and intelligence.

Based on the latest Work Trend Index, business leaders are empowering workers with AI to increase productivity and help employees with repetitive and low value tasks.2 Early adopters of Microsoft Security Copilot, our AI companion for cybersecurity teams, have seen a 44% increase in efficiency and 86% increase in quality of work.3 Identity teams can use natural language prompts in Copilot to reduce time spent on common tasks, such as troubleshooting sign-ins and minimizing gaps in identity lifecycle workflows. It can also strengthen and uplevel expertise in the team with more advanced capabilities like investigating users and sign-ins associated with security incidents while taking immediate corrective action. 

To get the most out of your AI investments, identity teams will need to build a consistent habit of using their AI companions. Once your workforce becomes comfortable using these tools, it is time to start building a company prompt library that outlines the specific queries commonly used for various company tasks, projects, and business processes. This will equip all current and future workers with an index of shortcuts that they can use to be productive immediately.

How to get started: Check out this Microsoft Learn training on the fundamentals of generative AI, and subscribe for updates on Microsoft Security Copilot to be the first to hear about new product innovations, the latest generative AI tips, and upcoming events.

Priority 2: Enforce least privilege access everywhere, including AI apps

One of the most common questions we hear is how to secure access to AI apps—especially those in corporate (sanctioned) and third-party (unsanctioned) environments. Insider risks like data leakage or spoilage can lead to tainted large language models, confidential data being shared in apps that are not monitored, or the creation of rogue user accounts that are easily compromised. The consequences of excessively permissioned users are especially damaging within sanctioned AI apps where users who are incorrectly permissioned can quickly gain access to and manipulate company data that was never meant for them.

Ultimately, organizations must secure their AI applications with the same identity and access governance rules they apply to the rest of their corporate resources. This can be done with an identity governance solution, which lets you define and roll out granular access policies for all your users and company resources, including the generative AI apps your organization decides to adopt. As a result, only the right people will have the right level of access to the right resources. The access lifecycle can be automated at scale through controls like identity verification, entitlement management, lifecycle workflows, access requests, reviews, and expirations. 

To enforce least privilege access, make sure that all sanctioned apps and services, including generative AI apps, are managed by your identity and access solution. Then, define or update your access policies with a tool like Microsoft Entra ID Governance that controls who, when, why, and how long users retain access to company resources. Use lifecycle workflows to automate user access policies so that any time a user’s status changes, they still maintain the correct level of access. Where applicable, extend custom governance rules and user experiences to any customer, vendor, contractor, or partner by integrating Microsoft Entra External ID, a customer identity and access management (CIAM) solution. For high-risk actions, require proof of identity in real-time using Microsoft Entra Verified ID. Microsoft Security Copilot also comes with built-in governance policies, tailored specifically for generative AI applications, to prevent misuse.

How to get started: Read the guide to securely govern AI and other business-critical applications in your environment. Make sure your governance strategy abides by least privilege access principles.

Priority 3: Get prepared for more sophisticated attacks

Not only are known attacks like password spray increasing in intensity, speed, and scale, but new attack techniques are being developed rapidly that pose a serious threat to unprepared teams. Multifactor authentication adds a layer of security, but cybercriminals can still find ways around it. More sophisticated attacks like token theft, cookie replay, and AI-powered phishing campaigns are also becoming more prevalent. Identity teams need to adapt to a new cyberthreat landscape where bad actors can automate the full lifecycle of a threat campaign—all without writing a single line of code.

To stay safe in today’s relentless identity threat landscape, we recommend taking a multi-layered approach. Start by implementing phishing-resistant multifactor authentication that is based on cryptography or biometrics such as Windows Hello, FIDO2 security keys, certificate-based authentication, and passkeys (both roaming and device-bound). These methods can help you combat more than 99% of identity attacks as well as advanced phishing and social engineering schemes.[4]

For sophisticated attacks like token theft and cookie replay, have in place a machine learning-powered identity protection tool and Secure Web Gateway (SWG) to detect a wide range of risk signals that flag unusual user behavior. Then use continuous access evaluation (CAE) with token protection features to respond to risk signals in real time and block, challenge, limit, revoke, or allow user access. For new attacks like one-time password (OTP) bots that take advantage of multifactor authentication fatigue, educate employees about common social engineering tactics and use the Microsoft Authenticator app to suppress sign-in prompts when a multifactor authentication fatigue attack is detected. Finally, for high assurance scenarios, consider using verifiable credentials—digital identity claims from authoritative sources—to quickly verify an individual’s credentials and grant least privilege access with confidence.

Customize your policies in the Microsoft Entra admin center to mandate strong, phishing-resistant authentication for any scenario, including step-up authentication with Microsoft Entra Verified ID. Make sure to implement an identity protection tool like Microsoft Entra ID Protection, which now has token protection capabilities, to detect and flag risky user signals that your risk-based CAE engine can actively respond to. Lastly, secure all internet traffic, including all software as a service (SaaS) apps, with Microsoft Entra Internet Access, an identity-centric SWG that shields users against malicious internet traffic and unsafe content.

How to get started: To quick-start your defense-in-depth campaign, we’ve developed default access policies that make it easy to implement security best practices, such as requiring multifactor authentication for all users. Check out these guides on requiring phishing-resistant multifactor authentication and planning your conditional access deployment. Finally, read up on our token protection, continuous access evaluation, and multifactor authentication fatigue suppression capabilities.
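Priority 3 above comes down to one check a tenant administrator can make: is there an enforced policy that requires phishing-resistant authentication for everyone? The following is an added Python example, not code from Microsoft or from this post. It audits Conditional Access policy objects written in the shape of the Microsoft Graph conditionalAccessPolicy resource and flags policies that still accept phishable MFA methods, are not enforced, or do not cover all users and apps. The three sample policies (a weak "any MFA" policy, its hardened replacement, and a report-only pilot) and the break-glass group id are constructed; the three built-in authentication strength ids are the ones documented for Microsoft Graph, which you should confirm in your own tenant.

```python
"""Audit Conditional Access policies for an enforced phishing-resistant MFA baseline.

Added example (not Microsoft's code). Policy objects follow the shape of the
Microsoft Graph conditionalAccessPolicy resource; the sample policies and the
break-glass group id are constructed for this example.
"""
from __future__ import annotations

# Built-in authentication strength ids documented for Microsoft Graph.
AUTH_STRENGTH_MFA = "00000000-0000-0000-0000-000000000002"
AUTH_STRENGTH_PASSWORDLESS_MFA = "00000000-0000-0000-0000-000000000003"
AUTH_STRENGTH_PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"

# Constructed group id for emergency-access accounts excluded from the policy.
BREAK_GLASS_GROUP = "11111111-2222-3333-4444-555555555555"

# Weak setting: the "mfa" built-in control is satisfied by any registered
# method, including SMS and voice OTP that adversary-in-the-middle kits relay.
WEAK_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Corrected setting: only methods in the phishing-resistant strength
# (FIDO2 keys, Windows Hello for Business, certificate-based auth, passkeys).
HARDENED_POLICY = {
    "displayName": "Require phishing-resistant MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {
        "operator": "OR",
        "authenticationStrength": {"id": AUTH_STRENGTH_PHISHING_RESISTANT},
    },
}

# Right control, but still in report-only mode and scoped to one app.
REPORT_ONLY_POLICY = {
    "displayName": "Phishing-resistant MFA for Office 365 (pilot)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["Office365"]},
    },
    "grantControls": {
        "operator": "OR",
        "authenticationStrength": {"id": AUTH_STRENGTH_PHISHING_RESISTANT},
    },
}


def policy_findings(policy: dict) -> list[str]:
    """Return the reasons a policy falls short of the tenant-wide baseline."""
    findings: list[str] = []
    grant = policy.get("grantControls") or {}
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    controls = grant.get("builtInControls") or []

    if strength == AUTH_STRENGTH_PHISHING_RESISTANT:
        pass  # grant already restricted to phishing-resistant methods
    elif strength or "mfa" in controls:
        findings.append("grant accepts phishable MFA methods; use the phishing-resistant authentication strength")
    else:
        findings.append("grant does not require multifactor authentication")

    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}; policy is not enforced")
    if users.get("includeUsers") != ["All"]:
        findings.append("does not target all users")
    if apps.get("includeApplications") != ["All"]:
        findings.append("does not cover all cloud apps")
    if not users.get("excludeGroups"):
        findings.append("no emergency-access group excluded; risk of tenant lockout")
    return findings


def has_enforced_phishing_resistant_baseline(policies: list[dict]) -> bool:
    """True when at least one policy enforces phishing-resistant MFA for everyone."""
    return any(not policy_findings(p) for p in policies)


if __name__ == "__main__":
    for p in (WEAK_POLICY, HARDENED_POLICY, REPORT_ONLY_POLICY):
        print(p["displayName"], "->", policy_findings(p) or ["OK"])
```

In practice the policy list would come from a Graph query rather than inline constants; the checks stay the same. The emergency-access exclusion is part of the baseline on purpose: a tenant-wide phishing-resistant requirement with no break-glass path locks administrators out when the registered keys are lost.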

Priority 4: Unify access policies across identity, endpoint, and network security

In most organizations, the identity, endpoint, and network security functions are siloed, with teams using different technologies for managing access. This is problematic because it requires conditional access changes to be made in multiple places, increasing the chance of security holes, redundancies, and inconsistent access policies between teams. Identity, endpoint, and network tools need to be integrated under one policy engine, as neither category alone can protect all access points.

By adopting a Zero Trust security model that spans identity, endpoint, and network security, you can easily manage and enforce granular access policies in one place. This helps reduce operational complexity and can eliminate gaps in policy coverage. Plus, by enforcing universal conditional access policies from a single location, your policy engine can analyze a more diverse set of signals such as network, identity, endpoint, and application conditions before granting access to any resource—without making any code changes. 

Microsoft’s Security Service Edge (SSE) solution is identity-aware and is delivering a unique innovation to the SSE category by bringing together identity, endpoint, and network security access policies. The solution includes Microsoft Entra Internet Access, an SWG for safeguarding SaaS apps and internet traffic, as well as Microsoft Entra Private Access, a Zero Trust Network Access (ZTNA) solution for securing access to all applications and resources. When you unify your network and identity access policies, it is easier to secure access and manage your organization’s conditional access lifecycle.

How to get started: Read these blogs to learn why their identity-aware designs make Microsoft Entra Internet Access and Microsoft Entra Private Access unique to the SSE category. To learn about the different use cases and scenarios, configuration prerequisites, and how to enable secure access, go to the Microsoft Entra admin center.

Priority 5: Control identities and access for multicloud

Today, as multicloud adoption increases, it is harder than ever to gain full visibility over which identities, human or machine, have access to what resources across your various clouds. Plus, with the massive increase in AI-driven workloads, the number of machine identities being used in multicloud environments is quickly rising, outnumbering human identities 10 to 1.[5] Many of these identities are created with excessive permissions and little to no governance, with less than 5% of granted permissions actually used, suggesting that the vast majority of machine identities do not abide by least privilege access principles. As a result, attackers have shifted their attention to apps, homing in on workload identities as a vulnerable new threat vector. Organizations need a unified control center for managing workload identities and permissions across all their clouds.

Securing access to your multicloud infrastructure across all identity types starts with selecting the methodology that makes sense for your organization. Zero Trust provides an excellent, customizable framework that applies just as well to workload identities as it does to human identities. You can effectively apply these principles with a cloud infrastructure entitlement management (CIEM) platform, which provides deep insights into the permissions granted across your multicloud, how they are used, and the ability to right-size those permissions. Extending these controls to your machine identities will require a purpose-built tool for workload identities that uses strong credentials, conditional access policies, anomaly and risk signal monitoring, access reviews, and location restrictions.

Unifying and streamlining the management of your organization’s multicloud starts with diagnosing the health of your multicloud infrastructure with Microsoft Entra Permissions Management, which will help you discover, detect, right-size, and govern your organization’s multicloud identities. Then, using Microsoft Entra Workload ID, migrate your workload identities to managed identities where possible and apply strong Zero Trust principles and conditional access controls to them.

How to get started: Start a Microsoft Entra Permissions Management free trial to assess the state of your organization’s multicloud environment, then take the recommended actions to remediate any access right risks. Also, use Microsoft Entra Workload ID to assign conditional access policies to all of your apps, services, and machine identities based on least privilege principles.
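The right-sizing step in Priority 5 (compare what a workload identity was granted with what it actually used, then cut the grant down to the used set) is mechanical enough to show in code. The following is an added Python example, not Microsoft Entra Permissions Management code. The action catalog, the over-permissive grant, the 90-day usage log and the high-risk action list are all constructed, and the `service:Action` naming with `*` wildcards is an assumption rather than any one cloud's real permission model; the same logic applies to whatever permission vocabulary your CIEM tool exports.

```python
"""Right-size a workload identity's granted permissions against observed use.

Added example of the CIEM right-sizing step; it is not Microsoft Entra
Permissions Management code. The action catalog, the granted policy, the usage
records, the risk list and the 90-day window are constructed for this example,
and the service:Action naming with "*" wildcards is an assumption rather than
any one cloud's real permission model.
"""
from __future__ import annotations

from fnmatch import fnmatchcase

# Constructed catalog of every action the (imaginary) cloud supports.
ACTION_CATALOG = [
    "storage:GetObject", "storage:PutObject", "storage:DeleteObject",
    "storage:ListBucket", "storage:DeleteBucket",
    "queue:SendMessage", "queue:ReceiveMessage", "queue:DeleteQueue",
    "kv:GetSecret", "kv:SetSecret", "kv:DeleteSecret",
    "iam:CreateRole", "iam:AttachRolePolicy",
]

# Constructed list of actions whose abuse allows escalation or data destruction.
HIGH_RISK = {"storage:DeleteBucket", "queue:DeleteQueue", "kv:DeleteSecret",
             "iam:CreateRole", "iam:AttachRolePolicy"}

# Constructed over-permissive grant for a machine identity (an ingestion job).
GRANTED = ["storage:*", "queue:*", "kv:GetSecret", "iam:*"]

# Constructed 90-day activity log for the same identity: (day, action).
USAGE_LOG = [
    ("2024-01-03", "storage:GetObject"), ("2024-01-03", "storage:PutObject"),
    ("2024-01-04", "queue:ReceiveMessage"), ("2024-01-04", "kv:GetSecret"),
    ("2024-02-11", "storage:GetObject"), ("2024-03-20", "queue:ReceiveMessage"),
]


def expand(patterns: list[str], catalog: list[str]) -> set[str]:
    """Resolve wildcard grants to the concrete actions they confer."""
    return {a for a in catalog if any(fnmatchcase(a, p) for p in patterns)}


def right_size(granted: list[str], usage_log: list[tuple[str, str]],
               catalog: list[str]) -> dict:
    """Compare effective grant with observed use and propose a least-privilege grant."""
    effective = expand(granted, catalog)
    used = {action for _, action in usage_log} & effective
    unused = effective - used
    return {
        "granted": len(effective),
        "used": len(used),
        "unused_pct": round(100 * len(unused) / len(effective), 1) if effective else 0.0,
        # Unused *and* dangerous: remove these first.
        "unused_high_risk": sorted(unused & HIGH_RISK),
        # Least-privilege replacement: exactly the actions observed in use.
        "right_sized_policy": sorted(used),
    }


if __name__ == "__main__":
    for key, value in right_size(GRANTED, USAGE_LOG, ACTION_CATALOG).items():
        print(f"{key}: {value}")
```

On the constructed data the job uses 4 of the 11 actions its wildcards confer, and four of the unused seven are in the high-risk set, which is the "excessive permissions with little governance" pattern the passage describes. A real rollout keeps the observation window long enough to cover infrequent but legitimate actions (month-end jobs, disaster-recovery drills) before the narrowed grant is enforced.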

Our commitment to continued partnership with you

It is our hope that the strategies in this blog help you form an actionable roadmap for securing access at your organization—for everyone, to everything.

But access security is not a one-way street; it is your continuous feedback that enables us to provide truly customer-centric solutions to the identity and access problems we face in 2024 and beyond. We are grateful for the continued partnership and dialogue with you—from day-to-day interactions, to joint deployment planning, to the direct feedback that informs our strategy. As always, we remain committed to building the products and tools you need to defend your organization throughout 2024 and beyond.

Learn more about Microsoft Entra, or recap the identity at Microsoft Ignite blog.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] Microsoft Digital Defense Report, Microsoft, October 2023.

[2] Work Trend Index Annual Report: Will AI Fix Work?, Microsoft, May 9, 2023.

[3] Microsoft unveils expansion of AI for security and security for AI at Microsoft Ignite, Vasu Jakkal, November 15, 2023.

[4] How effective is multifactor authentication at deterring cyberattacks?, Microsoft.

[5] 2023 State of Cloud Permissions Risks report now published, Alex Simons, March 28, 2023.

Why a proactive detection and incident response plan is crucial for your organization http://approjects.co.za/?big=en-us/security/blog/2023/06/06/why-a-proactive-detection-and-incident-response-plan-is-crucial-for-your-organization/ Tue, 06 Jun 2023 16:00:00 +0000 Matt Suiche of Magnet Forensics talks about top security threats for organizations and strategies for effective incident response.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Matt Suiche, Director of Research and Development for Memory Analysis and Incident Response for Magnet Forensics. The thoughts below reflect Matt’s views, not the views of Matt’s employer or Microsoft, and are not legal advice. In this blog post, Matt talks about incident response.

Brooke: What are the top threats impacting organizations?

Matt: One of the big threats is business email compromise, with all the phishing happening to organizations and billions of dollars being stolen because of invoices being modified after attackers access the mailboxes of key employees.

Another threat is info-stealers. Essentially, ransomware involved criminal groups breaching organizations’ infrastructure, encrypting their files, and asking for ransom. Now, because more organizations are aware of that threat, they have become more proactive, and use backups. This is why criminal groups are switching to info-stealers, where they steal that sensitive information rather than randomly encrypting files. They are more strategic with the data they are stealing, so they can monetize the information. Ransomware actors even buy the credentials of companies on different forums or from other criminal groups.

Brooke: How can organizations reduce the risk of threats?

Matt: Reducing your risk is a continuous process because threats today are different from a few years ago and they are different from what they will be in one to three years.

Organizations must understand that there will never be zero risk. That is why it is important to be proactive when it comes to detection as well as have a strong, quick, and efficient incident response plan in place. We enable our users to proactively hunt for threats not only after breaches but also as a routine exercise as sometimes actors can be present in your network for months before they take any visible actions.

This plan should also include digital forensics—uncovering root causes and working those learnings back into the rest of the organization to remediate vulnerabilities, as well as improve the overall incident response plan, which is another strong way to reduce the risk of attack through similar methods.


Brooke: How do you get leadership buy-in to build an incident response team?

Matt: To get budget, the chief information security officer needs to convince upper management of being prepared for a cyber breach, as it is inevitable. At organizations that understand the security risk, it may be easier to get budget, but then it is about how you deploy that budget. That comes down to the organization and leadership prioritizing what they want to focus on based on the actual threat model of the organization and areas where they know they are weak and want to improve.

The answer is going to differ from one organization to another, but the main thing is to make sure that leadership understands the risk of poor cybersecurity and a lack of preparedness for when a breach occurs. Fortunately, in 2023, there are enough stories in the press, movies, TV shows, and books to do the job for people.

Brooke: How does an organization develop an efficient incident response process?

Matt: First, each organization needs to understand its threat model, because each organization has different risks. The issues of a healthcare company and a financial institution are going to be completely different, and even the people targeting you would have different attack strategies.

Organizations need to focus on both detection and response capabilities. Detection involves being proactive, making sure you have visibility of your network and understand what is happening. If there is a threat, you detect it. The response part is why you have an incident response plan and digital forensics capabilities in place. If something is happening, you need to be able to investigate it immediately and thoroughly.

Organizations also need to understand their threat model and the profile of people that may be going after them. Based on that information, focus on a strategy for detection and a strategy for incident response. Threat intelligence is a component of both.

Everyone also needs to have a backup plan internally whenever they investigate because detection is great but not perfect.

Brooke: What do we need to know about incident response to protect ourselves?

Matt: Unfortunately, a lot of security processes involve humans, so if you are a large organization, automate as much as you can to avoid security people experiencing burnout and so your company can be more efficient.

If you are an organization developing software, make sure you have proper application security people in place. If you are handling data, make sure you have good controls in place. If you are a financial institution, you are going to need all of the above, so it really depends on the profile of the organization. It is about people being logical and not only relying on security products.

Brooke: Why is multifactor authentication so important?

Matt: With identity, we are talking about control. Multifactor authentication is great because it adds a layer to authentication. As long as we depend on passwords for authentication, multifactor authentication is a must because of the issues happening with spear phishing, business email compromise, and databases containing passwords being leaked.

Passwordless is the future of authentication. Until we move toward the direction of passwordless authentication, two-factor authentication is going to be a must.

Brooke: How do you sift through information about a threat effectively without burnout?

Matt: AI is good if you know and understand the data you have, which is not often the case. Information triage is always required. Organizations need to understand their needs properly and not simply be driven by checkbooks or just check boxes because of compliance.

A good first step is what we call a priority intelligence requirement. Data is always about context. You need to understand what type of data you have to categorize it and then that can be efficient. If you have a lot of information, it is good, but if you have data with no context, it is useless. That is why you need to always make sure you have the right context, and that what you are collecting is responding to your intelligence requirements.

Brooke: What is the best way to monitor tenant administrator accounts?

Matt: This goes back to building a proper threat model so organizations can identify potential infection vectors and how administrative accounts are being used. In a lot of cases, you may have administrative accounts that are completely forgotten or hidden somewhere. For example, an employee left, and that account was not disabled.

That is why I like authentication. More organizations are using single sign-on (SSO) technologies in addition to multifactor authentication. Another great way to do this is to avoid multiple accounts and centralize identity and control so it is easier to monitor. It is a difficult exercise because you may have multiple Microsoft Azure Active Directory accounts, multiple cloud providers, different accounts for accounting, or other things not inside the SSO. If you do a threat model, you can list all the ways of authentication that would require monitoring in the first place.

Brooke: What is your advice for incident response teams, whether one person or more?

Matt: Whether one person handles incident response, or you have a team of 10 people, you must understand what you do well but also your limitations. Understanding your limitations is often quite tricky because people do not like the exercise of discovering what is missing or requires improvement.

Sometimes, the security approach is generic and aligned with compliance checkboxes when it should be more practical. The more practical it is, the easier it is to make decisions. Understand your current capabilities and weaknesses, then focus on where you have gaps. Start with creating an incident response plan and aligning your internal stakeholders around it. Ensure it includes steps for what happens during and immediately after the breach and post-incident so that you can learn from the incident and come out stronger. If you just spend your time filtering and doing triage of data and information, it is like running in the sand backward.

Learn more

Learn more about Microsoft Incident Response.


XDR meets IAM: Comprehensive identity threat detection and response with Microsoft http://approjects.co.za/?big=en-us/security/blog/2023/05/31/xdr-meets-iam-comprehensive-identity-threat-detection-and-response-with-microsoft/ Wed, 31 May 2023 16:00:00 +0000 Identity-based attacks are on the rise, making identity protection more important than ever. Explore our blog post to learn how Microsoft’s Identity Threat Detection and Response can help.

Identity has become the corporate security perimeter. The average organization used 130 different cloud applications in 2022. That’s up 18 percent from 2021 alone.[1] And as organizations continue to embrace digital transformation and enable remote work, they look to identity and access management solutions to ensure that the right people have access to the files, data, and apps they need to do their job without putting those same resources at risk.

As you might imagine, the more identities become integral to how we work, the more they become a target. With just a single compromised account, attackers can quickly bypass existing security protocols and move laterally to increasingly sensitive accounts or resources. Privilege misuse and credential compromise have been two of the most common and damaging attack vectors organizations face, but identity threats are becoming increasingly sophisticated. Cybercriminals have evolved from brute force and password spray tactics to targeting the underlying identity infrastructure in an effort to slip through even the smallest gaps in protection.

Beyond the complexity of these attacks is their sheer volume. It’s estimated that more than 80 percent of breaches can be attributed to identity-based attacks, and as more and more cybercrime groups join nation-state actors in executing these types of attacks, that number is only going to grow.[2] To counter these ever-growing identity threats, a new security category has emerged: identity threat detection and response (ITDR).

What is ITDR?

At Microsoft, we see ITDR as an integrated partnership between two historically separate, but critically important, disciplines: identity and access management (IAM) and extended detection and response (XDR).

IAM is a foundational element of any organization’s security strategy, providing a baseline for identity security and helping IT departments control what company resources users can and cannot access. By using IAM best practices such as strong authentication, Conditional Access, and identity governance, organizations can reduce their overall attack surface area while also providing the information and context needed to detect breaches.

XDR solutions are designed to deliver a holistic, simplified, and efficient approach to protect organizations against advanced attacks. These solutions correlate identity signals with telemetry from other domains like endpoints, cloud applications, and collaboration tools, giving security operations center (SOC) teams a more complete view of the cyberattack kill chain. With this enhanced visibility, they can more effectively investigate threats and provide automated remediation across multiple domains using vast sets of intelligence and built-in AI.

IAM and XDR each provide immense benefits to organizations, but when working together in concert, they provide a robust and comprehensive ITDR solution.

Diagram showing how the convergence of identity and access management and extended detection and response create identity threat detection and response.

Whether you are just starting on your ITDR journey or are already well on your way, Microsoft can help. In this blog post, we’ll talk through the critical areas of ITDR and bring insights from our leadership in both identity and security.


Prevent identity attacks before they happen with secure adaptive access

The best-case scenario in any attack is that the bad actors are stopped before they can breach your security. When working with customers, we recommend they implement granular Conditional Access policies as a powerful first step in thwarting cybercriminals and keeping their organization safe.

Multifactor authentication, for instance, has been shown to reduce the risk of compromise from identity attacks by 99.9 percent. This is one of the most important steps an organization can take. Attackers are constantly evolving their tactics, looking for the smallest crack they can exploit, whether that be a human or workload identity they can compromise or misconfigured policies and identity infrastructure that let them gain even more control. That’s why we recommend you also use Conditional Access policies to protect non-human identities, whether applications, services, or containers. It’s critical to create more secure access policies and manage the lifecycles of different workload identities to prevent an attack.

IT and identity practitioners need to analyze relevant risk signals from across their unique landscape and enforce universal Conditional Access policies in real time. The deep integration of our IAM and XDR platforms helps organizations do just that. Leveraging insights from the more than 65 trillion signals daily across Microsoft’s ecosystem, our identity protection capabilities detect things like atypical travel, unfamiliar sign-in properties, and leaked credentials. These capabilities then assign each sign-in attempt a risk score, which in turn can trigger pre-defined remediation efforts or block access entirely until an administrator can review. 
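The signals named here (atypical travel, unfamiliar sign-in properties) and in Priority 3 of the 2024 post above (token theft and cookie replay, answered by block, challenge, or allow decisions) can be demonstrated as a small scoring engine over a sign-in log. The following is an added Python example, not Microsoft's identity protection logic. Users, IP addresses, coordinates, device ids and session ids are constructed; the 900 km/h travel threshold, the signal weights and the score cut-offs are assumptions chosen for illustration, not production tuning.

```python
"""Score sign-in events against identity risk signals and pick a response.

Added example of the detection logic described in the text; it is not
Microsoft's identity protection engine. Users, IPs, coordinates, device and
session ids are constructed; the 900 km/h travel threshold, the signal weights
and the score cut-offs are assumptions chosen for illustration.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # faster than this between two sign-ins is "atypical travel"
WEIGHTS = {"atypical_travel": 60, "unfamiliar_device": 30, "session_replay": 80}

# Constructed sign-in log: user,timestamp,ip,lat,lon,device,session.
# Row 2 is a London sign-in 40 minutes after Seattle from an unknown device;
# row 4 reuses bob's session id from a different IP (token/cookie replay).
SAMPLE_LOG = """\
user,ts,ip,lat,lon,device,session
alice,2024-03-01T08:00:00Z,203.0.113.10,47.61,-122.33,dev-a1,sess-100
alice,2024-03-01T08:40:00Z,198.51.100.7,51.51,-0.13,dev-zz,sess-101
bob,2024-03-01T09:00:00Z,203.0.113.20,40.71,-74.01,dev-b1,sess-200
bob,2024-03-01T09:05:00Z,192.0.2.99,40.71,-74.01,dev-b1,sess-200
carol,2024-03-01T10:00:00Z,203.0.113.30,37.77,-122.42,dev-c1,sess-300
carol,2024-03-01T11:00:00Z,203.0.113.30,37.77,-122.42,dev-c1,sess-301
"""

# Constructed per-user device baseline (what a real engine learns over time).
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"}}


@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    device: str
    session: str


def parse_log(text: str) -> list[SignIn]:
    """Parse the CSV-style log above into SignIn records."""
    rows = [line.split(",") for line in text.strip().splitlines()[1:]]
    return [
        SignIn(u, datetime.fromisoformat(t.replace("Z", "+00:00")), ip,
               float(la), float(lo), dev, sess)
        for u, t, ip, la, lo, dev, sess in rows
    ]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def decide(score: int) -> str:
    """Map a risk score to the response a policy engine would apply."""
    if score >= 80:
        return "block"      # revoke the session and require a fresh sign-in
    if score >= 30:
        return "challenge"  # step up with phishing-resistant MFA
    return "allow"


def score_signins(events: list[SignIn], known_devices: dict[str, set[str]]) -> list[dict]:
    """Evaluate events in time order; each result lists signals, score and action."""
    last_seen: dict[str, SignIn] = {}
    session_ips: dict[str, set[str]] = {}
    results = []
    for e in sorted(events, key=lambda x: x.ts):
        signals = []
        prev = last_seen.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            if km > 1.0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                signals.append("atypical_travel")
        if e.device not in known_devices.get(e.user, set()):
            signals.append("unfamiliar_device")
        ips = session_ips.setdefault(e.session, set())
        if ips and e.ip not in ips:
            signals.append("session_replay")  # same token presented from a new IP
        ips.add(e.ip)
        last_seen[e.user] = e
        score = sum(WEIGHTS[s] for s in signals)
        results.append({"user": e.user, "ts": e.ts.isoformat(), "signals": signals,
                        "score": score, "action": decide(score)})
    return results


if __name__ == "__main__":
    for r in score_signins(parse_log(SAMPLE_LOG), KNOWN_DEVICES):
        print(r)
```

Alice's second sign-in collects two signals (Seattle to London in 40 minutes, on a device never seen for her) and is blocked; Bob's session id reappearing from a second IP is the replay pattern that token protection is meant to catch, and it is blocked on that signal alone; Carol's sign-ins raise nothing. A production engine would add many more signals and learn the weights, but the shape (per-event signals, an aggregate score, a tiered response) is the same one the text describes.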

Detect advanced attacks with threat-level intelligence

A robust identity posture is the first step toward identity security, helping to thwart the majority of attacks. Effective breach detection and response completes the story. Ever-evolving attack strategies and the impact of human error from multifactor authentication fatigue or social engineering attacks mean we must always “assume breach.” A recent survey found that 76 percent of businesses expect a successful attack to be executed within the next 12 months, highlighting why it is imperative to detect a breach quickly and accurately.[3] To do this, you need powerful detections both at the identity level and across the entire cyber kill chain.

Our customers benefit from robust identity detections out of the box, each prioritized by potential impact and augmented with additional signals and insights into the latest attack strategies. By ingesting signals from on-premises Active Directory, Microsoft Azure Active Directory, and other third-party identity providers as well as the underlying identity infrastructure, like Active Directory Federation Services and Active Directory Certificate Services, SOC teams gain a comprehensive view of their identity landscape, user activities, and risk.

We help you harness the power of our best-of-breed identity detections by integrating our identity security capabilities directly into our XDR platform so SOC teams can see identity alerts and data within the context of broader security incidents. By correlating identity data with signals from across other security domains, not only is each individual alert increasingly more accurate but analysts also gain unprecedented insight into the entirety of an attack and its progression. 

Learn more about how to empower your SOC team to spot even the most advanced identity attacks.

Respond and remediate attacks faster with automatic attack disruption

Detecting a breach and remediating an attack are two very different things. The final piece of a successful ITDR strategy is the ability to stop in-progress attacks and limit lateral movement. At Microsoft, we have infused AI and machine learning into our security capabilities to help empower the SOC with intelligent automation that can disrupt attacks at machine speed.  

Analysts can confidently automate workflows and remediation tactics thanks to the high level of accuracy our correlated incidents provide. This effectively shifts the response time from hours or days to minutes or seconds. When a breach occurs, every second matters, and costs can soar to 80 percent higher when security AI and automation aren’t fully deployed.[4]

Human efficiency is also critical, so we have designed our portals with the needs of each unique persona in mind while enabling a seamless flow of information and workflow processes. By prioritizing everything from alerts to configurations and posture management, users can focus better on what is most important to them.

Find out how to stop advanced attacks at machine speed.  

Get started today

As the sophistication and prevalence of identity-based attacks continue to grow, identity protection and ITDR are becoming increasingly critical to modern cybersecurity. Partner with a proven leader in both identity and security to streamline your identity protection and deploy a successful ITDR strategy.

Learn more about Microsoft’s Identity Threat Detection and Response solution.



[1] 2023 State of SaaSOps study, BetterCloud, 2023.

[2] Verizon Data Breach Investigation Report, Verizon, 2022.

[3] Cyber Risk Index (CRI), Trend Micro, 2023.

[4] Cost of a Data Breach Report, Ponemon Institute, 2021.

Cyber Signals: Shifting tactics fuel surge in business email compromise http://approjects.co.za/?big=en-us/security/blog/2023/05/19/cyber-signals-shifting-tactics-fuel-surge-in-business-email-compromise/ Fri, 19 May 2023 10:00:00 +0000 Business email operators seek to exploit the daily sea of email traffic to lure victims into providing financial and other sensitive business information.

Today we released the fourth edition of Cyber Signals highlighting a surge in cybercriminal activity around business email compromise (BEC). Microsoft has observed a 38 percent increase in cybercrime as a service (CaaS) targeting business email between 2019 and 2022.[1]

Successful BEC attacks cost organizations hundreds of millions of dollars annually. In 2022, the FBI’s Recovery Asset Team (RAT) initiated the Financial Fraud Kill Chain (FFKC) on 2,838 BEC complaints involving domestic transactions with potential losses of more than USD590 million.[2]

BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception. Between April 2022 and April 2023, Microsoft Threat Intelligence detected and investigated 35 million BEC attempts with an adjusted average of 156,000 attempts daily. 


Common BEC tactics

Threat actors’ BEC attempts can take many forms—including via phone calls, text messages, emails, or social media. Spoofing authentication request messages and impersonating individuals and companies are also common tactics. 

Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking direct action like unknowingly sending funds to money mule accounts that help criminals perform fraudulent money transfers.  

Unlike a “noisy” ransomware attack featuring disruptive extortion messages, BEC operators play a quiet confidence game using contrived deadlines and urgency to spur recipients who may be distracted or accustomed to these types of urgent requests. Instead of novel malware, BEC adversaries align their tactics to focus on tools improving the scale, plausibility, and in-box success rate of malicious messages. 

Microsoft observes a significant trend in attackers’ use of platforms like BulletProftLink, a popular service for creating industrial-scale malicious mail campaigns, which sells an end-to-end service including templates, hosting, and automated services for BEC. Adversaries using this CaaS are also provided with IP addresses to help guide BEC targeting.   

BulletProftLink’s decentralized gateway design, which includes Internet Computer blockchain nodes to host phishing and BEC sites, creates an even more sophisticated decentralized web offering that’s much harder to disrupt. Distributing these sites’ infrastructure across the complexity and evolving growth of public blockchains makes identifying them, and aligning takedown actions, more complex.  

While there have been several high-profile attacks that take advantage of residential IP addresses, Microsoft shares law enforcement and other organizations’ concern that this trend can be rapidly scaled, making it difficult to detect activity with traditional alarms or notifications.  

Although threat actors have created specialized tools to facilitate BEC, including phishing kits and lists of verified email addresses targeting C-suite leaders, accounts payable leads, and other specific roles, there are methods that enterprises can employ to preempt attacks and mitigate risk.  

BEC attacks offer a great example of why cyber risk needs to be addressed in a cross-functional way with IT, compliance, and cyber risk officers at the table alongside executives and leaders, finance employees, human resource managers, and others with access to employee records like social security numbers, tax statements, contact information, and schedules.   

Recommendations to combat BEC

  • Use a secure email solution: Today’s cloud platforms for email use AI capabilities like machine learning to enhance defenses, adding advanced phishing protection and suspicious forwarding detection. Cloud apps for email and productivity also offer the advantages of continuous, automatic software updates and centralized management of security policies.  
  • Secure identities to prohibit lateral movement: Protecting identities is a key pillar to combating BEC. Control access to apps and data with Zero Trust and automated identity governance.  
  • Adopt a secure payment platform: Consider switching from emailed invoices to a system specifically designed to authenticate payments.  

Learn more

Read the fourth edition of Cyber Signals today.

For more threat intelligence insights and guidance, including past issues of Cyber Signals, visit Security Insider.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


End notes

1. Cyber Signals, Microsoft.

2. Internet Crime Complaint Center Releases 2022 Statistics, FBI.

How Microsoft can help you go passwordless this World Password Day http://approjects.co.za/?big=en-us/security/blog/2023/05/04/how-microsoft-can-help-you-go-passwordless-this-world-password-day/ Thu, 04 May 2023 13:00:00 +0000 Learn how guessing, replay, phishing, and multifactor authentication fatigue attacks demonstrate the ongoing vulnerability of passwords, and why going passwordless makes your organization more secure while improving user experience.

It’s that time of year again. World Password Day is May 4, 2023.1 There’s a reason it’s still going strong 10 years after being created by cybersecurity professionals. A recent study that analyzed more than 15 billion passwords found that the top 10 most popular passwords still include easy-to-crack combinations like “123456” and “qwerty.”2 With that level of security, many organizations are essentially leaving the front door open. Sharing your password for a streaming service may seem harmless (their accountants might disagree), but this behavior sometimes bleeds into the workplace, where weak or shared employee passwords often become one of the largest security threat vectors that companies face.

In 2022, Microsoft tracked 1,287 password attacks every second (more than 111 million per day).3 Phishing is an increasingly favored attack method, up 61 percent from 2021 to 2022.4 And our data for 2023 shows that this trend is continuing. Passwords should play no part in a future-looking credential strategy. That’s why you don’t need a password for Microsoft Accounts—hundreds of thousands of people have deleted their passwords completely.5

For stronger, streamlined security, Microsoft passwordless authentication can help your organization eliminate password vulnerabilities while providing simplified access across your entire enterprise. In honor of World Password Day, this blog will help you make the case to your organization that when it’s time to “verify explicitly” as part of a Zero Trust strategy, modern strong authentication using phishing-resistant passwordless credentials provides the best security and an excellent return on investment (ROI).

Go passwordless for simplicity, security, and savings

If you’ve read my blog on why no passwords are good passwords, you know my feelings on this subject. To quote myself: “Your password isn’t terrible. It’s definitely terrible, given the likelihood that it gets guessed, intercepted, phished, or reused.” As Microsoft Chief Information Security Officer Bret Arsenault likes to say, “Hackers don’t break in—they log in.”

Passwords alone are simply not sufficient protection. Old-fashioned multifactor authentication bolts a second factor onto a password to add a layer of protection, but the most popular of these—telephony—is also the most problematic (see my blog about hanging up on phone transports to understand why telephony is a poor option for multifactor authentication). Even with strong methods, like using Microsoft Authenticator to augment a password, you still have the vulnerability of the password itself. The best password is no password—and you can get there today with Windows Hello, security keys, or, my favorite, Microsoft Authenticator.

Graphic showing a range of identity protection methods, going from bad to best. The first column on the left shows bad passwords; the second column shows good password; the third column shows better passwords; and the fourth column shows best passwords.

Figure 1. Identity protection methods are not made equal; certain protections are far more secure than others.

In 2022, Microsoft committed to the next step of making passwords a thing of the past by joining with the FIDO Alliance and other major platforms in supporting passkeys as a common passwordless sign-in method. Passkeys aim to not only replace passwords with something more cryptographically sound, but that’s also as easy and intuitive to use as a password. Passwordless technology, such as Windows Hello, that’s based on the Fast Identity Online (FIDO) standards, strengthens security by doing the verification on the device, rather than passing user credentials through an (often vulnerable) online connection. It also provides a simplified user experience, which can help boost productivity as well.

That was the goal when longtime Microsoft collaborator Accenture decided to simplify their user experience by removing the requirement for password authentication. With 738,000 employees spread across 49 countries, the company decided it was in its best interest to make their identity and access management (IAM) automated and easy. Accenture chose the Microsoft Authenticator app, Windows Hello for Business, and FIDO2 security keys as its passwordless authentication solutions. As described in their case study, the results are already being felt: “The adoption of passwordless has led to faster login times, more reliable experience, fewer failed authentications, and improved overall security posture.”6

Whether you’re part of a global organization like Accenture or a small startup, the authentication methods policy in Microsoft Azure Active Directory (Azure AD)—now part of Microsoft Entra—allows your IAM team to easily manage passwordless authentication for all users from a single pane of glass. Even better, a recent Forrester Consulting study found that a composite organization based on interviewed customers securing its business apps with Azure AD benefited from a three-year 240 percent ROI (a net present value of USD8.5 million over three years) while reducing the number of password reset requests to its help desk by a significant 75 percent annually.7

Multifactor authentication can’t do it all

A 2021 report by the Ponemon Institute found that phishing attacks were costing large United States-based companies an average of USD14.8 million annually.8 That’s way up from 2015’s figure of USD3.8 million. Microsoft alone blocked 70 billion email and identity attacks in 2022. But on the positive side, multifactor authentication has been shown to reduce the risk of compromise by 99.9 percent for identity attacks.9 That’s a pretty stellar statistic, but it’s not bulletproof, especially when considering that SMS is 40 percent less effective than stronger authentication methods.10 Attackers are always learning and improvising, as shown in the rise of multifactor authentication fatigue attacks. In this type of cyberattack:

  1. The threat actor uses compromised credentials (often obtained through a phishing attack) to initiate an access attempt to a user’s account.
  2. The attempt triggers a multifactor authentication push notification to the user’s device, such as “Did you just try to sign in? Yes or no.”
  3. If the targeted person doesn’t accept, the attacker keeps at it—flooding the target with repeated prompts.
  4. The victim becomes so overwhelmed or distracted, they finally click “yes.” Sometimes the attacker will also use social engineering, contacting the target through email, messaging, or phone pretending to be a member of the IT team.

One widely publicized multifactor authentication fatigue attack happened in September 2022, when an 18-year-old hacker used the compromised credentials of a contractor to gain access to a major rideshare company’s internal networks. Once inside, he was able to access tokens for the company’s cloud infrastructure and critical IAM service. Our research was ahead of this type of attack back in 2021 when we built multifactor authentication defenses into the Authenticator app, including number matching and additional context. To learn more, be sure to read my blog post: Defend your users from multifactor authentication fatigue attacks.

All identity protection rests on Zero Trust

Zero Trust is just another way of describing proactive security: the measures you take before bad things happen. It’s based on one simple principle: “Never trust; always verify.” In today’s decentralized, bring-your-own-device (BYOD), hybrid and remote workplace, Zero Trust provides a strong foundation for security based on three pillars:

  • Verify explicitly: Authenticate every user based on all available data points—identity, location, device health, service or workload, data classification, and anomalies.
  • Use least-privilege access: This means limiting access according to the user’s specific role and task. You should also apply risk-based policies and adaptive protection to help secure your data without hindering productivity.
  • Assume breach: This allows your security team to minimize the blast radius and prevent lateral movement if a breach occurs. Maintaining end-to-end encryption and using analytics will also strengthen threat detection and improve your defenses.

And when it comes to “verify explicitly” as part of Zero Trust, no investment in the field of credentials is better than a passwordless journey; it literally moves the goalposts on the attackers.

May the Fourth be with you all!

Security year round

At Microsoft Security, we believe security is about people. Empowering users with strong, streamlined access from anywhere, anytime, on any device is part of that mission. Learn more about Microsoft passwordless authentication and how it can help your organization eliminate vulnerabilities while providing fast, safe access across your entire enterprise.



1. World Password Day, National Day Calendar.

2. Most common passwords: latest 2023 statistics, Paulius Masiliauskas. April 20, 2023.

3. Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

4. Over 255m phishing attacks in 2022 so far, Security Magazine. October 26, 2022.

5. The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.

6. A passwordless enterprise journey, Accenture.

7. The Total Economic Impact™ of Microsoft Entra, a commissioned study conducted by Forrester Consulting. March 2023.

8. New Ponemon Institute Study Reveals Average Phishing Costs Soar to $14.8M Annually, Nearly Quadrupling Since 2015, GlobeNewswire. August 17, 2021.

9. 17 Essential multi-factor authentication (mfa) statistics [2023], Jack Flynn. February 6, 2023.

10. How effective is multifactor authentication at deterring cyberattacks? Lucas Meyer, et al. May 1, 2023.

Why you should practice rollbacks to prevent data loss in a ransomware attack http://approjects.co.za/?big=en-us/security/blog/2023/04/27/why-you-should-practice-rollbacks-to-prevent-data-loss-in-a-ransomware-attack/ Thu, 27 Apr 2023 16:00:00 +0000 Tanya Janca, Founder and Chief Executive Officer of We Hack Purple, shares insights on application security and offers strategies to protect against data loss from ransomware attacks.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Tanya Janca, Founder and Chief Executive Officer (CEO) of We Hack Purple, who is known as SheHacksPurple and is the best-selling author of Alice and Bob Learn Application Security. The thoughts below reflect Tanya’s views, not the views of Tanya’s employer or Microsoft, and are not legal advice. In this blog post, Tanya talks about how to address ransomware attacks and the importance of security in development.

Brooke: You are known as SheHacksPurple. How did you become interested in hacking?

Tanya: I started coding as a teenager. Both of my aunts and three of my uncles are computer scientists, so learning to code did not seem out of place. I thought, “Every woman codes. Isn’t that the way?”

At college, I studied computer science and then was a software developer until around 2015, when I switched full time to security. I became more obsessed with security and software during my last two years in software development. I wanted to fix the bug and work with the penetration tester. I hustled my security team where I worked and after a year, one of them said, “We are posting a job for a security person and the job is for you. It was never for anyone else.” I joined that team.

I started speaking at conferences because you get in free, and when working for the federal government, they did not have a ton of money to fly me to another country for some cool training as part of a conference. I started getting plane tickets sent from all around the world and I flew everywhere.

Microsoft reached out and said, “We want to hire a developer advocate who understands security,” and I said, “Is this a prank call? Come on, that’s not a real job. You don’t get paid to do my hobby.” And they are like, “Yes, you do.”

Brooke: How valuable are information security certifications or any other certifications?

Tanya: Certifications have value depending on where you are in your career and the types of jobs you are looking for. There are not many application security certifications. There is one from my company, We Hack Purple. It is not widely recognized.

If you want a specific type of job, studying for a certification will teach you a lot. If you are new in your career, it shows evidence that you know something. One of the problems when you get a job in information security is that there is no clear career path and the people hiring you do not have the technical expertise to know what to ask you.

I have no certifications except for the ones from We Hack Purple. I have a college diploma and I took courses from the University of Maryland. The work I got was based on experience and mentors vouching for me. When people ask “Should I get one?” I say that if you have an active GitHub where you find bugs and fix all of them, that is evidence of skill. Sometimes, a certification helps with that, but they are not all created equal, and it costs a lot of money.

Brooke: What can companies do to protect themselves from ransomware attacks?

Tanya: Every IT department, even if you are not afraid of ransomware, should do backups and practice rollbacks. I worked somewhere once, and we had a glitch where 2,000 people lost all their work for the day. We still had copies of everything from the day before on our local machines, but a backup had not been done the night before. The backup team said it would take a month to replace that one day of work. And they said, “We don’t even know if it will work and it will copy over everything you have done in the meantime, so let’s not bother.”

I said to my boss, “We are going to save so much money because clearly we do not need them. They never practice the backup. Think of how many more developers we can hire.” Doing backups is good, but even better is practicing rollbacks so you can roll back in a reasonable amount of time and roll back more than just files. We need to roll back everything.

At We Hack Purple, we back up my machine in a special backup that no one else is in because I’m the CEO and I create most of the content. We also have a backup in the cloud and another physical backup in a different location that we do every week. If ransomware happens, I have everything backed up. There are companies that get hit with ransomware and just think, “Go away” and then they just roll everything back in an hour.

It is important to ensure that your backups are not attached to your network. Everyone has their fancy backup drive still connected to their computer and the ransomware is like “Excellent. I shall now encrypt your backup.”

About 60 percent of small businesses go out of business in the month after a cyberattack.1 Because we are such a small company, if we lose one of our people, that is a huge enough risk. But imagine we lose all their work. That is even worse.

Brooke: How can tech leaders limit the frequency and severity of a ransomware attack?

Tanya: Get training for your company on what ransomware looks like and how to defend yourselves. For instance, do not save to your local computer. Save to the cloud like everyone else. You can download local copies to your machine but emphasize what it is like to lose your work and how bad it would be.

I am getting everyone to turn on multifactor authentication because it is extra defense and could block an attack from being successful. I am a huge fan of password managers. At my company, everyone must use a password manager. They make up unique, long, and random passwords that human beings would never guess, and that computers have trouble guessing.

Helping employees protect themselves in their private life gives them even more practice using the password manager.

Brooke: At what part of a development cycle does security come in?

Tanya: We used to bring security in at the end and they would do a penetration test and it would be like shooting fish in a barrel. They would tell you all the things you have done wrong, but because it is close to go-time, they would fix one or two things, put a big bandage on it, and send it out the door.

For a long time, I would give conference talks, write blog articles, and say, “We need to shift security left,” and by left, I mean earlier in the system development lifecycle. It is cheaper, faster, and easier to fix security problems there, whether it be a design flaw or a security bug. But marketing teams got a hold of that and there are all sorts of products that have the word “shift” in the name. What they meant is buy our product, put it in your continuous integration/continuous deployment (CI/CD) pipeline, and all your dreams will come true. The term got co-opted.

Brooke: If you could impact one thing in security, what would it be and why?

Tanya: On a professional level, it would be that more universities and colleges start teaching secure coding. If they are going to work in information security, one of the classes should be about application security. I wrote my book “Alice and Bob Learn Application Security” hoping universities would teach it and they only want to teach it in cybersecurity programs. I am happy about that, but 100 percent of them refused to teach it to the computer science students and I said, “But they are the ones making all the bad code.”

On a personal level, I want information security to be inclusive of everyone. I want all the LGBTQIA people to show up. I want all the women to show up. I want people of every race and religion to show up. I want disabled people to show up. Everyone can contribute effectively, but there must be space for them.

Learn more

If you’re attending the RSA Conference, do not miss Tanya’s sessions: “Adding SAST to CI/CD, without losing any friends” on April 26, 2023, “DevSecOps worst practices” on April 27, 2023, and “Creating a great DevSecOps culture” on April 27, 2023. And to learn more about Microsoft’s DevSecOps and shift left security solutions, visit the DevSecOps tools and DevSecOps services and Microsoft Defender for DevOps pages.

Learn more about general data security from Microsoft.



1. 60 Percent of Companies Fail in 6 Months Because of This (It’s Not What You Think), Thomas Koulopoulos. May 11, 2017.

Healthy security habits to fight credential breaches: Cyberattack Series http://approjects.co.za/?big=en-us/security/blog/2023/04/26/healthy-security-habits-to-fight-credential-breaches-cyberattack-series/ Wed, 26 Apr 2023 16:00:00 +0000 This is the second in an ongoing series exploring some of the most notable cases of the Microsoft Incident Response Team. In this story, we’ll explore how organizations can adopt a defense-in-depth security posture to help protect against credential breaches and ransomware attacks.

Fifty percent of Microsoft cybersecurity recovery engagements relate to ransomware,1 and 61 percent of all breaches involve credentials.2 In this second report in our ongoing Cyberattack Series, we look at the steps taken to discover, understand, and respond to a push-bombing request that targeted a legitimate user, allowing an attacker to authenticate and register their own mobile device.

Credential-based attacks begin with the process of stealing or obtaining credentials illegitimately. Often attackers target individuals who they believe have the credentials they need, then conduct social and dark web research on them. Phishing emails and websites created to target corporate targets only need to succeed once to gain credentials that can be sold to and shared with other bad actors.

Push-bombing is when an attacker uses a bot or script to trigger multiple access attempts with stolen or leaked credentials. The attempts trigger a rush of push notifications to the target user’s device, which should be denied. But multiple attempts can confuse a target and cause them to mistakenly allow authentication. Other times, multifactor authentication fatigue can weigh on the target, causing them to believe the access attempts are legitimate. Just one mistaken “allow” is all it takes for an attacker to gain access to an organization’s applications, networks, or files.
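The push-bombing pattern described here, like the four-step multifactor authentication fatigue sequence in the passwordless post above, leaves a recognizable trace in sign-in telemetry: a burst of prompts the user denies or ignores, sometimes followed by a single approval. The detector below is an added example, not code from these posts or from Microsoft; it assumes a constructed tab-separated log format and thresholds (a five-minute window, four prompts) that a defender would tune to their own tenant.

```python
"""Push-bombing (MFA fatigue) burst detector.

Added example; not code from the Microsoft blog posts above. The log format
is constructed for this example: one sign-in event per line, tab-separated:

    <UTC timestamp>  <user>  <mfa_result>  <source_ip>

where mfa_result is prompt_denied, prompt_timeout, or prompt_approved.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Prompts the user did not approve: the signature of a flood the target is
# resisting until the "one mistaken allow" the post describes.
UNANSWERED = frozenset({"prompt_denied", "prompt_timeout"})

# Constructed sample log. alice is flooded with six prompts in three minutes
# and approves the last one; bob and alice's later sign-in are normal.
SAMPLE_LOG = """\
2023-04-18T09:00:05Z\talice\tprompt_denied\t203.0.113.7
2023-04-18T09:00:41Z\talice\tprompt_denied\t203.0.113.7
2023-04-18T09:01:12Z\talice\tprompt_timeout\t203.0.113.7
2023-04-18T09:01:50Z\talice\tprompt_denied\t203.0.113.7
2023-04-18T09:02:30Z\talice\tprompt_timeout\t203.0.113.7
2023-04-18T09:03:02Z\talice\tprompt_approved\t203.0.113.7
2023-04-18T09:15:00Z\tbob\tprompt_approved\t198.51.100.4
2023-04-18T11:30:00Z\talice\tprompt_approved\t192.0.2.10
"""


@dataclass
class Event:
    ts: datetime
    user: str
    result: str
    ip: str


@dataclass
class Alert:
    user: str
    window_start: datetime
    last_seen: datetime
    prompts: int
    unanswered: int
    approved_after_burst: bool = False   # the event that needs a response
    source_ips: set[str] = field(default_factory=set)


def parse_line(line: str) -> Event:
    """Parse one tab-separated line of the constructed log format."""
    ts, user, result, ip = line.rstrip("\n").split("\t")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(when, user, result, ip)


def detect_push_bombing(log_text: str, *, window: timedelta = timedelta(minutes=5),
                        min_prompts: int = 4) -> list[Alert]:
    """Flag users who get min_prompts or more MFA prompts inside `window` with
    nearly all of them denied or ignored. An alert stays open while the burst
    continues and records whether the user eventually approved a prompt."""
    recent: dict[str, deque[Event]] = defaultdict(deque)
    open_alert: dict[str, Alert] = {}
    alerts: list[Alert] = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)

        # Sliding window of this user's prompts (q always contains ev itself).
        q = recent[ev.user]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()

        # A burst that has been quiet for a full window is over.
        alert = open_alert.get(ev.user)
        if alert is not None and ev.ts - alert.last_seen > window:
            del open_alert[ev.user]
            alert = None

        if alert is not None:
            # Burst continues: extend the existing alert rather than re-firing.
            alert.last_seen = ev.ts
            alert.prompts += 1
            alert.unanswered += int(ev.result in UNANSWERED)
            alert.source_ips.add(ev.ip)
            alert.approved_after_burst |= ev.result == "prompt_approved"
            continue

        unanswered = sum(e.result in UNANSWERED for e in q)
        if len(q) >= min_prompts and unanswered >= min_prompts - 1:
            alert = Alert(user=ev.user, window_start=q[0].ts, last_seen=ev.ts,
                          prompts=len(q), unanswered=unanswered,
                          approved_after_burst=any(e.result == "prompt_approved" for e in q),
                          source_ips={e.ip for e in q})
            open_alert[ev.user] = alert
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(f"{a.user}: {a.prompts} prompts from {a.window_start:%H:%M:%S}, "
              f"{a.unanswered} unanswered, approved={a.approved_after_burst}, "
              f"ips={sorted(a.source_ips)}")
```

An alert with approved_after_burst set is the case to act on first: revoke the session, and check for a device or authentication method registered right after the approval, which is how the attacker in this report persisted.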

On average, people receive between 60 and 80 push notifications each day, with some of us viewing more than 200.3 The time it takes to swipe, tap, flag, click, save, and close every ding, buzz, pop-up, text, and tab takes a toll. Researchers believe the onslaught of notifications is causing us to get tired faster and lose focus, leaving us especially prone to distraction as the day wears on.4 This is what attackers count on. If an attacker gains the credentials to operate like a registered, legitimate user, identifying the intrusion and tracing their possible paths of destruction becomes paramount.

Late last year, a large enterprise customer asked Microsoft Incident Response to investigate an incursion into their on-premises Active Directory environment. Due to the risk of ongoing threats and the need for continued vigilance, the organization and attacker will be kept anonymous for this incident, and we will refer to it as “the inCREDible attack.” This credential-based incident highlights the critical need for establishing healthy habits in our security maintenance processes to combat the regular, repeated, and overwhelming credential attacks faced by today’s organizations.

In this report, we examine the factors contributing to the threat actor’s initial incursion and explore what could have happened without prompt, tactical mitigation efforts. Then we detail the required workstreams, recommended timing, and activities involved with regaining control and establishing a plan going forward. We’ll also explore four core steps customers can take to “eat their vegetables” and establish healthy habits that help minimize the risk of attack. And then we share five elements of a defense-in-depth approach that can help businesses maintain a robust defense against ransomware attacks.

Many attacks can be prevented—or at least made more difficult—through the implementation and maintenance of basic security controls. Organizations that “eat their vegetables” can strengthen their cybersecurity defenses and better protect against attacks. That means establishing a solid inventory of all technology assets, continually patching operating systems and software, and implementing comprehensive centralized log collection—all while following a well-defined retention policy. Read the report to go deeper into the details of the push-bombing attack, including the response activity, and lessons that other organizations can learn from this inCREDible case.

What is the Cyberattack Series?

With this Cyberattack Series, customers will discover how Microsoft incident responders investigate unique and notable exploits. For each attack story, we will share:

  • How the attack happened
  • How the breach was discovered
  • Microsoft’s investigation and eviction of the threat actor
  • Strategies to avoid similar attacks

Read the first blog in the Cyberattack Series, Solving one of NOBELIUM’s most novel attacks.

Learn more

To learn more about Microsoft Incident Response, visit our website or reach out to your Microsoft account manager or Premier Support contact.



1. Microsoft Digital Defense Report 2022, Microsoft. 2022.

2. 2022 Data Breach Investigation Report, Verizon. 2022.

3. Batching smartphone notifications can improve well-being, Nicholas Fitz, et al. December 2019.

4. Phone Notifications are Messing with your Brain, Molly Glick. April 29, 2022.

Stay compliant and protect sensitive data with Zero Trust security http://approjects.co.za/?big=en-us/security/blog/2023/04/24/stay-compliant-and-protect-sensitive-data-with-zero-trust-security/ Mon, 24 Apr 2023 17:00:00 +0000 Learn how to secure data and identities and meet compliance requirements with a comprehensive Zero Trust approach.

Regulatory standards frequently shift and tighten, especially with the rise of hybrid work environments. And with the explosion of data growth, organizations have seen a massive uptick in cybersecurity issues and needs. According to IBM’s 2022 Cost of a Data Breach Report, 83 percent of organizations experienced more than one data breach in their lifetime.1 Of these instances, 20 percent of the data breaches are due to malicious internal actors. If that statistic isn’t enough to illustrate the evolving threat landscape, almost 40 percent of organizations reported the average cost of a single data breach from an insider event was more than USD500,000, with an average of 20 events per year, according to our Building a Holistic Insider Risk Management Program report.2

As more organizations shift to a hybrid work model, cybersecurity leaders need a way to strengthen and secure growing boundaries. They are struggling now more than ever with a fragmented solution landscape and increased, more sophisticated threats to data security.

A Zero Trust architecture is a critical component to modernizing security programs and ensuring sensitive organizational data and identities are kept safe. Plus, it can help organizations stay in compliance with regulatory standards.

In this blog, we’ll discuss how implementing a Zero Trust framework helps organizations meet compliance and data security requirements, prevent, identify, and secure sensitive business data, and reduce business damage from a breach.

As regulatory and compliance requirements evolve in response to technological transformations, organizations must rapidly modernize their security posture to protect sensitive data and processes. A Zero Trust architecture is a comprehensive security strategy to help you secure your data and prepare your organization for future threats.

Prevent and reduce business damage from a breach by internal or external bad actors

Applying the Zero Trust principle of “assume breach” helps proactively minimize the impact of security attacks from internal and external bad actors by implementing specific security measures using all available data points and enforcing least privileged access to secure digital environments:

  • Data classification and end-to-end encryption.
  • Sequence detection and user context to detect critical insider risks.
  • Policy configuration to prevent data loss.
  • Automated threat detection and response.

Implementing redundant security mechanisms, collecting system telemetry and using it to detect anomalies, and—wherever possible—connecting that insight to automation empowers a business to prevent, respond, and remediate data security incidents efficiently.

Assuming breach involves organizations first determining if they have the right data security strategies and controls in place and if they can measure their breach risk. This also involves understanding both internal and external activity around sensitive data, wherever it lives and throughout its entire lifecycle. A Zero Trust lens can help organizations implement the right protection to detect and remediate modern and evolving cyber risks and vulnerabilities in a timely, preventative manner.

Managing insider risks provides insights into events that could potentially lead to data theft or other exfiltration activities happening inside of your organization. And by configuring dynamic policies with protective actions, you can prevent data from unauthorized use across apps, services, and devices, even in hybrid work environments. Implementing a Zero Trust architecture helps organizations confidently prevent sensitive data loss.

Identifying the business risk of a data breach, including the resulting damage to reputations and relationships, also reduces the impact of a major incident on the organization's data security structure, financial health, and market reputation. A Zero Trust framework provides the visibility, controls, and redundancy necessary to quickly detect, deter, and defend against data security risks, and to secure sensitive data by proactively detecting and minimizing those risks.

Implementing a Zero Trust architecture ultimately bridges the gap between data security and productivity, without compromising either. Reducing the blast radius of security attacks and using proper access controls strengthens security posture, which helps to minimize reputational damage, the financial costs of a security breach, cyber insurance premiums, and employee burnout among security teams.

Identify and protect sensitive business data and identities

Figure 1. Through a comprehensive Zero Trust approach, organizations can secure their most precious data and devices and prevent bad internal and external actors from breaching.

Identifying the most critical data and identities is important for a Zero Trust approach. A more robust security posture begins by understanding the organization’s security architecture before integrating controls and signaling across layers to apply and enforce unified policies. The Zero Trust architecture extends throughout the entire digital estate and serves as an integrated, unified security strategy to reduce the complexity and time-consuming aspects of end-to-end security.

Organizations must first gain visibility into what assets—such as identities, endpoints, apps, networks, infrastructure, and data—exist within their organization. They should then assess the current risk to those assets and identify which assets to prioritize and which ones users are interacting with.

Securing sensitive data must involve these key steps:

  • Gaining visibility into the existence (across multicloud, on-premises, and hybrid environments) and risks associated with how sensitive data is being used, accessed, and shared through built-in, ready-to-use machine learning models.
  • Understanding insider risks by gaining insight into how users are interacting with sensitive data and leveraging sequence detection to understand user intent.
  • Preventing data loss by preventing sensitive data from unauthorized use across apps, services, and devices.
  • Leveraging dynamic controls to adjust data loss prevention policies to address the most critical data risks.

These steps enable organizations to adopt a comprehensive end-to-end strategy to manage security and apply protection actions—such as encryption, access restrictions, and visual markings—that safeguard your data, even if it leaves the devices, apps, infrastructure, and networks that the organization controls.

When data and sensitive content is understood, classified, and identified, organizations can:

  • Inform and enforce policy decisions to block sharing of emails, attachments, or documents that contain sensitive data.
  • Encrypt files with sensitivity labels on device endpoints.
  • Auto-classify content with sensitivity labels through policy and machine learning.
  • Detect sensitive data that travels inside and outside your digital estate and understand user context to better investigate and mitigate risks.
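As an added example (not Microsoft's code or product logic), the following Python sketch shows the classify-then-enforce pattern the list above describes: pattern detectors assign a document the highest matching sensitivity label, and a sharing policy keyed on that label allows, conditions, or blocks an outbound share. The detector patterns, label names, domains and sample document are constructed for illustration.

```python
"""Auto-classification and sharing-policy check (constructed example, not
Microsoft code). A document is scanned for sensitive-data patterns, receives
the highest matching sensitivity label, and that label decides whether an
outbound share is allowed, allowed only with encryption, or blocked."""
import re

# Ordered least to most sensitive; list position is the rank.
LABELS = ["General", "Confidential", "Highly Confidential"]

# Detector name -> (pattern, label). Patterns are deliberately simplified.
DETECTORS = {
    "credit_card": (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "Highly Confidential"),
    "us_ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Highly Confidential"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "Confidential"),
    "codename": (re.compile(r"\bProject\s+[A-Z][a-z]+\b"), "Confidential"),
}


def classify(text: str) -> tuple[str, list[str]]:
    """Return (label, names of detectors that fired); label is the highest rank."""
    label, hits = "General", []
    for name, (pattern, detector_label) in DETECTORS.items():
        if pattern.search(text):
            hits.append(name)
            if LABELS.index(detector_label) > LABELS.index(label):
                label = detector_label
    return label, hits


def sharing_decision(label: str, recipient_domain: str, org_domain: str) -> str:
    """Internal shares pass; Confidential leaves only encrypted;
    Highly Confidential never leaves the organization."""
    if recipient_domain.lower() == org_domain.lower():
        return "allow"
    if label == "Highly Confidential":
        return "block"
    if label == "Confidential":
        return "allow_encrypted"
    return "allow"


# Constructed sample: a well-known test card number and a reserved example domain.
SAMPLE_DOC = "Invoice for Project Falcon. Card 4111 1111 1111 1111, contact bob@example.org"

if __name__ == "__main__":
    lbl, found = classify(SAMPLE_DOC)
    print(lbl, found, sharing_decision(lbl, "partner.test", "example.org"))
```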

Fine-tuned adaptive access controls, such as requiring multifactor authentication or device security policies, based upon user context, device, location, and session risk information, move the security perimeter to where data lives and encourage strict control over digital identities and identity access. This enables the implementation of security controls within each layer of the security architecture to further segment access.

Policies and real-time signals are required to determine when to allow, block, or limit access, or require additional proofs like multifactor authentication so that organizations can improve boundaryless collaboration without putting their data at risk.
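The allow, limit, block, or require-additional-proof decision described above, as an added Python example that is not Microsoft's code or the logic of any Microsoft product: each request carries the signals the post names (user context, device compliance, location, session risk) and a fixed rule order decides the outcome. The signal names, value sets and rule priorities are constructed assumptions.

```python
"""Adaptive access evaluator (constructed example, not Microsoft code).
Signals: user context, device compliance, location, session risk.
Outcomes: allow, require additional proof (MFA), limit, or block."""
from dataclasses import dataclass
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up: ask for an additional proof
    LIMIT = "limit"               # e.g. view-only session, no download
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource_sensitivity: str     # "public" | "internal" | "confidential"
    device_compliant: bool        # managed device meeting security policy
    location_trusted: bool        # e.g. corporate network or known location
    session_risk: str             # "low" | "medium" | "high"
    mfa_satisfied: bool = False   # has the user already passed MFA?

    def __post_init__(self) -> None:
        if self.resource_sensitivity not in ("public", "internal", "confidential"):
            raise ValueError(f"unknown sensitivity {self.resource_sensitivity!r}")
        if self.session_risk not in ("low", "medium", "high"):
            raise ValueError(f"unknown session risk {self.session_risk!r}")


def evaluate(req: AccessRequest) -> Decision:
    """Rules are checked in priority order; the first match decides."""
    # 1. High session risk is blocked outright, even with MFA satisfied.
    if req.session_risk == "high":
        return Decision.BLOCK
    # 2. Medium risk, an untrusted location, or any non-public data needs MFA.
    needs_mfa = (req.session_risk == "medium" or not req.location_trusted
                 or req.resource_sensitivity != "public")
    if needs_mfa and not req.mfa_satisfied:
        return Decision.REQUIRE_MFA
    # 3. Confidential data from an unmanaged device gets a limited session.
    if req.resource_sensitivity == "confidential" and not req.device_compliant:
        return Decision.LIMIT
    return Decision.ALLOW
```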

By adopting Zero Trust, organizations understand the context of user activity around sensitive data and can prevent unauthorized use or loss of data. Types of data security that help protect against data breaches and help meet regulatory requirements include:

  • Data loss prevention to guard against unauthorized use of sensitive data.
  • Encryption to make files unreadable for unauthorized users.
  • Information protection to help classify sensitive data found in files and documents.
  • Insider risk management to mitigate potentially risky user activity that may result in a data security incident.

Proactively meet regulatory requirements

Microsoft’s Zero Trust security framework can help your organization meet many regulatory and compliance standards by default, including requirements surrounding data, compliance, and law. This involves securing data such as personally identifiable information, financial data, health information, and intellectual property, all of which are at high risk of theft, loss, or exfiltration. Protecting sensitive data is therefore imperative.

While these regulatory standards will differ depending on the organization, they help organizations meet both security and compliance requirements.

Some important regulations include:

Adopting a Zero Trust architecture can also help you exceed standards and requirements, which enhances proactive, preventative security protection and enables:

  • A deeper, more consistent integration across all security pillars, which will simplify unified policy enforcement.
  • Increased empowerment across all security teams, allowing for protection against more sophisticated and serious security attacks.
  • More efficient management of organizational security posture by simplifying how policies are configured and managed and improving on old security practices.
  • Enhanced security that compensates for IT skills shortages and limited staff capacity, ultimately breaking down the silos between security pillars and enabling organizations of different sizes and industries to adopt Zero Trust more easily.
  • Cross-platform and cross-cloud security protection to enable visibility across all workflows and integrate with Microsoft Azure platforms.

A Zero Trust model helps with understanding the policies needed to comply with governance requirements. It enables continuous assessments—from taking inventory of data risks to implementing controls and staying current with regulations and certifications.

Zero Trust journey: How to get started

Organizations can get started by determining their place in the Zero Trust journey:

  • Getting started (first stage): Using strong authentication methods such as multifactor authentication and single sign-on access to cloud apps.
  • Advanced (significant progress): Using real-time insider risk analytics and proactively finding and fixing security issues to reduce threats.
  • Optimal (most mature stage): Using automated threat detection and response across all security pillars to speed up threat detection and prevention.

Embrace Zero Trust security

Adopting an end-to-end Zero Trust strategy is a critical step your organization can take to modernize your security posture and exceed required regulatory and compliance standards. To learn more about implementing Zero Trust with Microsoft:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


The post Stay compliant and protect sensitive data with Zero Trust security appeared first on Microsoft Security Blog.
