The key to fighting ransomware at scale is Microsoft’s unwavering commitment to simplifying, automating, and augmenting security analyst workstreams to meet the demands of today’s and tomorrow’s cyberthreat environment. We are excited to announce that Gartner has named Microsoft a Leader in the 2024 Gartner^® Magic Quadrant™ for Endpoint Protection Platforms for the fifth consecutive time. Notably, Microsoft has moved to a tie for number 1 on the Vision Axis. We believe this announcement reflects Microsoft’s continued progress in helping organizations protect their endpoints against even the most sophisticated attacks, while driving continued efficiency for security operations center (SOC) teams.

Microsoft Defender for Endpoint is an endpoint security platform that helps organizations secure their digital estate using AI-powered, industry-leading endpoint detection and response across Windows, Linux, macOS, Android, iOS, and Internet of Things (IoT) devices. It is core to Microsoft Defender XDR and built on global threat intelligence—informed by more than 78 trillion daily signals and more than 10,000 security experts—empowering security teams to fend off sophisticated threats.²

Our customers and partners have been an invaluable part of this multiyear journey, and we are grateful for both their business and their partnership. Read the complimentary report providing more details on our positioning as a Leader.

Microsoft Defender for Endpoint is built from the ground up with operational resilience in mind. It starts with our agent architecture that follows best practices for Windows by limiting its reliance on kernel mode while protecting customers in real-time. It does not load content updates from files in the kernel mode driver. As an added safeguard, we deliver updates to customers applying Microsoft’s long-established safe deployment practices (SDP) model. Customers have full control over how these updates are delivered and how controls are applied to their device estate. This model of shared control helps provide security and resiliency. 

Over the last 12 months, Microsoft has delivered significant innovations that have helped defenders gain the upper hand against cyberthreats including: improved attack disruption, Microsoft Copilot for Security, a new Linux agent, simplified settings management, the unified security operations platform and Microsoft Defender Experts for XDR.

Automatic attack disruption, unique to Microsoft, is a self-defense capability that stops in-progress cyberattacks by analyzing the attacker’s intent, identifying compromised assets, and isolating or disabling assets like users or devices at machine speed. For example, in July 2024 we discovered the CVE-2024-37085 vulnerability. Numerous ransomware operators exploited it to encrypt the entire file system and move laterally in the network. Attack disruption fends off such sophisticated ransomware attempts by blocking lateral movement and remote encryption in a decentralized way across all your device estate—in just three minutes on average.³ This is a capability that Microsoft continues to invest in to disrupt more scenarios even earlier in the cyberattack chain.  

Microsoft Copilot for Security is the industry’s first generative AI that empowers security teams to protect at the speed and scale of AI, generally available as of April 2024. Embedded within the Defender XDR experience, it assists analysts by providing enriched context for faster and smarter decisions. It accelerates investigation, containment, and remediation with prescriptive step-by-step guidance. Analysts can now easily understand attacker actions with intuitive script analysis and launch complex Kusto Query Language (KQL) queries using plain language. The results from a randomized controlled trial based on 147 security professionals showed significant efficiency gains including speed and quality improvements when using Copilot for Security. Security professionals were up to 22% faster across all tasks, and more than 93% of users wanted to use Copilot again.

A new Linux agent has been built from scratch, using eBPF sensor technology to deliver the performance and stability needed for mission-critical server workloads while providing visibility into cyberthreats. We continue prioritizing innovations across every type of endpoint from Windows, Linux, macOS, iOS, Android, and IoT to provide the holistic endpoint security that organizations need.

Simplified setup and change management help analysts configure devices correctly to minimize threat exposure. With the general availability of simplified settings management, SOC analysts can manage security policies without leaving the Defender XDR portal.

Unified security operations platform brings the foundational tools a SOC needs into a single experience, with a consistent data model, unified capabilities, and broad protection. This unification helps SOCs close critical security gaps and streamline their operations, delivering better overall protection, reducing their response time, and improving overall efficiency. Defender for Endpoint is core to this platform, which combines “the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and generative AI for security.” By working seamlessly across Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot for Security, security analysts need only a single set of automation rules and playbooks. Plus, they can use plain language to execute complex tasks in an instant with Copilot for Security embedded in the platform.

Microsoft Defender Experts for XDR gives your security team coverage with around-the-clock access to Microsoft expertise. Recognizing that sophisticated cyberthreats go beyond the endpoint, Microsoft offers Microsoft Defender Experts for XDR. This managed service is available 24 hours a day, 7 days a week, helping organizations extend their SOC team to fully triage events and respond to incidents across domains.

Thank you to all our customers. You inspire us as together we work to create a safer world.

Learn more

If you’re not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to evaluate our leading endpoint protection platform. 

Are you a regular user of Microsoft Defender for Endpoint? Review your experience on Gartner Peer Insights™ and get a $25 gift card.    

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹2024 Microsoft Digital Defense Report. Publishing October 15, 2024.

²Microsoft Digital Defense Report, Microsoft. 2023.

³Get end-to-end protection with Microsoft’s unified security operations platform, now in public preview, Rob Lefferts. April 3, 2024.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Franz Hinner, Deepak Mishra, Satarupa Patnaik, Chris Silva, September 23, 2024. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, MAGIC QUADRANT and PEER INSIGHTS are registered trademarks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

The post ​​Microsoft is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms appeared first on Microsoft Security Blog.

We are excited to share that Microsoft has again been ranked number one in market share in the IDC Worldwide Modern Endpoint Security Market Shares, 2023: Evolving to Address New Work Modalities (doc #US52341924, June 2024).

And with more than 25.8% of the market share, Microsoft has the endpoint security solution more customers use to defend their multiplatform devices than any other vendor. As depicted in Figure 1, that’s a 40.7% increase in share over the previous year. Thanks to the invaluable partnership with organizations of all sizes around the globe, this distinction comes in addition to Microsoft being recognized as a Leader in the 2024 IDC MarketScape reports for Worldwide Modern Endpoint Security across all three segments—enterprise², midsize³, and small businesses⁴—the only vendor positioned in the “Leaders” category in all three reports. 

Microsoft Defender for Endpoint

Help secure endpoints with industry-leading, multiplatform detection and response.

Learn more

Disrupt ransomware on any platform

For enterprises, Microsoft Defender for Endpoint delivers AI-powered endpoint security with industry-leading, multiplatform threat detection and response across all devices—spanning client, mobile, Internet of Things (IoT), and servers. It is purpose-built to protect against the unique threat profiles per platform including Windows, macOS, Linux, Android, and iOS. It’s a comprehensive endpoint security platform that helps fend off known and emerging cyberattacks, with capabilities that include:

• Vulnerability management.
• Protections tailored to each operating system.
• Next-generation antivirus.
• Built-in, auto-deployed deception techniques.
• Endpoint detection and response.
• Automatic attack disruption of ransomware.

And with more than 78 trillion daily signals and insights from more than 10,000 world-class experts, you can quickly detect, protect, respond to, and proactively hunt for cyberthreats to keep intruders at bay.⁵ Plus, its automatic attack disruption capabilities stop sophisticated attacks with high confidence, so you can disrupt cyberthreats early in the cyberattack chain and block lateral movement of bad actors across your devices.

For small and medium-sized businesses (SMBs), Microsoft Defender for Business goes beyond traditional antivirus protection. Defender for Business delivers many of the enterprise-grade security features from Defender for Endpoint in a way that is easy for SMBs to use without requiring security expertise. 70% of organizations encountering human-operated ransomware attacks have fewer than 500 employees, so choosing the right endpoint protection is imperative.¹ Defender for Business is designed to help you save money by consolidating multiple products into one security solution that’s optimized for your business—and includes out-of-the-box policies that streamline onboarding, simplified management controls for security operations, and monthly security summary reports to help you understand your security posture.

Stay one step ahead of the evolving threat landscape

Defender for Endpoint is core to Microsoft Defender XDR, making it seamless to extend the scope of your organization’s cyberthreat detection to include other layers of your security stack with incident-level visibility across the cyberattack chain. Disrupt advanced cyberattacks and accelerate response—across endpoints, IoT, hybrid identities, email and collaboration tools, software as a service (SaaS) apps, cloud workloads, and data insights.

Built-in, security-specific generative AI with Microsoft Copilot for Security makes it easy for security analysts to rapidly investigate and respond to incidents and help them learn new skills such as quickly reverse-engineering malicious scripts, getting guided response actions, using natural language to do advanced hunting, and more. Copilot is now embedded in Microsoft Defender XDR for Copilot customers.

Learn more

If you are not yet using Microsoft Defender for Endpoint, learn more on our website. If you a regular user of Microsoft Defender for Endpoint, please review your experience on Gartner Peer Insights™ and get a $25 gift card.

If your organization has less than 300 users, we also encourage you to explore Microsoft 365 Business Premium and Defender for Business.  

Learn how to supercharge your security operations with Microsoft Defender XDR.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2023.

²IDC MarketScape: Worldwide Modern Endpoint Security for Enterprises 2024 Vendor Assessment (doc #US50521223, January 2024).

³IDC MarketScape: Worldwide Modern Endpoint Security for Midsize Businesses 2024 Vendor Assessment (doc #US50521323, February 2024).

⁴IDC MarketScape: Worldwide Modern Endpoint Security for Small Businesses 2024 Vendor Assessment (doc #US50521424, March 2024).

⁵Microsoft Threat Intelligence.

The post Microsoft again ranked number one in modern endpoint security market share appeared first on Microsoft Security Blog.

PanelView Plus devices are graphic terminals, also known as human machine interface (HMI) and are used in the industrial space. These vulnerabilities can significantly impact organizations using the affected devices, as attackers could exploit these vulnerabilities to remotely execute code and disrupt operations.

We shared these findings with Rockwell Automation through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in May and July 2023. Rockwell published two advisories and released security patches in September and October 2023. We want to thank the Rockwell Automation product security team for their responsiveness in fixing this issue. We highly recommend PanelView Plus customers to apply these security patches.

The discovered vulnerabilities are summarized in the table below:

In this blog post, we will focus on the technical details of the CVE-2023-2071 remote code execution vulnerability and how it was discovered, as well as provide an overview of the protocol used for both the RCE and DoS vulnerabilities. Additionally, we will offer technical details about the vulnerability and demonstrate the exploitation method. By sharing this research with the larger security community, we aim to emphasize the importance of collaboration in the effort to secure platforms and devices.

Suspicious remote registry query

One of the primary responsibilities of the Microsoft Defender for IoT research team is to ensure that the product properly analyzes various operational technology (OT) and Internet of Things (IoT) protocols. During this process, we observed a legitimate packet capture of two devices communicating using the Common Industrial Protocol (CIP), with one device sending a request containing a path to a registry value named “ProductCode,” and the other device responding with what appeared to be the product code value. The lack of encryption and absence of prior authentication in the communication raised concerns, as it appeared to involve a remote registry query. Further investigation revealed that the requesting device was an engineering workstation, and the responding device was an HMI – specifically, PanelView Plus.

We hypothesized that this remote registry querying functionality could be abused by querying system keys to access secrets or even gain remote control. To validate this hypothesis, we needed to locate the code responsible for this functionality. Since the two devices communicated using the CIP, our first step was to understand the protocol in depth.

Object-oriented protocol for industrial automation applications

CIP is an industrial protocol designed for industrial automation applications. Various vendors in the industrial sector utilize this protocol, and the communication we observed took place over Ethernet/IP – a protocol that adapts CIP to standard Ethernet.

According to the official CIP documentation: “A CIP node is modeled as a collection of Objects. (…) A Class is a set of Objects that all represent the same kind of system component. An Object Instance is the actual representation of a particular Object within a Class.”

From this description, we can deduce that CIP is an object-oriented protocol, where messages are directed towards specific objects, identified by their Class ID and Object Instance ID. Additionally, the term “Service Code” is defined as: “An integer identification value which denotes an action request that can be directed at a particular object instance or object attribute”. Therefore, when messaging an object, we should also specify a Service Code, which informs the object what action it should perform.

The CIP specification outlines common Class IDs and Service IDs, as well as ranges for vendor-specific IDs.

Returning to the packet capture, we observed that both Service ID and Class ID values were vendor specific. This means that to understand the meaning of these Class and Service IDs and locate the code responsible for the functionality, we must analyze the HMI firmware.

Firmware analysis

According to Rockwell Automation’s online resources, PanelView Plus HMIs operate on the Windows 10 IoT (or Windows CE for older versions) operating system. We were able to extract the DLLs and executables related to Rockwell Automation from the most recent firmware. There are several DLLs responsible for receiving different Class IDs and processing their requests, one of which is responsible for processing the Class ID we observed in the packet capture.

Upon examining the functionality associated with this Class ID, we confirmed that it is indeed responsible for querying the registry and sending the value in the response. However, we also discovered that the code managing this functionality performs input verification, allowing the reading of registry values only from specific Rockwell keys.

Potentially exploitable custom class

Although our initial hypothesis was proven incorrect, this finding allowed us to gain valuable insights into Rockwell’s process of handling different CIP classes. Additionally, we learned how to identify the classes that a specific DLL is responsible for processing. This knowledge leads us to our second hypothesis: there might be another custom class, managed by the same DLL as the one responsible for the registry class, that could be exploited to gain remote control of the device.

Remote code execution

We began analyzing the DLL that handles the custom CIP class for reading and writing registry keys and discovered that this DLL also manages two other undocumented custom CIP classes from Rockwell. We decided to investigate these classes further to determine if they could be exploited for our attack and help validate our hypothesis.

Custom class 1

The first class we examined had an intriguing functionality: it accepts a path to a DLL file, a function name, and a third parameter as input. It then loads the DLL using LoadLibrary and calls the specified function using GetProcAddress, passing the third parameter as an argument.

This seemed like a possible avenue for executing arbitrary code. However, there was a catch: the class included a verification function that checked if the DLL name was remotehelper.dll and if the function name was one of the predefined values. If these conditions were not met, the class would return an error and not execute the function.

Custom class 2

Next, we examined the second class found within the same DLL. This class allowed reading and writing files on the device. It also included a verification function, but it was more permissive: it only checked whether the path for reading/writing began with a specific string. We realized that this class could potentially be exploited by uploading a malicious DLL to the device and place it in almost any location.

Exploitation approach

Having gained a comprehensive understanding of the vulnerabilities, we had an idea of how an attacker could utilize the two custom classes to launch code remotely on the device. The idea was to compile a DLL compatible with Windows 10 IoT, the operating system of the device. This DLL would contain the code we wanted to run on the device and would be exported under the name GetVersion, which is one of the valid function names that can be invoked by custom class 1. We would then use custom class 2 to upload our DLL to the device, placing it in a random folder and naming it remotehelper.dll. Finally, we would execute it using custom class 1.

To further explore how the vulnerability can be exploited, we decided to leverage an existing function in the original remotehelper.dll file. We discovered that this file had an export called InvokeExe, which allowed running any executable file on the device. However, this function was not in the list of valid function names for custom class 1, so we could not use it directly. To overcome this obstacle, we patched the remotehelper.dll file and altered one of the valid export names to point to the InvokeExe function. We then uploaded our patched DLL to the device, placing it in a different folder than the original. Subsequently, we used custom class 1 to invoke our patched DLL and run cmd.exe, which granted us a command shell on the device. We confirmed that the exploit was successful and that we had gained full control of the device.

Mitigation and protection guidance

Microsoft recommends the following measures to help protect organizations from attacks that take advantage of the PanelView Plus vulnerabilities shared in this blog post:

• Apply patches to affected devices in your network. FactoryTalk View ME v12/v13 and FactoryTalk® Linx v6.20/v6.30 on PanelView Plus are vulnerable to the discovered vulnerabilities. It is recommended to first identify the devices in your network that are impacted by those vulnerabilities. It is also recommended to install the following patches on the device:
  • PN1645 | FactoryTalk View Machine Edition Vulnerable to Remote Code Execution
  • PN1652 | FactoryTalk® Linx Vulnerable to Denial-of-Service and Information Disclosure
• Make sure all critical devices, such as PLCs, routers, PCs, etc., are disconnected from the internet and segmented, regardless of whether they run Rockwell’s FactoryTalk View.  
• Limit access to CIP devices to authorized components only. 

To assist with identifying impacted devices, Microsoft released a tool for scanning and performing forensics investigation on Rockwell Rslogix devices as part of its arsenal of open-source tools available on GitHub.

Microsoft Defender for IoT detections

Microsoft Defender for IoT provides the following protection measures against these vulnerabilities, associated exploits, and other malicious behavior:  

• Defender for IoT detects and classifies devices that use CIP.  
• Defender for IoT raises alerts on unauthorized access to devices using CIP, and abnormal behavior in these devices.  
• Defender for IoT raises alerts if a threat actor attempts to exploit these vulnerabilities. Alert type: “Suspicion of Malicious Activity”.

Yuval Gordon
Microsoft Threat Intelligence Community

References

• https://www.odva.org/wp-content/uploads/2020/06/PUB00123R1_Common-Industrial_Protocol_and_Family_of_CIP_Networks.pdf
• https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1652.html
• https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1645%20.html

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Vulnerabilities in PanelView Plus devices could lead to remote code execution appeared first on Microsoft Security Blog.

In our first post, we talked about why more of our customers are migrating to cloud-native endpoint management. Our second post presented a three-phase model for how customers can go cloud-native with Intune. In this final post, we’re focusing on what it really takes for organizations to make this valuable change—from the strategic leadership to the tactical execution.

Microsoft Intune

Your command center for endpoint management

Get started 

A change in vision

“Copilot…frees up my time to use my expertise to create more value, and spend less time on lower-value activities, and instead focus on what drives impact and drives change for our clients.”—Sally Penson, Head of Transforming Delivery, UK Insights

Microsoft Copilot for Security and Copilot in Intune signals a shift in the information technology and security landscape. While it is relatively easy to envision how individual tasks and routines may be changed by AI and automation, it is harder to see exactly how this will impact business in five years and beyond, but there’s little doubt it will be significant. Imagining what that impact may be is critical to understanding the opportunities and challenges ahead, and re-defining your capital “V” Vision for your enterprise is fundamental to making the most of it.

Historically, IT has been treated like an electrical utility—make sure that the information is flowing, and if it isn’t, get it back with as little disruption as possible. The future will be a very different place. As I see it, IT is at the start of a truly radical change. Routine maintenance and troubleshooting will be automated away or made easier. This leaves experienced technology experts with more time to focus. They will need to use their knowledge of your business and technology to become value-creators—this is the change in vision that will need to come from the top.

“Have a growth mindset and invest time into developing and learning the ever-evolving technology of cloud management.”—IT administrator, Thorlabs Inc.

BUILD A FOUNDATION FOR AI SUCCESSTechnology and data strategy 

Setting the stage for this transformation now—by expanding your corporate vision to encompass the new tech landscape—can help with the next level of change. But successful implementation will depend on how well you can help your IT professionals align their own vision of their roles, and of themselves, to the changing technology landscape. One theme we hear over and again—especially from customers who have spent years learning and mastering the complex controls and arcana of endpoint management—is “Why would I give up the total control I have now?” or “why fix what isn’t broken?”

These questions and concerns are common to those who have built and mastered their craft in the utility model: This is a complex system that I understand and manage expertly, and it enables the flow of information exactly as we need. This is a model that prioritizes knowledge of and experience with processes and tools. Experts should rightly be proud of their abilities, and some systems and processes simply can’t be updated. The challenge is that for the systems that can be updated, the processes, tools, maintenance, and the complexity of systems will be vastly different. In a world with Copilot and AI-aided automation, process will be secondary to data. The knowledge and experience of problem-solving and of how to harness technology to improve your business will become more valuable than the knowledge of tools. Instead of merely keeping the information flowing, IT teams will need to tap into that flow to find new efficiencies and business opportunities.

And while I am confident in the impacts we will see, I don’t want to leap too far into the future.

Changing the vision of the role of IT administrator isn’t going to happen overnight. The first change that can lay the groundwork for the new mindset the future will require is to prepare your organization to take advantage of the AI and automation that’s already here. That means going cloud-native and moving endpoint management to Intune. Less radical than the changes to come, but no less jarring—this move eliminates the need for a lot of specialized equipment and specialized knowledge of the tools that run it all. It also requires a re-imagining of security, policies, and approaches to endpoint management. Faced with having to start fresh in creating these policies, many choose the status quo. But as we talked about in our first post in this series, moving endpoints to the cloud grants access to the value-add of cloud management and the next generation of technologies. So a fresh mindset is needed, along with a fresh look at device configuration and compliance policies.

I make no assertions that such change is easily accomplished. In fact, we have customers with the directive to change the vision at the top who are stymied at the point of implementation. The human element, the vision an IT admin has for their own future, must be given consideration—and a plan.

A change in process

“It’s time to leave behind the old mindset and start from the beginning.”—IT administrator, Multinational Chemical Company

We have found that the combination of inertia and inherent complexity in making a change to endpoint management solutions causes a lot of hesitation. No one wants to be the one who pushes the button to make the information stop flowing—even if you assure them no such button exists. Customers who have had successful migrations to Intune overcome this hesitation by creating smaller pilot programs, rolling out changes incrementally, and identifying and organizing “champions”—stakeholders committed to the project who advocate for its adoption. Hewlett Packard Enterprise even shared their advice with us for this case study.

With this approach, potential negative outcomes are limited. Small wins can be quantified, and champions help with communicating clearly what’s happening to other stakeholders at every step, building trust and easing minds.

A change in our process

We have heard from customers that the power and flexibility of the Intune platform presents an array of options and configurations that can be daunting. It isn’t possible for our experts to embed with every customer every day—though the FastTrack and Customer Acceleration Teams provide great support and can consult on particularly complex scenarios. What those teams hear over and over is “just tell us what to do.” So we at Intune have decided to change our process a bit, to help our customers to change theirs.

As part of this new approach, we’ve created what we call “one-size-fits-most” guidance to help configure the basic settings companies need to get endpoints more secure and productive with Intune. We’ve also streamlined the Microsoft Intune documentation hub, highlighting this guidance and making the path to implementation a little clearer. Our hope is that the IT administrators tasked with actually making Intune “go” will have the confidence to do just that.

We have also cultivated a robust community around Intune, full of fellow IT administrators and support professionals—which can be a great resource when that “one-size” approach doesn’t quite fit. Find the Intune Tech Community, and engage our Intune customer success team on X or their Tech Community page.

For those whose job entails proving the return on investment (ROI) of Intune we’ve even published a new tool that helps you calculate your ROI with Intune.

Learn more about Microsoft Intune

• Read case studies from Hewlett Packard Enterprise, Petrobras, and AUDI AG.
• Read the Microsoft 365 change guide.
• Read the Microsoft Intune blog.
• Join the conversation on X at @MSIntune and LinkedIn.

The post How to achieve cloud-native endpoint management with Microsoft Intune appeared first on Microsoft Security Blog.

IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of ICT suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each vendor’s position within a given market. The Capabilities score measures vendor product, go-to-market and business execution in the short-term. The Strategy score measures alignment of vendor strategies with customer requirements in a 3-5-year timeframe. Vendor market share is represented by the size of the icons. 

Microsoft Defender for Endpoint is a comprehensive enterprise endpoint security platform that helps organizations secure their digital estate across Linux, macOS, Windows, iOS, Android, and Internet of Things (IoT). It provides AI-powered, industry-leading endpoint detection and response that is core to Microsoft Defender XDR that enables organizations to build a holistic approach with full visibility and signal correlation across security domains. Built on the industry’s broadest threat intelligence informed by more than 65 trillion daily signals and over 10,000 security experts, Defender for Endpoint empowers security teams to fend off sophisticated threats. With the scale and sophistication of enterprise device security in mind, these are some of the ways Defender for Endpoint uniquely empowers analysts:  

• Automatically disrupt ransomware: Terminate sophisticated cyberthreat campaigns like ransomware, business email compromise and adversary-in-the-middle early in the kill chain with automatic attack disruption — an industry-first, Microsoft-patented capability that helps you outmaneuver attackers.  
• Move at machine speed with Security Copilot: Use the industry’s first generative AI security product, embedded in Defender for Endpoint, that enables analysts to use natural language to speed up daily tasks such as investigating and responding to incidents, prioritizing alerts, and upskilling. 
• Put security posture into action: Your best offense is a secure defense, made possible with built-in vulnerability management capabilities like Microsoft Secure Score. Improve the collective security configuration state of your devices with in-console, prioritized recommendations optimized to reinforce best practices across the application, operating system, network, accounts, and controls. Validate your ideal configuration levels against benchmarks collected from vendors, security feeds, and Microsoft Security’s research teams. 
• Catch adversaries early on: Create early-stage, high-fidelity signals that force adversaries to be correct 100% of the time with built-in deception techniques and automatically generate and disperse decoys and lures at scale that resemble real users and assets in your organization. 

Small and medium businesses (SMBs) face an even more challenging landscape—with increasing cyberthreats, coupled with even more limited security staff or expertise. Built on the principle that SMBs need a similar level of protection as enterprises, Microsoft Defender for Business brings many enterprise-grade capabilities from Defender for Endpoint in a simplified and affordable package for organizations with 1-300 employees. Key capabilities for Defender for Business include endpoint detection and response (EDR) with industry first attack disruption, vulnerability management, attack surface reduction (ASR), next-generation antivirus, and automated investigation and response. It supports platforms such as Windows, MacOS, Android, iOS, and Linux. Many features have been optimized for SMBs and include: 

• Quickly and easily onboard your devices: Wizard-based onboarding gets you up and running quickly with out-of-the-box security policies that are “on by default” and a simplified management experience makes it easy for even non-technical users to manage security operations.  
• Get peace of mind with automatic attack disruption: AI-powered attack disruption helps automatically contain ransomware attacks by limiting lateral movement from compromised users or devices. This capability is on-by default, so it is easy for SMBs to stay protected. 
• Protect mobile devices from one solution: You can onboard iOS and Android onto Defender for Business without requiring additional device management solutions or costly add-ons. 
• Share security insights in a simple format: Monthly security summary reports help you better understand the security status of your identity, devices, data, and applications by seeing threats prevented and detected and recommendations to strengthen your security posture. 

Defender for Business is available as a standalone and as part of the Microsoft 365 Business Premium suite. Microsoft 365 Business Premium brings together Office apps, Microsoft 365 services and Teams, with comprehensive security. In addition to ransomware protection with Defender for Business, other key security capabilities include identity and access protection with Microsoft Entra ID Plan 1, safeguarding against phishing attacks and malware in email, OneDrive and Teams with Defender for Office 365, data protection with Microsoft Purview Information Protection, and device management with Microsoft Intune.  

Many SMB customers also rely on Managed Service Provider (MSP) partners to secure their environments. In recognition of the key role that partners play in serving SMB customers, Microsoft has made product investments to help enable partners to deliver security services at scale:

• Manage multiple customers in one place with Microsoft 365 Lighthouse: View security incidents and alerts, create and apply security baselines across all customers, and configure customized email alerts for delivery to users, groups, or third-party ticketing systems such as Professional Services Automation (PSA) systems. 
• Build out your security services: Use streaming APIs to stream device events for advanced hunting and attack disruption.  
• Integrate with 3rd party Managed Detection and Response services: Many MSPs do not have the in-house security resources to build their own security operations center (SOC). Integrate with leading Managed Detection and Response (MDR) services such as Blackpoint Cyber and ConnectWise.   

Learn More

Read more about our comprehensive set of security solutions for enterprise, midsize, and small business.  

• Microsoft Defender for Endpoint, Microsoft’s industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, EDR, and mobile threat defense. Sign up for a free trial today. 
• Microsoft Security solutions for SMBs, including Microsoft Defender for Business and Microsoft 365 Business Premium, offering enterprise-grade endpoint protection powered by AI—designed especially for businesses with up to 300 employees.  
• Partners can learn more about building managed services with Microsoft Defender for Business and Microsoft 365 Business Premium through our MDB Partner Kit and BP Partner Playbook. 
• Watch to see how Defender for Business and Microsoft 365 Business Premium can protect your business. 

You can also download the excerpts of the following reports for more details: 

[2]- IDC MarketScape: Worldwide Modern Endpoint Security for Enterprises 2024 Vendor Assessment (doc #US50521223, January 2024) 

[3]- IDC MarketScape: Worldwide Modern Endpoint Security for Midsize Businesses 2024 Vendor Assessment (doc #US50521323, February 2024) 

[4]- IDC MarketScape: Worldwide Modern Endpoint Security for Small Businesses 2024 Vendor Assessment (doc #US50521424, March 2024)  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

Reference 

[1]- Microsoft Digital Defense Report, Microsoft. 2023. 

2 Likes

 Like

The post ​​Microsoft named as a Leader in three IDC MarketScapes for Modern Endpoint Security 2024 appeared first on Microsoft Security Blog.

Microsoft Intune

Enhance security and IT efficiency with the Microsoft Intune Suite.

Learn more

The broad value of the Intune Suite

While the solutions of the Intune Suite launched at different points in time, three fundamental principles have been there from the beginning.

First, one place for workloads adjacent to Unified Endpoint Management. If you’re currently using a mix of third-party solutions, the integrated experience in Microsoft Intune provides security and efficiency on multiple levels. First, one unified solution means fewer integrations to manage across third parties, meaning fewer attack vectors for malicious actors. And second, on a deeper level, the broader Intune proposition (both Intune Suite and Intune) is integrated with Microsoft 365 and Microsoft Security solutions. This provides a consolidated and seamless experience for IT professionals with a single pane of glass for end-to-end endpoint management.

Second, all parts of the Intune Suite are ready to support your cloud and AI-enabled future. Intune Suite will help accelerate organizations’ digital transformation to cloud native and simplify their IT operations. Additionally, data from Intune Suite are consolidated with other Intune and security data, meaning complete visibility across the device estate, informing and improving emerging technologies like Microsoft Copilot for Security. The more interrelated data that Copilot can use, the more it can proactively advise on the next best action.

Lastly, Intune Suite is available in a single unified plan. So, rather than having separate solutions for remote assistance, privilege management, analytics, and more, these advanced solutions can all be consolidated and simplified into one. This provides value in two ways: directly, by reducing the overall licensing cost, as the cost of Intune Suite is less than purchasing separate solutions; and the economic value of the Intune Suite is also in indirect savings: no need to manage separate vendors, train IT admins on separate tools, or maintain costly on-premises public key infrastructure (PKI). The Intune Suite makes it easier for IT admins, reducing overhead costs.

“With what we get out of Intune Suite, we can eliminate other products that our customers need. It’s now a suite of many components that enable customers who want to consolidate solutions and save money.”

—Mattias Melkersen Kalvåg, Mobility and Windows Management Consultant at MINDCORE, and| Microsoft Certified Professional & MVP

From today: A comprehensive suite across applications, access needs, and support

Let’s get into specifics. For application security, Enterprise App Management helps you find, deploy, and update your enterprise apps. And Endpoint Privilege Management lets you manage elevation rules on a per-app basis so that even standard users can run approved privileged apps. Cloud PKI lets you manage certificates from the cloud in lieu of complex, on-premises PKI infrastructure. And Microsoft Tunnel for Mobile Application Management (MAM) is perfect for unenrolled, personal mobile devices, to help broker secure access to line of business apps. Advanced Analytics gives you data-rich insights across your endpoints. And Remote Help lets you view and control your PCs, Mac computers, and specialized mobile devices, right from the Intune admin center. Let us take each of those three product areas in turn.

Increase endpoint security with Enterprise App Management and Endpoint Privilege Management

Enterprise App Management gives you a new app catalog, allowing you to easily distribute managed apps, but also keep them patched and always up to date. With this initial release, you will be able to discover and deploy highly popular, pre-packaged apps, so you no longer need to scour the Internet to find their installation files, repackage, and upload them into Intune. Simply add and deploy the apps directly from their app publishers. You can also allow the apps you trust to self-update, and when a new update is available, it is just one click to update all your devices with that app installed. We will continuously expand and enrich the app catalog functionality in future releases to further advance your endpoint security posture and simplify operations. 

“I’m very excited about Enterprise App Management as it’s powered by a strong app catalog and natively integrated in Intune. This single pane of glass experience is what we’re all looking for.”

—Niklas Tinner, Microsoft MVP and Senior Endpoint Engineer at baseVISION AG

For more control over your apps, with Endpoint Privilege Management, you can scope temporary privilege elevation, based on approved apps and processes. Then, as a user in scope for this policy, you can elevate only the processes and apps that have been approved. For example, users can only run a single app for a short period of time as an administrator. Unlike other approaches that give local admin permissions or virtually unlimited scope, you can selectively allow a user to elevate in a one-off scenario by requesting Intune admin approval, without you needing to define the policy ahead of time.

“Endpoint Privilege Management offers tight integration into the operating system. And the focus that Microsoft has over only elevating specific actions and apps versus making you an admin for a period of time—this is security at its best, going for the least privileged access.”

—Michael Mardahl, Cloud Architect at Apento

Cloud PKI and Microsoft Tunnel for MAM powers secure access

With Cloud PKI, providing both root and issuing Certificate Authorities (CA) in the cloud, you can simply set up a PKI in minutes, manage the certificate lifecycle, reduce the need for extensive technical expertise and tools, and minimize the effort and cost of maintaining on-premises infrastructure. In addition, support for Bring-Your-Own CA is available, allowing you to anchor Intune’s Issuing CA to your own private CA. Certificates can be deployed automatically to Intune-managed devices for scenarios such as authentication to Wi-Fi, VPN, and more; a modern PKI management option that works well to secure access with Microsoft Entra certificate-based authentication. In the initial release, Cloud PKI will also work with your current Active Directory Certificate Services for SSL and TLS certificates, but you do not need to deploy certificate revocation lists, Intune certificate connectors, Network Device Enrollment Service (NDES) servers, or any reverse proxy infrastructure. You can issue, renew, or revoke certificates directly from the Intune admin center automatically or manually. 

Microsoft Tunnel for MAM helps secure mobile access to your private resources. Microsoft Tunnel for MAM works similarly to Microsoft Tunnel for managed devices; however, with this advanced solution, Microsoft Tunnel for MAM works with user-owned (non-enrolled) iOS and Android devices. Microsoft Tunnel for MAM provides secure VPN access at the app level, for just the apps and browser (including Microsoft Edge) your IT admin explicitly authorizes. So, for personally owned devices, the user can access approved apps, without your company’s data moving onto the user’s personal device. App protection policies protect the data within the apps, preventing unauthorized data leakage to other apps or cloud storage locations.

“Cloud PKI within the Intune Suite allows you to go cloud native in terms of certificate deployment, which means you can provision PKIs with just a few clicks—that’s a blessing for all the IT administrators. With this built-in service, Microsoft hosts everything for you to manage certificates.”  

—Niklas Tinner

Resolve support issues quicker with Advanced Analytics and Remote Help

Advanced Analytics in Intune is a powerful set of tools for actionable reporting and AI-driven analytics. It provides deep, near real-time insights into your connected devices and managed apps that help you understand, anticipate, and proactively improve the user experience. We continue to infuse AI and machine learning into our analytics products. For example, you can get ahead of battery degradation in your device fleet through our advanced statistical analysis and use that information to prioritize hardware updates. Intune Suite now includes real-time device querying on-demand using Kusto Query Language for individual devices, useful for troubleshooting and resolving support calls quicker.

With Remote Help, you can also streamline the way you remotely view and interact with your managed devices, for both user-requested or unattended sessions. As a help desk technician, you can securely connect to both enrolled and unenrolled devices. Users also have peace of mind in being able to validate the technician’s identity, to avoid help desk spoofing attempts. Right now, Remote Help works for remote viewing and controlling in Windows PCs and Android dedicated Enterprise devices, and supports remote viewing for macOS. Especially useful for frontline workers, Remote Help for Android allows help desk administrators to configure and troubleshoot unattended devices, meaning issues can be revolved off-shift.

“Remote Help takes away the requirement and the need for third-party remote help tools. Remote Help is native, it’s interactive, and you don’t have to worry about installing anything, it’s already there. It’s part of Intune, it’s part of the build.”

—Matthew Czarnoch, Cloud and Infrastructure Operations Manager at RLS (Registration and Licensing Services)

To see many of these new capabilities in action, we invite you to watch this new Microsoft Mechanics video.

Analyst recognition for Microsoft

With the additions to the Intune Suite now available, IT can power a more secure and productive future at an important time as AI comes online. Notably, analyst recognition is validating the importance of its value. For example, Microsoft again assumes the strongest leadership position in the Omdia Universe: Digital Workspace Management and Unified Endpoint Management Platforms 2024. Omdia wrote: “Microsoft is focused on reducing management costs by utilizing the Microsoft Intune Suite and integrating different solutions with it.” They added: “The company plans to invest in Endpoint Analytics and Security Copilot to introduce data-driven management, helping IT professionals shift from reactive, repetitive tasks to strategic ones by utilizing Endpoint Analytics and automation.” Omdia’s recognition follows that from others like Forrester, who named Microsoft as a Leader in The Forrester Wave™ for Unified Endpoint Management, Q4 2023.

Get started with consolidated endpoint management solutions with the Microsoft Intune Suite

The February 2024 release of the solutions in the Intune Suite marks a key milestone, offering a consolidated, comprehensive solution set together in a cost-effective bundle (and available as individual add-on solutions) for any plan that includes Intune. And in April 2024, they will also be available to organizations and agencies of the United States government community cloud. We look forward to hearing your reactions to the new Intune Suite.

• Microsoft Intune News at Microsoft Ignite 2023.
• Learn more about Microsoft Intune.
• Omdia Universe: Digital Workspace Management/Unified Endpoint Management Platforms 2024.
• Forrester Wave™ for Unified Endpoint Management, Q4 2023. 
• Microsoft Cloud PKI blog announcement at Microsoft Ignite 2023.
• Microsoft Intune Enterprise App Management blog announcement at Microsoft Ignite 2023.
• Microsoft Intune Advanced Analytics blog announcement at Microsoft Ignite 2023.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Ease the burden of managing and protecting endpoints with Microsoft advanced solutions, Dilip Radhakrishnan and Gideon Bibliowicz. April 5, 2022.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

The Forrester Wave™: Unified Endpoint Management, Q4 2023, Andrew Hewitt, Glen O’Donnell, Angela Lozada, Rachel Birrell. November 19, 2023.

The post 3 new ways the Microsoft Intune Suite offers security, simplification, and savings appeared first on Microsoft Security Blog.

Today we are excited to announce that Gartner has named Microsoft a Leader in the 2023 Gartner^® Magic Quadrant™ for Endpoint Protection Platforms. We believe this recognition showcases Microsoft’s continued progress and excellence in helping organizations protect their endpoints against even the most sophisticated attacks and driving continued efficiency for SOC teams.

Microsoft Defender for Endpoint is an endpoint security platform that helps organizations secure their digital estate using AI-powered, industry-leading endpoint detection and response across all platforms, devices, and Internet of Things (IoT). It is core to Microsoft Defender XDR. Built on the industry’s broadest threat intelligence informed by more than 65 trillion daily signals and over 10,000 security experts, it empowers security teams to fend off sophisticated threats.¹

Figure 1. Gartner^® Magic Quadrant^TM for Endpoint Protection Platforms. Source: Gartner (December 2023).

Microsoft’s leadership in endpoint security reflects the close partnership forged with customers that has shaped our product development and innovation. Recent highlights include:

• Elevate your security posture: An organization’s best offense is a secure defense. Key to minimizing threat exposure is a combination of simplified security settings management to curtail misconfigurations (generally available as of November 2023), proactive vulnerability management to harden your defenses, and next-generation antivirus to neutralize malware at the perimeter. Defender for Endpoint is unique in providing built-in posture assessments and vulnerability management capabilities that continually evaluate an organization’s security posture and prioritizes remediation suggestions. Other security vendors treat these capabilities as a separate product that must be integrated, further burdening organizations that require such protections up front. Additionally, Defender for Endpoint’s next-generation antivirus, which has been tested and recognized in various industry tests, such as the 2023 MITRE Engenuity ATT&CK® Evaluations, fortifies the strong prevention stack to protect against endpoint-based threats.

• Protect against the most sophisticated threats: Drawing on vast threat intelligence informed by 65 trillion daily signals and more than 10,000 security experts around the globe, Microsoft possesses a unique vantage point on the emerging threat landscape.¹ Microsoft Defender XDR’s industry-first automatic attack disruption capability reflects this distinctive position, harnessing the seamless integration across the workloads (identities, endpoints, email, and software as a service [SaaS] apps) to disrupt advanced cyberthreats such as ransomware, business email compromise, and attacker-in-the-middle with high confidence. Attack disruption has rapidly evolved to now stopping human-operated attacks, on average within 3 minutes, with just Defender for Endpoint. Coupled with the new deception capabilities introduced in November 2023, automatic attack disruption can disrupt threat campaigns even earlier with the high-fidelity signal.

• Secure all devices across the enterprise: Defender for Endpoint continued to expand its coverage with network detection and enterprise IoT devices included at no added cost as a part of Microsoft 365 E5 and E5 Security plans. Cross-platform enhancements across macOS, Linux, and Windows regularly roll out, keeping customers at the forefront of available protections.

Endpoint security is at the core of the Microsoft Defender suite. The following recent innovations reinforce Microsoft’s leadership in helping SOCs scale protection and efficiency on a platform level.

• See and act on a complete view of the digital threat landscape with an AI-powered, unified security operations platform: In November 2023, we announced the industry’s first unified platform that will help close the talent gap for security and data professionals and accelerate SOC efficiency. Defender for Endpoint is core to this platform. It combines “the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and generative AI for security.” By working seamlessly across Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Security Copilot, security analysts only need to work with a single set of automation rules and playbooks. Plus, they only need to use plain language to execute complex tasks in an instant with Security Copilot embedded in the platform.

• Give your security team coverage with around-the-clock access to Microsoft expertise: Recognizing that sophisticated threats go beyond the endpoint, Microsoft introduced Microsoft Defender Experts for XDR. This managed service is available 24 hours a day, 7 days a week, helping organizations extend their SOC team to fully triage events and respond to incidents across domains.

Download the complimentary report to get more details on our positioning as a Leader. Our customers and partners have been an invaluable part of this multiyear journey. We owe our immense gratitude to you.

Unmatched customer impact defending against ransomware

With capabilities unique to Microsoft Defender such as automatic attack disruption, the odds are starting to tilt in favor of defenders. For example, in August 2023, hackers compromised the devices of a medical research lab. With lives and millions of dollars in research at stake, the potential reward for hackers to encrypt the devices and demand a ransom was high. Automatic attack disruption immediately shut them out from accessing any of the lab’s devices. And the security analysts didn’t even have to lift a finger.

Thanks to the invaluable partnership and insights from organizations of all sizes around the globe, Microsoft has been named a Leader in every Gartner^® Magic Quadrant^TM for Endpoint Protection Platforms report since 2019. In 2024 customers will continue to see leading innovation as we further build on a strong foundation of AI-enabled capabilities to empower defenders and drive efficiencies for SOC teams with more automated disruption of advanced threats, Microsoft Security Copilot supported tasks, and more.

Are you a regular user of Microsoft Defender for Endpoint? Review your experience on Gartner Peer Insights™ and get a $25 gift card. 

Microsoft Defender for Endpoint

Protect every layer of your environment with a unified security operations platform embedded with Microsoft Security Copilot.

Learn more

Learn more

We know that diving deep into how a solution really works is key to making any investment. If you are not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to start evaluating the leading endpoint protection platform.

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report, Microsoft. 2023.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Max Taggett, Franz Hinner, Nikul Patel, 31 December 2023.

Gartner is a registered trademark and service mark and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Microsoft is named a Leader in the 2023 Gartner® Magic Quadrant™ for Endpoint Protection Platforms appeared first on Microsoft Security Blog.

Propelling business growth

The Forrester report recognizes the advances made to the Microsoft Intune platform in the last year:

This new platform approach aims to help customers simplify management, reduce costs, and transform experiences with AI and automation, all factors that enable Microsoft to vastly outperform others across key metrics like devices under management and revenue growth.

Moving to cloud management with Intune aids customers in applying Zero Trust security principles, improves user experience, and streamlines operations with AI and automation. Exemplary endpoint management doesn’t often get the credit for propelling business growth like research and development initiatives. But companies that reduce the administrative overhead on their talent have more hours and focused attention available to tackle more challenges and innovate. And “talent” isn’t just made up of users; IT and security teams can tackle more valuable projects after simplifying and automating management tasks for themselves. As just one example, new cloud-based controls to manage the local admin passwords for Windows devices make this critical security operation simpler and reduces the need for on-premises resources.

The report also made note of the Microsoft Intune Suite, saying “it includes new support for mobile application management (MAM)-only, ruggedized, remote control, privilege management, and DEX (digital experience) use cases.”

The Intune Suite extends the capabilities of Intune and powers better digital experiences. Solutions like Endpoint Privilege Management ease the burdens on help desks and keep users productive, and Remote Help makes real-time troubleshooting faster, easier, and more secure for users and administrators alike. The time saved and frustration spared keep everyone focused on progress rather than process.

Defining the endpoint management experience 

In The Unified Endpoint Management Landscape, Q3 2023 report, Forrester offers this market definition of unified endpoint management: “[Unified endpoint management] solutions help EUC (end user computing) professionals balance three priorities at once: exceptional DEX, cost-efficient management, and foundational threat prevention.” 

Exceptional digital experience

How is the Intune digital experience exceptional? Devices are verified as healthy and made more secure without impeding the flow of work—or even rising to the notice of the user. Zero-touch provisioning with Autopilot creates a seamless out-of-box experience. Single sign-on, recently added to Intune’s now-comprehensive MacOS management capabilities, reduces password fatigue and helps users get to work with fewer interruptions. Mobile application management allows users to use their own mobile and Windows devices to access secure resources without enrollment, allowing them greater freedom to work (and be inspired) where they see fit. That Intune works so well with Microsoft Entra ID, Microsoft Defender, Windows, and Windows 365, further enhances the experience of work with fewer hassles and greater peace of mind.

Cost-efficient management

As a truly unified platform, Intune allows admins to manage Windows, Linux, MacOS, Android, iOS, and specialty devices. This reduces the burden of consolidating data from multiple sources and of switching between tools for privilege management, update management, and user experience. Intune instead offers broad management and protection capabilities and true visibility into endpoint performance in one place. With the Intune Suite, the productivity of admins and users can be accelerated even more.

Many enterprises are able to realize the value of Intune at no additional cost as part of their Microsoft 365 licenses. Additional savings can be realized by consolidating specialized management tools with redundant features, by retiring on-premises infrastructure, and by moving to true cloud-native management. Automation of tasks with flows, PowerShell runbooks, and scripts extends efficiency into the day-to-day operations of administrators, and the ability to grant Conditional Access to bring-your-own devices eases the need for dedicated, company-owned devices for employees. The reduction in support tickets and security incidents afforded by the baselines and tools that keep devices compliant and hardened against threat reduce costs of remediation.

Foundational threat prevention

Microsoft Intune offers fundamental capabilities for creating and enforcing Zero Trust security at enterprise scale, and was given the top score in the Security category of the report. Device health compliance capabilities help keep potentially compromised devices from accessing sensitive resources. Privilege management and Conditional Access policy enforcement permit users to remain productive without increasing risk. The ability to define and enforce data protection policies at the device level keeps information flowing to the right places and helps prevent it from leaking to the wrong ones. Using Intune in concert with Microsoft Defender for Endpoint extends the security capabilities even further.

Strategic strength

The Forrester Wave™: Unified Endpoint Management, Q4 2023 report evaluates product strategy in addition to current features when identifying leaders, and Microsoft received the highest possible score in this area. According to the Forrester report, The Unified Endpoint Management Landscape, Q3 2023, “AI will fundamentally change the job of endpoint administrators, allowing them to query endpoints faster and more granularly, help inform policy decisions, and even replace scripting.”

Microsoft has begun to realize that future today with insights driven by machine learning already informing the Intune service. SOC and IT admins using Intune and the Intune Suite will see data from those services used by Microsoft Security Copilot, and expanded capabilities will emerge as the technology evolves.  

Innovation and improvements to Intune are driven by our engineers, partners, and customers. We’re grateful to all our stakeholders for the hard work, extensive feedback, and broad adoption of Intune (Forrester indicates Microsoft has the largest Market presence, too) that has enabled the solution to become a leader in unified endpoint management.

Microsoft Intune

Protect and manage endpoints in one place.

Learn more

Learn more

While we hope that this recognition gives confidence to all those who are interested in Intune, we know that diving deep into how a solution really works is key to making any investment. Check out Intune and Windows Tech Takeoff sessions to get technical breakdowns of existing workloads and explore what’s new.  You can also subscribe to our ongoing news by returning to the Microsoft Intune blog home then join the conversation on Twitter at @MSIntune and LinkedIn.

Learn more about Microsoft Intune.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. 

Forrester Wave™: Unified Endpoint Management, Q4 2023, Andrew Hewitt, Glen O’Donnell, Angela Lozada, Rachel Birrell. November 19, 2023. 

The post Forrester names Microsoft Intune a Leader in the 2023 Forrester Wave™ for Unified Endpoint Management appeared first on Microsoft Security Blog.

In the current offering category, Microsoft achieved the highest possible scores in the threat intelligence, suite automation, endpoint, including performance impact, runtime behavior detection and response protection, network cyberthreat detection, mobile device security, behavioral analysis capabilities, and vulnerability patching remediation criteria. Forrester also noted, “Being natively integrated into Windows minimizes the agent performance overhead…the Defender agent performs well on other operating systems (OS), and the agent’s runtime behavior protection functions integrate into conditional access methods that can provide device trust.”

Microsoft Defender for Endpoint

Discover and secure endpoint devices across your multiplatform enterprise.

Learn more

AI and SOC efficiency: core to our vision and roadmap

As Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity, and Management, Microsoft, states in her blog, the global shortage of skilled security professionals and the continued, unprecedented cybersecurity threats faced by organizations have been key drivers to create and integrate new technologies to help tip the scales in favor of security teams.

AI is one such technology. Bringing its breakthroughs, such as generative AI, within reach of organizations of all sizes has been core to Microsoft Defender for Endpoint’s strategy. AI goes hand-in-hand with security operations center (SOC) efficiency that spans our vision of protecting every endpoint on the planet for organizations of all sizes to our roadmap of capabilities that empower security teams to outmaneuver sophisticated adversaries. Automatic attack disruption, Microsoft Security Copilot, and native settings management are just three examples of how our vision and roadmap are already transforming the SOC in recent months.

Disrupting ransomware early in the cyberattack chain with automatic attack disruption

Figure 1. How automatic attack disruption stops a ransomware attack.

Security teams need every advantage in the fight against ransomware. Introduced in November 2022, Microsoft 365 Defender’s unique, industry-first automatic attack disruption stops the most sophisticated cyberattack campaigns—such as ransomware, business email compromise, and attacker-in-the-middle—at machine speed by leveraging multidomain signals across the extended detection and response (XDR) platform. This capability combines our industry-leading detection with AI enforcement mechanisms to block cyberthreats and limit their spread within the organization. In October 2023, we introduced the next evolution of automatic attack disruption that stops human-operated cyberattacks earlier in the cyberattack chain in a decentralized way across devices. This industry-first, Microsoft-patented capability contains compromised users across devices just by deploying Defender for Endpoint, bringing this XDR AI-powered security within reach of even more organizations.

Accelerating investigation and response with Security Copilot

Figure 2. Microsoft 365 Defender portal showing Security Copilot within advanced hunting editor.

Security professionals are scarce, and we must empower them to disrupt cyberattackers’ traditional advantages. With this challenge in mind, we introduced Microsoft Security Copilot in March 2023. It is the industry’s first generative AI security product that allows security teams to move at machine speed. It combines OpenAI’s GPT-4 generative AI model with Microsoft’s security-specific model informed by our unique global threat intelligence and more than 65 trillion daily signals.¹ This month, organizations started gaining access to Security Copilot. Embedded within Microsoft 365 Defender’s existing analyst workflows, Security Copilot simplifies complex tasks with capabilities like guided response actions, and provides intuitive, actionable insight across the cyberthreat landscape such as summarized incidents in natural language.

Fast-tracking setup with simplified settings management

Figure 3. Security policy interface in the Microsoft 365 Defender portal.

Helping security teams move with speed and agility doesn’t always require AI. Security teams can now set up and configure Defender for Endpoint so much faster with simplified security settings management, announced in July 2023. The new streamlined approach is all contained within the unified Microsoft 365 Defender portal experience, supported across the multiplatform workloads of Windows, MacOS, and Linux. While the Microsoft Intune portal is no longer required as part of the setup experience, Microsoft Defender for Endpoint continues to work great with Intune, sharing a single consistent source of truth for endpoint security settings.  

In the coming months we look forward to introducing more AI-powered and efficiency-focused capabilities across all platforms.

Industry-leading endpoint security

Microsoft Defender for Endpoint is core to Microsoft 365 Defender, our XDR solution that spans identities, endpoints, cloud apps, email, and documents. Microsoft 365 Defender delivers intelligent, automated, and integrated security in a unified security operations experience, with detailed cyberthreat analytics and insights, unified threat hunting, and rapid detection and automation across domains—detecting and stopping cyberattacks anywhere in the cyberattack chain and eliminating persistent cyberthreats.

Our continued leadership in security is due in part to the close partnership we have with customers who give us continuous feedback in the product development process. We are grateful for their continued trust in us and are committed to delivering innovative security capabilities that help them secure their organizations.

Our mission is to empower security teams with the best security capabilities in the industry so that you can focus on what’s important: preventing and remediating cyberthreats.

You can download the report to get more details about our position as a Leader. We thank our customers and partners for being on this journey with us.

Recognition across the industry

Defender for Endpoint has consistently been recognized as delivering as an industry leader across analyst and customer evaluations:

• Gartner named Microsoft a Leader in the 2022 Gartner®Magic Quadrant™ for Endpoint Protection Platforms.
• IDC ranked Defender for Endpoint number one in marketshare in the IDC Worldwide Corporate Endpoint Security Market Shares report, 2022.
• Customers ranked Defender for Endpoint Tech Leader number one in Endpoint Detection and Response, Endpoint Protection Platforms, and Anti-Malware on PeerSpot.
• Customers ranked Defender for Endpoint number one for Endpoint Detection and Response Software, #1 for Endpoint Protection Platforms, on G2.

Learn more

Microsoft Defender for Endpoint is a comprehensive, AI-powered endpoint security across platforms, devices, and IoT. With our solution, organizations can automatically disrupt ransomware on any platform. If you are not yet taking advantage of Microsoft’s unrivaled cyberthreat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2023, Microsoft. 2023.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Forrester Wave™: Endpoint Security, Q4 2023, Paddy Harrington, Merritt Maxim, Angela Lozada, Christine Turley. October 18, 2023.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Peter Firstbrook, Chris Silva, 31 December 2022. Gartner is a registered trademark and service mark and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

The post Forrester names Microsoft a Leader in the 2023 Endpoint Security Wave™ report appeared first on Microsoft Security Blog.

In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments. Given this, Microsoft assesses that this activity poses a particularly high risk to organizations who are affected. JetBrains has released an update to address this vulnerability and has developed a mitigation for users who are unable to update to the latest software version.

While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation. Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments.

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised and provides them with the information they need to secure their environments.

Who are Diamond Sleet and Onyx Sleet?

Diamond Sleet (ZINC) is a North Korean nation-state threat actor that prioritizes espionage, data theft, financial gain, and network destruction. The actor typically targets media, IT services, and defense-related entities around the world. Microsoft reported on Diamond Sleet’s targeting of security researchers in January 2021 and the actor’s weaponizing of open-source software in September 2022. In August 2023, Diamond Sleet conducted a software supply chain compromise of a German software provider.

Onyx Sleet (PLUTONIUM) is a North Korean nation-state threat actor that primarily targets defense and IT services organizations in South Korea, the United States, and India. Onyx Sleet employs a robust set of tools that they have developed to establish persistent access to victim environments and remain undetected. The actor frequently exploits N-day vulnerabilities as a means of gaining initial access to targeted organizations.

Diamond Sleet attack path 1: Deployment of ForestTiger backdoor

Following the successful compromise of TeamCity servers, Diamond Sleet utilizes PowerShell to download two payloads from legitimate infrastructure previously compromised by the threat actor. These two payloads, Forest64.exe and 4800-84DC-063A6A41C5C are stored in the C:\ProgramData directory.

When launched, Forest64.exe checks for the presence of the file named 4800-84DC-063A6A41C5C, then reads and decrypts the contents of that file using embedded, statically assigned key of ‘uTYNkfKxHiZrx3KJ’:

c:\ProgramData\Forest64.exe  uTYNkfKxHiZrx3KJ

Interestingly, this same value is specified as a parameter when the malware is invoked, but we did not see it utilized during our analysis. The same value and configuration name was also referenced in historical activity reported by Kaspersky’s Securelist on this malware, dubbed ForestTiger.

The decrypted content of 4800-84DC-063A6A41C5C is the configuration file for the malware, which contains additional parameters, such as the infrastructure used by the backdoor for command and control (C2). Microsoft observed Diamond Sleet using infrastructure previously compromised by the actor for C2.

Microsoft observed Forest64.exe then creating a scheduled task named Windows TeamCity Settings User Interface so it runs every time the system starts with the above referenced command parameter “uTYNkfKxHiZrx3KJ”. Microsoft also observed Diamond Sleet leveraging the ForestTiger backdoor to dump credentials via the LSASS memory. Microsoft Defender Antivirus detects this malware as ForestTiger.

Diamond Sleet attack path 2: Deploying payloads for use in DLL search-order hijacking attacks

Diamond Sleet leverages PowerShell on compromised servers to download a malicious DLL from attacker infrastructure. This malicious DLL is then staged in C:\ProgramData\ alongside a legitimate .exe file to carry out DLL search-order hijacking. Microsoft has observed these malicious DLL and legitimate EXE combinations used by the actor:

DSROLE.dll attack chain

When DSROLE.dll is loaded by wsmprovhost.exe, the DLL initiates a thread that enumerates and attempts to process files that exist in the same executing directory as the DLL. The first four bytes of candidate files are read and signify the size of the remaining buffer to read. Once the remaining data is read back, the bytes are reversed to reveal an executable payload that is staged in memory. The expected PE file should be a DLL with the specific export named ‘StartAction’. The address of this export is resolved and then launched in memory.

While the functionality of DSROLE.dll is ultimately decided by whatever payloads it deobfuscates and launches, Microsoft has observed the DLL being used to launch wksprt.exe, which communicates with C2 domains. Microsoft Defender Antivirus detects DSROLE.dll using the family name RollSling.

Version.dll attack chain

When loaded by clip.exe, Version.dll loads and decrypts the contents of readme.md, a file  downloaded alongside Version.dll from attacker-compromised infrastructure. The file readme.md contains data that is used as a multibyte XOR key to decrypt position-independent code (PIC) embedded in Version.dll. This PIC loads and launches the final-stage remote access trojan (RAT).

Once loaded in memory, the second-stage executable decrypts an embedded configuration file containing several URLs used by the malware for command and control. Shortly after the malware beacons to the callback URL, Microsoft has observed a separate process iexpress.exe created and communicating with other C2 domains. Microsoft Defender Antivirus detects Version.dll using the family name FeedLoad.

After successful compromise, Microsoft observed Diamond Sleet dumping credentials via the LSASS memory.

In some cases, Microsoft observed Diamond Sleet intrusions that utilized tools and techniques from both paths 1 and 2.

Onyx Sleet attack path: User account creation, system discovery, and payload deployment

Following successful exploitation using the TeamCity exploit, Onyx Sleet creates a new user account on compromised systems. This account, named krtbgt, is likely intended to impersonate the legitimate Windows account name KRBTGT, the Kerberos Ticket Granting Ticket. After creating the account, the threat actor adds it to the Local Administrators Group through net use:

net  localgroup administrators krtbgt /add

The threat actor also runs several system discovery commands on compromised systems, including:

net localgroup 'Remote Desktop Users’
net localgroup Administrators
cmd.exe "/c tasklist | findstr Sec"
cmd.exe "/c whoami"
cmd.exe "/c netstat -nabp tcp"
cmd.exe "/c ipconfig /all"
cmd.exe "/c systeminfo"

Next, the threat actor deploys a unique payload to compromised systems by downloading it from attacker-controlled infrastructure via PowerShell. Microsoft observed these file paths for the unique payload:

• C:\Windows\Temp\temp.exe
• C:\Windows\ADFS\bg\inetmgr.exe

This payload, when launched, loads and decrypts an embedded PE resource. This decrypted payload is then loaded into memory and launched directly. The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure. Microsoft Defender Antivirus detects this proxy tool as HazyLoad.

Microsoft also observed the following post-compromise tools and techniques leveraged in this attack path:

• Using the attacker-controlled krtbgt account to sign into the compromised device via remote desktop protocol (RDP)
• Stopping the TeamCity service, likely in an attempt to prevent access by other threat actors
• Dumping credentials via the LSASS memory
• Deploying tools to retrieve credentials and other data stored by browsers

Recommended mitigation actions

Microsoft recommends the following mitigations to reduce the impact of this threat.

• Apply the update or mitigations released by JetBrains to address CVE-2023-42793.
• Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
• Block in-bound traffic from IPs specified in the IOC table.
• Use Microsoft Defender Antivirus to protect from this threat. Turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Take immediate action to address malicious activity on the impacted device. If malicious code has been launched, the attacker has likely taken complete control of the device. Immediately isolate the system and perform a reset of credentials and tokens.
• Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
• Ensure that “Safe DLL Search Mode” is set.
• Turn on the following attack surface reduction rule:
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Detections

Microsoft 365 Defender

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the CVE-2023-42793 vulnerability leveraged in these attacks.

Microsoft Defender Antivirus

Microsoft Defender Antivirus customers should look for the following family names for activity related to these attacks:

• ForestTiger
• RollSling
• FeedLoad
• HazyLoad

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts could indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

• Diamond Sleet Actor activity detected
• Onyx Sleet Actor activity detected
• Possible exploitation of JetBrains TeamCity vulnerability
• Suspicious behavior by cmd.exe was observed
• Suspicious DLL loaded by an application
• Suspicious PowerShell download or encoded command execution
• Possible lateral movement involving suspicious file
• A script with suspicious content was observed
• Suspicious scheduled task

Hunting queries

Microsoft 365 Defender

Command and control using iexpress.exe or wksprt.exe

DeviceNetworkEvents
| where (InitiatingProcessFileName =~ "wksprt.exe" and InitiatingProcessCommandLine == "wksprt.exe") 
or (InitiatingProcessFileName =~ "iexpress.exe" and InitiatingProcessCommandLine == "iexpress.exe")

Search order hijack using Wsmprovhost.exe and DSROLE.dll

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
| where FileName =~ "DSROLE.dll"
| where not(FolderPath has_any("system32", "syswow64"))

Search order hijack using clip.exe and Version.dll

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "clip.exe"
| where FileName in~("version.dll")
| where not(FolderPath has_any("system32", "syswow64", "program files", "windows defender\\platform", "winsxs", "platform",
"trend micro"))

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.  

• PowerShell downloads
• Dumping LSASS Process into a File
• Anomalous Account Creation
• RDP Rare Connection
• Anomalous RDP Activity

Indicators of compromise (IOCs)

The list below provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Diamond Sleet path 1

Diamond Sleet path 2

Onyx Sleet path

NOTE: These indicators should not be considered exhaustive for this observed activity.

References

• Following the Lazarus group by tracking DeathNote campaign | Securelist

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability appeared first on Microsoft Security Blog.