Information protection and governance Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/information-protection-and-governance/
Expert coverage of cybersecurity topics
Mon, 08 Apr 2024 20:45:04 +0000

Starting your journey to become quantum-safe
http://approjects.co.za/?big=en-us/security/blog/2023/11/01/starting-your-journey-to-become-quantum-safe/
Wed, 01 Nov 2023 16:00:00 +0000

Thanks to our extensive experience in quantum engineering and expertise as a service and security provider, we can serve as a trusted partner to navigate this process across industry and government.

The post Starting your journey to become quantum-safe appeared first on Microsoft Security Blog.

There’s no doubt we are living through a time of rapid technological change. Advances in ubiquitous computing and ambient intelligence transform nearly every aspect of work and life. As the world moves forward with new advancements and distributed technologies, so too does the need to understand the potential security risks. At Microsoft, our mission has always been focused on keeping our customers’ and partners’ information and data safe and secure, and this is why we’re committed to advancing encryption solutions, in order to enable responsible use of new technologies such as AI and quantum computing. As one important example, while scaled quantum computing will help solve some of our toughest problems, like helping us discover new ways of addressing climate change and food scarcity, its development may also create a new set of security challenges and in turn require new encryption standards. As this future quickly approaches, how can we ensure that we reap the benefits of quantum computing while remaining safe in a post-quantum world?


Start your journey with Microsoft towards quantum-safety.

We believe the first step every organization should take toward quantum safety is to be aware of the need to organize, plan, and begin an impact assessment. We recommend prioritizing symmetric encryption where applicable and subsequently adopting post-quantum cryptography (PQC) for asymmetric encryption once it is standardized and approved by the relevant standards-setting bodies and governments, as cybersecurity agencies globally recommend. Furthermore, we are exploring and experimenting with additional classical and quantum security layers through internal experiments, proofs of concept (POCs), and collaborations with partners.

Given that preparing for such an objective will be a multi-year and iterative process that requires strategic foresight, it’s crucial for organizations to start investing time in their planning and execution efforts today. Thanks to our extensive experience in quantum engineering and expertise as a service and security provider, we can serve as a trusted partner to navigate this process across industry and government. 

Tomorrow’s quantum computers threaten today’s data 

In our previous blog post, we discussed the limitations of current quantum computers in terms of breaking today’s encryption technology. At the same time, the emergence of scaled quantum computers running specific algorithms—such as Shor’s algorithm—could put public key encryption at risk and compromise sensitive information.

While it may take at least 1 million qubits for a quantum computer to break certain encryption algorithms using Shor’s algorithm, today’s long-term and sensitive data could already be at risk: bad actors could carry out a “Harvest Now, Decrypt Later” scenario by recording data today and decrypting it later when cryptographically relevant quantum computers become available. Therefore, knowing which data to secure now is a first step on the path to a quantum-safe future.  

Microsoft’s commitment to keeping our customers and partners secure 

Putting our recommendations into practice, we have taken a comprehensive approach to quantum safety. Because quantum will have a material impact on today’s classical encryption of both hardware and software, we’ve invested time and efforts to set cross-company goals and establish accountability at the most senior levels of our organization. This led to the establishment of the Microsoft Quantum Safe Program, which aims to accelerate and advance all quantum-safe efforts across Microsoft from both technical and business perspectives. The program focuses on Microsoft’s transition to quantum safety and the adoption of PQC algorithms across our products, services, and datacenters. Additionally, it aims to assist and empower our customers and partners on their own journey to quantum safety across their processes, priorities, and requirements.  

As the first step and highest priority, we are ensuring the compliance of our existing symmetric key encryption and hash function algorithms. Symmetric algorithms, such as Advanced Encryption Standard (AES), and hash functions, such as Secure Hash Algorithm (SHA), are resilient to quantum attacks, and can therefore still be used in deployed systems. At Microsoft, we are already using protocols based on symmetric encryption, such as Media Access Control Security (MACsec) point-to-point protocol

On top of symmetric encryption, we will prioritize PQC algorithms—still in the process of being standardized by global bodies such as the National Institute of Standards and Technology (NIST), International Standards Organization (ISO), and Internet Engineering Task Force (IETF)—to handle future threats where asymmetric encryption is currently used. Today, much of the internet’s data, from e-commerce to Wi-Fi access, is kept secure by public key, or asymmetric key cryptography. Currently used public key algorithms rely on complex mathematical problems considered infeasible for classical computers to break, but that are a perfect task for quantum computers running Shor’s algorithm. This undermines the effectiveness of public key algorithms like RSA and Elliptic Curve Cryptography (ECC), and means that PQC algorithms will need to be deployed quickly once standardized, starting with hybrid encryption schemes in tandem with classical algorithms to accelerate adoption. 

Empowering and collaborating with the global community 

We see the effort to achieve quantum safety as a collaborative effort, and this is why we invest heavily in our ecosystems, global partnerships, and close collaborations with standards-setting bodies, academia, and industry partners alike to foster continuous innovation in the quantum security landscape. The standardization of PQC algorithms, driven by NIST’s efforts, is a key step to achieving PQC compliance.

Because we believe that PQC adoption is the ideal path to follow, we’re collaborating with standards-setting bodies while conducting experiments and assessments to facilitate the adoption of these algorithms across our services and products as needed. As an example, we are participating in the NIST/NCCoE Migration to PQC project to demonstrate vulnerable cryptography detection and drive PQC experiments and integration capabilities. Those efforts, along with our participation in the Open Quantum Safe project, will allow participating members to implement and test PQC candidates together, so we can be ready for adoption once the final specifications are out.

Furthermore, as part of our investment to empower and collaborate with the global security community, we co-authored FrodoKEM, a quantum-safe key encapsulation mechanism that has been selected, together with Kyber and Classic McEliece, to be part of the first international ISO standard for PQC (in addition, we are participating as co-editors of the standard). We also recently submitted SQISign, a new quantum-safe signature scheme that we co-authored with several industry and academia partners, to NIST’s call for additional signature schemes. Lastly, we continue to actively participate as founding members of the new post-quantum cryptography coalition by MITRE and will help to drive progress toward a broader understanding of the public adoption of PQC and NIST’s recommendations. 

While we continue to conduct research to further develop state-of-the-art security solutions, we are also exploring the potential of other classical and quantum technologies, such as Quantum Key Distribution (QKD). Holistically, at the core of our mission is a commitment to achieving quantum-safety and ensuring the security of our customers.

Getting started with your PQC transition today  

To support our customers in preparing for and navigating their quantum-safe journey, we offer assistance and guidance: we invite you to start your path with us by filling out this questionnaire. Based on your responses, we can understand your status and priorities, and provide the necessary support, including access to experts.  

As a first step, we recommend starting with a comprehensive planning process and a definition of your organization’s criteria for what constitutes your critical areas and sensitive information, alongside a cryptography inventory and impact assessment of your essential data, code, cryptographic technologies, and the critical services of your organization. This will help you to identify any asymmetric encryption in use that will need to be replaced with the latest PQC standardized algorithms. This process is especially important to identify critical areas and systems that involve or protect sensitive data with a value that extends beyond 10 years and should be prioritized in migrating to PQC. 

By considering which data and code need to be secured now, and which may become less relevant over time, as well as uncovering specific instances where cryptography could be used inappropriately or not ideally, your organization will have a better understanding of where to best mitigate potential risks as a quantum future approaches. This will enable you to confidently make the switch to the latest PQC standardized algorithms and safeguard your sensitive data for years to come. 

Explore CodeQL  

To help, we are contributing to CodeQL: a next-generation program code analysis tool provided by GitHub in collaboration with organizations including NIST and NCCoE. With CodeQL, we are building out a comprehensive set of detections that can empower users to create a complete inventory of all encryption usage within the application layer, helping to produce a cryptographic bill of materials and identify legacy cryptography that requires remediation. This tool can thus help create a cryptography inventory and impact assessment that will drive operational planning and create understanding and clarity around the timeline, resources, and level of risk for which to account.
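The inventory described above can be illustrated with a small scanner. This is an added example, not CodeQL and not Microsoft's code: it searches constructed source snippets for algorithm usage, classifies each hit along the post's symmetric-versus-asymmetric line (with MD5 and SHA-1 flagged as classically broken legacy hashes), and ranks quantum-vulnerable findings that protect data valued beyond the 10-year threshold first. The file names, snippets and data lifetimes are all constructed.

```python
import re
from dataclasses import dataclass

# Catalogue of algorithm patterns. The vulnerable/resilient split follows the
# post's distinction: public-key schemes (RSA, ECC, DH) fall to Shor's
# algorithm, while symmetric ciphers and hash functions (AES, SHA-2, HMAC)
# do not. MD5 and SHA-1 are flagged as legacy hashes needing remediation.
# Constructed for this example; a real inventory (CodeQL queries, for
# instance) would cover far more APIs and languages.
CATALOGUE = [
    (re.compile(r"\bRSA\b", re.I), "RSA", "asymmetric", "vulnerable"),
    (re.compile(r"\b(ECDSA|ECDH|X25519|Ed25519|secp256r1|secp384r1)"), "ECC", "asymmetric", "vulnerable"),
    (re.compile(r"\b(DiffieHellman|DHE|ffdhe\d+)\b"), "DH", "asymmetric", "vulnerable"),
    (re.compile(r"\bAES(?:[-_]?\d{3})?(?:[-_]?(?:GCM|CBC|CTR))?\b", re.I), "AES", "symmetric", "resilient"),
    (re.compile(r"\bSHA-?(256|384|512)\b", re.I), "SHA-2", "hash", "resilient"),
    (re.compile(r"\bHMAC\b", re.I), "HMAC", "mac", "resilient"),
    (re.compile(r"\bMD5\b", re.I), "MD5", "hash", "legacy"),
    (re.compile(r"\bSHA-?1\b", re.I), "SHA-1", "hash", "legacy"),
]

# From the post: data whose value extends beyond 10 years is migrated first,
# because it is exposed to "harvest now, decrypt later".
HARVEST_NOW_THRESHOLD_YEARS = 10


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    algorithm: str
    category: str
    status: str          # "vulnerable", "resilient" or "legacy"
    lifetime_years: int  # how long the protected data stays valuable
    priority: str        # "P1", "P2" or "keep"


def prioritize(status: str, lifetime_years: int) -> str:
    """Rank a finding: broken-today and long-lived-data cases go first."""
    if status == "resilient":
        return "keep"
    if status == "legacy" or lifetime_years >= HARVEST_NOW_THRESHOLD_YEARS:
        return "P1"
    return "P2"


def scan_source(name: str, text: str, lifetime_years: int) -> list:
    """Return one Finding per algorithm family used in a file (first use wins)."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//")):
            continue  # ignore comments so prose mentioning algorithms is not inventoried
        for pattern, algorithm, category, status in CATALOGUE:
            if algorithm not in seen and pattern.search(line):
                seen.add(algorithm)
                findings.append(Finding(name, lineno, algorithm, category, status,
                                        lifetime_years, prioritize(status, lifetime_years)))
    return findings


def build_inventory(sources: dict, lifetimes: dict) -> list:
    """Scan every file and return the cryptographic bill of materials, highest priority first."""
    findings = []
    for name, text in sources.items():
        findings.extend(scan_source(name, text, lifetimes.get(name, 0)))
    return sorted(findings, key=lambda f: (f.priority, f.source, f.line))


def summarize(inventory: list) -> dict:
    """Count findings per priority bucket for the migration plan."""
    counts = {"P1": 0, "P2": 0, "keep": 0}
    for finding in inventory:
        counts[finding.priority] += 1
    return counts


# Constructed snippets standing in for an application code base.
SAMPLE_SOURCES = {
    "archive_signer.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "from cryptography.hazmat.primitives import hashes\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=3072)\n"
        "sig = key.sign(blob, padding.PKCS1v15(), hashes.SHA256())\n"
    ),
    "tls_handshake.py": (
        "# ECDH key agreement for a short-lived session\n"
        "shared = X25519PrivateKey.generate().exchange(peer_public_key)\n"
        "aead = AESGCM(hkdf.derive(shared))\n"
    ),
    "legacy_checksum.py": (
        "import hashlib\n"
        "digest = hashlib.md5(payload).hexdigest()\n"
    ),
}
# Constructed data lifetimes: signed archives must verify for 25 years,
# TLS sessions are worthless after a year, checksums after three.
DATA_LIFETIME_YEARS = {"archive_signer.py": 25, "tls_handshake.py": 1, "legacy_checksum.py": 3}

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_SOURCES, DATA_LIFETIME_YEARS)
    for f in inventory:
        print(f"{f.priority:4} {f.source}:{f.line} {f.algorithm} ({f.category}, {f.status}, {f.lifetime_years}y)")
    print(summarize(inventory))
```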

Try now the Crypto Experience for Resource Estimator  

Furthermore, we recently launched the Crypto Experience for Azure Quantum Resource Estimator. Drawing on published research from Microsoft, this new interactive cryptography experience will show you why a symmetric key could remain safe from quantum attacks while current public-key algorithms are vulnerable. And because it is integrated with Copilot in Azure Quantum, you can use the universal user interface of natural language to ask, learn, and explore more topics at the intersection of quantum computing and cryptography.

The opportunity to usher in a quantum, and quantum-safe, future is immense. We see how the collective genius of scientists and businesses will revolutionize the building blocks of everyday products to usher in a new era of innovation and growth in many fields. That’s what motivates us at Microsoft to drive new breakthroughs and empower every person and every organization on the planet. Our commitment to our customers, partners, and ecosystem to become quantum-safe and remain secure has never been stronger. We are accountable for making our products and services quantum-resistant and safe, and we will support and guide our customers through this journey to quantum safety.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.

Learn what an AI-driven future means for cybersecurity at Microsoft Secure
http://approjects.co.za/?big=en-us/security/blog/2023/02/09/learn-what-an-ai-driven-future-means-for-cybersecurity-at-microsoft-secure/
Thu, 09 Feb 2023 18:00:00 +0000

Vasu Jakkal invites you to join us at the Microsoft Secure digital event to discover exciting product announcements and what an AI-driven future means for cybersecurity.

Maintaining security across today’s vast digital ecosystem is a team effort. AI and machine learning have helped to detect threats quickly and respond effectively. Yet we all know that the best defense still requires human wisdom and experience. From a frontline security operations admin to the chief information security officer (CISO), every one of us brings a unique perspective that helps achieve our common purpose—to protect what matters.

As the threat surface increases with remote and hybrid work, security professionals are being asked to protect more with less. Tight budgets and timelines often leave little time to share knowledge, grow skills, or nurture the next generation of defenders.

That’s why I’m proud to announce a new annual security event designed to empower our community—join us on March 28, 2023, for Microsoft Secure. Register today.

Security is human-first and tech-driven

I’m continuously awed and humbled by the ingenuity and dedication shown by cyber defenders at every level of our partner and customer ecosystem. The first iteration of Microsoft Secure will kick off an annual event designed to build on that spirit of ingenuity. Technology helps our security professionals do more, and it’s always powered by people—the quietly fearless security professionals who make everything possible and the CISOs in boardrooms fielding security questions from colleagues. Microsoft Secure is for you.

Discover the latest comprehensive security innovations designed for you

Microsoft Secure will kick off at 8:30 AM PT with conversations on the state of the industry between Microsoft leaders helping to deliver the products security teams use daily. I have the honor of delivering this year’s keynote, along with Charlie Bell, Executive Vice President, Microsoft Security, and we will share insights on how an AI-powered future in cybersecurity can create a safer world for all—you won’t want to miss this. Other speakers joining me include Joy Chik, President, Identity and Network Access, Microsoft; Bret Arsenault, Corporate Vice President and Chief Information Security Officer, Microsoft; and John Lambert, Corporate Vice President, Distinguished Engineer, Microsoft Security Research.

Innovation sessions highlighting our latest product updates across security, compliance, identity, management, and privacy will follow our keynotes. And around midday, you can attend breakout sessions, hands-on workshops, and product deep dives organized around four themes:

  1. Discover technology across cloud security, security information and event management and extended detection and response, and threat intelligence enabled by AI.  
  2. Enable smarter, real-time access decisions for all identities and cloud-managed endpoints.  
  3. Minimize insider risk and safeguard sensitive information across platforms, apps, and clouds.
  4. Guard against threats like ransomware with Zero Trust architecture and built-in security.

For more interactive learning, join the live, open discussions and engagement opportunities, including Ask the Experts, Table Topics, and Connection Zone forums. Plus, our team will provide insights and answers to your questions in the event chat in real time throughout the day.

Join your security community at this new event

Deep dive with your peers into six hours of fresh announcements, innovations, and comprehensive security strategies. By joining our very first Microsoft Secure, you’ll:  

  • Be among the first to see what an AI-powered future means for cybersecurity to help you protect more with less.
  • Gain insights from industry experts to help you defend today and shape the future of security for tomorrow.
  • Dive into deep technical content in the breakout sessions featuring extended detection and response, multicloud security, cloud-managed endpoints, Zero Trust, built-in security configurations, and more.
  • Connect with your peers in a live question and answer chat and have your most pressing security questions answered by Microsoft experts.

Join us at Microsoft Secure to get the simplified, comprehensive protection you need to innovate and grow. Together, let’s create a safer world for all.

Register now for Microsoft Secure.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

Introducing Adaptive Protection in Microsoft Purview—People-centric data protection for a multiplatform world
http://approjects.co.za/?big=en-us/security/blog/2023/02/06/introducing-adaptive-protection-in-microsoft-purview-people-centric-data-protection-for-a-multiplatform-world/
Mon, 06 Feb 2023 17:00:00 +0000

Learn how machine learning in Microsoft Purview enables people-centric data protection and saves your security teams time.

At Microsoft, we never stop working to protect you and your data. If the evolving cyberattacks over the past three years have taught us anything, it’s that threat actors are both cunning and committed. At every level of your enterprise, attackers never stop looking for a way in. The massive increase in data—2.5 quintillion bytes generated daily—has only increased the level of risk around data security.[1] Organizations need to make sure their information is safe from malicious attacks, inadvertent disclosure, or theft. During the third quarter of 2022, insider risks, including human error, accounted for almost 35 percent of unauthorized access incidents.[2] But on the positive side, we’re seeing a growing awareness across all areas of organizations about the need to safeguard data as a precious resource.

Our customers have been clear in voicing their need for a unified, comprehensive solution for data security and management, one that’s as scalable as their business needs. In the Go Beyond Data Protection with Microsoft Purview digital event on February 7, 2023, Alym Rayani, General Manager of Compliance and Privacy Marketing at Microsoft, and I will discuss Microsoft’s approach to data security, including how to create a defense-in-depth approach to protect your organization’s data. We’ll also introduce some groundbreaking innovations for our Microsoft Purview product line—such as Adaptive Protection for data powered by machine learning—and invite new customers to sign up for a free trial. We remain guided by our core belief that security is a team sport. So in this blog, I’ll address how our newest innovations can help your team keep your data safe while empowering productivity and collaboration. We’ll also look at steps you can take to build a layered data security defense within your organization.

A new approach for a new data landscape

We’ve all seen how the ongoing shift to a hybrid and multicloud environment is changing how organizations collaborate and access data. Considering the massive amounts of data generated and stored today, it’s easy to see how this creates a business liability. More than 80 percent of organizations rate theft or loss of personal data and intellectual property as high-impact insider risks.[3] Often the risk stems from organizations making do with one-size-fits-all, content-centric data-protection policies that end up creating alert noise. This signal overload leaves admins scrambling as they manually adjust policy scope and triage alerts to identify critical risks. Fine-tuning broad, static policies can become a never-ending project that overwhelms security teams. What’s needed is a more adaptive solution to help organizations address the most critical risks dynamically, efficiently prioritizing their limited security resources on the highest risks and minimizing the impact of potential data security incidents.

Venn diagram showing how Adaptive Protection optimizes data protection automatically by balancing content-centric controls and people-centric context.

Adaptive Protection in Microsoft Purview is the solution. This new capability, now in preview, leverages Insider Risk Management machine learning to understand how users are interacting with data, identify risky activities that may result in data security incidents, then automatically tailor Data Loss Prevention (DLP) controls based on the risk detected. With Adaptive Protection, DLP policies become dynamic, ensuring that the most effective policy—such as blocking data sharing—is applied only to high-risk users, while low-risk users can maintain their productivity. The result: your security operations team is now more efficient and empowered to do more with less.

Adaptive Protection in action

Let’s take a look at how Adaptive Protection can benefit your organization in everyday use. Imagine there’s a company named Contoso where Rebecca and Chris work together on a confidential project. Rebecca and Chris both try to print a file related to that project. Rebecca gets a policy tip to educate her that the file contains confidential information and that she will need to provide a business justification before printing. But when Chris tries to print the file, he gets blocked outright by Contoso’s endpoint DLP policy. 

So, why do Rebecca and Chris have different experiences? The security team at Contoso uses Adaptive Protection, which detected that Chris has a privileged admin role at Contoso, and he had previously taken a series of exfiltration actions that may result in potential data security incidents. As Chris’s risk level increased, a stricter DLP policy was automatically applied to him to help mitigate those risks and minimize potential negative data security impacts early on. On the other hand, Rebecca has only a moderate risk level, so Adaptive Protection can educate her on proper data-handling practices while not blocking her ability to collaborate. This also influences positive behavior changes and reduces organizational data risks. For both Rebecca and Chris, the policy controls constantly adjust. In this way, when a user’s risk level changes, an appropriate policy is dynamically applied to match the new risk level.

With Adaptive Protection, Contoso’s security team no longer needs to spend time painstakingly adding or removing users based on events, such as an employee leaving or working on a confidential project, to prevent data breaches. In this way, Adaptive Protection not only helps reduce the security team’s workload, but also makes DLP more effective by optimizing the policies continuously.

Chart showing how Adaptive Protection applies Data Loss Prevention policies dynamically based on users’ risk levels detected by Insider Risk Management.

Adaptive Protection in Microsoft Purview integrates the breadth of intelligence in Insider Risk Management with the depth of protection in DLP, empowering security teams to focus on building strategic data security initiatives and maturing their data security programs. Machine learning enables Adaptive Protection controls to automatically respond, so your organization can protect more (with less) while still maintaining workplace productivity. You can learn more about Adaptive Protection and watch the demo in this Microsoft Mechanics video.
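The Contoso scenario above can be made concrete with a small policy engine. This is an added example and not Microsoft Purview code: the real product derives risk from Insider Risk Management's machine-learning models, whereas here the risk score is a hand-written, constructed weighting of recent exfiltration-type activity (with the post's download-then-exfiltrate sequence detection and a privileged-role multiplier), which is then mapped to the DLP action applied when the user tries to print a confidential file. User names, event timestamps, weights and thresholds are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed weights for exfiltration-type activities. Purview uses Insider
# Risk Management's machine-learning models for this step; fixed weights are
# a stand-in that keeps the policy mechanics visible.
ACTIVITY_WEIGHTS = {
    "download_third_party_site": 10,
    "copy_to_usb": 25,
    "upload_to_personal_cloud": 30,
    "print_confidential": 15,
    "email_external": 20,
}
PRIVILEGED_ROLE_MULTIPLIER = 1.5   # a privileged admin can do more with the same data
SEQUENCE_BONUS = 40                # download from a third-party site, then exfiltrate
SEQUENCE_WINDOW = timedelta(hours=24)
LOOKBACK = timedelta(days=30)      # older activity ages out, so risk can fall again

# Risk level -> DLP action, mirroring the scenario: moderate risk gets a policy
# tip with business justification, elevated risk is blocked outright.
DLP_ACTION_BY_LEVEL = {
    "minor": "allow",
    "moderate": "warn_with_justification",
    "elevated": "block",
}


@dataclass(frozen=True)
class Activity:
    user: str
    kind: str
    at: datetime


def risk_score(activities, now, privileged=False):
    """Weighted sum of recent activity, plus sequence bonus and role multiplier."""
    recent = sorted((a for a in activities if timedelta(0) <= now - a.at <= LOOKBACK),
                    key=lambda a: a.at)
    score = sum(ACTIVITY_WEIGHTS.get(a.kind, 0) for a in recent)
    # Sequence detection: a third-party download followed within the window by
    # any other exfiltration action is scored higher than its parts.
    downloads = [a.at for a in recent if a.kind == "download_third_party_site"]
    for a in recent:
        if a.kind != "download_third_party_site" and any(
                timedelta(0) <= a.at - d <= SEQUENCE_WINDOW for d in downloads):
            score += SEQUENCE_BONUS
            break
    if privileged:
        score *= PRIVILEGED_ROLE_MULTIPLIER
    return score


def risk_level(score):
    """Bucket a score into the three levels the DLP policy distinguishes."""
    if score >= 60:
        return "elevated"
    if score >= 20:
        return "moderate"
    return "minor"


def dlp_decision(user, activities, now, privileged=False):
    """What the endpoint DLP policy does when this user prints a confidential file now."""
    score = risk_score(activities, now, privileged)
    level = risk_level(score)
    return {"user": user, "score": score, "level": level, "action": DLP_ACTION_BY_LEVEL[level]}


# Constructed activity history for the two Contoso users.
NOW = datetime(2023, 2, 6, 12, 0)
REBECCA_EVENTS = [
    Activity("rebecca", "email_external", NOW - timedelta(days=10)),
    Activity("rebecca", "print_confidential", NOW - timedelta(days=3)),
]
CHRIS_EVENTS = [
    Activity("chris", "download_third_party_site", NOW - timedelta(days=2)),
    Activity("chris", "copy_to_usb", NOW - timedelta(days=2) + timedelta(hours=3)),
    Activity("chris", "upload_to_personal_cloud", NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    print(dlp_decision("rebecca", REBECCA_EVENTS, NOW))
    print(dlp_decision("chris", CHRIS_EVENTS, NOW, privileged=True))
    # Chris's activity ages out of the look-back window, so the block lifts by itself.
    print(dlp_decision("chris", CHRIS_EVENTS, NOW + timedelta(days=45), privileged=True))
```

Running it shows Rebecca receiving the justification prompt and Chris being blocked, and then Chris returning to "allow" once his activity falls outside the 30-day window, which is the dynamic adjustment the post describes.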

Fortify your data security with a multilayered, cloud-scale approach

As I speak with customers, I continue to hear about their difficulties in managing a patchwork of data-governance solutions across a multicloud and multiplatform environment. Today’s hybrid workspaces require data to be accessed from a plethora of devices, apps, and services from around the world. With so many platforms and access points, it’s more critical than ever to have strong protections against data theft and leakage. For today’s environment, a defense-in-depth approach offers the best protection to fortify your data security. There are five components to this strategy, all of which can be enacted in whatever order suits your organization’s unique needs and possible regulatory requirements.

  1. Identify the data landscape: Before you can protect your sensitive data, you need to discover where it lives and how it’s accessed. That requires a solution that provides complete visibility into your entire data estate, whether on-premises, hybrid, or multicloud. Microsoft Purview offers a single pane of glass to view and manage your entire data estate from one place. As a unified solution, Microsoft Purview empowers you to easily create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage. Now in preview are more than 300 new, ready-to-use trainable classifiers for source code discovery, along with 23 new pre-trained out-of-the-box trainable classifiers that cover core business categories, such as finance, operations, human resources, and more.
  2. Protect sensitive data: Along with creating a holistic map, you’ll need to protect your data—both at rest and in transit. That’s where accurately labeling and classifying your data comes into play, so you can gain insights into how it’s being accessed, stored, and shared. Accurately tracking data will help prevent it from falling prey to leaks and breaches. Microsoft Purview Information Protection includes built-in labeling and data protection for Microsoft 365 apps and other Microsoft services, including sensitivity labels for Outlook appointments, invites, and Microsoft Teams chats. Microsoft Purview Information Protection also empowers users to apply customized protection policies, such as rights management, encryption, and more.
  3. Manage risks: Even when your data is mapped and labeled appropriately, you’ll need to take into account user context around the data and activities that may result in potential data security incidents. As I noted earlier, internal threats accounted for almost 35 percent of unauthorized access breaches during the third quarter of 2022.[2] The best approach to addressing insider risk is a holistic approach bringing together the right people, processes, training, and tools. Microsoft Purview Insider Risk Management leverages built-in machine learning models to help detect the most critical risks and provides enriched investigation tools to accelerate time to respond to potential data security incidents, such as data leaks and data theft. Recent updates include sequence detection starting with downloads from third-party sites and a new trend chart to show a user’s cumulative data exfiltration activities. And to help reduce noise and ensure safe and compliant communications, we’ve added a policy condition to exclude email blasts (such as bulk newsletters) from Microsoft Purview Communication Compliance policies.
  4. Prevent data loss: This includes unauthorized use of data. More than 85 percent of organizations do not feel confident they can detect and prevent the loss of sensitive data.[4] An effective data loss protection solution needs to balance protection and productivity. It’s critical to ensure the proper access controls are in place and policies are set to prevent actions like improperly saving, storing, or printing sensitive data. Microsoft Purview Data Loss Prevention offers native, built-in protection against unauthorized data sharing, along with monitoring the use of sensitive data on endpoints, apps, and services. DLP controls can be extended to macOS endpoints, to non-Microsoft apps through Microsoft Defender for Cloud Apps, and to Google Chrome, providing comprehensive coverage across customers’ environments. We now also support, in preview, DLP controls in Firefox with the Microsoft Purview Extension for Firefox. And now with the general availability of the Microsoft Purview Data Loss Prevention migration assistant, you’re able to automatically detect your current policy configurations and create equivalent policies with minimal effort.
  5. Govern the data lifecycle: As data governance shifts toward business teams becoming stewards of their own data, it’s important that organizations create a unified approach across the enterprise. This kind of proactive lifecycle management leads to better data security and helps ensure that data is responsibly democratized for the user, where it can drive business value. Microsoft Purview Data Lifecycle Management can help accomplish this by providing a unified data-governance service that simplifies the management of your on-premises, multicloud, and software as a service (SaaS) data. Now in preview, simulation mode for retention labels will help you test and fine-tune automatic labeling before broad deployment.

And lastly, we’re making it easier for you to assess and monitor your compliance posture with integration between Microsoft Purview Compliance Manager and Microsoft Defender for Cloud. This new integration enables your security operations center to ingest any assessment in Defender for Cloud, simplifying your work by bringing together multiple services in a single pane of glass.

Data protection that keeps you moving forward fearlessly

Data is the oxygen of digital transformation. And in the same way that oxygen both sustains life and feeds a fire, each organization must strike a balance between ready access to data and securing its combustible elements. At Microsoft, we don’t believe your business should have to sacrifice productivity for greater data protection. This is where Adaptive Protection in Microsoft Purview excels—empowering your security operations center to efficiently safeguard sensitive data with the power of machine learning and cloud technology—without interfering with business processes. If you’re not already a Microsoft Purview customer, be sure to sign up for a free trial.

Mark your calendar for Microsoft Secure on March 28, 2023, where you’ll hear about even more Microsoft Purview innovations. This new digital event will bring together customers, partners, and the defender community to learn and share comprehensive strategies across security, compliance, identity, management, and privacy. We’ll cover important topics such as the threat landscape, how Microsoft defends itself and its customers, the challenges security teams face daily, and the future of security innovation. Register now.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] How Much Data Is Created Every Day in 2022? Jacquelyn Bulao. January 26, 2023.

[2] Insider threat peaks to highest level in Q3 2022. Maria Henriquez. November 2022.

[3] Build a Holistic Insider Risk Management Program. Microsoft. October 2022.

[4] 2021 Verizon Data Breach Report. 2021.

4 things to look for in a multicloud data protection solution
http://approjects.co.za/?big=en-us/security/blog/2022/12/13/4-things-to-look-for-in-a-multicloud-data-protection-solution/
Tue, 13 Dec 2022 17:00:00 +0000

Learn four must-haves for multicloud data protection, including how an integrated solution provides greater scalability and protection across your multicloud and hybrid environment.

What does it mean to be a multicloud organization? As the name implies, the term describes a model of cloud computing where an organization uses multiple clouds—two or more public clouds, private clouds, or a combination of public, private, and edge clouds—to distribute applications and services. Subscribing to multiple cloud vendors can help your business access best-of-breed solutions along with competitive pricing.

The downside? Using multiple cloud platforms can create inconsistent infrastructures that don’t scale across environments. This can lead to teams working in silos—bringing increased complexity, additional costs, network security gaps, and risks to business-critical applications and data. It’s not unheard of for some organizations to own 80 to 100 different security tools stitched across hybrid and multicloud environments, while still wondering: are we secure? In this blog, we’ll help you answer that question by detailing four qualities a multicloud data-protection solution should provide and how Microsoft Purview can help unify security, compliance, and data protection across your enterprise.

Multiple clouds require unified data protection

Enabling multicloud integration and automation at scale is essential for fostering a robust partner ecosystem. Since 89 percent of enterprise customers have moved to a multicloud environment, maintaining security across your expanding data estate is necessary.1 Patchwork solutions can create vulnerabilities, whereas a comprehensive solution delivers seamless data protection and data governance across your entire digital estate.

Look for a multicloud security and data-protection solution that:

  1. Unifies auto-discovery and protection of sensitive data. Your multicloud data-protection solution should provide comprehensive security and compliance tools that span both first- and third-party apps and services to include Personally Identifiable Information (PII), such as home addresses, date of birth, and Social Security Numbers. Look for features such as built-in sensitivity labeling within applications and services, including popup user notifications that help guide users on security best practices. These features help ensure all sensitive data is correctly classified and labeled so that files can’t be exfiltrated without proper permissions.

    A data-protection solution with rights management and automatic encryption of emails (and attachments), as well as co-authoring of encrypted documents, will help to ensure secure collaboration. Your multicloud security tool should be flexible enough to allow manual labeling of some sensitive files for leadership-only access (like mergers and acquisitions projects), while also enabling admins to automatically label and protect business files stored in Microsoft SharePoint or Microsoft Teams (like Confidential labels for Finance or HR records). This tool should also be able to scan and classify on-premises file shares, as well as cloud applications and services.
  2. Protects sensitive files and documents from being exfiltrated to third-party applications and services. More than 40 percent of corporate data is dark,2 meaning it is not classified, protected, or governed. This invites risk in the form of sensitive data leakage, which can harm your reputation and, in the case of leaked PII, lead to costly litigation. Your multicloud security solution should be able to classify files and documents, apply sensitivity labels, provide sharing controls and file governance, and use near real-time data loss prevention policies to prevent data leakage across third-party apps.
  3. Uses automated data discovery across structured and unstructured data. Every organization needs to be able to securely share data both internally and with partners and customers. That’s why your data protection solution needs to provide data scanning and classification for all types of assets across multicloud and on-premises environments. Metadata and descriptions of data assets should be integrated into a holistic map of your data estate. Atop this map, purpose-built apps can create environments for data discovery, access management, and insights about your data landscape.
  4. Applies Zero Trust principles to your entire digital estate. This includes strong multifactor authentication to verify user identities, as well as ensuring all endpoints are in compliance. Your data-protection solution should also ensure that governance and compliance policies are built in, and continuous risk assessment and forensics capabilities are implemented. Other key functions should include classifying, labeling, and encrypting emails and documents, as well as adaptive access to software as a service (SaaS) applications and on-premises applications.

Integrate for comprehensive protection

Overcoming the siloed approach in a multicloud environment can be a challenge. However, the risks are too great to make do with ad-hoc, patchwork security solutions. Beyond PII, also at stake is your business’s intellectual property (IP), financial statements, organizational structures, employee contacts, and other information that could be targeted with ransomware, phishing, and password attacks.

Microsoft Purview’s information protection and governance capabilities help your organization address potential data vulnerabilities across a multicloud environment by integrating information protection and data lifecycle management, along with data loss prevention, insider risk management, and eDiscovery. Microsoft Purview’s data governance portal helps manage your entire data landscape—on-premises, multicloud, and SaaS—allowing you to create a comprehensive, up-to-date map of your data wherever it resides. This unified governance enables data curators and security admins to keep your data secure; all while empowering users to find the trustworthy data they need.

Microsoft Priva adds another layer of protection with privacy risk management, helping to identify data-privacy risks and automate mitigation wherever the data lives. To accommodate individuals who request to review or manage their personal data, Microsoft Priva Subject Rights Requests includes the Microsoft Graph subject rights requests API. This API helps your organization do more with less by automating searches across Microsoft Exchange, Microsoft OneDrive, SharePoint, or Teams.

And to protect the business-critical apps you rely on, Microsoft Defender for Cloud Apps helps you classify sensitive information using real-time controls that monitor data accessed across your multicloud environment. As a cloud access security broker (CASB), Defender for Cloud Apps blocks attacks against your apps using automated identity governance, and it integrates seamlessly with Microsoft Entra Permissions Management to root out and remediate permission risks.

Look for a built-in data protection solution

Any data-protection solution needs to address the four areas discussed—unified discovery and protection, protection against data exfiltration, control of unstructured data, and a foundation of Zero Trust—across hybrid and multicloud environments. Both Microsoft 365 and Microsoft Azure are purpose-built with Zero Trust as a core architectural principle. And with comprehensive, integrated solutions for information protection, data governance, risk management, and compliance, Microsoft Purview builds on all four pillars—so you can move forward, fearless.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1. How Many Companies Use Cloud Computing in 2022? All You Need To Know, Jacquelyn Bulao, Tech Jury, November 26, 2022.

2. Unlocking the hidden value of dark data, Maria Korolov, CIO, August 11, 2022.

Discover Microsoft Security solutions for SLTT government grant readiness
http://approjects.co.za/?big=en-us/security/blog/2022/10/27/discover-microsoft-security-solutions-for-sltt-government-grant-readiness/
Thu, 27 Oct 2022 16:00:00 +0000

Products and solutions from Microsoft can help state, local, and territorial governments improve their cybersecurity and secure federal grant funding.

As part of the Bipartisan Infrastructure Law, also known as the Infrastructure Investment and Jobs Act of 2021, the United States federal government announced a cybersecurity grant program for state, local, territorial, and tribal (SLTT) governments to fund allocation of USD1 billion over the next four years for the improvement and creation of cybersecurity programs. The Department of Homeland Security will implement the grant program, with the Cybersecurity and Infrastructure Security Agency (CISA) serving as subject matter experts and the Federal Emergency Management Agency (FEMA) administering the funds.

To qualify for funding, Cybersecurity Plans must include the following strategic elements, based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF):

  • Implement multifactor authentication (MFA).
  • Implement enhanced logging.
  • Data encryption for data at rest and in transit.
  • End the use of unsupported or end-of-life software and hardware that are accessible from the internet.
  • Prohibit the use of known, fixed, or default passwords and credentials.

SLTT governments have many options across a variety of vendors for the products and solutions that meet the above criteria. It is essential to have a detailed plan and well-structured strategy to advance applications for federal funding. In support of these efforts, we want to call attention to the following offerings from Microsoft that can help SLTT governments make their case for federal funding in these key areas.

Implement multifactor authentication

Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra, offers an array of MFA methods, be it in the form of a single multifactor authenticator or the form of two single-factor authenticators (read the full list of supported multifactor authentication methods). To set the bar higher, SLTT governments can further strengthen their MFA and enforce the use of phishing-resistant MFA using Azure AD certificate-based authentication, FIDO2 security keys, Conditional Access Authentication Strengths, or Windows Hello for Business. Products like Microsoft Intune can make it easy to configure Windows Hello for Business, supporting your organization’s move to MFA. Azure AD’s External Identities cross-tenant access settings are an ideal way to securely collaborate with external users coming from other Azure AD organizations and other Microsoft Azure clouds. Cross-tenant access settings give you granular control over how external users from other Azure AD organizations collaborate with you (inbound access) and how your users collaborate with other Azure AD organizations (outbound access). These settings also let you trust MFA and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.

Implement enhanced logging

Microsoft Sentinel provides capabilities to centralize log data from other software and systems to track incidents and events across the enterprise. An expansive hub of rich integrations allows for the ingestion, enrichment, and delivery of log data, including cloud access security broker, identity, endpoint, network and operational technology (OT) security, and IT capabilities with bi-directional integrations. Archived logs allow for the storage of data for up to seven years to meet compliance requirements.

For Windows devices, Microsoft Intune can collect diagnostic logs remotely, per device or in bulk, without interrupting the user.

Data encryption for data at rest and in transit

Data at rest encryption for Microsoft 365 provides Customer Key-based encryption across multiple Microsoft 365 workloads. Tenant administrators can configure a single data encryption policy using customer-managed keys and assign it to the tenant. Once assigned, the tenant-level encryption policy starts encrypting all customer data for multiple Microsoft 365 workloads.

With Microsoft Purview Advanced Message Encryption, you can control sensitive emails shared outside the organization with automatic policies. You configure these policies to identify sensitive information types, such as personally identifiable information or financial or health identifiers, or you can use keywords to enhance protection. Once configured, you can pair policies with custom-branded email templates and then add an expiration date for extra control of emails that match the policy.

Microsoft Intune also helps you enforce data protection on your devices so they comply with your organization’s policies. Combined with Conditional Access policies, this helps verify that when data leaves your organization, it can only go to compliant devices that are encrypted and meet the standards your organization defines (including data-at-rest protection). Intune can also configure and enforce BitLocker encryption on Windows endpoints and require encryption across the mobile device landscape.

Prohibit use of known, fixed, or default passwords and credentials

SLTT governments are required to change password policies that are proven ineffective, such as complex passwords that are rotated often. This includes the removal of the requirement for special characters and numbers, along with time-based password rotation policies. Instead, consider doing the following:

  • Use password protection to enforce the blocking of a common list of weak passwords that Microsoft maintains. You can also add custom banned passwords.
  • Use self-service password reset to help users reset passwords as needed, such as after an account recovery or credential compromise.
  • Use Azure AD Identity Protection to be alerted about compromised credentials so you can take immediate action.

How Microsoft Security solutions help support grant applicants

The products mentioned above are some of the offerings SLTT governments can take advantage of when preparing applications for federal cybersecurity grant funding. For further information on other required elements and how Microsoft solutions map to the NIST CSF, organizations can read the US Cybersecurity Grant Readiness Assessment and Microsoft Technical Reference Guide.

Microsoft partners with governments around the world to ensure the safety and integrity of their critical systems. We are committed to assisting our SLTT government customers in improving the state of cybersecurity for their regions and the people they serve.

Additional resources for SLTT customers: 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

IT security: An opportunity to raise corporate governance scores
http://approjects.co.za/?big=en-us/security/blog/2022/08/08/it-security-an-opportunity-to-raise-corporate-governance-scores/
Mon, 08 Aug 2022 16:00:00 +0000

Corporate Governance scoring is increasingly important to boards of directors, executive leadership, and the investment community. Governance frameworks now incorporate aspects of IT security. Communicating the security message in ways that impact a company’s governance score is important to getting attention and investment from corporate leadership. This post examines a leading governance framework from Institutional Shareholder Services, Governance QualityScore, and the specifics of how IT security can increase a company’s score.

What is a corporate governance score?

Corporate governance scoring is increasingly important to boards of directors, executive leadership, and the investment community. If we want to enlist the support of a stakeholder, we have to talk about the things that are important to them. Sales revenue is important to sellers. Data breach risk gets the attention of the chief information security officer (CISO). Governance scores often affect executive compensation and the way an analyst rates a company’s stock. They are important to the board.     

If the IT security team communicates in terms of improving a corporate governance score, it will get their attention. Boards have a lot of demands on their attention as they prioritize the many risks and opportunities they need to navigate. Moving the needle on a benchmark they already care about helps them prioritize IT security. 

Corporate governance benchmarks, such as the Institutional Shareholder Services (ISS) ESG Governance QualityScore, are a focus area for boards, management, and investment analysts.1 This is a language that they speak. If we want to advocate with these stakeholders, framing our IT security investments and actions in terms of an increased QualityScore is an effective way to do this.

Leaders in the corporate governance space have recognized the part that IT security plays in corporate governance and have included this in their scoring methodology. Cybersecurity is identified as a focus area in Principles of Corporate Governance for the board risk oversight and management strategic planning responsibilities,2 as well as an evolving governance challenge in the Harvard Law School Forum on corporate governance.3 Security, particularly concerning data breaches, is identified by the Corporate Finance Institute as one of the principles of corporate governance.4

We’ll identify the specific ways that IT security governance can impact a company’s ISS Governance QualityScore, potentially driving analyst recognition, shareholder value, and executive compensation. This can help inform the board as they consider relative priorities and investments in IT security.

While the discussion is applicable to all geographies and segments, the scoring example we’ll use is for a United States-based company in the Standard and Poor’s (S&P) 500 index.

How corporate governance scores are calculated

The ISS ESG Governance QualityScore is a data-driven scoring and screening solution designed to help institutional investors monitor portfolio company governance. The ISS Governance QualityScore global coverage is applied to approximately 7,000 companies, including those represented in S&P 500, STOXX 600, Russell 3000, Nikkei 400, and others around the world.

The companies’ annual meeting notes, regulatory filings, and other public-facing information are reviewed quarterly, and in real time for some events, to update the QualityScore.

The methodology is made available on the ISS website.5

To improve the organization’s QualityScore and map the impact of IT security investments and activities, it is important to understand the factors (questions) and how a score is calculated.

The topics scored include:

  • Board structure.
  • Compensation.
  • Shareholder rights.
  • Audit and risk oversight.

The audit and risk oversight section is where the IT security-related factors are located. We’ll focus our discussion on how to map and raise these factors.

A raw score based on the factors is calculated and ranked relative to companies in the same index or region to promote an “apples to apples” comparison, with a number from 1 to 10 assigned to each category. Figure 1 shows an example of a raw score and category score for each category for a United States-based company in the S&P 500.

Category                 Category Raw Score   Category Score
Board Structure          25.0                 7
Compensation             19.5                 10
Shareholder Rights       28.0                 5
Audit & Risk Oversight   56.5                 4

                         Overall Raw Score    Governance QualityScore
Total                    129.0                8

Table 1. Score methodology example for S&P 500 United States-based company.

Rating Category            Questions Scored
Board Structure            51
Audit and Risk Oversight   21
Shareholder Rights         32
Compensation               37
Total                      141

Table 2. Questions scored in each category for a United States-based company.

For the United States, there are 141 factors scored. Twenty-one are for the Audit and Risk Oversight category. Of these, 11 are related to information security. Thus, more than half of this category’s raw score that will be scaled to create the 1 to 10 QualityScore for the Audit and Risk Oversight category is related to IT security.

The definition of IT security-related questions differs from what an IT security and compliance professional will have encountered from working with the ISO, the NIST, or similar security standards. We’ll look at this next.

IT security conversation with the board and executives through the corporate governance lens

The factors used for the governance score are different from what we’d encounter in an IT audit. They don’t cover the full set of controls and defense in depth that we’d expect as IT security professionals. Some are likely part of key performance indicators (KPIs) already tracked, such as those relating to awareness and training, financials, and breaches.

When a strategic plan or business case for an investment is presented to leadership, it can be mapped to the QualityScore factors. An improvement in the governance score can be forecasted.

An example is provided below for the implementation of Microsoft Purview Audit (Premium). This tool is part of Microsoft 365, is easily deployed, and has no user impact or change management requirements. In the event of a credential compromise, it provides forensic information to understand whether sensitive information was breached and which documents the bad actor may have accessed, and it retains audit data for long periods of time.

Question ID 402: Does the company disclose an approach to identifying and mitigating information security risks?
Mapping: Audit (Premium) allows a company to identify the information accessed by a bad actor if an account is compromised. It provides forensic information to understand the consequences of a breach and remediate appropriately. This is part of risk mitigation.

Question ID 406: What are the net expenses incurred from information security breaches over the last three years relative to total revenue?
Mapping: Audit (Premium) makes information available that can differentiate a breach that has no impact from one that has a massive impact on the company, its partners, and its customers. Without this information, the company may incur massive costs for breach notification and mitigation that would not be necessary if the breach could be properly scoped.

Question ID 407: Has the company experienced an information security breach in the last three years?
Mapping: Audit (Premium) can differentiate between account compromise that has no impact and may not be reportable as opposed to a breach requiring large-scale reporting and remediation. Reporting information security compromises correctly, including knowing what is and is not a breach, is a focus of Audit (Premium).

Question ID 408: What are the net expenses incurred from information security breach penalties and settlements over the last three years relative to total revenue?
Mapping: The expenses and penalties incurred due to an information security breach will vary greatly depending on the scope and impact of the breach. Expenses and penalties can be reduced as a result of the forensic information Audit (Premium) makes available.

Question ID 409: Has the company entered into an information security risk insurance policy?
Mapping: Insurers require underwriting to issue security risk insurance policies. Underwriting depends on the company’s IT security program, controls, and governance. Audit (Premium) is an important part of the security program, providing uniquely valuable forensic information.

Question ID 412: How long ago did the most recent information security breach occur (in months)?
Mapping: Audit (Premium) can differentiate between account compromise that has no impact and may not be reportable as opposed to a breach requiring large-scale reporting and remediation. It can enable a forensic investigation that scopes a breach in terms of time and the timing of bad actor activities in this period.

Table 3. Example Mapping of Microsoft Purview Audit (Premium) to ISS Governance QualityScore.

Alignment with the Governance QualityScore goes beyond the support of security solutions and investments.

Some of what the company may already have in place, like security training, standards-based audit, metrics, and reporting is part of the scoring. Communicating this so that it is reflected in the governance score increases the company’s return on investment and leadership’s awareness of the contributions of the security team.

The score will be boosted by having senior leadership regularly brief the board on information security matters.

Adding a board member with security experience will also boost the score. Both give the security function the attention and investment it needs from leadership to improve the company’s security posture.

Conclusion

Showing how a company’s Governance QualityScore benefits from their investment in security demonstrates additional return on investment and wins support for the security program from a range of stakeholders. Stakeholders that may not recognize the value of IT security controls and processes or understand IT security risk may recognize the financial and brand value of an increased governance score.

As time goes on, the expectations for IT security to be part of corporate governance will increase. The focus on the breach will likely be broadened to a more holistic perspective. Additional factors will be considered and the impact of IT security on the overall scoring will increase.

Consider demonstrating how an IT security investment or activity will raise your company’s governance score, along with the other aspects of the business case and risk management, when presenting to leadership to make a complete case for action.

Learn more about data governance for enterprise companies.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel.


1. Institutional Shareholder Services ESG Governance QualityScore, ISS, March 31, 2022.

2. Principles of Corporate Governance, Harvard Law School Forum on Corporate Governance, September 8, 2016.

3. Cybersecurity: An Evolving Governance Challenge, Harvard Law School Forum on Corporate Governance, March 15, 2020.

4. Corporate Governance, Corporate Finance Institute, May 8, 2022.

5. Governance QualityScore, ISS.

Behind the unprecedented effort to protect customers against the NOBELIUM nation-state attack
http://approjects.co.za/?big=en-us/security/blog/2021/12/02/behind-the-unprecedented-effort-to-protect-customers-against-the-nobelium-nation-state-attack/
Thu, 02 Dec 2021 17:00:28 +0000

In the third of a four-part series on the NOBELIUM nation-state attack, we share how Microsoft product teams built new detections into products to better protect customers.

This is the third in a four-part blog series on the NOBELIUM nation-state cyberattack. In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. Microsoft’s four-part video series “Decoding NOBELIUM” pulls the curtain back on the NOBELIUM incident and how world-class threat hunters from Microsoft and around the industry came together to take on the most sophisticated nation-state attack in history. In this third post, we’ll explore Microsoft’s response to the NOBELIUM attack covered in the third episode of the docuseries.

Defending against a major cyberattack requires the same level of readiness that you need for any major crisis, according to Microsoft 365 Security Chief of Staff Elizabeth Stephens, a 19-year Marine Corps veteran who served in three combat deployments. There’s a mission. There’s a plan of action. And there’s an expert team ready to go. Stephens was part of a dedicated response team that was mobilized in response to the NOBELIUM nation-state attack in December 2020.

“All of the teams came together in a way that very much reminded me of the way my Marine Corps came together,” said Stephens. “The way we respond is very much like first responders. We pride ourselves on being able to come together regardless of our areas of specialty and expertise and fill in the gaps between each other very quickly to get a mission completed. [It’s about] selflessness and the sense of, if we weren’t defending then who else was going to?”

As explained in our first post in the series, How nation-state attackers like NOBELIUM are changing cybersecurity, these sophisticated actors are working to further a given country’s interests through cyberespionage or intelligence-gathering efforts. The multi-pronged attack, which included supply chain compromise from NOBELIUM, a Russian-linked group of hackers, is widely recognized as the most sophisticated nation-state cyberattack in history. When an attack of this magnitude is discovered, the response is equally significant. In the second post in the series, The hunt for NOBELIUM, the most sophisticated nation-state attack in history, we covered the initial industry-wide investigation and gathering of data to understand the attack.

In the third episode of our “Decoding NOBELIUM” series, we reveal new details about how Microsoft worked to disrupt the adversary and safeguard organizations: notifying and supporting impacted customers, rapidly deploying novel prevention measures, and providing detection measures to protect all of its customers against the threat.

Notifying customers of the NOBELIUM attack

Customers needed to be notified quickly so they could investigate and understand the scope of the attack inside their environments. Once the threat hunters began isolating threat markers for NOBELIUM activity, they could effectively identify and contact impacted customers. The security community, traditionally, tells customers that they will never receive a phone call from defenders—and to view any calls suspiciously. In this case, with attackers having access to victim environments, there was no safe alternative. Making a call with the difficult news of a sophisticated incursion would be hard enough, but in some instances, they had to find creative ways to validate that it was, in fact, Microsoft on the phone. As part of the notification, the team shared information and guidance about the attack to enable the customer to further investigate the scope and act to begin remediation. The news of NOBELIUM’s activity understandably stunned customers.

“To see the look on people’s faces as the gravity of that [situation] settled in, was certainly sobering for me and my team, but it was also a tremendous incentive to keep going until we could get to the very bottom of it,” said Franklin, Microsoft Identity Security Response Team Lead.

Building product detections to support customers

Those customer contacts were just part of Microsoft’s response to this attack. Microsoft’s threat hunters continued to pore over massive amounts of aggregated telemetry—including user, email, collaboration tool, endpoint, cloud activity, and cloud application security data—to identify more subtle attack markers. These markers, called tactics, techniques, and procedures (TTPs), were used to track NOBELIUM’s movements.

“By taking a holistic view, we are able to track attackers that move from domain to domain and that is usually where they get lost in the noise, in the transitions,” said Michael Shalev, Principal Program Manager for Microsoft 365 Defender.

The team identified more than 70 TTPs associated with the NOBELIUM attack that we shared publicly. Together, they painted a picture of how the NOBELIUM group operated. Microsoft teams determined which TTPs were specific to an organization, and which were found across the impacted organizations. They quickly used these TTPs to build automated detections into security products so impacted organizations could “return their network and assets to a healthy state” and unimpacted organizations could protect themselves from similar threats, Shalev explained.

Releasing detections into security products in response to a specific attack isn’t new; Microsoft does so regularly. But the release volume after the NOBELIUM incident was unprecedented. During a three-week period, Microsoft researchers released multiple detections a day, in the form of targeted custom queries shared through blog posts or updates released directly into the products to enable real-time action. “Seconds count when responding to an attack like this,” said Partner Product Manager Sarah Fender of Microsoft Sentinel, Microsoft’s cloud-native security information and event management platform.

For example, the threat hunters discovered specific techniques that NOBELIUM used to evade security software and analyst tools. As there can be benign reasons to turn off sensors or logging, the TTP research was critical to detecting when the activity was malicious. In response, the Microsoft Defender for Endpoint team developed new anti-tampering policies, hunting queries, and detections to identify and send alerts on these specific NOBELIUM-related activities.
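The point above, that the same command can be routine maintenance or an attacker blinding the sensor, is what the detection has to resolve. The following is an added example written for this post, not Microsoft's or Defender for Endpoint's detection logic: it runs a handful of command-line patterns for clearing logs and stopping sensors over constructed process-creation events, then rates each hit by whether an approved change window explains it. The event field names, hostnames, accounts and the change ticket are assumptions made for the example.

```python
import json
import re
from datetime import datetime

# Constructed sample process-creation events (not real telemetry), one JSON object
# per line. Field names are assumptions for this example, not a product schema.
SAMPLE_EVENTS = """\
{"ts": "2021-01-05T02:10:00Z", "host": "fs01", "user": "svc-backup", "parent": "services.exe", "cmd": "wevtutil.exe cl Security"}
{"ts": "2021-01-05T02:40:00Z", "host": "fs01", "user": "jdoe", "parent": "cmd.exe", "cmd": "wevtutil cl System"}
{"ts": "2021-01-05T14:22:31Z", "host": "fs01", "user": "jdoe", "parent": "rundll32.exe", "cmd": "auditpol.exe /clear /y"}
{"ts": "2021-01-06T09:01:12Z", "host": "ws-17", "user": "jdoe", "parent": "cmd.exe", "cmd": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ts": "2021-01-06T09:05:00Z", "host": "ws-17", "user": "jdoe", "parent": "explorer.exe", "cmd": "notepad.exe report.txt"}
{"ts": "2021-01-06T22:45:09Z", "host": "dc02", "user": "svc-patch", "parent": "services.exe", "cmd": "sc.exe stop Sense"}
"""

# Command-line patterns for turning off logging or sensors. Each is a real Windows
# technique; the list is illustrative, not exhaustive.
TAMPER_PATTERNS = {
    "event-log-cleared": re.compile(r"\b(wevtutil(\.exe)?\s+(cl|clear-log)|Clear-EventLog)\b", re.I),
    "audit-policy-cleared": re.compile(r"\bauditpol(\.exe)?\s+/(clear|remove)\b", re.I),
    "av-realtime-disabled": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "sensor-service-stopped": re.compile(r"\b(sc(\.exe)?\s+stop|Stop-Service)\s+[\"']?(Sense|WinDefend)\b", re.I),
}

# Approved maintenance windows (hypothetical change records). A tampering command is
# only downgraded when host, account and time all match an approved window.
APPROVED_WINDOWS = [
    {"host": "fs01", "user": "svc-backup", "ticket": "CHG-0417",
     "start": "2021-01-05T02:00:00Z", "end": "2021-01-05T03:00:00Z"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def match_technique(cmdline):
    """Return the first tampering technique whose pattern matches, or None."""
    for name, pattern in TAMPER_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None


def approved_window(event, windows):
    """Return the change record that covers this event, or None."""
    when = _ts(event["ts"])
    for w in windows:
        if (w["host"] == event["host"] and w["user"] == event["user"]
                and _ts(w["start"]) <= when <= _ts(w["end"])):
            return w
    return None


def triage(events_text, windows=APPROVED_WINDOWS):
    """Flag sensor/logging tampering; rate it by whether an approved change explains it."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        technique = match_technique(event["cmd"])
        if technique is None:
            continue
        window = approved_window(event, windows)
        findings.append({
            "ts": event["ts"], "host": event["host"], "user": event["user"],
            "parent": event["parent"], "technique": technique,
            "severity": "informational" if window else "high",
            "ticket": window["ticket"] if window else None,
        })
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'informational': 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:<13} {f['ts']} {f['host']:<6} {f['user']:<11} "
              f"{f['technique']:<23} parent={f['parent']} ticket={f['ticket']}")
```

The second sample event is the one worth studying: it lands inside the approved window on the right host, but under a different account and from an interactive shell, so it stays high severity. Matching on time alone would have hidden it; the context that makes tampering benign has to be matched on every attribute, not just one.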

“You really have to meet the customer where they are because the attack is so significant that they’re all going to need help in different sorts of ways,” said Cristin Goodwin, Associate General Counsel for the Microsoft Digital Security Unit.

Cybersecurity strategies and available resources

In the third episode of our “Decoding NOBELIUM” series, security professionals share insights on defending customers after NOBELIUM’s discovery. Watch the episode for guidance on effective cybersecurity hygiene. Look out for the final post in the NOBELIUM nation-state attack series, where we will offer a fuller breakdown of the NOBELIUM attack and share predictions and tips for the future of cybersecurity. Read our previous posts in this series:

Microsoft is committed to helping organizations stay protected from cyberattacks, whether cybercriminal or nation-state. Consistent with our mission to provide security for all, Microsoft will use our leading threat intelligence and a global team of dedicated cybersecurity defenders to help protect our customers and the world. Two recent examples of Microsoft’s efforts to combat nation-state attacks are our September 2021 discovery and investigation of a NOBELIUM malware referred to as FoggyWeb, and our May 2021 profiling of NOBELIUM’s early-stage toolset comprising EnvyScout, BoomBox, NativeZone, and VaporRage.

For immediate support, visit the Microsoft Security Response Center where you can report an issue and get guidance from the latest security reports and Microsoft Security Response Center blogs.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Behind the unprecedented effort to protect customers against the NOBELIUM nation-state attack appeared first on Microsoft Security Blog.

archTIS and Microsoft: Zero Trust information security for Microsoft Teams http://approjects.co.za/?big=en-us/security/blog/2021/10/14/archtis-and-microsoft-zero-trust-information-security-for-microsoft-teams/ Thu, 14 Oct 2021 16:00:33 +0000 Microsoft Teams has seen a surge in growth during the pandemic with over 115 million daily active users and growing. With it, customer imperative for enabling safe and trustworthy online collaboration has also increased significantly.

The post archTIS and Microsoft: Zero Trust information security for Microsoft Teams appeared first on Microsoft Security Blog.

Microsoft Teams has seen a surge in growth during the pandemic with over 115 million daily active users and growing.1 With it, the customer imperative for enabling safe and trustworthy online collaboration has also increased significantly. The speed and simplicity with which Teams business users create new teams and channels means that IT and security groups need advanced tools and controls to ensure business-critical information is properly protected.

archTIS’ NC Protect has integrated with Microsoft Information Protection (MIP) to empower IT and business owners to easily create secure teams and channels and enable guest access, enforcing Zero Trust policies at the file, chat, and message level to prevent accidental sharing, misuse, and data loss.

Human error is a vulnerability to your security

Many organizations struggle to keep track of data and ensure their information security, sharing, and usage policies are being followed. This can pose a serious risk when you consider 63 percent of insider-related incidents are the result of negligence and simple human error, with another 23 percent related to criminal insiders.2

From sharing confidential files or sensitive information with the wrong recipient to including regulated or confidential data in a chat, these costly mistakes are hard to avoid if you rely upon user behavior and training to protect your data. Worse, some organizations try to solve the problem by turning off information sharing and guest access in Teams altogether.

Better together: NC Protect and Microsoft Information Protection

NC Protect leverages Microsoft security investments to further prevent data loss and insider threats with data-centric information security that applies Zero Trust principles to dynamically adjust access and information protection in Microsoft Teams.

By combining MIP sensitivity labels and Microsoft Azure Active Directory (Azure AD) attributes with NC Protect’s dynamic user- and attribute-based policies to control access, usage, and sharing, customers benefit from expanded protection and control over Teams collaboration to:

  • Leverage MIP sensitivity labels in combination with other file and user attributes from Azure AD and Active Directory to dynamically adjust access to and control of what users can see, how they can use and share information, and with whom at the file and chat level.
  • Empower team owners to set team and channel security from within the Teams app, using custom default rulesets, with just a few clicks and without IT involvement, so that internal and external users can collaborate securely.
  • Gain additional information protection capabilities for Teams including secure personalized watermarks, read-only access through a zero-footprint file viewer, flexible information barriers, and IT-friendly private channels.
  • Extend adaptive access, usage, and sharing policies across other Microsoft 365 apps for granular, dynamic information protection and next-generation data loss prevention (DLP).

Combining the power of MIP with NC Protect ensures granular policy-based control to secure collaboration and allows customers to realize the full value of their existing Microsoft investments.

How it works

NC Protect dynamically adjusts file security based on real-time comparison of user and file attributes to make sure that users view, use, and share files according to an organization’s regulations and policies. NC Protect leverages a file’s MIP sensitivity label as one of the attributes used to determine access and the level of protection needed based on the conditions at the time of access. With NC Protect, dynamically restrict access, usage, and sharing rights based on the file’s classification and the user’s current location, device, and security clearance.
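To make the attribute comparison concrete, here is an added example of a deny-by-default ABAC decision written for this post; it is not NC Protect's or Microsoft Information Protection's policy engine. A user's clearance, guest status, device compliance and network location are combined with the file's sensitivity label to produce the rights granted (view, edit, share) and the obligations that come with them (watermark, protected read-only viewer). The label names follow a common four-tier taxonomy; the rule set, accounts and document names are assumptions made for the example.

```python
from dataclasses import dataclass

# Sensitivity labels in increasing order. The names mirror a common label taxonomy,
# but the policy below is an illustrative ABAC rule set, not a product's logic.
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}


@dataclass(frozen=True)
class User:
    upn: str
    clearance: str              # highest label this account is cleared for (directory attribute)
    is_guest: bool = False      # external/guest account
    device_compliant: bool = False
    location: str = "external"  # "corporate" or "external", as seen at access time


@dataclass(frozen=True)
class Document:
    name: str
    label: str                  # sensitivity label stamped on the file


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rights: frozenset = frozenset()       # subset of {"view", "edit", "share"}
    obligations: frozenset = frozenset()  # controls applied when access is granted
    reason: str = ""


def evaluate(user: User, doc: Document) -> Decision:
    """Deny-by-default: a right exists only if a rule grants it for these attributes."""
    rank = LABEL_RANK.get(doc.label)
    if rank is None:
        return Decision(False, reason="unlabeled or unknown label: deny")
    if LABEL_RANK.get(user.clearance, -1) < rank:
        return Decision(False, reason=f"clearance {user.clearance!r} below {doc.label!r}")
    if user.is_guest and rank >= LABEL_RANK["Confidential"]:
        return Decision(False, reason="guest accounts are limited to General and below")
    if rank == LABEL_RANK["Highly Confidential"] and user.location != "corporate":
        return Decision(False, reason="Highly Confidential is only served on the corporate network")

    rights, obligations, reason = {"view"}, set(), "granted"
    if rank <= LABEL_RANK["General"]:
        rights |= {"edit", "share"}
    else:
        obligations.add("watermark")             # personalised watermark on every render
        if user.device_compliant:
            rights.add("edit")
            if rank == LABEL_RANK["Confidential"]:
                rights.add("share")              # recipients still go through their own evaluation
        else:
            obligations.add("protected-viewer")  # read-only viewer, no download or print
            reason = "non-compliant device: protected viewer only"
    return Decision(True, frozenset(rights), frozenset(obligations), reason)


def access_report(users, docs):
    """Evaluate every user/document pair; useful for reviewing the effect of a policy change."""
    return {(u.upn, d.name): evaluate(u, d) for u in users for d in docs}


if __name__ == "__main__":
    # Hypothetical accounts and files for the demonstration.
    alice = User("alice@contoso.example", "Highly Confidential", device_compliant=True, location="corporate")
    bob = User("bob@contoso.example", "Confidential")
    guest = User("carol@partner.example", "General", is_guest=True)
    docs = [Document("roadmap.docx", "Highly Confidential"),
            Document("pricing.xlsx", "Confidential"),
            Document("faq.md", "General")]
    for (upn, name), d in access_report([alice, bob, guest], docs).items():
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{upn:<22} {name:<13} {verdict:<5} {sorted(d.rights)} {sorted(d.obligations)} {d.reason}")
```

Two properties are worth checking whenever a rule set like this is changed: no branch grants a right without first passing the clearance check, and every path that cannot prove a grant ends in a deny. The `access_report` matrix is the quickest way to see what a new rule actually changed.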

Image demonstrating the integration with NC Protect and Microsoft Information Protection.

Learn more

Learn more about the NC Protect integration with MIP and Teams and other Microsoft 365 apps, including demonstrations of how NC Protect’s dynamic attribute-based access control better protects against insider threats:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

About archTIS

archTIS Limited (ASX:AR9) is a global provider of innovative software solutions for the secure collaboration of sensitive information. The company’s award-winning data-centric information security solutions protect the world’s most sensitive content in government, defense, supply chain, enterprises, and regulated industries through attribute-based access control (ABAC) policies. archTIS products include Kojensi, a multi-government certified platform for the secure access, sharing, and collaboration of sensitive and classified information; and NC Protect for enhanced information protection for file access and sharing, messaging, and emailing of sensitive and classified content across Microsoft 365 apps, Dropbox, Nutanix Files, and Windows file shares. For more information visit the archTIS website or follow archTIS on Twitter.

1Watch out Zoom: Microsoft Teams now has more than 115 million daily users, Owen Hughes, TechRepublic. 28 October 2020.

2The Cost of Insider Threats, IBM Security. 2020.

How security can keep media and sources safe http://approjects.co.za/?big=en-us/security/blog/2021/08/10/how-security-can-keep-media-and-sources-safe/ Tue, 10 Aug 2021 18:00:24 +0000 In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Runa Sandvik, an expert on journalistic security and the former Senior Director of Information Security at The New York Times. In this blog, Runa introduces the unique challenges and fundamentals of journalistic security.

The post How security can keep media and sources safe appeared first on Microsoft Security Blog.

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Runa Sandvik, an expert on journalistic security and the former Senior Director of Information Security at The New York Times. In this blog, Runa introduces the unique challenges and fundamentals of journalistic security.

Natalia: What is journalistic security? 

Runa: Being a reporter is not a 9-to-5 job. You’re not just a reporter when you step through the doors of The Washington Post or The Wall Street Journal or CNN. It becomes something that you do before work, at the office, at home, or after work at the bar. In some ways, you’re always on the job, so securing a journalist is about securing their life and identity. You’re not just securing the accounts and the systems that they’re using at work, which would fall under the enterprise; you’re securing the accounts and the systems that they use on a personal basis.

In addition, reporters travel. They cover protests and war zones. You will have to account for their physical and emotional safety. Journalistic security for me is effectively the umbrella term for digital security, physical security, and emotional safety.

Natalia: What is unique about securing a media organization?  

Runa: A media organization, whether it’s a smaller nonprofit newsroom or a larger enterprise, needs the same type of security tools and processes as any other organization. However, with a media organization, you must consider the impact. We’re not just talking about data belonging to the enterprise being encrypted or stolen and dumped online; we’re also talking about data from subscribers, readers, and sources. As a result, the potential ramifications of an attack against a media organization—whether it’s a targeted attack, like a nation-state actor looking for the sources of a story, or opportunistic ransomware—can be greater and involve far more people in a more sensitive context. Privacy-preserving monitoring is also important for newsrooms. I believe in helping the journalist understand what’s happening on their devices. If we aren’t teaching them to threat model and think about the digital security risks of their stories and communications with sources, we’re going to have a gap.

The other major difference is the pace. Newsrooms are incredibly deadline-driven, and security’s job is to enable journalists to do their job safely, not block their work. If a journalist tells their security team that they’re going to North Korea and need a secure setup, the team needs to shift their to-do list around to accommodate that—whether it means providing training or new hardware.

Natalia: What’s the biggest challenge to securing a media organization? 

Runa: The one thing that continues to be a challenge for media organizations is the lack of trust and collaboration between the internal IT and security teams and the newsroom. The newsroom doesn’t necessarily trust or go to those departments for help or tools to secure reporters, their material, and their work. If you’re building a defensive posture, you can’t secure what you don’t understand. If you don’t have a good relationship with the newsroom or know what kind of work they do, you’re going to have gaps. I’ve found it helpful to involve the newsroom when making decisions around tools and processes that impact their work. Involving the newsroom in discussions that affect it, even if they’re technical, will do a lot to build a trusting relationship.

Natalia: How do you build a process to evaluate and mitigate risk?  

Runa: If you’re writing about the best chocolate chip cookies, you’re probably fine. You’re probably not going to run into any issues with sources or harassment. If you decide to report on politics though, chances are you’ll face the risk of online threats and harassment that could escalate to physical threats and harassment. The context for a specific project and story becomes a set of risks that need to be accounted for.

Typically, the physical risk assessment process has already been established. Newsrooms have been sending reporters on risky assignments, such as to war zones, for a long time. In most newsrooms, a reporter will talk to the editor and assess the risk of any work-related travel. They get input from their physical security adviser, legal, and HR.

Building a similar process for the digital space becomes a challenge of education and awareness. In some cases, newsrooms have established and documented well-functioning processes, and security teams can become part of that decision tree. In other cases, you must start by introducing yourself to the newsroom and making sure people know you’re there to help. I’ve talked with news organizations in the United States, United Kingdom, and Norway that have cross-functional teams with representatives from the newsroom, IT, security, HR, communications, and legal to ensure no stories fall through the cracks.

Natalia: What processes, protocols, or technologies do you use to protect journalists and their investigations?

Runa: In a newsroom, you typically have “desks.” You have the investigations desk. You have style. You have sports. Different desks will have different needs from a technology and education perspective. Whenever I’m talking to a newsroom, I try to first cover security basics. We’re talking passwords, multifactor authentication, updates, and phishing. I cover the baseline; then look at the kind of work each desk is doing to drill in more. For investigations, this could involve setting up a tool to receive tips from the public, or air-gapped (offline) machines to securely review information.

For international travel, it could involve establishing an internal process with the IT team so a journalist can quickly request a new laptop or a new phone. In many cases, the tools that end up being used are popular and well-known. The journalist usually must use the same tools as the source.

Making the security team available to the newsroom also goes a long way. Reporters know how to ask questions—whether they’re doing an interview or trying to understand how a password manager works, or how to use a YubiKey. Give them an opportunity to ask questions through an internal chat channel or weekly meetings. It all goes back to relationship building and awareness.

Natalia: How has working in journalistic security shaped your perspective on security? 

Runa: When I first started working for The Tor Project, which develops free and open-source software for online anonymity, I was curious about how it’s possible to use lines of code to achieve that. I didn’t think much about the people who use it or what they use it for. But through that work, I learned a lot about the global impact The Tor Project has: from activists and journalists to security researchers and law enforcement. In interacting with reporters, I had to accept that there’s a difference between the ideal setup from a security standpoint and what’s going to get the job done. It would be great to give everyone a laptop with Tails or Qubes OS configured, but are they going to be able to use it for their work? At what point do we say that we’ve found a happy middle between securing the data or systems, enabling the reporter, and accepting risk?

Natalia: How can we continue to enhance security in the newsroom?  

Runa: We need more of a focus on security attacks that target and impact media organizations and reporters. Typically, when you read information about security attacks, it usually highlights the industries affected. You’ll see references to government, education, and healthcare, but what about media?

If you’re working at a media organization trying to understand what kind of digital threats you’re facing, where do you go to find information? I would love to see an organization or individual build a resource with a timeline of the kind of digital attacks we’ve seen against media organizations in the United States from 2015 to 2021. This would be a way to get a pulse on what’s happening to educate journalists of the risks, identify impact and risk to operations, and inform leadership.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Protecting on-premises Exchange Servers against recent attacks http://approjects.co.za/?big=en-us/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/ Fri, 12 Mar 2021 23:54:43 +0000 For the past few weeks, Microsoft and others in the security industry have seen an increase in attacks against on-premises Exchange servers. The target of these attacks is a type of email server most often used by small and medium-sized businesses, although larger organizations with on-premises Exchange servers have also been affected. Exchange Online is […]

The post Protecting on-premises Exchange Servers against recent attacks appeared first on Microsoft Security Blog.

For the past few weeks, Microsoft and others in the security industry have seen an increase in attacks against on-premises Exchange servers. The target of these attacks is a type of email server most often used by small and medium-sized businesses, although larger organizations with on-premises Exchange servers have also been affected. Exchange Online is not vulnerable to these attacks.

While this began as a nation-state attack, the vulnerabilities are being exploited by other criminal organizations, including new ransomware attacks, with the potential for other malicious activities.

This is now what we consider a broad attack, and the severity of these exploits means protecting your systems is critical. While Microsoft has regular methods for providing tools to update software, this extraordinary situation calls for a heightened approach. In addition to our regular software updates, we are also providing specific updates for older and out-of-support software with the intent to make it as easy as possible to quickly protect your business.

The first step is making sure all relevant security updates are applied to every system. Find the version of Exchange Server you are running and apply the update. This will provide protection for known attacks and give your organization time to update servers to a version that has a full security update.

The next critical step is to identify whether any systems have been compromised, and if so, remove them from the network. We have provided a recommended series of steps and tools to help — including scripts that will let you scan for signs of compromise, a new version of the Microsoft Safety Scanner to identify suspected malware, and a new set of indicators of compromise that is updated in real time and shared broadly. These tools are available now, and we encourage all customers to deploy them.
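The first of these two steps, confirming that every server carries the update, has a trap: the fix was released per cumulative update, so a build cannot be compared against a single minimum. A server on an older CU with the security update applied is protected, while a server on a newer CU without it is not, even though its build number is higher. The following is an added example written for this post, not a Microsoft script: it classifies a constructed inventory of Exchange build numbers against a per-CU table. The five threshold builds are the March 2021 values as I recall them and should be treated as an assumption to be confirmed against Microsoft's published build table; the hostnames are made up.

```python
import re
from typing import Dict, List, Tuple

# Required revision per cumulative update. Key = (major, minor, CU build), value = first
# revision of that CU that carries the security update. Assumption: these are the March 2021
# thresholds as recalled for this example; confirm them against Microsoft's build table.
PATCHED_REVISION: Dict[Tuple[int, int, int], int] = {
    (15, 2, 792): 10,   # Exchange Server 2019 CU8
    (15, 2, 721): 13,   # Exchange Server 2019 CU7
    (15, 1, 2176): 9,   # Exchange Server 2016 CU19
    (15, 1, 2106): 13,  # Exchange Server 2016 CU18
    (15, 0, 1497): 12,  # Exchange Server 2013 CU23
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_build(text: str) -> Tuple[int, int, int, int]:
    """Parse '15.2.792.10' or the zero-padded '15.02.0792.010' file-version form."""
    m = _BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a four-part build: {text!r}")
    a, b, c, d = m.groups()
    return int(a), int(b), int(c), int(d)


def patch_status(build_text: str) -> str:
    """'patched', 'vulnerable', or 'unknown-cu' (CU not in the table: treat as exposed)."""
    major, minor, cu, revision = parse_build(build_text)
    required = PATCHED_REVISION.get((major, minor, cu))
    if required is None:
        return "unknown-cu"
    return "patched" if revision >= required else "vulnerable"


def inventory(lines: str) -> List[Tuple[str, str, str]]:
    """Classify 'hostname build' lines; malformed lines are reported, not silently dropped."""
    rows: List[Tuple[str, str, str]] = []
    for line in lines.splitlines():
        parts = line.split()
        if not parts:
            continue
        host, build = parts[0], " ".join(parts[1:])
        try:
            rows.append((host, build, patch_status(build)))
        except ValueError:
            rows.append((host, build, "unparseable"))
    return rows


# Constructed inventory (hostnames and builds made up for the example), in the form
# produced by collecting the file version of ExSetup.exe from each server.
SAMPLE_INVENTORY = """\
EX01 15.02.0792.010
EX02 15.02.0792.003
EX03 15.01.2106.013
EX04 15.00.1395.004
EX05 Version 15.2 (Build 792.10)
"""

if __name__ == "__main__":
    for host, build, status in inventory(SAMPLE_INVENTORY):
        print(f"{host:<6} {build:<28} {status}")
```

Collect the build from the file version of ExSetup.exe on each server rather than from the AdminDisplayVersion property that Get-ExchangeServer returns: that property reflects the cumulative update and does not change when a security update is installed, so it cannot tell a patched server from an unpatched one. Any CU missing from the table is reported as unknown rather than assumed safe; those are the servers that need to be moved to a supported CU.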

Our customer service team has been working around the clock alongside hosting companies and our partner community to raise awareness with potentially affected customers. With the help of the community, we are working to raise awareness about these critical updates and tools with more than 400,000 customers.

To illustrate the scope of this attack and show the progress made in updating systems, we’ve been working with RiskIQ. Based on telemetry from RiskIQ, we saw a total universe of nearly 400,000 Exchange servers on March 1. By March 9 there were a bit more than 100,000 servers still vulnerable. That number has been dropping steadily, with only about 82,000 left to be updated. We released one additional set of updates on March 11, and with this, we have released updates covering more than 95% of all versions exposed on the Internet.

Finally, groups trying to take advantage of this vulnerability are attempting to implant ransomware and other malware that could interrupt business continuity. To best protect against this, we encourage all customers to review the ransomware guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as well as Microsoft’s own guidance on how to prepare for and protect against this sort of exploit.

This is the second time in the last four months that nation state actors have engaged in cyberattacks with the potential to affect businesses and organizations of all sizes. We continue to monitor these sophisticated attacks closely and apply the breadth and depth of our technology, human expertise, and threat intelligence to better prevent, detect, and respond.

Microsoft is deeply committed to supporting our customers against these attacks, to innovating on our security approach, and to partnering closely with governments and the security industry to help keep our customers and communities secure.
