Risk management Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/risk-management/
Expert coverage of cybersecurity topics. Feed retrieved Mon, 08 Apr 2024 20:53:02 +0000.

Mitigate risk by integrating threat modeling and DevOps processes
http://approjects.co.za/?big=en-us/security/blog/2023/02/02/mitigate-risk-by-integrating-threat-modeling-and-devops-processes/
Thu, 02 Feb 2023 17:00:00 +0000

Are you wondering how you can effectively integrate threat modeling with your DevOps practice to maximize value and shift-left security? We have collected a few ideas for you, with the help of a few leading security experts.

The post Mitigate risk by integrating threat modeling and DevOps processes appeared first on Microsoft Security Blog.

Agile and DevOps are without any doubt two of the biggest security trends of recent years. The rapid rise of the cloud has only fueled the need for flexibility and dynamism. Therefore, it’s natural for developers and organizations to seek methodologies and tools for addressing new requirements faster and innovating more efficiently.

One of the main principles of Agile and DevOps is “shift-left.” By this term, we mean moving some activities earlier in the lifecycle so that they become more effective and less costly. For example, shifting quality left means testing early to identify and fix bugs as soon as possible. If we look at it through the lens of the Microsoft Security Development Lifecycle, threat modeling is one of the best candidates for shifting security left. But how do we do that? Threat modeling has traditionally been somewhat separate from DevOps automation processes. Therefore, we need new ways to make it an integral part of Agile and DevOps.

This is the story of a team of Microsoft Security experts who have joined forces with some of the most famous threat modeling experts from the community to address those concerns. The results are freely available in Integrating threat modeling with DevOps.

The importance of focusing on the return on investment

There is no single threat modeling process. Threat modeling represents a category of methodologies to evaluate the security of systems, identify their weaknesses, and select the best approaches to counter the potential attacks exploiting them. The Threat Modeling Manifesto represents one of the best sources to understand at a fundamental level what threat modeling is. It is designed with the non-expert in mind, but it also includes some profound considerations with significant implications for most experts.

Not all threat modeling methodologies are equal, though. Some focus on automating the process so that non-experts can use them; consequently, they tend to map best practices and miss the threats that a more holistic approach would identify. Others rely too much on the threat modeler’s ability, so the results depend heavily on who is doing the work. In both cases, the risk is that valuable insights are diluted by generic recommendations, and the threat modeling initiative is felt by some as a bland experience hardly worth the cost.

This is why it is so important to expand our goals and include the maximization of the value for those who consume the results of the threat model. For us, this means focusing on the return on the investment: Threat modeling has a cost, which sometimes is significant; this cost must be compensated by the perceived value of the experience. Ultimately, everything boils down to answering a single question: Can we define a threat modeling process focused on maximizing quality while lowering the costs of the threat modeling exercise?

The Hackathon project

A team of Microsoft employees covering different roles from around the company joined forces to answer this question. We dedicated three full days to finding this answer as part of a global Hackathon by Microsoft. Given that we identified efficiency as a crucial factor in achieving this result, we called our initiative the “Efficient Threat Modeling” project. The resulting paper collects the learnings from this experience, hoping that they can also be helpful to other organizations around the globe.

The best way to start

Microsoft has a long history and strong experience with threat modeling, and we recognize that it is impossible to achieve such an ambitious goal without help. Therefore, we invited some of the top threat modeling experts to present to us their considerations on the topic. We have had the pleasure of learning from the following experts (in alphabetical order):

  • Altaz Valani, Director of Insight Research at Security Compass and a frequent speaker at events and conferences, and co-author of a paper on the future of threat modeling.[1]
  • Arun Prabhakar, security architect at Boston Consulting Group and co-author of the paper on the future of threat modeling.
  • Avi Douglen, chief executive officer and founder of Bounce Security, and recently appointed to the role of director at the Open Web Application Security Project (OWASP).
  • Brook S.E. Schoenfield, a renowned author of some great books on application security and threat modeling.
  • Hasan Yasar, technical director and adjunct faculty member at Carnegie Mellon University’s Software Engineering Institute, and co-author of the same paper on the future of threat modeling.
  • Izar Tarandach, renowned threat modeling expert, co-author with Matthew Coles of a threat modeling tool, pyTM, and of a great book on threat modeling for developers.
  • Lotfi Ben Othmane, assistant teaching professor at the Department of Electrical and Computer Engineering, leading the Engineering Secure Smart Cyber-Physical Systems Lab at Iowa State University.
  • Matthew Coles, renowned threat modeling expert and co-author with Izar Tarandach of pyTM, and author of a great book on threat modeling for developers.
  • Michael Howard, Principal Product Manager, Microsoft, a leader and an inspiration for generations of security experts and the author of some of the best books on application security.

Avi, Brook, Izar, and Matthew are co-authors of the Threat Modeling Manifesto.

This initiative has led to producing a paper introducing the ideas discussed during the Hackathon by the participants. While some of those ideas have been inspired or even blatantly taken from the discussions with those experts, the paper reflects the views of the Hackathon team. As such, the considerations presented there are not necessarily endorsed or even accepted by all our speakers. In any case, we owe them all a debt of gratitude.

The key learnings

Starting with such great inspirational speeches, we have had plenty of ideas to select from. Nevertheless, some of them have had a more substantial impact on us. The most important learning we have taken has been related to the need to focus on the DevOps process, given its prevalence. To us, this means not only the need to make the process available to members of the team, typically by simplifying and automating it, but also to ensure that the experience is deeply integrated with the existing DevOps processes.

Threat modeling should not become yet another burden but instead, an asset to facilitate the security requirements elicitation and collection, the design of secure solutions, the inclusion of activities in the Task and Bug Tracking tool of choice, and the evaluation of the residual risk given the current and future state of the solution.

We hope that at this point you are just as curious as we are about how you can achieve those great results. Of course, we do not have all the answers, but unfortunately, this margin is too small to contain them. So, if you do not want to wait 358 years to get a glimpse of our findings, you just have to jump to Threat Modeling with DevOps, where we have collected them all.

Learn more

Learn more about Microsoft Security Development Lifecycle.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] Evolving Threat Modeling for Agility and Business Value, Simone Curzi, Jack Freund, Arun Prabhakar, et al. 2021.

Microsoft Security tips for mitigating risk in mergers and acquisitions
http://approjects.co.za/?big=en-us/security/blog/2022/11/02/microsoft-security-tips-for-mitigating-risk-in-mergers-and-acquisitions/
Wed, 02 Nov 2022 16:00:00 +0000

Mergers and acquisitions can be challenging. Microsoft’s Security Experts share what to ask before, during, and after one to secure identity, access control, and communications.

The post Microsoft Security tips for mitigating risk in mergers and acquisitions appeared first on Microsoft Security Blog.

Sixty-two percent of organizations that undertake mergers and acquisitions face significant cybersecurity risks or consider cyber risks their biggest concern post-acquisition.[1] Threat actors that focus on corporate espionage often target the acquiring company, which we will refer to as the Parent, early in the bidding process to gain a competitive advantage. Other threat actors focus on planting backdoors in the entity being acquired, which we will refer to as the Acquisition, with the intent of later compromising the Parent company.

A Parent company can take several approaches to integrating the Acquisition within the organization’s IT environment. These include migrating the Acquisition’s services and users into the Parent’s IT environment or directly connecting the Acquisition’s IT environment through technical means. (See Figure 1.)

The first option has long-term security benefits, given that only selected elements of the Acquisition are incorporated into the Parent environment. On the other hand, depending on the complexity of both parties, this process can be time-consuming and costly.

The second option can be quicker to execute and reduce disruption to the operations of both parties; however, there may be hidden security and technical debt that may be costly to address in the long term.

So, what should an organization consider when determining the best plan of action for security in a merger or acquisition?

[Figure 1 illustration: two circles coming together, representing the two approaches to integrating the Acquisition within the organization’s IT environment: directly connect to the Acquisition’s IT environment and keep existing systems, or migrate all information into the Parent organization’s environment.]

Figure 1. Two avenues IT leadership can take with mergers and acquisitions.

Security risks in mergers and acquisitions

It is common for a Parent to make the decision based solely on economic considerations driven by the costs of time and effort; however, there are significant cybersecurity considerations that should be factored into the decision-making process to ensure the long-term security of both the Parent and the Acquisition.

These include:

  • Technical debt: Understand how much technical debt you will inherit. Every organization carries some technical debt, and the key in mergers and acquisitions is transparency. It is critical for a Parent to understand the technical debt it will be inheriting to understand how it will compound the Parent’s own technical debt and assist in quantifying any remediation costs.
  • Existing security (not exclusive to cybersecurity): Consider how the two parties will consolidate key security capabilities, such as endpoint detection and response (EDR) tools or antivirus. Also consider how they both coordinate Security teams, such as security operations and security engineering, to avoid carrying numerous capabilities, tools, and data sources.
  • Compliance and regulatory implications: Research how the Acquisition handles personally identifiable information (PII), like bank account numbers, and know the regulations it must abide by, its compliance procedures, and compliance history, including any regulatory violations. If the Acquisition is in a different country or region with stricter data privacy regulations, for instance, those are the ones both Parent and Acquisition should follow in relation to shared data.
  • Misconfiguration and underutilization of existing systems: Review the configuration of systems at the Acquisition. They may have been set up incorrectly, perhaps due to complexity or a lack of accountability, or they may be insufficiently utilized because of incomplete deployment or because no one has the skills to use them. You may find that a misconfiguration slipped through because new systems are not tested before they are introduced. That is a serious issue because security misconfigurations become the Parent’s liabilities.
  • Identity: Enable multifactor authentication (MFA) flow and other identity controls. Security teams should review the identity configuration, which may be bypassed because it wasn’t architected in a way that works for both companies.
  • Network: Evaluate how to connect legacy devices. In a merger or acquisition, it may not be possible to connect legacy devices with each other (for example, if a customer has devices that are not considered next-generation firewalls). With older firewalls, you lose the ability to apply security controls, and logging is less capable.
  • Cloud: Check whether Microsoft Azure subscriptions have MFA enabled, ports that are open in Azure infrastructure as a service, and the controls for federated identities with other providers. Conditional Access policies may cancel each other out.
  • Password Management: Consider who has more access—the threat actor or you? To help ensure it’s you, secure access to your data using Privileged Identity Management and Privileged Access Management tools.
  • New threats: Anticipate new threats and new-to-you threats. A small manufacturer, for example, may not know of a large-scale security threat but once acquired by a global corporation, it could become a target. Threat actors may see an acquisition as an opportunity to access the Parent through the Acquisition.

The two most common avenues of risk are:

  • Current actor persistence in the acquired environment: The actor is already there, and you are giving them an opportunity to enter the Parent environment when you connect the two. This is the most obvious path, and the ideal one for the attacker.
  • The security architecture of the acquired environment: It’s too hard to go against the Parent environment directly because its security posture is simply too costly for an attacker to go after, given what they could potentially gain in value. Instead, a threat actor targets the Acquisition.

If a threat actor knows about a pending acquisition, they can do reconnaissance on the acquired company to see if its security posture is weaker than the Parent’s. It may be a more attractive target to gain access to the Parent through the weaker acquisition environment.

The Acquisition likely receives support from multiple service providers. If any of those service providers are compromised, a threat actor could move into the Acquisition’s environment and then gain access to the Parent. Carefully consider the connections you have with vendors because they could bring a potentially unknown compromise and introduce security vulnerabilities and architectural weaknesses.

Deeper due diligence is key

The due diligence processes each company undergoes when making an investment will vary depending on the company, industry, and region. While there is no universal standard, it is critical that companies get it right and understand potential areas of concern they may be inheriting.

Ultimately, your organization is acquiring whatever unknowns are present in that environment. So that’s why it is important to ask questions before, during, and after a merger and acquisition. Anything persistent and any open backdoors affecting your environment provide a direct path into the Parent organization.

Security questions to ask before a merger or acquisition

Both parties need to foster open and honest communication and share technical data. Commit to transparency. From the exploratory phase to the official merger and acquisition negotiation process, both parties should understand the expectations, so they don’t miss details during the merger or acquisition.

Mergers and acquisitions are dynamic and complex. To achieve the economic goals of mergers and acquisitions, business leaders must understand the attack surface they’re onboarding. Discovering and cataloging the partner company’s resources and digital assets, from within the corporate perimeter to the entire internet, is a critical step of any due diligence process. These include known and unknown assets, including resources developed outside the purview of security and IT teams, like shadow IT. These audits can’t be outsourced or done just for compliance. They are top priorities every executive needs to consider to future-proof their investments.

The first step is to establish a baseline set of known facts. Ask these questions during your initial discovery phase and as part of a proactive assessment:

  • What is your basic security structure?
  • What is your antivirus and is it up to date?
  • What is your EDR solution?
  • How are you managing identity protection?
  • How are you managing data access protection?
  • Does the acquired company meet the current security standards of the Parent?
  • How are security issues triaged?
  • Do you have a form of central logging (security information and event management; security orchestration, automation, and response) solution?
  • How are you tracking and repairing your online vulnerabilities and compliance risks (unmanaged assets or those that have been forgotten)?

As you get deeper into the due diligence phases, ask these questions to understand their compromise history:

  • What is your history of security compromise?
  • When did these compromise(s) occur?
  • What are the details?
  • What are the root causes of those security compromises?
  • How were the threats mitigated?
  • Do you have a post-incident review process? What were the results?

After this disclosure, the most important question to ask is, “Did you remediate it?” If the Acquisition had a ransomware attack or other cyberattack, what happened? If the Acquisition had an unpatched vulnerability that let the attacker escalate privileges to domain admin and deploy the ransomware, we ask: what is your patching process?

Before setting up legal frameworks, disclose past events and understand how to remediate what caused them. Ignoring this recommendation invites fireworks of the non-celebratory kind.

Security questions to ask after a merger or acquisition

Arguably, the greatest risk to mergers and acquisitions security is establishing trust relationships or merging hundreds or thousands of systems into the Parent company’s enterprise infrastructure. The health and configuration of those systems should be evaluated for security risks. The presence of any malware or advanced persistent threat (APT) backdoors in the subsidiary company can threaten the Parent company after the merger. Security misconfigurations and risky decisions become the Parent company’s liabilities. Also, threat profiles need to be re-evaluated to include any geopolitical changes caused by the mergers and acquisitions process. For example, a small parts manufacturer would not be expected to be aware of risks from larger known threat actors (such as Phineas Phisher[2]), but after being acquired by a global oil company, it would need to be.

Take the information gathered during the pre-merger question and answer session, including compromise exposures and an analysis of the Acquisition’s existing security posture against a reference standard, and decide how to integrate that environment into yours, along with detailing the necessary technical steps. To integrate the acquired company into your environment, you’ll need to bring its security posture to your level. The Parent company will have to implement basic security practices. Here are steps to evaluate and prioritize:

  1. Assess existing systems that will be part of the acquisition and the risks associated.
  2. Conduct remediation based on those results.
  3. Understand the timeline for integrating the networks and know whether the data is located on-premises or in the cloud.
  4. Learn the process for asset refresh and retirement of systems.
  5. Conduct a penetration test or risk assessment and evaluate security policies and security gaps.

What actions should companies take?

The Microsoft Detection and Response Team (DART) has worked on incident response cases where companies were breached within an hour of completing a post-merger integration. In these cases, the threat actor’s subsidiary backdoor was granted two-way trust access to the Parent company’s Microsoft Azure Active Directory (Azure AD), third-party identity providers with any form of federation, and on-premises Active Directory forest.

DART has also had to explain to customers the probable connection between an APT actor’s backdoor uncovered in its environment, and the fact that its new Parent company’s bid was the lowest amount—to the dollar—that they were willing to accept during an acquisition. For these reasons and others, many of DART’s customers ask for security assessments before, during, or immediately after completing mergers and acquisitions.

Take these steps:

  1. Set the expectations of disclosure and the level of information shared about security issues early in the talks. Make this a standard part of the exploratory process when setting up the legal framework of how the merger and acquisition will run.
  2. Do a pre-merger and acquisition security assessment, whether a proactive threat hunt that includes cross-platform systems (Mac and Linux) and third-party identity providers, an Azure AD security assessment, or an evaluation of the maturity of the environment’s security posture.
  3. Focus on evaluating and improving security visibility and logging early in the mergers and acquisitions process. This allows first-party and third-party security teams to assess and react to security issues promptly. For mergers and acquisitions-related threats, focus first on securing identity, access control, and communications.
  4. Focus security and risk audits on cataloging the company’s resources and digital assets, including the company’s external attack surface, that is, the catalog of internet-facing assets that an attacker could leverage to gain a foothold for an attack. External attack surface management (EASM) products can highlight a range of hygiene issues, corresponding indicators of compromise and vulnerabilities, and compliance issues, giving mergers and acquisitions teams the baseline they need to conduct a cyber risk assessment and drive a post-merger and acquisition program.

Cybersecurity risk in mergers and acquisitions is an increasing issue for both IT security and business decision-makers. Giving the IT security teams sufficient time to do thorough assessments, due diligence, inventories, and putting more controls in place will determine how much of that risk can be mitigated.

Learn more

Leverage Microsoft Security Experts today.



[1] The Role of Cybersecurity in Mergers and Acquisitions Diligence, Forescout. 2019.

[2] Hacker who hacked Hacking Team published DIY how-to guide, Ms. Smith, CSO. April 17, 2016.

Introducing new Microsoft Defender for Cloud innovations to strengthen cloud-native protections
http://approjects.co.za/?big=en-us/security/blog/2022/10/12/introducing-new-microsoft-defender-for-cloud-innovations-to-strengthen-cloud-native-protections/
Wed, 12 Oct 2022 16:00:00 +0000

Defenders are facing expanding attack surface areas and sophisticated threats compounded by insecure code that leaves the door open to attackers. To counter these threats we’re excited to announce new innovations in Microsoft Defender for Cloud to provide cloud-native application protection to strengthen security posture and mitigate risk from code to cloud.

The post Introducing new Microsoft Defender for Cloud innovations to strengthen cloud-native protections appeared first on Microsoft Security Blog.

Security teams face an expanding attack surface as organizations increasingly use cloud-native services to develop, deploy, and manage applications across their multicloud and hybrid environments. Their challenge is compounded by incomplete visibility, siloed processes, and a lack of prioritized mitigations that put defenders into a position where they often react to threats once they’ve already been breached. Unfortunately, bad actors capitalize on this by exploiting vulnerabilities much earlier in the development lifecycle—at the code itself. And what further complicates this is the reality that bad actor tactics look one way today and another tomorrow. This can frustrate businesses traditionally operating with a finite mindset, thinking a problem can be solved once and for all. Instead, organizations need a comprehensive approach toward cloud security and a centralized, integrated solution to mitigate risk from code to cloud to counter these threats. We have an opportunity to think bigger and differently—especially in cloud security, where the pace of innovation and complexity can be breathtaking.

At Microsoft, we’re approaching cloud security with an infinite mindset. In a constantly changing world, we use threat intelligence, AI, and automation to create a virtuous cycle of signals to evolve and respond faster to bad actors and events. We bring this vision to life with Microsoft Defender for Cloud, our integrated cloud-native application protection solution for hybrid and multicloud environments. Defender for Cloud strengthens security posture, accelerates protection against modern threats, and reduces risk throughout the cloud application lifecycle so organizations can stay protected.

I am thrilled to announce new innovations in Microsoft Defender for Cloud to expand our vision for cloud security, including the previews of Microsoft Defender for DevOps and Microsoft Defender Cloud Security Posture Management (Defender CSPM).

  • Unify DevOps security management across multiple pipeline environments with Defender for DevOps: Security teams will gain insights across multi-pipeline environments in a central console, including leading platforms like GitHub and Azure DevOps, with more to follow. Defender for DevOps can correlate with other contextual cloud security intelligence to prioritize remediation of code vulnerabilities throughout the application development lifecycle.
  • Gain full coverage, prioritize, and remediate the most critical risks with Defender CSPM: Defender CSPM builds on existing posture management capabilities in Defender for Cloud to help security teams get comprehensive coverage of their hybrid and multicloud environments, and prioritize and proactively remediate the most critical threats with contextual cloud security and attack path analysis.

With these new capabilities, organizations can adopt an infinite approach to cloud security and do more with less.

[Figure: three Microsoft Defender for Cloud capabilities listed from left to right: DevOps Security Management, Cloud Security Posture Management, and Cloud Workload Protection.]

Empower security teams with unified DevOps security management across multi-pipeline environments

Security teams have a fragmented view of their DevOps security posture due to many disconnected security tools, and multiple DevOps and cloud platforms throughout their organization. Security and development teams continue to operate in silos, and security tools are not equipped to keep pace with developer speed. These disjointed tool stacks lack the capabilities to provide business risk context and to effectively drive remediation in the development lifecycle. Security teams waste precious resources tracking down the right owners who can fix identified issues. The result is that security practitioners grapple with overwhelming amounts of security issues in production. As bad actors continue to break records exploiting zero-day vulnerabilities, security teams need a unified and integrated approach to securing their cloud applications throughout the lifecycle.[1]

Defender for DevOps empowers security teams to unify, strengthen, and manage DevOps security to achieve more secure code development and strengthen their overall cloud security. It provides full visibility into the DevOps inventory and the security posture of application code and resource configurations across multi-pipeline and multicloud environments. Infrastructure-as-code and container image scanning help prevent cloud misconfigurations from ever reaching production environments. Security teams can streamline processes to fix security issues in code and get contextual insights connected from code to runtime resources, helping them prioritize and drive remediation in code.

Defender for DevOps integrates with GitHub Advanced Security to enable automated workflows across industry-leading platforms like GitHub and Azure DevOps, fostering stronger collaboration between SecOps and developer teams. Defender for DevOps is the result of close design partnerships with our customers on their journey to “shift left.” As one of our customers who participated in the creation of this product recently shared:

“If we shift left and bring security to the developers right away, code deployment will have tightened protection. Integrating DevSecOps results into Microsoft Defender for Cloud and having a single pane of glass that shows me what is in production, the code quality, and what is coming into the pipeline so that I don’t need to go into multiple places and reports to scan for code errors is going to be priceless for us.”

James Rajeshvincent, Managing Director, Head of Platform Development at Rockefeller Capital Management

[Figure: Microsoft Defender for Cloud dashboard DevOps overview showing vulnerabilities in code.]

Proactively prioritize and remediate your most critical risk across multicloud resources

Security teams need to cut through the noise and quickly focus on the most critical issues that have a major business impact. But with multicloud deployments, multiple tools, and a lack of visibility into the threat or business value of each resource, it’s hard to know where to even begin remediation.

Defender CSPM helps businesses save time and focus on what matters with contextual insights and attack path analysis, built on top of the new intelligent cloud security graph. It provides comprehensive visibility with agentless scanning for real-time assessments across multicloud environments. Defender CSPM connects the dots for security teams, integrating insights from cloud workloads as well as signals from Defender for DevOps and Microsoft Defender External Attack Surface Management. Instead of sifting through long lists of vulnerable resources, customers can use the proactive attack path analysis to reduce recommendation noise by up to 99 percent and only focus on the most exploitable vulnerabilities along potential attack paths to begin remediation.

Security teams also get integrated recommendations from Microsoft Entra Permissions Management, the cloud infrastructure entitlement management (CIEM) solution from Microsoft, to understand the level of risk associated with the number of unused or excessive permissions across identities and resources. Also, the new Microsoft cloud security benchmark provides a standardized framework for fundamental cloud security principles, along with detailed technical guidance, so teams can implement best practices across cloud platforms. Microsoft is the only major cloud provider to offer a comprehensive cloud security benchmark across multiple clouds, now available in Defender for Cloud as a single pane of glass to consistently maintain your security compliance across clouds.

We have a thriving and passionate community of customers using Defender for Cloud to manage security across clouds. I am excited to introduce these new capabilities today and wanted to share an insight from one of our customers, Rabobank:

“It’s difficult to ensure that we have full insights from a security perspective when our platforms are so varied. We wanted protection and visibility everywhere. That’s why we use Defender for Cloud—it gives us single pane of glass visibility across our hybrid and multicloud environment.”

Raoul van der Voort, Global Service Owner, Cyber Defense Center, Rabobank

Attack path analysis, contextual risk insights, and remediation steps in Microsoft Defender for Cloud dashboard view.

Learn more about Microsoft Defender for Cloud

From code to cloud, Microsoft Defender for Cloud is the platform, powered by intelligence, that will help you do more with less. Develop an infinite mindset to cloud security and learn more about the expansion of the security portfolio in Microsoft Defender for Cloud. Get started today with the preview of these new innovations.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Test your team’s security readiness with the Gone Phishing Tournament
http://approjects.co.za/?big=en-us/security/blog/2022/09/15/test-your-teams-security-readiness-with-the-gone-phishing-tournament/ Thu, 15 Sep 2022 16:00:00 +0000

In partnership with Microsoft, Terranova created the Gone Phishing Tournament, an online phishing initiative that uses real-world simulations to establish accurate phishing clickthrough rates and additional benchmarking statistics for user behaviors.

Why should you care about the behavioral risk of your employees?

Eighty-two percent of breaches include (and often start with) user behavior.[1] Not all are phishing, but a majority of them are just that. Phishing is, and has been for many years, the cheapest and most reliable way for an attacker of any motivation (nation-state actors down to simple script-kiddie scammers) to establish a toehold in an organization. Social engineering and phishing are used for initial breach tactics, lateral movement, and elevation of privilege, and, in many cases, they directly lead to data exfiltration.

Worse, breaches cost companies a lot of time and money. Several security research companies have determined that the average data breach costs a company about USD4 million per incident.[2] Averting even a handful of breach events in any given year can save you millions of dollars and thousands of hours of valuable security operators’ time.

So, how does behavior play into this? Doesn’t my company spend a bunch of money every year on technical solutions to prevent those phishing attacks from making it through? Don’t we have detection and response capabilities that find and fix those breaches quickly? Any organization that cares about its data certainly should invest in exactly those capabilities, but the strategy is incomplete for a few reasons:

  • Technical solutions never have and likely never will provide perfect protection. Humans are capable of incredibly creative and intuitive thinking. Attackers with even a passing understanding of how protective solutions work can easily find gaps and workarounds. Decades of breaches have shown us that any determined attacker will find a way in. Assume breach principles hold that organizations should assume that their ecosystems are breached, that they should not automatically trust their existing protection boundaries, and that they should invest in detection and response mechanisms in equal measure to prevention. This, Microsoft believes, is the most effective approach to mitigating organizational risk.
  • Humans are the most valuable part of any organization’s mission. They make all the data. They derive all the most valuable insights. They integrate and maintain all the complicated systems that make up any modern enterprise. An attacker can go after systems to get to data, but the inherent fallibility of humans provides a much more malleable target. You can’t insulate the people in your organization from that risk because they are almost always the ones responsible for creating the asset in the first place. Attackers know that and almost always incorporate social engineering into their plans.
  • Human behavior, especially as it relates to risk, is an incredibly complicated and nuanced process. It is probabilistic in nature, and attackers know that. Factors include the context in which the behavioral choice is made, the knowledge of the human, the attitudes and motivations of the person, externalities such as time pressures and adjacent choices, and the past experience of the human. Any of those factors can change from day to day, so a phishing attack that a user correctly identifies and avoids today might succeed against that same user in some other context.

With that in mind, in partnership with Microsoft, Terranova created the Gone Phishing Tournament, an online phishing initiative that uses real-world simulations to establish accurate phishing clickthrough rates and additional benchmarking statistics for user behaviors. With this opportunity, you will be able to drive effective behavior change and build a strong security-aware organizational culture with free, in-depth phishing simulation benchmarking data.

Given this context, why should an organization care about user behavior? One reason is that even small changes in behavior can result in significant reductions in risk, and every data breach you avoid saves you literally millions of dollars. Admittedly, behavior change is hard. The security awareness business has been working to help educate users for decades now, and the human behavior risk portion of the overall risk pie remains large. We think the capabilities that modern solutions are bringing to bear are the beginning of a major shift in the industry. Some key capabilities to consider:

  • You must measure something to move it. Phish susceptibility assessment is a core part of any security awareness program, and we think authentic simulation is the best way to measure real-world phishing risk behavior.
  • Teaching is more than just telling. One of the reasons why effective security awareness programs focus so much on simulation is because it gives users the experience of an attack (safely). Doing something hands-on and experiencing it directly sticks in human brains much more effectively than just seeing or hearing a description of it.
  • Life in organizations already includes a lot of formal learning, so you must find new, differentiated, and contextual ways to engage your people in learning experiences. Games, nudges, and social rewards systems educate without lecturing and bring an element of fun that helps the important messages stick.
  • Everybody is at a different place in their journey. Look for solutions that allow you to differentiate learning based on what the user already knows, or what you think is going to be especially problematic for them.
  • Security awareness training has most commonly evolved into a twice-yearly simulation with a five- to seven-minute video. This formula is usually manageable for organizations to execute, but it rarely produces the desired results. Look for solutions that give you the ability to vary the frequency, targeting variations, payload variability, and training experiences. Some of your people might just need reminders twice a year, but many will need more frequent experiences to maintain behavioral alignment.

Every major organization on earth is in the same boat. User behavior risk is high, difficult to change, and exploited every day by attackers. Take the time to learn from each other. Participate in conferences. Make connections with people at other companies that are doing the same role. Engage with the solutions that you leverage and give those product teams feedback about what is and is not working. 

Knowledge is power when it comes to being cybersmart, and there are many ways to prepare yourself and your organization to be safer online and fight cyber threats. October will be Cybersecurity Awareness Month, and you will be able to take advantage of Microsoft’s expertise with several resources that will be made available by Microsoft Security.  

Stay tuned for Microsoft’s best practices on Cybersecurity Awareness Month and don’t forget to register for Terranova Security’s Gone Phishing Tournament. Let’s #BeCyberSmart together!



[1] 2022 Data Breach Investigations Report, Verizon. 2022.

[2] How Much Does a Data Breach Cost?, Embroker. September 2, 2022.

Microsoft Defender Experts for Hunting proactively hunts threats
http://approjects.co.za/?big=en-us/security/blog/2022/08/03/microsoft-defender-experts-for-hunting-proactively-hunts-threats/ Wed, 03 Aug 2022 16:00:00 +0000

Microsoft Defender Experts for Hunting is now generally available. The security offering provides a proactive hunting service combining expert-trained technology with human-led services to hunt for threats across Microsoft 365 data.

Today, we announced the general availability of Microsoft Defender Experts for Hunting to support organizations and their cybersecurity employees with proactive threat hunting.

Defender Experts for Hunting was created for customers who have a robust security operations center but want Microsoft to help them proactively hunt threats using Microsoft Defender data. Defender Experts for Hunting is a proactive threat hunting service that goes beyond the endpoint to hunt across endpoints, Microsoft Office 365, cloud applications, and identity. Our experts will investigate anything they find, then hand off the contextual alert information along with remediation instructions so you can quickly respond. Our Defender Experts for Hunting explainer video walks you through how it works.

Capabilities include:

  • Threat hunting and analysis—Defender Experts look deeper to expose advanced threats and identify the scope and impact of malicious activity associated with human adversaries or hands-on-keyboard attacks.
  • Defender Experts Notifications—Notifications show up as incidents in Microsoft 365 Defender, helping to improve your security operations’ incident response with specific information about the scope and method of entry.
  • Experts on Demand—Click the “Ask Defender Experts” button in the Microsoft 365 Defender portal to get expert advice about threats your organization is facing. You can ask for help on a specific incident, nation-state actor, or attack vector.
  • Hunter-trained AI—Defender Experts share their learning back into the automated tools they use to improve threat discovery and prioritization.
  • Reports—An interactive report summarizing what we hunted and what we found.

Bridgewater Associates, the world’s largest hedge fund and one of Microsoft’s first customers to implement a Zero Trust framework, helped Microsoft develop Defender Experts for Hunting, contributing decades of knowledge on how to keep intellectual property and investment data secure. The firm now uses Defender Experts for Hunting to extend its security teams so they can focus on the most complex and immediate security issues. Igor Tsyganskiy, Chief Technology Officer at Bridgewater Associates, believes in working together to protect one another from threats.

“Cybersecurity is a cooperative rather than a competitive area,” he said. “It takes a village to keep us all safer…We are living in a digital world that is completely interconnected, and protecting ourselves singularly, separately from each other, is not going to work.”

More threats—not enough defenders

Modern adversaries are well-organized and possess skills and resources that can challenge even organizations without open cybersecurity roles. These adversaries are also relentless. Microsoft Security blocked more than 9.6 billion malware threats and more than 35.7 billion phishing and malicious emails in 2021. Adversaries have extended their attack focus from endpoints to identity, cloud apps, and email.

It’s getting harder every day for organizations to build and maintain a full security team, let alone one with the ever-expanding skillset required to meet the range of today’s security demands. Proactive threat hunting—one of the best ways to identify and respond to security threats—is time-consuming, and most security teams are too busy with alert triage and security posture improvement efforts to spend time on proactive hunting.

Additionally, organizations are struggling to recruit top security talent—more important than ever since cybercrime is expected to cost the world USD10.5 trillion a year by 2025 (a 75 percent increase from the USD6 trillion in 2021).[1] With one in three security jobs in the United States unfilled, cybersecurity employees often face huge workloads once hired. As a result, the average time to detect a breach has been pushed out to 287 days as the number and impact of attacks continue to grow.[2]

Technology alone is not enough to fight cybercrime

Many companies don’t face daily security attacks but need deep experience with threat hunting when they do, according to Tsyganskiy.  

“To manage security on its own, a company must sustain a very large and growing team,” he said. “It’s like trying to maintain your own police force. Given the low frequency of the most sophisticated attacks, this is an insane misallocation of resources 90 percent of the time.”

Microsoft is uniquely positioned to help customers meet today’s security challenges. We secure devices, identities, apps, and clouds—the fundamental fabric of our customers’ lives—with the full scale of our comprehensive multicloud, multiplatform solutions. Plus, we understand today’s security challenges because we live this fight ourselves every single day.

Now, our security expertise is your security expertise.

How Microsoft Defender Experts for Hunting works

Every day at Microsoft, threat hunters work alongside advanced systems to analyze billions of signals, looking for threats that might affect customers. Due to the sheer volume of data, we’re meticulous about surfacing threats that customers need to be notified about as quickly and accurately as possible. 

This flow diagram describes how Microsoft Defender Experts for Hunting can be split into three distinct steps. These are track, hunt, and analyze. These three steps form the basis of the service and allow Microsoft to proactively reveal the unseen threats impacting customers.

How we hunt:

  • Step 1: Microsoft Defender Experts monitor telemetry and look for malicious activity across the Microsoft 365 Defender platform associated with human adversaries or hands-on-keyboard attacks.
  • Step 2: If a threat is found to be valid, analysts conduct a deep-dive investigation, harnessing machine learning and gathering threat details, including scope and method of entry, to help protect your organization’s endpoints, email, cloud apps, and identities.
  • Step 3: Our AI system and human hunters prioritize threat signals. Defender expert notifications appear in Microsoft 365 Defender, alerting you to the threat and sharing threat details.

Get started

To start your proactive threat hunting journey with Microsoft Defender Experts for Hunting, please complete the customer interest form to request a follow-up from our field team. To learn more, visit the Defender Experts for Hunting product page, download the datasheet, or watch a short video.


[1] Cybercrime To Cost The World USD10.5 Trillion Annually By 2025, Steve Morgan. November 13, 2020.

[2] Cost of a Data Breach Report 2021, IBM. 2021.

Microsoft announces new solutions for threat intelligence and attack surface management
http://approjects.co.za/?big=en-us/security/blog/2022/08/02/microsoft-announces-new-solutions-for-threat-intelligence-and-attack-surface-management/ Tue, 02 Aug 2022 13:00:00 +0000

Defenders are up against the most sophisticated threat landscape we’ve ever seen. Today, we’re proud to execute our threat intelligence vision behind that acquisition and announce several new solutions to help security teams get ahead of adversaries and catch what others miss.

Uncover adversaries with new Microsoft Defender threat intelligence products

The threat landscape is more sophisticated than ever and damages have soared—the Federal Bureau of Investigation’s 2021 IC3 report found that the cost of cybercrime now totals more than USD6.9 billion.[1] To counter these threats, Microsoft is continuously aggregating signal and threat intelligence across the digital estate, which is enabling us to track threat actors much more closely and to better understand their behavior over time. Today, Microsoft tracks 35 ransomware families, and more than 250 unique nation-states, cybercriminals, and other threat actors. Our cloud also processes and analyzes more than 43 trillion security signals every single day. This massive amount of intelligence derived from our platform and products gives us unique insights to help protect customers from the inside out. In addition, our acquisition of RiskIQ just over a year ago has allowed us to provide customers unique visibility into threat actor activity, behavior patterns, and targeting. They can also map their digital environment and infrastructure to view their organization as an attacker would. That outside-in view delivers even deeper insights to help organizations predict malicious activity and secure unmanaged resources.

Building on our vision to provide unmatched, actionable threat intelligence, we’re thrilled to announce two new security products that provide deeper context into threat actor activity and help organizations lock down their infrastructure and reduce their overall attack surface:

  • Track threat actor activity and patterns with Microsoft Defender Threat Intelligence. Security operations teams can uncover attacker infrastructure and accelerate investigation and remediation with more context, insights, and analysis than ever before. While threat intelligence is already built into the real-time detections of our platform and security products like the Microsoft Defender family and Microsoft Sentinel, this new offering provides direct access to real-time data from Microsoft’s unmatched security signals. Organizations can proactively hunt for threats more broadly in their environments, empower custom threat intelligence processes and investigations, and improve the performance of third-party security products. 
  • See your business the way an attacker can with Microsoft Defender External Attack Surface Management. The new Defender External Attack Surface Management gives security teams the ability to discover unknown and unmanaged resources that are visible and accessible from the internet—essentially the same view an attacker has when selecting a target. Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points for an attacker.

These new threat intelligence offerings expand our growing security portfolio, offer deeper insights into threat actors and their behaviors, and help security teams accelerate the identification and prioritization of risks. Keep reading for more detail on these solutions, as well as the new detection and response capabilities for SAP from Microsoft Sentinel. Plus, find out where you can see a live product demo of all of our threat intelligence products at Black Hat.

Unmask your adversaries with Microsoft Defender Threat Intelligence 

Today, any device connected to the internet is susceptible to vulnerabilities. Understanding the gaps that can lead to vulnerabilities is key to building resilience.

Microsoft Defender Threat Intelligence maps the internet every day, providing security teams with the necessary information to understand adversaries and their attack techniques. Customers can access a library of raw threat intelligence detailing adversaries by name, correlating their tools, tactics, and procedures (TTPs), and can see active updates within the portal as new information is distilled from Microsoft’s security signals and experts. Defender Threat Intelligence lifts the veil on the attacker and threat family behavior and helps security teams find, remove, and block hidden adversary tools within their organization.

This depth of threat intelligence is created from the security research teams formerly at RiskIQ with Microsoft’s nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC), and the Microsoft 365 Defender security research teams. The volume, scale, and depth of intelligence is designed to empower security operations centers (SOCs) to understand the specific threats their organization faces and to harden their security posture accordingly. This intelligence also enhances the detection capabilities of Microsoft Sentinel and the family of Microsoft Defender products.

Microsoft recognizes the importance of working together as a security community to help protect the digital world from threats. As such, the existing free edition will continue to be available. And as we look ahead, we’re excited to continue our journey of innovation and integration. Look for more news later this year on the expanding capabilities of our portfolio.  

Microsoft Defender Threat Intelligence home screen featuring adversary articles for users to read.

Discover your vulnerabilities with Microsoft Defender External Attack Surface Management

Organizations need to see their business the way an attacker can so they can eliminate gaps and strengthen their security posture to help reduce the potential for attack. Many businesses have internet-facing assets they may not be aware of or have simply forgotten about. These are often created by shadow IT, mergers and acquisitions, incomplete cataloging, business partners’ exposure, or simply rapid business growth.

Microsoft Defender External Attack Surface Management scans the internet and its connections every day. This builds a complete catalog of a customer’s environment, discovering internet-facing resources—even the agentless and unmanaged assets. Continuous monitoring, without the need for agents or credentials, prioritizes new vulnerabilities. With a complete view of the organization, customers can take recommended steps to mitigate risk by bringing these unknown resources, endpoints, and assets under secure management within their security information and event management (SIEM) and extended detection and response (XDR) tools.  

Microsoft Defender External Attack Surface Management summary page featuring Attack Surface Summary and Attack Surface Priorities.

Protect business-critical information within SAP with Microsoft Sentinel 

In the spirit of continuous innovation and bringing as much of the environment under secure management as possible, we are proud to announce the new Microsoft Sentinel solution for SAP. Security teams can now monitor, detect, and respond to SAP alerts, such as privilege escalation and suspicious downloads, all from our cloud-native SIEM. Business-specific risks can be unique and complicated. With the Microsoft Sentinel solution for SAP, customers can build custom detections for the threats they face and reduce the risk of catastrophic interruption.

Learn more

To learn more about these products, join us at Black Hat USA and see live demos at the Microsoft Booth 2340 from August 10 to 11, 2022. You can also register now for the Stop Ransomware with Microsoft Security digital event on September 15, 2022, to watch in-depth demos of the latest threat intelligence technology.  


[1] Internet Crime Report 2021, Internet Crime Complaint Center, Federal Bureau of Investigation. 2021.

How security leaders can help their teams avoid burnout
http://approjects.co.za/?big=en-us/security/blog/2022/06/28/how-security-leaders-can-help-their-teams-avoid-burnout/ Tue, 28 Jun 2022 16:00:00 +0000

Maria Markstedter, CEO of Azeria Labs, shares insights on the growing interest in Arm assembly and strategies to help security professionals avoid burnout.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Voice of the Community blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Maria Markstedter, Chief Executive Officer (CEO) of Azeria Labs, former Chief Product Officer (CPO) at Corellium, a Black Hat[1] Review Board member, Forbes Person of the Year in Cybersecurity, and the author of a soon-to-be-published book on Arm assembly internals and reverse-engineering.[2] The thoughts below reflect Maria’s views, not the views of Microsoft, and are not legal advice. In this blog post, Maria talks about the industry’s growing interest in Arm assembly and how to help security professionals avoid burnout.

Brooke: How did you become passionate about Arm as a processing language and how is it gaining momentum in security?

Maria: While working as a penetration tester, I attended a conference where security researcher Marion Marschalek gave a talk about reverse-engineering the computer worm Stuxnet and I was fascinated. I built up the courage to ask her to teach me. This is when I learned about x86 assembly and malware analysis. I got interested in Arm assembly and realized that I had way more Arm-based devices around me than x86 processors.

When I started studying the Arm architecture, the only devices based on Arm were IoT and mobile devices. Digging into it more, I realized that Arm was working on a 64-bit architecture and could take off in the desktop and server world. I was anticipating this shift. Arm is a very scalable platform and offers significant advantages over other processors, like power consumption and performance. Apple switched all their Macs to the Arm processing language. That raised the bar for high-powered yet energy-efficient computers. This shift puts pressure on other vendors that want to compete with laptops that are just as efficient and that have battery life that lasts just as long. It didn’t take long for Microsoft to catch up, with the SQ1 processor for Windows on Arm. Microsoft Azure recently implemented an entire cloud service. It’s gaining momentum because the architecture has become more powerful. It’s a new era.

There’s a huge gap in educational resources for people to learn about Arm. That’s why my current job involves training security teams on Arm reverse-engineering and exploitation. I also wrote a book about Arm assembly and reverse-engineering to fill that gap in a digestible format with lots of graphics. I’ve been working on it for two years and it’s about to be published. I hope that this book will help a lot of people ease their way into becoming proficient in something that is rather dry and hard to learn on your own.

Brooke: What is the biggest challenge facing security professionals today?

Maria: The biggest challenge is keeping up with new technologies and changes. From my work as a penetration tester, you get a new gig and new clients with a new product that uses a completely different stack of technologies, and you have to quickly familiarize yourself with it. Different technologies mean different attack vectors. That goes in every direction of security research. I know great reverse-engineers who have spent their whole career reverse-engineering malware and product components based on x86. If the architecture of these components changes, everything changes. If you are used to reading x86_64 assembly and are suddenly presented with a completely different assembly language, it’s like trying to understand Spanish if you are familiar only with French.  

Organizations expect their security teams to keep up with these rapid changes. How will these security teams find the time to learn and stay on top of it all? It’s not reasonable to expect security professionals to learn outside of work hours when they should focus on their family and maintaining a healthy work-life balance because it’s easy to burn out in our industry.

Brooke: What are some signs of burnout that security leaders can look out for?

Maria: Last year, I experienced my first major burnout. I was taking on way too many responsibilities. As a result, I had to take a couple of months off of work to recover. I always thought, “When I burn out, I’ll take a week off and go on vacation.” It’s not as easy as that. It starts off very subtle and is very difficult to notice before it’s too late.

Some of the causes of burnout—and why I advocate for training—is if your employee feels they don’t have any impact, feels overwhelmed or like they can’t keep up, feels like they are expected to figure it all out in their free time, or doesn’t get the time to work on interesting things that feed their curiosity. In our field, we constantly see someone coming up with something really cool and think, “I wish I could do that.” Yet we rarely get the time to explore and learn new skills and techniques, especially when they don’t directly correlate with our current role. Security leaders need to help their team nourish their inner curiosity and give them enough breaks and research time, and the opportunity to learn.

Also, people in the process of getting burnout have a hard time saying no. If you give them new tasks, they’re going to say, “Sure!” because they feel like they’re not contributing enough and that they need to prove themselves. As a manager, ask the right questions and monitor their workload. You get more out of someone if they work a little slower but don’t burn out. If they must take sick days off or are so anxious or depressed by the end of the week that they barely get any work done, you’re not getting your results either. If they do less in a focused and balanced way with a clear mind, they will produce more value. Keep your employees happy and motivated; don’t treat them like workhorses.

Brooke: Should the opportunity to study and grow be considered a recruitment and retention tool?

Maria: Yes. People in our profession are generally very curious and driven. Otherwise, they wouldn’t be in this field. They are very eager to learn. If you feed the curiosity of your security team and give them new learning opportunities, you might be surprised at what they come up with. It makes them more versatile, confident, and motivated. Every security area overlaps with another, so they might come up with an idea that you haven’t thought of, which could lead to security advancements internally.

At my first company, I was working as a penetration tester and wanted to attend a training course about forensics, because we’d had a couple of forensics incidents, and they would send us penetration testers, even the ones who had little knowledge of forensics. But they said they wouldn’t pay for it, mainly because they didn’t want to invest in their employees and were scared that this investment would lead to them leaving the company. I ended up leaving the company because they would not give me continuous educational opportunities and expected employees to learn everything in their free time instead of investing in their skill development.

Brooke: What would you recommend to Chief Security Officers (CSOs) filling cybersecurity roles?

Maria: You’re better off if you hire for potential and character. You can always train people. Hire for potential and pick people who are fast learners, are curious, and have demonstrated that they have invested in their own skill development as best as they could. Train them internally and send them to security conferences where they can meet like-minded people and learn. If you’re waiting for the perfect candidate, it’s rather hard to find enough people for the job. If you train them up, you have a better chance of filling all the spots.

You can outsource certain security teams, like penetration testing and incident response, as many organizations do, but it’s risky to not have an in-house security team. If an incident happens and your people are not skilled enough to respond to it, you may try to contract with an external firm, but they could be overflowing with projects because it’s a global incident. CSOs should expand their own security teams and leave room for skill development, not just in their own niche but also by nurturing their interests. It’s the organization’s responsibility to provide the resources and space for employees to evolve their skills.

Brooke: What is the biggest threat to organizations right now?

Maria: If you focus on one threat, it will become irrelevant in no time. The biggest threat is the rapidly changing environment and that security professionals might fall behind. So, when it’s time to act, they are not able to. Your security team is the backbone of your security posture. If you neglect that, you will not be able to keep up with evolving trends. I have seen people being sent to security incidents last minute who had to pull that off on the fly and work all day, every day for weeks on short notice with no prior knowledge. Things are always so rapidly changing that it’s all about how quickly you can respond. Do you have the resources to respond to what’s being thrown at you?

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Discover 3 ways to take a holistic approach to data protection
http://approjects.co.za/?big=en-us/security/blog/2022/01/27/3-considerations-for-a-holistic-approach-to-data-protection/
Thu, 27 Jan 2022 17:00:00 +0000

A holistic approach to data protection can deliver better results across the organization. In this post, we share three steps that can get your organization closer.
The risk landscape for organizations has changed significantly in the past few years. Traditional ways of identifying and mitigating risks simply don’t work. While traditionally, organizations have focused on external threats, risks from within the organization are just as prevalent and harmful. These risks include unprotected and ungoverned data, insiders doing or saying things they shouldn’t, as well as ever-changing regulations. Also, with more than 300 million people working remotely, data is being created, accessed, shared, and stored outside of the traditional borders of business. Enterprises need to quickly move to a more holistic approach to data protection and reduce their overall risk.

This means extending data protection across all aspects of a business: people, places, processes, and products. Risk and security practitioners will benefit from an end-to-end data governance solution to help protect data, manage risks, and satisfy regulatory requirements. Let’s explore how to introduce a comprehensive approach to data protection within your organization.

1. Identifying and protecting sensitive data

Information protection starts with data discovery, understanding your data landscape, and identifying important data across your hybrid environment. The next priority is protection, working to strike a balance between security and productivity. The third is data loss prevention (DLP). One of the biggest DLP challenges is responding to data exfiltration from within an organization. A holistic approach can detect such threats sooner, especially when coupled with an effective insider risk solution and program.

2. Identifying and managing insider risks

Investigating and remediating both malicious and inadvertent activities within your organization is critically important. In conjunction with DLP, insider risk management can offer the context necessary to better employ policies to help enforce the rules and identify risks.

3. Managing compliance

When prioritizing which data to protect, enterprises must also consider internal and external requirements that dictate how their data is handled. Not abiding by regulations could mean costly fines and increased risk. A compliance manager solution can help with everything from taking inventory of data protection risks and staying current on regulations to reporting for auditors. It should be included in a holistic solution.

Expertise from the new season of Uncovering Hidden Risks

Interested in exploring this data protection approach but not sure how to get started? Future episodes of the Uncovering Hidden Risks podcast will give risk and security practitioners and C-suite leaders an expert resource as they tackle important questions and reduce their overall risk.

Launching in March 2022, the third season of the podcast will offer monthly episodes featuring an expert panel of Microsoft leaders and community influencers. Podcast episodes will explore:

  • Risk management and data protection.
  • Data governance.
  • Industry trends.
  • Customer challenges.

This series joins security-focused Microsoft podcasts Security Unlocked, Security Unlocked: CISO Series with Bret Arsenault, and Afternoon Cyber Tea with Ann Johnson on the CyberWire platform. Uncovering Hidden Risks episodes will also be syndicated across your favorite podcast platforms including iTunes, Spotify, Google Podcasts, and Stitcher. Look forward to more details in a future blog post.

Explore holistic data protection

A holistic approach to data protection can help your organization adapt to changes in your risk landscape. That approach involves discovering and protecting your organization’s sensitive data, managing insider risk, and managing compliance across departments. Our intelligent suite of products and features can make this process easier. Microsoft’s security solutions are positioned to help your organization protect data, mitigate insider risks, and address regulations and standards.

Best practices for AI security risk management
http://approjects.co.za/?big=en-us/security/blog/2021/12/09/best-practices-for-ai-security-risk-management/
Thu, 09 Dec 2021 21:00:43 +0000

Today, we are releasing an AI security risk assessment framework as a step to empower organizations to reliably audit, track, and improve the security of AI systems. In addition, we are providing new updates to Counterfit, our open-source tool to simplify assessing the security posture of AI systems.

There is a marked interest in securing AI systems from adversaries. Counterfit has been heavily downloaded and explored by organizations of all sizes—from startups to governments and large-scale organizations—to proactively secure their AI systems. From a different vantage point, the Machine Learning Evasion Competition we organized to help security professionals exercise their muscles to defend and attack AI systems in a realistic setting saw record participation, doubling the number of participants and techniques compared with the previous year.

This interest demonstrates the growth mindset and opportunity in securing AI systems. But how do we harness interest into action that can raise the security posture of AI systems? When the rubber hits the road, how can a security engineer think about mitigating the risk of an AI system being compromised?

AI security risk assessment framework

The deficit is clear: according to the Gartner® Market Guide for AI Trust, Risk and Security Management published in September 2021, “AI poses new trust, risk and security management requirements that conventional controls do not address.”1 To address this gap, we did not want to invent a new process. We acknowledge that security professionals are already overwhelmed. Moreover, we believe that even though attacks on AI systems pose a new security risk, current software security practices are relevant and can be adapted to manage this novel risk. To that end, we fashioned our AI security risk assessment in the spirit of the current security risk assessment frameworks.

We believe that to comprehensively assess the security risk for an AI system, we need to look at the entire lifecycle of system development and deployment. An overreliance on securing machine learning models through academic adversarial machine learning oversimplifies the problem in practice. This means that to truly secure an AI model, we need to secure the entire supply chain and management of AI systems, not just the model itself.

Through our own operations experience in building and red teaming models at Microsoft, we recognize that securing AI systems is a team sport. AI researchers design model architectures. Machine learning engineers build data ingestion, model training, and deployment pipelines. Security architects establish appropriate security policies. Security analysts respond to threats. To that end, we envisioned a framework that would involve participation from each of these stakeholders.

“Designing and developing secure AI is a cornerstone of AI product development at Boston Consulting Group (BCG). As the societal need to secure our AI systems becomes increasingly apparent, assets like Microsoft’s AI security risk management framework can be foundational contributions. We already implement best practices found in this framework in the AI systems we develop for our clients and are excited that Microsoft has developed and open sourced this framework for the benefit of the entire industry.”—Jack Molloy, Senior Security Engineer, BCG

As a result of our Microsoft-wide collaboration, our framework features the following characteristics:

  1. Provides a comprehensive perspective to AI system security. We looked at each element of the AI system lifecycle in a production setting: from data collection, data processing, to model deployment. We also accounted for AI supply chains, as well as the controls and policies with respect to backup, recovery, and contingency planning related to AI systems.
  2. Outlines machine learning threats and recommendations to abate them. To directly help engineers and security professionals, we enumerated the threat statement at each step of the AI system building process. Next, we provided a set of best practices that overlay and reinforce existing software security practices in the context of securing AI systems.
  3. Enables organizations to conduct risk assessments. The framework provides the ability to gather information about the current state of security of AI systems in an organization, perform gap analysis, and track the progress of the security posture.

Updates to Counterfit

To help security professionals get a broader view of the security posture of AI systems, we have also significantly expanded Counterfit. The first release of Counterfit wrapped two popular frameworks—Adversarial Robustness Toolbox (ART) and TextAttack—to provide evasion attacks against models operating on tabular, image, and textual inputs. With the new release, Counterfit now features the following:

  • An extensible architecture that simplifies integration of new attack frameworks.
  • Attacks that work with full access to the internals of the machine learning model, as well as attacks that need only query access to it.
  • Threat paradigms that include evasion, model inversion, model inference, and model extraction.
  • In addition to the algorithmic attacks, common corruption attacks via AugLy.
  • Support for models that accept tabular data, images, text, HTML, or Windows executable files as input.

Learn More

These efforts are part of a broader investment at Microsoft to empower engineers to securely develop and deploy AI systems. We recommend using the framework alongside the following resources:

  • For security analysts to orient to threats against AI systems, Microsoft, in collaboration with MITRE, released an ATT&CK-style Adversarial Threat Matrix complete with case studies of attacks on production machine learning systems, which has evolved into MITRE ATLAS.
  • For security incident responders, we released our own bug bar to systematically triage attacks on machine learning systems.
  • For developers, we released threat modeling guidance specifically for machine learning systems.
  • For engineers and policymakers, Microsoft, in collaboration with Berkman Klein Center at Harvard University, released a taxonomy documenting various machine learning failure modes.
  • For security professionals, Microsoft open sourced Counterfit to help with assessing the posture of AI systems.
  • For the broader security community, Microsoft hosted the annual Machine Learning Evasion Competition.
  • For Azure machine learning customers, we provided guidance on enterprise security and governance.

This is a living framework. If you have questions or feedback, please contact us.

1 Gartner, Market Guide for AI Trust, Risk and Security Management, Avivah Litan, et al., 1 September 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Microsoft unpacks comprehensive security at Gartner and Forrester virtual events
http://approjects.co.za/?big=en-us/security/blog/2021/11/18/microsoft-unpacks-comprehensive-security-at-gartner-and-forrester-virtual-events/
Thu, 18 Nov 2021 17:00:38 +0000

Get Microsoft’s latest learnings for today’s threat landscape, including ransomware, hybrid work, evolving compliance regulations, and more.
Every day, Microsoft is committed to maintaining comprehensive security for all across our interconnected global community. With that purpose in mind, we recently sponsored the 2021 Gartner Security and Risk Summit and the 2021 Forrester Security and Risk Forum, where we discussed ongoing changes in the security landscape. As a Leader in five Gartner® Magic Quadrant™ reports and eight Forrester Wave™ categories, our team was keen to share insights about new threats, the evolution of Zero Trust security, managing compliance, risk, and privacy, and building tomorrow’s talent.

Comprehensive security

Vasu Jakkal, Corporate Vice President of Microsoft Security, Compliance & Identity, speaking with Phil Montgomery, General Manager for Security Product Marketing GTM, at the 2021 Gartner Security and Risk Summit.

Vasu Jakkal, Corporate Vice President (CVP) of Microsoft Security, Compliance, and Identity, sat down with Phil Montgomery, General Manager for Security Product Marketing GTM, at the 2021 Gartner Security and Risk Summit for a wide-ranging fireside chat on the evolving state of cybersecurity. Phil started by addressing the elephant in the room—how the past 18 months have altered the security landscape in ways we’re still trying to understand.

“When the pandemic started, businesses had to become digital overnight,” Vasu points out. “With employees turning to personal devices to get the job done, that meant we had an exponential increase in the amount of digital attack surfaces. We saw an incredible increase in the sophistication and frequency of cyberattacks.” Vasu cites the attack on Colonial Pipeline as an example of how attacks have become more sophisticated and relentless in 2021. She also cites the phenomenon of cybercriminals expanding their operations by offering ransomware as a service. “Organizations are facing new economic challenges along with those brought by hybrid environments—multi-cloud and multi-platform,” she reiterates. “All these factors have come together to increase the complexity we face in cybersecurity.”

“You can’t secure a door and leave a window open. You have to think about your security posture as an interdependent whole—both external and internal threats.”—Vasu Jakkal, CVP of Microsoft Security, Compliance, and Identity

Eliminating complexity is one reason why Microsoft chose to integrate Microsoft Sentinel, our cloud-native SIEM + SOAR solution, and Microsoft Defender, our extended detection and response (XDR) tool. Integrating the two solutions simplifies detection and response by providing a bird’s-eye view of your digital estate, as well as enabling your security operations center (SOC) to investigate and resolve incidents at a granular level. “That kind of visibility and rapid response can really make a difference in the early stages of a ransomware attack,” Vasu stresses. “The reality today is if you’re connected, you’re vulnerable. The only way to protect a remote workforce is to have left-to-right and top-to-bottom security. That means security, compliance, identity, device management, and privacy are all interdependent.”

Beyond the technology, Vasu also points out: “The number one thing every security leader should be doing right now is building and practicing a plan with all essential members of your team. Do you have a great communications plan? Do you have a great response plan?” She also stressed the importance of training and empowering employees at every level of the organization to identify suspicious activity and escalate it.

Zero Trust comes of age in 2021

Nupur Goyal, Microsoft Group Product Marketing Manager for Identity Security & Zero Trust and Microsoft Corporate Vice President of Program Management Alex Simons talking at the 2021 Forrester Security & Risk Forum.

Earlier this month at the 2021 Forrester Security and Risk Forum, Microsoft CVP of Program Management Alex Simons also sat down for a fireside chat, with Nupur Goyal, Microsoft Group Product Marketing Manager for Identity Security and Zero Trust. Alex was also struck by the rapid changes in enterprise security over the past 18 months. “If you think about the world we were in before [the pandemic],” he explains, “you were mostly protecting desktop PCs and laptops; most of your apps were on-premise. You didn’t have to worry about nation-state attackers. That’s why it’s important for enterprises to move away from the old perimeter-based security model to a Zero Trust approach.”

“The thing to remember about a Zero Trust approach, as the saying goes: you don’t have to eat the whole elephant at once. Just gradually expand multifactor authentication across your employees, beginning with those that have the access to the most important applications.”—Alex Simons, Microsoft CVP of Program Management

For some organizations, Zero Trust requires a big shift in thinking. It’s a mindset that assumes all activity, even by known users, could be an attempt to breach your systems. Alex cites attackers who are now targeting identities—both through users and the software itself—as a new threat to consider. “You really need a system that can look at what your users and their devices are doing,” he explains. “That includes all the software services that can access your resources. It really has to be a comprehensive approach. The workload identities, the ones that are your software, that’s a new thing. And you want to make sure you have a good plan in place for that.”

Alex recommends organizations begin by applying multifactor authentication to all privileged admin accounts. He also pointed out the importance of making sure that every device accessing your resources is well-managed. “Microsoft Endpoint Manager and Microsoft Defender for Endpoint help achieve that. You want to be sure every device is encrypted and protected with a PIN, but also you want each to be in a clean state from an antivirus standpoint.”

Roughly 76 percent of Microsoft customers have already begun Zero Trust implementation. Because we’re now in a boundaryless world of hybrid work, Zero Trust is exactly the security approach that’s needed. Zero Trust rests on three guiding principles: verify explicitly, use least-privilege access, and assume breach. Microsoft is building an identity platform to simplify and secure all relationships among employees, partners, customers, workloads, and smart devices—whether you’re a developer, an IT administrator, or a user. “There are 579 attacks happening every second,” Vasu adds. “So, effective security has to start with a strong identity foundation. We see identity as the ‘trust fabric’ of this new boundaryless collaboration.”

Managing compliance, risk, and privacy

For organizations across every sector, a tremendous amount of data is accessed, processed, and stored every day. This, along with an ever-growing universe of data regulations, is creating complexity and compliance risk. “We have personal data, which is in movement and in flux all the time,” Vasu explains. “The lines between work and home networks are all blurring. So that creates a lot of pressure about how to protect data, and how to ensure that all regulations are being followed.”

Many organizations use manual processes to discover how much personal data they have stored. There’s often a lack of actionable insights to help mitigate security and privacy risks. That’s why Microsoft recently announced privacy management for Microsoft 365. This new solution helps organizations identify critical privacy risks, automate privacy operations, and empower employees to be smart when they’re handling sensitive data.

For chief information security officers (CISOs) and risk officers, Vasu proposes a four-fold solution for balancing compliance and privacy: First, know your data. “Who’s accessing your data?” she asks. “How is your data moving? Do you have the right label? Do you have the right sensitivities? How are you protecting against insider risk? Do you have the right permissions level?” Second, establish a baseline of activity and measure anomalies to that baseline. You can’t just look at the world through the auditors’ eyes—pass or fail. You need to help your team see how they’re making progress. Third, partner with providers who can help you stay on top of changes in laws and regulations in all markets where you operate. Fourth, establish a collaborative process internally to address the risks when they arise. “It’s not just a security problem; it’s an organizational problem,” she stresses. That means ensuring that HR, legal, compliance, and risk teams are all working with your security operations center.

Zero Trust is not just about outside-in protection; it’s also inside-out. Organizations need to build compliance protections into processes to defend against insider threats. “You can’t secure a door and leave a window open,” is how Vasu sums it up. “You have to think about your security posture as an interdependent whole—both external and internal threats.” Organizations can take an easy first step just by implementing passwordless technologies like Windows Hello for desktops or the Microsoft Authenticator app for mobile devices.

Building tomorrow’s talent

For almost every two cybersecurity jobs in the United States today, a third job is sitting empty because of a shortage of skilled people. That’s why Microsoft is launching a national campaign with United States community colleges to help skill and recruit 250,000 people into the cybersecurity workforce by 2025:

  • Community colleges are everywhere. There are 1,044 community colleges located in every state and territory, and in every setting: urban, suburban, rural, and tribal.
  • Community colleges are more affordable. Tuition averages just $3,770 annually (versus $10,560 for four-year public colleges). Moreover, 59 percent of community college students can access financial aid.
  • Community colleges are diverse. Students at community colleges are 40 percent Black or African American or Hispanic. In addition, 29 percent are among their family’s first generation to attend college, while 20 percent are students with disabilities, and 5 percent are veterans. And 57 percent of students at community colleges are women.

“In March of this year, we announced Microsoft’s Career Connector,” Vasu explains, “a service that will help place 50,000 job seekers skilled by Microsoft’s nonprofit and learning partners in the Microsoft ecosystem over the next three years.” Career Connector has a specific focus on women and underrepresented minorities in technology. “I’m proud to report that our global skills initiative has reached more than 30 million people in 249 countries,” she adds. Microsoft is also extending through the end of 2021 all the free courses and low-cost certifications offered in our global skilling initiative through Microsoft Learn. To help fill talent gaps in compliance, Microsoft also offers certification courses for security, compliance, and identity. “No matter who you are, you can be a defender.”

The attackers in today’s asymmetric cyberwar come from all backgrounds, ethnicities, and regions. For that reason, we as defenders need to be just as diverse. “Along with diversity, inclusion goes hand in hand,” Vasu explains. “It’s important that we commit to hiring from places we may have not thought about before, to build a place where everyone feels like they belong.” She sees solving the talent shortage as a three-step process: get more people aware of cybersecurity; help them build the skills they need; and create spaces where everyone feels they can do their best work. As Vasu sees it: “Ultimately, security is all about humans. Whether you’ve been in the workforce for 30 years and want a change, or you’re just starting your career; either way, there’s a place for you here.”
