Small and medium business Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/small-and-medium-business/
Expert coverage of cybersecurity topics. Feed last updated Thu, 10 Aug 2023 21:14:36 +0000.

Microsoft continues to innovate to help secure small businesses
http://approjects.co.za/?big=en-us/security/blog/2023/03/23/microsoft-continues-to-innovate-to-help-secure-small-businesses/
Thu, 23 Mar 2023 16:00:00 +0000

The latest Microsoft Defender for Business innovations offer new security features for small and medium-sized businesses so they can focus on what they care about most.
Small and medium-sized businesses are at the heart of our economy and are dedicated to driving value for their customers, whether that means trying new recipes, exploring new inventory, expanding services, arranging the shop so it’s easier to navigate, or keeping the shelves stocked with the products customers love most. We understand your dedication—and the goal of bringing smiles to customers’ faces—because we’re dedicated to the same goal. We also understand how hard it is today to navigate an ever-evolving landscape, and we want to make cybersecurity simple and accessible so it isn’t weighing on your mind and you can focus on growing and innovating in your business.

Small businesses like yours rely on technology to streamline operations, respond to customer needs, and communicate with employees. You’re being asked to do more with less, and unfortunately, attackers often have the advantage; they need to find only one exploitable weakness.1

While the growing threat of cybercrime can seem bleak, we are committed to taking it on and constantly innovating to deliver security solutions that protect small and medium-sized businesses from cyberattacks. I’m excited to share some of the features we’ve introduced to tighten your security and ease your mind.

Last year, we introduced Microsoft Defender for Business, aimed at safeguarding endpoints for businesses with up to 300 employees. To further extend our security capabilities, we announced Defender for Business in Microsoft 365 Business Premium, providing comprehensive productivity and security solutions on a single platform. In November 2022, we launched server security features built into Defender for Business, with enhanced protection for both Windows Server and Linux servers through the Microsoft Defender for Business server add-on.2

The continued evolution of Defender for Business

But we’re not stopping there. In fact, we’ve made major strides in simplifying our comprehensive security approach with Defender for Business with the following updates:

  • Simplified insights with improved security summaries to help you better understand how secure you are across identity, devices, information, and apps. The report shows threats prevented by Defender for Business, current status from Microsoft Secure Score, and recommendations, all designed to help you increase security in key areas.
  • Protect mobile devices without the need for device management or add-ons by using new capabilities built into a single integrated Defender for Business experience. The standalone device security solution now includes a preview release of mobile threat defense that provides iOS and Android devices with OS-level threat and vulnerability management, web protection, and app security to help you and your employees stay secure on the go.

We also recognize that managed service providers (MSPs) play a crucial role in securing small businesses at scale, as they provide the expertise and resources needed to protect against an ever-evolving threat landscape.

To support their efforts, we’re excited to announce that MSPs enrolled in the Cloud Solution Provider program can now manage multi-customer device exposure more effectively within Microsoft 365 Lighthouse. Partners can use the exposure score to discover which customers’ devices are most at risk because of vulnerabilities to active threats. It helps them to reduce customer exposure by providing patch recommendations for at-risk devices to make them current with the latest updates. They can also proactively improve customers’ device security in Defender for Business and Microsoft 365 Business Premium tenants.

Security for mobile devices at your fingertips

Mobile devices have become an essential part of small business strategy, increasing communication and collaboration, enhancing responsiveness, reducing operational costs, and making it much easier to work productively from anywhere.

However, this increased reliance on mobile devices has made small businesses vulnerable to cyberattacks, with their attack surfaces expanding in ways they may not realize. About 45 percent of small and medium-sized businesses said they had suffered a compromise involving a mobile device in the previous 12 months. Businesses with a global presence were even more susceptible, with 61 percent compromised.3

[Chart: 98 percent of cyberattacks are prevented by basic security hygiene; 50 percent of small businesses use personal devices to access work data.]

Many small businesses may not have the budget or experience to deploy device management technologies, even though it is the best way to secure mobile devices. Basic security hygiene typically protects against 98 percent of attacks, but mobile device hygiene becomes a problem when the latest updates are not applied soon after release.4 It is increasingly urgent to adopt minimum standards to counter the rising level of threats in the digital ecosystem. This is especially true since 50 percent of small and medium-sized businesses say they let employees use unmanaged personal mobile devices to access work data.5

Defender for Business now simplifies security for mobile devices, protecting small businesses from threats such as malware and ransomware on iOS and Android—without the need for device management. This new Defender for Business capability, called Mobile Threat Defense, is now in public preview.

Mobile Threat Defense provides three key features that offer you peace of mind when managing mobile device security: operating system (OS) level threat and vulnerability management, web protection, and app security.

  • Threat and vulnerability management can track mobile OS vulnerabilities to help IT professionals make sure devices are patched with the latest updates and help prevent active threats in the wild. 
  • Web protection helps protect against phishing attacks and blocks unsafe websites that come through email, text messages, or apps.
  • App security will alert when it detects a malicious app on the device that could steal data or disrupt the device.

Microsoft 365 Business Premium has included security for mobile devices since its launch as it uses Microsoft Intune for device management and security for iOS and Android devices.

[Figure: NIST cybersecurity framework, including identifying threats and vulnerabilities, protecting attack surfaces, endpoint detection and response, and recovery and remediation.]

Defender for Business spans the National Institute of Standards and Technology (NIST) cybersecurity framework of identifying, protecting, detecting and responding, and recovering.6 By adding device security to our standalone Defender for Business solution today, we deliver comprehensive device security for Windows, macOS, and now iOS and Android devices. This goes far beyond the capabilities of traditional antivirus solutions, which typically only protect a fraction of your business.

Simplified insights demonstrate the value of cybersecurity

Cyberthreats are not slowing down. That’s why it’s more important than ever for you to continue investing in cybersecurity and protect against the financial, operational, or reputational damage that can result from an attack. However, it can be difficult to understand the status of your business security.

We’re excited to bring new security summaries to Defender for Business, giving you insights into your security investments through Microsoft Secure Score. This summary enables you to make informed decisions about how to improve security in your environment and continuously improve your security status. By leveraging these report insights, small businesses can showcase the status of security, close gaps, and instill confidence in stakeholders.

See how Microsoft Defender for Business can help your business

Let us ease your worries about securing your business. Try Defender for Business as a standalone device security solution. You can also try Microsoft 365 Business Premium for a comprehensive productivity and security solution to see how it can benefit your company or reach out to your managed service provider for more information. You’ll also find more details on our TechCommunity blog. We encourage partners to learn more by joining our upcoming webinars.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Global Cybersecurity Outlook 2023, Insight Report, World Economic Forum, Accenture. January 2023.

2. Server security made simple for small businesses, Jon Maunder, Microsoft Tech Community. November 8, 2022.

3. 2022 Mobile Security Index, Verizon. May 2022.

4. Microsoft Digital Defense Report 2022, Microsoft. 2022.

5. Security in the new working environment, Microsoft Research. May 2022.

6. Cybersecurity Framework, National Institute of Standards and Technology, US Department of Commerce.

The post Microsoft continues to innovate to help secure small businesses appeared first on Microsoft Security Blog.

Secure your business like you secure your home: 5 steps to protect against cybercrime
http://approjects.co.za/?big=en-us/security/blog/2023/01/17/secure-your-business-like-you-secure-your-home-5-steps-to-protect-against-cybercrime/
Tue, 17 Jan 2023 17:00:00 +0000

Learn five simple actions small and medium-sized businesses can take to protect against evolving cyberattacks, as well as where to access tools and resources for securing your company.
Running a business requires a lot of determination and sometimes a leap of faith. Every day brings a new challenge, and many times it can feel like the stress and uncertainty are too much. That’s when you remind yourself why you took the leap—the satisfaction of realizing your own vision—and you keep going.

With that kind of commitment, your business can almost feel like a second home. And just like you protect your physical home with an up-to-date security system and sturdy locks, it’s critical to modernize cybersecurity for your business. Forty-three percent of all cyberattacks now target small businesses, and sadly, 60 percent of those businesses will permanently close their doors within six months of the attack.1 Those are staggering statistics, and they’re why we chose to include Microsoft Defender for Business with every subscription to Microsoft 365 Business Premium—because every business deserves access to enterprise-grade comprehensive security.

[Chart: 43 percent of cyberattacks target small businesses; 60 percent of small businesses close within 6 months of a cyber breach.]

It’s always our ambition to make technology an equalizer, to enable a small business to compete with a larger business with the power of technology and close that gap.

—Brad Smith, Vice Chair and President at Microsoft

As part of Cybersecurity Awareness Month, Microsoft President Brad Smith joined the Administrator of the United States Small Business Administration (SBA), Isabella Casillas Guzman, at the inaugural Small Business Cyber Summit in October 2022 for an intimate fireside chat. The two discussed how small and medium-sized businesses (SMBs) can strengthen their cybersecurity capabilities on a limited budget. With that goal in mind, I’d like to extend an invitation for a free security evaluation consultation to learn where your business might be able to increase protection. In addition, this blog presents five simple actions that can help any business protect against cyberattacks—starting today.

1. Monitor everything around the clock with Microsoft Cloud capabilities

During his talk with Administrator Guzman, Brad Smith highlighted how moving to cloud-based security gives your business an edge in terms of making protection one less thing to worry about. “If everybody’s just trying to run their software on their own hardware in their own four walls, it means you have to do everything to maintain that hardware,” Brad Smith explained. “Whereas if you move to the cloud, that becomes our problem.”

The Microsoft Cloud currently tracks and analyzes 43 trillion threat signals daily.2 That includes 35 ransomware families, and more than 250 unique nation-states, cybercriminals, and other threat actors. That enormous breadth and depth of protection are built into Microsoft 365 Business Premium. It delivers enterprise-grade protection against viruses, spam, unsafe attachments, suspicious links, and phishing attacks. You’ll also get constant protection against ransomware and malware attacks across your devices, along with antivirus and endpoint detection and response capabilities built in. That way, you can focus on making your business a success rather than chasing down cyberthreats.

2. Update the locks with Defender for Business

Break-ins in the neighborhood often give us the push we need to replace any worn-out locks or add a security light (or two). Similarly, protecting your business from cyberattacks starts with one simple step—updating your existing systems. Microsoft and other technology companies release updates on Patch Tuesday (the second Tuesday of each month, beginning at 10:00 AM PT), or whenever vulnerabilities are detected. “These [updates] are available free of charge,” Brad Smith emphasized. “But make sure your computers are configured so that they’re downloaded. That’s one of the most important things that people can do to protect themselves.”

Also, make sure your business maintains an up-to-date IT inventory. With the move to remote and hybrid work, the phenomenon of bring-your-own-device (also referred to as “BYOD”) is now common. Using more devices, especially from home networks, creates a larger attack surface with more endpoints and potential vulnerabilities. As part of Microsoft 365 Business Premium, Defender for Business has threat and vulnerability management built-in, allowing you to secure multiple devices with a single tool.

Businesses can further protect themselves with regular data backups. Ransomware attacks increased by 300 percent in 2021.3 The phenomenon of ransomware as a service (RaaS) shows that bad actors are now confident enough to take their operations retail, much like a legitimate business.4 But ransomware attacks against your business data can be thwarted by regularly creating backup copies of your important files. Automating your backups according to a set schedule can help your business maximize limited resources while avoiding potential human errors.

3. Hide your keys well with multifactor authentication

Most of us keep a spare house key hidden under a rock or potted plant, but everyone knows better than to put the key under the mat. It’s the same way with passwords: if it’s easy, someone will find it. “It shouldn’t be ABC123,” as Administrator Guzman summed it up. But a recent survey found that among the most common passwords still in use, “password” and “Qwerty” are at the top of the list.5 In every cybercriminal’s toolkit today is a kind of brute force attack known as password spray.6 Simply put, an attacker acquires a list of accounts and runs through a long list of common passwords attempting to get a match. Since most businesses have a naming standard for employees (for example, firstname.lastname@company.com), adversaries can often get halfway in your door just by using the information found on your website.
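The spray pattern described above is easy to miss with per-account lockout rules, because each account sees only one or two failures. As an added example that is not part of the original post, the Python below runs a simple spray detection over constructed sign-in log lines: one source address failing against many distinct accounts within a short window, then checks whether that same source later signed in successfully. The log format, thresholds and IP addresses are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from any real tenant or from the page).
# Each line: timestamp, result, account, source IP
SAMPLE_LOG = """\
2023-01-17T09:00:01Z FAIL alice.smith@example.com 203.0.113.7
2023-01-17T09:00:03Z FAIL bob.jones@example.com 203.0.113.7
2023-01-17T09:00:05Z FAIL carol.white@example.com 203.0.113.7
2023-01-17T09:00:07Z FAIL dan.brown@example.com 203.0.113.7
2023-01-17T09:00:09Z FAIL erin.green@example.com 203.0.113.7
2023-01-17T09:00:11Z SUCCESS frank.black@example.com 203.0.113.7
2023-01-17T09:05:00Z FAIL alice.smith@example.com 198.51.100.20
2023-01-17T09:05:30Z FAIL alice.smith@example.com 198.51.100.20
2023-01-17T09:06:00Z SUCCESS alice.smith@example.com 198.51.100.20
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, result, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted accounts} for sources that fail against at least
    `min_accounts` distinct accounts inside `window` while never exceeding
    `max_per_account` failures on any one of them. A spray spreads a few guesses
    across many accounts, so a per-account lockout threshold is never reached;
    grouping by source instead exposes it. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))

    findings = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        # Sliding window over this source's failures, oldest to newest
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                findings[ip] = sorted(counts)
                break
    return findings


def successes_from_spray_sources(events, findings):
    """Accounts that later signed in successfully from a flagged source:
    the spray found a match and those accounts need attention first."""
    hits = set()
    for _, result, user, ip in events:
        if result == "SUCCESS" and ip in findings:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = detect_password_spray(evs)
    print("spray sources:", flagged)
    print("successful sign-ins from spray sources:", successes_from_spray_sources(evs, flagged))
```

The second source (198.51.100.20) is a single user mistyping a password and is not flagged, which is the distinction the per-source grouping is meant to make.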

Popular internet browsers such as Microsoft Edge come with a built-in password generator that will create—and remember—a secure password for you. Or your business may choose to eliminate passwords entirely with a solution like Windows Hello or FIDO2 security keys that let users sign in using biometrics or a physical key or device. Short of going passwordless, multifactor authentication, also known as two-factor authentication, is your best bet to generate secure access for your business. Multifactor authentication requires users to verify their identity through an additional factor, such as a one-time password (OTP) sent over email or text message. Other verification factors include answering personal security questions or using face or voice recognition.

4. Don’t open the door to just anyone: defend against phishing

There’s a reason for the popularity of video doorbells—it’s simply unwise to open the front door without knowing who’s on the other side. For the same reason, every business should stay up-to-date on the latest phishing scams and social engineering scams that bad actors use to seek entry into your business. In 2022, the most common causes of cyberattacks are still malware (22 percent) and phishing (20 percent).7 Threat actors have figured out that people are the weak link—85 percent of breaches now involve a human element—and are ramping up the frequency and sophistication of their attacks.8 However, most phishing emails still rely on recognizable “hooks” that we can all learn to spot, such as:

  • Request for user credentials or payment information. Never click the link. Instead, type the business’s URL into your browser and go to your account directly.
  • An unfamiliar tone or greeting. Phishing emails are often created offshore, so look for irregular syntax or tone that’s too formal, too familiar, or an odd mix of both.
  • Grammar and spelling errors. Legitimate businesses take time to proofread their emails before sending them.
  • Inconsistent email address or a “lookalike” domain name. A phishing email address or domain will usually be slightly off (for example, microsotf.com instead of microsoft.com).
  • Threats or a sense of urgency. Scammers often try to scare you into clicking the link with headlines like: “Update your account information now or lose access!” If in doubt, type the URL in your browser and go to the site directly.
  • Unrequested attachments. If you weren’t expecting an email from this sender, don’t click the attachment. Instead, open a new email (don’t respond) and inquire if the email and attachment are genuine.
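The "lookalike domain" hook above (microsotf.com for microsoft.com) can be checked mechanically. As an added example that is not part of the original post, the Python below compares a sender's domain against an assumed allow-list of trusted domains using an edit distance that counts a swapped pair of letters as one change, so transpositions, single substitutions and "rn" for "m" are all caught; the allow-list and the distance threshold are assumptions for illustration.

```python
# Assumed allow-list for illustration; a real deployment would load the
# organisation's own and its partners' domains.
TRUSTED_DOMAINS = ["microsoft.com", "example.com"]


def edit_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so 'microsotf' vs 'microsoft' is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def sender_domain(address):
    """Domain part of an e-mail address, lower-cased (domains are case-insensitive)."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown'.

    A domain is trusted only if it equals a trusted domain or is a real
    subdomain of one (ends with '.' + domain). Anything else within
    `max_distance` edits of a trusted domain is reported as a lookalike.
    """
    domain = sender_domain(address)
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    for t in trusted:
        if edit_distance(domain, t) <= max_distance:
            return "lookalike:" + t
    return "unknown"


if __name__ == "__main__":
    for addr in ["billing@microsotf.com", "support@rnicrosoft.com",
                 "news@mail.microsoft.com", "x@microsoft.com.evil.test"]:
        print(addr, "->", classify_sender(addr))
```

A distance check of this kind only catches near-misses; a domain such as microsoft.com.evil.test is far from the allow-list and is reported as unknown, which is why the list above also tells readers to type the known URL rather than follow the link.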

When you receive a phishing email (we all do), remember to report it. In Microsoft Outlook for business, just select the suspicious message and choose Report from the top ribbon, then select Phishing. This will remove the message from your inbox and help us block more suspicious emails. Both Defender for Business and Microsoft Defender for Office 365 Plan 1 provide protection against advanced phishing, malware, spam, and business email compromise.9 Both come with built-in policies to get you up and running quickly, including simplified wizard-based onboarding for your Windows devices, servers, and apps.10

5. Stay informed about how to prevent break-ins with SMB security trainings

Local police and neighborhood watch groups often work together to educate residents about break-ins and how they can better protect their homes. No matter the size of your business, there are cybersecurity resources available to you as well.11 The SBA offers best practices for preventing cyberattacks,12 including a cybersecurity planning tool13 and ongoing virtual and in-person cybersecurity events14 for your area. Even if your only employee is yourself, cybersecurity training shouldn’t be looked upon as a one-and-done task. Threat actors are constantly learning and updating their skills, and so should we. 

Microsoft virtual security training for SMBs and the Microsoft Small Business Resource Center help SMBs arm themselves with the knowledge to prevent phishing attacks, safeguard remote devices, and protect against identity theft. Our SMB security trainings also present strategies for how to stay safe when working on-site and from home, including how to collaborate with colleagues more securely. As Brad Smith put it during his talk with Administrator Guzman, “At the end of the day, [cybersecurity] becomes a little bit like a seatbelt: we know it saves lives, but you do have to put it on.”

Microsoft is here for you

The underlying theme of Brad Smith’s talk for SMBs can be summed up in a few words—Microsoft has your back. Small businesses represent more than 99 percent of the United States economy, so we’re all in this together.15 Be sure to take advantage of Microsoft’s free security consultation, which includes actionable, data-driven insights into the security vulnerabilities in your environment. 


To learn more about cost-effective, easy-to-use security solutions, visit Security for your small or medium-sized business and find out how a Microsoft 365 Business Premium subscription can provide comprehensive security that’s optimized for SMBs (up to 300 users), or get Microsoft Defender for Business as a standalone device security solution. Both solutions integrate with Microsoft 365 Lighthouse; that way, Microsoft Cloud Solution Provider (CSP) partners can easily view security incidents across tenants in a unified portal. Whatever your budget and wherever your vision leads, we’re here to help you move forward—fearlessly.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1. Why small businesses are vulnerable to cyberattacks, Linda Comerford. May 25, 2022.

2. Cyber Signals: Defend against the new ransomware landscape, Microsoft. August 22, 2022.

3. DHS secretary warns ransomware attacks on the rise, targets include small businesses, Luke Barr. May 6, 2021.

4. Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself, Microsoft. May 9, 2022.

5. These are the 20 most common passwords leaked on the dark web—make sure none of them are yours, Tom Huddleston Jr. February 27, 2022.

6. Protecting your organization against password spray attacks, Microsoft. April 23, 2020.

7. 50 Phishing Stats You Should Know In 2022, Caitlin Jones. September 7, 2022.

8. Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know, Chuck Brooks. June 3, 2022.

9. Microsoft launches Defender for Business to help protect small and medium businesses, Microsoft. May 2, 2022.

10. Server security made simple for small businesses, Jon Maunder. November 8, 2022.

11. Shields Up guidance for all organizations, CISA.

12. Strengthen your cybersecurity, SBA.

13. Cyberplanner, FCC.

14. Find cybersecurity events, SBA.

15. How Small Businesses Drive The American Economy, Martin Rowinski. March 25, 2022.

The post Secure your business like you secure your home: 5 steps to protect against cybercrime appeared first on Microsoft Security Blog.

Microsoft launches Defender for Business to help protect small and medium businesses
http://approjects.co.za/?big=en-us/security/blog/2022/05/02/microsoft-launches-defender-for-business-to-help-protect-small-and-medium-businesses/
Mon, 02 May 2022 18:00:00 +0000

Microsoft Defender for Business is now available as a standalone solution to help small and medium businesses boost security as they face growing threats.
Happy National Small Business Week1 in the United States! Small and medium businesses (SMBs) are the bedrock of our economy, representing 90 percent of businesses and more than 50 percent of employment worldwide.2 As we celebrate their innovation and contributions this week, it’s important to acknowledge the increased cyber risks they face as they embrace hybrid work and new digital business models, along with the emergence of cyberattacks as a service.

Increased security concerns with the changing SMB landscape

Microsoft surveyed more than 150 small and medium businesses in the United States in April 2022 to better understand the changing SMB security needs.3

More than 70 percent of SMBs said cyberthreats are becoming more of a business risk. With nearly one in four SMBs stating that they had a security breach in the last year, they have reason to be concerned. In fact, there has been a more than 300 percent increase in ransomware attacks, of which more than half were directed at small businesses.4

Despite facing similar risks as enterprises, SMBs often lack access to the right resources and tools. Many SMBs still rely on traditional antivirus solutions for their security. Although 80 percent of SMBs state they have some form of antivirus solution, 93 percent continue to have concerns about the increasing and evolving cyberattacks—with phishing, ransomware, and data protection being top of mind.  

What makes SMBs particularly vulnerable is that they often have fewer resources and lack specialized security staff. In fact, less than half of the SMBs surveyed have a dedicated IT security person in-house, and SMBs cite a lack of specialized security staff as their top security risk factor. Sophisticated enterprise security solutions are often prohibitively complex or too expensive—or both.

Delivering on security for all to help protect SMBs

At Microsoft Ignite, we shared our vision for security for all, believing that small and medium businesses should have affordable access to the same level of protection as enterprises. Today, we’re excited to take that vision a step further with the general availability of the standalone version of Microsoft Defender for Business. Defender for Business brings enterprise-grade endpoint security to SMBs, including endpoint detection and response (EDR) capabilities, with the ease of use and the pricing that small business customers and their partners expect.

Microsoft Defender for Business is already included as part of Microsoft 365 Business Premium, our comprehensive security and productivity solution for businesses with up to 300 employees. Customers can now purchase Defender for Business as a standalone solution. Server support will be coming later this year with an add-on solution.

[Figure: Five reasons to choose Microsoft Defender for Business: enterprise-grade device protection, ease of use, cost-effectiveness, top-rated security vendor, and flexible licensing.]

Enterprise-grade security to protect against ransomware and other cyberthreats

To protect against the increasing volume and sophistication of cyberattacks such as ransomware, SMBs need elevated security. Many SMBs still rely on traditional antivirus, which provides only a single layer of protection by matching against signatures to protect against known threats. With Defender for Business, you get multi-layered protection, detection, and response, spanning the five phases of the National Institute of Standards and Technology (NIST) cybersecurity framework—identify, protect, detect, respond, and recover—to protect and remediate against known and unknown threats. Let’s look at the capabilities in detail:

Identify

  • Threat and vulnerability management helps you to prioritize and focus on the weaknesses that pose the most urgent and highest risk to your business. By discovering, prioritizing, and remediating software vulnerabilities and misconfigurations, you can proactively build a secure foundation for your environment.

Protect

  • Attack surface reduction options help to minimize your attack surface (like the places that your company is vulnerable to cyberattacks across your devices and applications), leaving bad actors with fewer ways to perform attacks.
  • Next-generation protection helps to prevent and protect against threats at your front door with antimalware and antivirus protection—on your devices and in the cloud.

Detect and respond

  • Endpoint detection and response provides behavioral-based detection and response alerts so you can identify persistent threats and remove them from your environment.

Recover

  • Auto-investigation and remediation help to scale your security operations by examining alerts and taking immediate action to resolve attacks for you. By reducing alert volume and remediating threats, Defender for Business allows you to prioritize tasks and focus on more sophisticated threats.

Built for SMBs, easy to use, and cost-effective

We designed Defender for Business keeping the needs of SMBs in mind.

Because IT admins for SMB customers and partners are often juggling many roles at once, we wanted to provide a solution that was easy to set up and could detect and remediate threats automatically so you get time back to focus on running your business. Defender for Business comes with built-in policies to get you up and running quickly. We’ve also included a simplified wizard-based onboarding for Windows devices. Additional simplification for macOS, Android, and iOS is on the roadmap.

With automated investigation and remediation, we do the type of work handled by a dedicated Security Operations (SecOps) team by continuously detecting and automatically remediating most threats.

For Martin & Zerfoss, an independent insurance agency, security was top of mind. Partner Kite Technology Group recommended Defender for Business: “With Microsoft Defender for Business, we’re able to bring enterprise-grade security protection to our small and midsize business customers. We can now meet their current security requirements and prepare them for whatever comes tomorrow,” said Adam Atwell, Cloud Solutions Architect, Kite Technology Group.

He adds, “Automated investigation and remediation is a huge part of the product [because] it’s just happening in the background. Microsoft Defender for Business makes our security so simple.”

Benefits of Defender for Business for partners

SMBs often turn to partners for securing their IT environments, and rightly so. We recognize that securing SMB customers often means providing partners with tools to help them secure their customers efficiently.

Defender for Business and Microsoft 365 Business Premium give partners new opportunities to help secure customers at scale with value-add managed services. Both solutions integrate with Microsoft 365 Lighthouse, made generally available on March 1, 2022, so Microsoft Cloud Solution Provider (CSP) partners can view security incidents across tenants in a unified portal. WeSafe IT, a CSP partner from Sweden, was an early adopter of Defender for Business in Business Premium with Microsoft 365 Lighthouse. The company found that the integrated solution brought it comprehensive customer value and the ability to increase automation and earnings.

“We’ve found no other solution like Microsoft 365 Business Premium that manages such a complete span of functionality for small- to medium-sized businesses at anywhere near the cost or flexibility,” said Martin Liljenberg, Chief Technology Officer and co-founder, WeSafe. “From a partner perspective, it’s intuitive and effortless to apply to customer environments. MSPs that take advantage of Defender for Business can increase automation and earnings while providing their SMB customers better security and service.”

We’re also pleased to announce integrations of Remote Monitoring and Management (RMM) tools that managed service provider partners often use to secure their customers at scale. Datto RMM’s integration with Microsoft Defender for Business is now available for partners. ConnectWise RMM integration with Microsoft Intune and Microsoft 365 Business Premium is coming soon.

Microsoft Defender for Business and Microsoft 365 Business Premium are available from a variety of Microsoft Cloud Partners, including some of the most recognized names in the industry, such as ALSO, Crayon, Ingram Micro, Pax8, and TD Synnex.

For more details on the partner opportunity and benefits of Defender for Business and Microsoft 365 Business Premium, see our partner blog post.

See how Microsoft Defender for Business can help your business

If you work for a small or medium business, try Defender for Business for yourself to see how the solution can benefit your company or reach out to your partner for more information. You’ll also find more details in our TechCommunity blog. Partners can check out the Microsoft Partner blog and join our webinar on May 5, 2022.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.



Microsoft named a Leader in IDC MarketScape for Modern Endpoint Security for Enterprise and Small and Midsize Businesses http://approjects.co.za/?big=en-us/security/blog/2021/11/18/microsoft-named-a-leader-in-idc-marketscape-for-modern-endpoint-security-for-enterprise-and-small-and-midsize-businesses/ Thu, 18 Nov 2021 18:00:07 +0000

The security stakes have never been higher and, consequently, the protection of endpoints as a key component of any extended detection and response (XDR) strategy has never been more critical—for organizations of all sizes. Microsoft is thrilled to be recognized as a Leader in IDC’s MarketScape reports for Modern Endpoint Security for both enterprise1 and small and midsize businesses (SMB).2

The IDC MarketScape recognized Microsoft’s commitment to cross-platform support with Microsoft Defender for Endpoint, noting that “As telemetry is the rocket fuel for AI- and machine learning-infused endpoint security solutions, Microsoft’s breadth and volume are unequaled geographically and across customer segments (enterprise, small and midsize businesses, and consumer). With the support of macOS, iOS, and Android, Microsoft’s telemetry pool is expanding and diversifying. Microsoft’s expanded platform support also chips away at the long-standing advantage of endpoint security independent software vendors (ISVs).”

Microsoft’s vision for XDR was also cited as a differentiator, as Microsoft Defender for Endpoint is a key component of Microsoft 365 Defender, extending protection from devices to a single, integrated solution across all assets. “Microsoft’s strategic vantage point is more than its Windows operating system. Directory service of Active Directory, web browser of Microsoft Edge, and the ubiquitous business productivity apps of Office 365 provide Microsoft native visibility and control across common endpoint attack vectors. These security building blocks available through Microsoft licensing agreements (E3 and E5) and as standalone options have contributed to Microsoft’s market strength and momentum in modern endpoint security.”

Security for all

Everyone expects hackers to target big, lucrative targets. Modern endpoint security is a key component for any XDR strategy for enterprise security teams, along with identity, email, application, and cloud security protection. However, small businesses are also a popular target even if they are less prevalent in the headlines.

According to a recent SMB cybersecurity report, 55 percent of SMBs have experienced a cyberattack. Many SMB companies hold valuable information that can be exploited, such as customer and employee personal information, payment information, and more. Next-generation threats, like human-operated ransomware, are a danger to organizations of all sizes but are too rarely addressed by traditional endpoint protection platform (EPP) solutions.

As part of our commitment to security for all, Microsoft has renewed its pledge to bring enterprise security to SMBs and nonprofits, boosting cloud security programs and expanding intrusion prevention and detection tech to cover Amazon Web Services (AWS).

With the launch of Microsoft Defender for Business, Microsoft delivers capabilities such as antivirus, threat and vulnerability management, and endpoint detection and response (EDR), across a broad range of desktop and mobile platforms, including Windows, macOS, Android, and iOS.

Because it is built on the foundation of Microsoft Defender for Endpoint, SMBs will be able to focus on addressing the weaknesses that pose the highest risk to their environments, as well as reduce their attack surface with application control, ransomware mitigation, network and web protection, and firewall. The solution also provides next-generation protection (on devices and in the cloud) and automated investigation and remediation, while also allowing admins to automate workflows and integrate security data into existing solutions.

Defender for Business doesn’t require special security knowledge to install and use, and it comes with a simplified client configuration with recommended security policies enforced from the get-go.

“We need to have security for all, security that protects everything,” said Vasu Jakkal, Corporate Vice President for Security, Compliance, and Identity. “Security is a team sport, after all.”

Learn More

Read more about Microsoft Defender for Business, which offers enterprise-grade endpoint protection that’s cost-effective and easy to use—designed especially for businesses with up to 300 employees.

Readers seeking complete endpoint security can learn more about Microsoft Defender for Endpoint, Microsoft’s industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, EDR, and mobile threat defense. Sign up for a free trial today.

You can download the excerpts of the following reports for more details:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

We thank our customers and partners for being on this journey with us.

1IDC MarketScape: Worldwide Modern Endpoint Security for Enterprises 2021 Vendor Assessment, Doc #US48306021. November 2021.

2The IDC MarketScape: Worldwide Modern Endpoint Security for Small and Midsize Businesses 2021 Vendor Assessment, Doc #48304721. November 2021.

How to prepare for CMMC compliance as a defense industrial base supplier using the Microsoft cloud http://approjects.co.za/?big=en-us/security/blog/2021/08/30/prepare-for-cmmc-compliance-with-microsoft/ Mon, 30 Aug 2021 16:00:20 +0000 DoD and DIB suppliers—see how Microsoft can give your business a competitive edge toward CMMC compliance.

In 2020, the US Department of Defense (DoD) began the phased rollout of a new framework for protecting its supply chain, known as the defense industrial base (DIB). This new Cybersecurity Maturity Model Certification1 (CMMC) system requires regular audits that will bolster the security of the DIB, which comprises approximately 350,000 commercial companies producing everything from Abrams tanks, satellites, and Reaper drones down to laptop computers, uniforms, food rations, medical supplies, and much more.

It’s no secret why the DoD would want to tighten security on its supply chain. According to DoD officials, organizations in the DIB are under constant attack both from nation-states and rogue actors seeking sensitive information (like weapon systems designs). Any breach of a DIB contractor not only poses a risk to national security but also results in a significant loss to US taxpayers. According to a 2021 report by CyberSecurity Ventures2, it’s estimated that cybercrime will cost businesses worldwide $10.5 trillion annually by 2025. Coincidentally, 2025 is the year every business in the DIB will be required to show compliance with CMMC if they want to continue doing business with the Pentagon. Learn more about Microsoft’s CMMC Acceleration Program and leverage these resources to get started on your compliance journey.

How does CMMC work?

While the CMMC Interim Rule allows companies to attest to their compliance with NIST 800-171, the ability to self-attest will eventually be retired. Starting in 2021, a phased-in approach will require DoD contractors to obtain certification from an independent Certified Third-Party Assessor Organization (C3PAO). Certification provides the DoD with the assurance that a contractor (prime or sub) can be trusted to store Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The CMMC model is created and managed by the DoD and confers a cybersecurity “maturity”—the efficacy of process and automation of practices—ranging from “basic” to “advanced.”

Far from being a one-and-done checkbox, CMMC compliance is ongoing and must be re-assessed every three years.

Figure 1: The five levels of CMMC.

  • Level 1 certification primarily involves people and processes and is required for any company that deals with FCI not intended for public release. Most DIB suppliers will land in this category. Level 1 aligns best with commercial clouds.
  • Level 3 is required for any company that handles CUI or is bound by International Trade in Arms Regulations (ITAR)—roughly 50,000 DIB contractors. However, market pressure may see some companies certify to Level 3 just for a competitive edge. Level 3 aligns best with government clouds.
  • Level 5 is required for only a small segment of DIB contractors that are most likely to be targeted by advanced persistent threats (APT) and nation-state activity. Level 5 aligns best with government clouds.

Levels 2 and 4 are considered transitional; it’s not expected that contracts will require them.

In September 2021, the DoD will be overseeing 75 pilot contracts adhering to CMMC. By the same time in 2023, that number will reach 250, then up to 479 pilot contracts in 2024. By October 2025, every business in the DIB must be compliant with CMMC.

Microsoft knows compliance

Microsoft has been doing business with the DoD for four decades. Of the 350,000 companies in the DIB, 80 percent are small-to-medium-sized businesses (SMB). So, whether you’re a prime contractor working directly with the DoD, or a smaller subcontractor, Microsoft Office 365 Government plans can provide your business with all the features of Office 365 you expect—but in a segmented government community cloud (GCC). Plus, Microsoft lightens the burden of compliance by encrypting your data and enforcing strict access controls for employees, vendors, and subcontractors.

Microsoft Office 365 Government – GCC High is a sovereign cloud platform located in the Contiguous US (CONUS) that complies with US government requirements for cloud services. Office 365 Government – GCC High is designed specifically for use by the DoD and DIB, requiring that organizations be validated before they can deploy to this cloud. Along with all the expected features and capabilities of Office 365, deploying to GCC High ensures:

  • Your content is segregated from customer content in commercial Office 365 services.
  • Your organization’s content is stored within the US.
  • Access to DIB content is restricted to screened Microsoft personnel who have passed rigorous background checks.
  • Your cloud deployment complies with certifications and accreditations that are required for US public sector customers.

Microsoft Azure Government is a sovereign CONUS cloud platform that also offers hybrid flexibility—customers can maintain some data and functionality on-premises while enabling the broadest level of certifications of any cloud provider. Only US federal, state, local, and tribal governments and their partners have access to this dedicated instance, with operations controlled only by screened US citizens.

Figure 2: Microsoft 365 Government + Azure Government compliance (comparison chart of Microsoft Commercial, M365 GCC, and M365 GCC High).

Though different cloud platforms may have a level of cybersecurity maturity in alignment with CMMC, Microsoft recommends the US Sovereign Cloud with Azure Government and Microsoft 365 Government – GCC High in alignment with CMMC Levels 3 through 5. Microsoft Consulting Services can help you decide on the right platform to enable CMMC compliance for your organization.

Microsoft CMMC Acceleration Program

To help speed your journey to CMMC compliance, our CMMC Acceleration Program provides resources for partners and DIB companies alike. Our goal is to provide a baseline framework that can help close the gap for compliance of infrastructure, applications, and services hosted in Microsoft Azure, Microsoft 365, and Microsoft Dynamics 365. We work with partners and customers to help them mitigate risks and assist tenants with their shared customer responsibility, as well as provide solutions for assessment and certification.

Recent updates to Microsoft CMMC Acceleration Program include:

  • Microsoft Product Placemat for CMMC: an interactive view representing how Microsoft cloud products and services satisfy requirements for CMMC practices.
  • Azure Sentinel CMMC Workbook: provides a mechanism for viewing Microsoft Azure Sentinel log queries from across your Azure environment—Office 365, Teams, Intune, Windows Virtual Desktop, and more—helping you gain better visibility into your cloud architecture while reinforcing CMMC principles across all five maturity levels.
  • Compliance Manager available in commercial and government cloud environments: helps organizations manage CMMC compliance requirements with greater ease and convenience, from taking inventory of data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.
  • Azure Policy and blueprint sample for CMMC Level 3: Azure Policy and Azure Blueprints allow organizations to easily establish compliant environments via a centrally managed policy initiative. This helps avoid misconfigurations while practicing consistent resource governance.
  • Quickly deploy DoD STIG-compliant images and visualize compliance using Azure: Security Technical Implementation Guides (STIGs) are secure configuration standards for installation and maintenance of DoD Information Assurance (IA)-enabled devices and systems. The Azure team has created sample solutions using first-party Azure tooling to deliver STIG automation and compliance reporting. Use these quickstart resources.
  • Azure Blueprint for Azure Security Benchmark Foundation: enables developers and security administrators to create hardened environments for their application workloads, helping to implement Zero Trust controls across identities, devices, applications, data, infrastructure, and networks.

No provider can guarantee a positive adjudication, but Microsoft’s CMMC Acceleration Program can help improve your CMMC posture going into a formal review in accordance with CMMC Accreditation Body (AB) standards.

Zero Trust is key to CMMC

Microsoft is experienced in facilitating Zero Trust architectures in federal frameworks, a concept that’s critical to preventing attackers from elevating access within your environment. Zero Trust is built around three basic principles: verify, based on all available data points; use least-privileged access with just-in-time and just-enough-access (JIT/JEA); and assume breach to minimize blast radius and prevent lateral movement. Microsoft employs several references for implementing Zero Trust in federal information systems, including the National Institute of Standards and Technology (NIST) SP 800-207, Trusted Internet Connections (TIC) 3.0, and Continuous Diagnostics and Mitigation (CDM). We view these principles as technology-agnostic and apply them across endpoints, on-premises systems, cloud platforms, and operational technology (OT).

The Azure Sentinel: Zero Trust (TIC 3.0) Workbook provides an overlay of Microsoft security offerings onto Zero Trust models, enabling security analysts and managed security service providers (MSSPs) to gain awareness of their cloud security posture. This workbook features more than 76 control cards aligned to TIC 3.0 security capabilities and can augment security operations center (SOC) efforts through automation, AI, machine learning, query/alerting, visualizations, tailored recommendations, and documentation references. Each panel aligns to a specific control, providing an actionable path to help cover gaps and improve alerting, even incorporating third-party security solutions.

If your organization is interested in pursuing contracts with the DoD or its suppliers, it’s in your interest to be proactive about cybersecurity maturity. To learn more about how Microsoft can help your organization improve your compliance standing, visit our new CMMC homepage.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1Cybersecurity Maturity Model Certification, CMMC Accreditation Body.

22021 Report: Cyberwarfare in the C-Suite, Cybersecurity Ventures, 21 January 2021.

Medius’ small IT team supports distributed workforce with Azure Active Directory http://approjects.co.za/?big=en-us/security/blog/2021/03/22/medius-small-it-team-supports-distributed-workforce-with-azure-active-directory/ Mon, 22 Mar 2021 16:00:02 +0000 How can a small IT team do more with less? Medius, which develops cloud-based spend management solutions, shares its Azure Active Directory story with Microsoft.

In today’s Voice of the Customer blog post, IT Manager Jacob Andersson and IT Systems Architect Fredrik Frööjd of Medius share how Azure Active Directory (Azure AD) has inspired employees to live by the cloud commitment the company encourages from customers and helped their small team support a remote workforce with fewer resources. Atea, one of our Azure AD system integration partners, played a key role in this effort.

Securing a remote workforce with fewer resources with Azure Active Directory

At Medius, we develop cloud-based spend management solutions, including the accounts payable workflow solution Medius AP Automation, formerly known as MediusFlow (Microsoft offers an online tutorial on configuring Medius AP Automation for automatic user provisioning). We’re one of the largest Microsoft partners in the Nordics to build and offer an entire solution in Azure. Because we advocate the value of cloud for customers, we decided it was fitting to turn to the cloud solution offered by Azure AD to meet our identity requirements.

Providing a fully remote work environment

Our 3,500 customers typically want to restrict access to their financial documents by title or division. Since most have more than 200 employees, it would be cumbersome to manually set access for each employee. Being able to assign users through Azure AD using known Microsoft protocols is a big selling point of our spend management solution.

We can relate to our customers’ need for secure authentication in systems and applications; it’s important to us too. While headquartered in Sweden, Medius has offices in eight other countries and our employees work from across the globe. Teams are both distributed and virtual. It’s not unusual for project meetings with customers to include Medius employees from three countries. We’ve prioritized providing a fully remote environment, in part because the consulting nature of our business requires that some employees travel to customer sites.

That fully remote experience extends to offboarding. When employees leave Medius, Azure AD identity and access management makes it easier to abide by our HR processes, which are reviewed by external auditors. Each employee is associated with an active ID. When an employee is offboarded, we can disable accounts and block user access to everything at once from Azure AD.

Freeing up IT time with features and user self-service

As a small IT team, we couldn’t support Medius’ 400 employees without the increased security and high reliability offered by Azure AD. Time savings is among the biggest benefits of using Azure AD for secure management of users and identities. If a partner requires access, Medius can add them as a guest in Azure AD so the external identity is trusted in the required Medius internal systems.

Azure AD serves as a trusted source of information that we can depend on in every situation. Rather than navigating islands of systems with unique identities, Azure AD is our single place for everything related to identity management. Because of that, we can help users in any time zone from wherever we’re working. However, users appreciate that the solution is user-friendly, and they can handle some identity tasks themselves. This frees up the IT service desk to focus on other work, and in a growing company, there’s plenty to do.

Users tell us they appreciate the simplicity of single sign-on, which allows them to log in with a single ID and password to SaaS apps like Salesforce, Zuora, Jira, Confluence, DocuSign, and Freshdesk. They also like the flexible integration, ease of use for frictionless workflow, and convenience of Azure AD multifactor authentication, which lets them verify their identity via multiple credentials.

Self-service password reset is another popular feature. We operate in just about every time zone, but our IT team is located in European time zones. Before self-service password reset, it could take as long as two days for an employee to have a password reset by the IT team. Now, employees can reset a forgotten or locked password themselves 24/7 and stay productive.

Connecting during the health crisis

Before the recent healthcare crisis sent employees home, Medius switched from Skype to Microsoft Teams, making it easier for everyone to remotely collaborate and share files. That’s been even more valuable now that in-person meetings are not possible.

Medius is a growing company that has been hiring throughout the crisis. With Azure AD, we can ship laptops directly to the homes of new employees and have them log in remotely using Windows Autopilot, which is a collection of technologies to set up and pre-configure new devices.

Improving processes with support from Atea

Our partner Atea, one of the leading providers of IT infrastructure in the Nordic and Baltic regions, offers a full range of hardware and software from the world’s leading technology companies and a team of consultants. The company played a key role in our effort to migrate apps to Azure AD and ramp up new employees.

Atea has told us that they do a lot of work for their customers when it comes to migrating apps to the cloud, helping them to benefit from the security and time-saving benefits of Azure AD. For instance, the pre-defined instructions on configuring applications in the app gallery facilitate the process of setting up a new integration.

Atea calls the partnership with Microsoft “extremely important” and has appreciated seeing product roadmaps and gaining access to private previews, which help it shape future offerings.

We look forward to sharing our next big successes: the introduction of the Conditional Access feature and a broader rollout of passwordless identity authentication.

Voice of the Customer: Looking ahead

Many thanks to Jacob and Fredrik for sharing the benefits they’ve realized with Azure AD. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Security blog Voice of the Customer so you don’t miss the next blog in this series!

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Small businesses targeted by highly localized Ursnif campaign http://approjects.co.za/?big=en-us/security/blog/2018/09/06/small-businesses-targeted-by-highly-localized-ursnif-campaign/ Thu, 06 Sep 2018 18:00:09 +0000

Cyber thieves are continuously looking for new ways to get people to click on a bad link, open a malicious file, or install a poisoned update in order to steal valuable data. In the past, they cast as wide a net as possible to increase the pool of potential victims. But attacks that create a lot of noise are often easier to spot and stop. Cyber thieves are catching on that we are watching them, so they are trying something different. Now we’re seeing a growing trend of small-scale, localized attacks that use specially crafted social engineering to stay under the radar and compromise more victims.

In social engineering attacks, is less really more?

A new malware campaign puts that to the test by targeting home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets. Macro-laced documents masqueraded as statements from legitimate businesses. The documents are then distributed via email to target victims in cities where the businesses are located.

With Windows Defender AV’s next gen defense, however, the size of the attack doesn’t really matter.

Several cloud-based machine learning algorithms detected and blocked the malicious documents at the onset, stopping the attack and protecting customers from what would have been the payload, info-stealing malware Ursnif.

The map below shows the location of the targets.

Figure 1. Geographic distribution of target victims

Highly localized social engineering attack

Here’s how the attack played out: Malicious, macro-enabled documents were delivered as email attachments to target small businesses and users. Each document had a file name that spoofed a legitimate business name and masqueraded as a statement from that business. In total, we saw 21 unique document file names used in this campaign.

The attackers sent these emails to intended victims in the city or general geographic area where the businesses are located. For example, the attachment named Dolan_Care_Statement.doc was sent almost exclusively to targets in Missouri. The document file name spoofs a known establishment in St. Louis. While we do not believe the establishment itself was affected or targeted by this attack, the document purports to be from the said establishment when it’s really not.

The intended effect is for recipients to appear to receive documents from local, familiar businesses or service providers. It’s part of the social engineering scheme to increase the likelihood that recipients will think the document is legitimate and take the bait, when in reality it is a malicious document.

Most common lure document file names and the top cities their recipients were located in:

  • Dockery_FloorCovering_Statement: Johnson City, TN; Kingsport, TN; Knoxville, TN
  • Dolan_Care_Statement: St. Louis, MO; Chesterfield, MO; Lee’s Summit, MO
  • DMS_Statement: Omaha, NE; Wynot, NE; Norwalk, OH
  • Dmo_Statement: New Braunfels, TX; Seguin, TX; San Antonio, TX
  • DJACC_Statement: Miami, FL; Flagler Beach, FL; Niles, MI
  • Donovan_Construction_Statement: Alexandria, VA; Mclean, VA; Manassas, VA

Table 1. Top target cities of most common document file names

When recipients open the document, they are shown a message that tricks the person into enabling the macro.

Figure 2. Document tricks victim into enabling the macro

As is typical in social engineering attacks, the message is false. If the recipient does enable the macro, no content is shown. Instead, the following process is launched to deobfuscate a PowerShell command.

Figure 3. Process to deobfuscate PowerShell

Figure 4. PowerShell command

The PowerShell script connects to any of 12 different URLs that all deliver the payload.

Figure 5. Deobfuscated PowerShell command

The payload is Ursnif, info-stealing malware. When run, Ursnif steals information about infected devices, as well as sensitive information like passwords. Notably, this infection sequence (i.e., cmd.exe process deobfuscates a PowerShell that in turn downloads the payload) is a common method used by other info-stealing malware like Emotet and Trickbot.
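A defender-side way to hunt for the infection sequence just described (an Office document spawning cmd.exe, which in turn launches a PowerShell downloader), as an added example that is not part of the original post: the log format, the process names and every sample event below are constructed for illustration and stand in for Sysmon or EDR process-creation telemetry.

```python
"""Hunt for the Office -> cmd.exe -> PowerShell chain behind the Ursnif lure.

Added example, not Microsoft's code. The log format and every event below are
constructed; they stand in for Sysmon/EDR process-creation telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}

# Heuristic markers of a second-stage downloader or an encoded command.
# Matching is case-insensitive; this is a hunting aid, not a full parser.
DOWNLOAD_MARKERS = re.compile(
    r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|\biwr\b"
    r"|-enc(odedcommand)?\b|frombase64string",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    image: str      # base file name, lower-cased
    cmdline: str


def parse_log(text: str) -> List[ProcEvent]:
    """Parse constructed 'ts|pid|ppid|image_path|cmdline' lines."""
    events = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        base = image.rsplit("\\", 1)[-1].lower()
        events.append(ProcEvent(ts, int(pid), int(ppid), base, cmdline))
    return events


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8):
    """Return [parent, grandparent, ...], stopping at unknown pids or max_depth."""
    chain, cur = [], ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def find_office_shell_chains(events: List[ProcEvent]) -> List[dict]:
    """Flag PowerShell whose ancestry passes through an Office application.

    The cmd.exe hop seen in this campaign is recorded in the reported chain but
    not required, so a lure that launches PowerShell directly is also caught.
    Severity rises to 'high' when the command line carries download markers.
    """
    by_pid = {e.pid: e for e in events}   # assumes no pid reuse in the window
    findings = []
    for ev in events:
        if ev.image not in PS_IMAGES:
            continue
        images = [p.image for p in ancestry(ev, by_pid)]
        if not OFFICE_IMAGES & set(images):
            continue
        severity = "high" if DOWNLOAD_MARKERS.search(ev.cmdline) else "medium"
        chain = " -> ".join(reversed(images)) + f" -> {ev.image}"
        findings.append({"pid": ev.pid, "ts": ev.ts, "chain": chain,
                         "severity": severity})
    return findings


# Constructed sample: one lure chain with an encoded downloader (the base64
# decodes to harmless text), one benign admin shell not under Office, and one
# Office-spawned PowerShell without download markers.
SAMPLE_LOG = r"""
# ts|pid|ppid|image|cmdline   (constructed events)
2018-09-06T10:01:00|4100|900|C:\Windows\explorer.exe|explorer.exe
2018-09-06T10:01:05|4220|4100|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n Dolan_Care_Statement.doc
2018-09-06T10:01:09|4300|4220|C:\Windows\System32\cmd.exe|cmd.exe /c <obfuscated batch, elided>
2018-09-06T10:01:10|4350|4300|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc aGVsbG8gd29ybGQgdGhpcyBpcyBub3QgcmVhbA==
2018-09-06T10:02:00|4400|4100|C:\Windows\System32\cmd.exe|cmd.exe
2018-09-06T10:02:03|4410|4400|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process
2018-09-06T10:03:00|4500|4220|C:\Windows\System32\cmd.exe|cmd.exe /c echo hi
2018-09-06T10:03:01|4510|4500|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command "Get-Date"
"""

if __name__ == "__main__":
    for f in find_office_shell_chains(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity']}] pid {f['pid']} at {f['ts']}: {f['chain']}")
```

Run against the constructed log, the lure chain is reported as high severity, the Office-spawned PowerShell without download markers as medium, and the plain admin shell under explorer.exe is not reported at all.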

How machine learning stopped this small-scale, localized attack

As the malware campaign got under way, four different cloud-based machine learning models gave the verdict that the documents were malicious. These four models are among a diverse set of models that help ensure we catch a wide range of new and emerging threats. Different models have different areas of expertise; they use different algorithms and are trained on their unique set of features.

One of the models that gave the malicious verdict is a generic model designed to detect non-portable executable (PE) threats. We have found that models like this are effective in catching social engineering attacks, which typically use non-PE files like scripts and, as is the case for this campaign, macro-laced documents.

This non-PE model is a simple averaged perceptron algorithm that uses various features, including expert features, fuzzy hashes of various file sections, and contextual data. The simplicity of the model makes it fast, enabling it to give split-second verdicts before suspicious files can execute. Our analysis of this specific model showed that the expert features and fuzzy hashes had the biggest impact on the model’s verdict and the eventual blocking of the attack.

Figure 6. Impact of features used by one ML model that detected the attack
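As an added illustration (not the model used by Windows Defender, whose features and training data are not on this page), the following toy averaged perceptron over constructed binary document features shows how the algorithm reaches a verdict and how per-feature contributions, like those charted in Figure 6, can be read off the averaged weights; the feature names and training rows are assumptions.

```python
"""Added example, not Microsoft's model: a toy averaged perceptron over constructed
document features, with per-feature contributions to the verdict."""

# Feature names are assumptions standing in for the categories named in the post
# (expert features, fuzzy-hash matches on file sections, contextual data).
FEATURES = ["macro_autoopen", "macro_spawns_shell", "fuzzyhash_cluster_match",
            "sender_known_to_recipient", "large_document"]

# Constructed training set: (binary feature vector, label) with 1 = malicious.
TRAIN = [
    ([1, 1, 1, 0, 0], 1),
    ([1, 1, 1, 0, 1], 1),
    ([1, 0, 1, 0, 0], 1),
    ([0, 0, 0, 1, 1], 0),
    ([1, 0, 0, 1, 0], 0),
    ([0, 0, 0, 0, 1], 0),
]


def train_averaged_perceptron(data, epochs=10):
    """Standard averaged perceptron: the returned weights are the mean of the
    weight vector after every training step, which damps late, noisy updates."""
    n = len(data[0][0])
    w, b = [0.0] * n, 0.0
    w_sum, b_sum, steps = [0.0] * n, 0.0, 0
    for _ in range(epochs):
        for x, label in data:
            t = 1 if label == 1 else -1
            score = sum(wi * xi for wi, xi in zip(w, x)) + b
            if t * score <= 0:  # misclassified (or on the boundary): update
                w = [wi + t * xi for wi, xi in zip(w, x)]
                b += t
            w_sum = [s + wi for s, wi in zip(w_sum, w)]
            b_sum += b
            steps += 1
    return [s / steps for s in w_sum], b_sum / steps


def classify(w, b, x):
    """Return (verdict, contributions): verdict 1 = malicious; contributions map each
    feature to w_i * x_i, so the largest positive entries explain the verdict."""
    contributions = {name: wi * xi for name, wi, xi in zip(FEATURES, w, x)}
    score = sum(contributions.values()) + b
    return (1 if score > 0 else 0), contributions


def top_feature(contributions):
    """Name of the feature that pushed the score up the most."""
    return max(contributions, key=contributions.get)
```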

Next-generation protection against malware campaigns regardless of size

Machine learning and artificial intelligence power Windows Defender Antivirus to detect and stop new and emerging attacks before they can wreak havoc. Every day, we protect customers from millions of distinct, first-seen malware files. Our layered approach to intelligent, cloud-based protection employs a diverse set of machine learning models designed to catch a wide range of threats: from massive malware campaigns to small-scale, localized attacks.

The latter is a growing trend, and we continue to watch the threat landscape to keep machine learning effective against attacks. In a recent blog post, we discussed how we continue to harden machine learning defenses.

Windows Defender AV delivers the next-gen protection capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP). Windows Defender ATP integrates attack surface reduction, next-gen protection, endpoint detection and response (EDR), automatic investigation and response, security posture, and advanced hunting capabilities.

Because of this integration, antivirus detections, such as those related to this campaign, are surfaced in Windows Defender Security Center. Using EDR capabilities, security operations teams can then investigate and respond to the incident. Attack surface reduction rules also block this campaign, and these detections are likewise surfaced in Windows Defender ATP. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Across Microsoft 365 threat protection as a whole, detections and other security signals are shared among Office 365 ATP, Windows Defender ATP, and Azure ATP. In this Ursnif campaign, the antivirus detection also enables the blocking of related emails in Office 365. This demonstrates how signal sharing and orchestration of remediation across solutions in Microsoft 365 result in better integrated threat protection.


Bhavna Soman
Windows Defender Research


Indicators of compromise (IOCs)


*Note: The first four domains above are all registered in Russia and are hosted on the IP address 185[.]212[.]44[.]114. The other domains follow the same URL pattern and are also pushing Ursnif, but no registration info is available.



The post Small businesses targeted by highly localized Ursnif campaign appeared first on Microsoft Security Blog.
