Zero Trust Archives - Inside Track Blog
http://approjects.co.za/?big=insidetrack/blog/tag/zero-trust/
How Microsoft does IT. Feed last updated Thu, 06 Feb 2025 17:23:59 +0000.

Boosting our Security First Initiative at Microsoft with a transformed approach to wired network security
http://approjects.co.za/?big=insidetrack/blog/boosting-our-security-first-initiative-at-microsoft-with-a-transformed-approach-to-wired-network-security/
Thu, 30 Jan 2025 17:00:00 +0000

The post Boosting our Security First Initiative at Microsoft with a transformed approach to wired network security appeared first on Inside Track Blog.

Microsoft Digital technical stories

If you asked Sean Adams, Justin Griffin, Sajith Balan, or Shyam Sunder Gogi to provide a one-word answer that describes their current focus, you’d get the same answer:

“Security.”

Adams, Griffin, Balan, and Gogi are all part of a team in Microsoft Digital, our internal IT organization, that’s implementing internet-first, policy-based security for every single wired network device here at Microsoft.

This immense effort spans our global network and ensures that every device connecting to our network—regardless of how or where—is identified, attested, authenticated, and placed on the proper network first.

“Our default network posture for any device that connects is internet-first,” Adams says. “The majority of tools Microsoft employees use are cloud-based and internet-friendly in our modern workplace, so it only makes sense. The concept of a corporate network where we inherently trust physically connected devices is long-gone—and good riddance.”

It’s one example of how we’re demonstrating our organization-wide commitment to security.

In May 2024, CEO Satya Nadella committed that we would prioritize security above all else here at Microsoft. At the center of that commitment is our Microsoft Secure Future Initiative (SFI), which brings together every part of the company to advance cybersecurity protection across both new products and our legacy infrastructure.

The SFI provides Microsoft with an overarching set of principles and pillars that we’re building upon with everything we do, from the broadest reaches of our cloud networking infrastructure to each individual wired network port in our buildings and datacenters.

Secure Future Initiative commitment

Justin Griffin (left to right), Sajith Balan, and Shyam Sunder Gogi in a composite photo. They and Sean Adams (not pictured) are helping us put security first as we implement internet-first, policy-based security for every wired network device here at Microsoft.

The SFI is the largest cybersecurity engineering project in our history, with more than 34,000 engineers committed to advancing its principles. Three principles define how we prioritize cybersecurity in our products and infrastructure.

  • Secure by design. Security comes first when designing any product or service.
  • Secure by default. Security protections are enabled and enforced by default, require no extra effort, and aren’t optional.
  • Secure operations. Security controls and monitoring will be continuously improved to meet current and future cyberthreats.

These principles anchor our approach to security internally at Microsoft. We’re continuously applying what we’ve learned from incidents to improve our methods and practices, ensuring that security is paramount in everything we do, create, and provide.

Applying practical pillars

We apply these principles through our security pillars, which are to:

  • Protect identities and secrets. Reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, plus user and application authentication and authorization.
  • Protect tenants and isolate systems. Protect all our tenants and production environments using consistent, best-in-class security practices and strict isolation to minimize breadth of impact.
  • Protect engineering systems. Protect software assets and continuously improve code security through governance of the software supply chain and engineering systems infrastructure.
  • Monitor and detect cyberthreats. Provide comprehensive coverage and automatic detection of cyberthreats to our production infrastructure and services.
  • Accelerate response and remediation. Prevent exploitation of vulnerabilities discovered by external and internal entities through comprehensive and timely remediation.
  • Protect networks. Protect our production networks and implement network isolation of Microsoft and customer resources.

“The SFI aligns seamlessly with Zero Trust principles,” Balan says. “With Zero Trust, everything within the network is scrutinized and verified, which supports exactly how the SFI should impact our network. We started off with Zero Trust networking, which is now directly aligned with SFI. It’s about strengthening security while minimizing any employee disruption.”

Based on the principle of verified trust—to trust, you must first verify—Zero Trust eliminates the inherent trust that is assumed inside the traditional corporate network. Zero Trust architecture reduces risk across all environments by establishing strong identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly authorized resources.

Zero Trust requires that every transaction between systems (user identity, device, network, and applications) be validated and proven trustworthy before the transaction can occur. In an ideal Zero Trust environment, the following behaviors are required:

  • Identities are validated and secured with multifactor authentication (MFA) everywhere. Moving to MFA removes the need for scheduled password expiration and is a step toward eliminating passwords altogether.
  • Devices are managed and validated as healthy. Device health validation is required. All device types and operating systems must meet a required minimum health state as a condition of access to any Microsoft resource.
  • Telemetry is pervasive. Pervasive data and telemetry are used to understand the current security state, identify gaps in coverage, validate the impact of new controls, and correlate data across all applications and services in the environment.
  • Least privilege access is enforced. Limit access to only the applications, services, and infrastructure required to perform the job function.
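The four behaviors above can be read as one ordered decision per access request. The following is an added example written for this edit, not code from the original post or from Microsoft: it evaluates a single request against identity (a strong second factor), device health (managed, compliant, recent report), and least privilege (a resource-to-role table that fails closed), and it emits a telemetry record for every decision so that gaps and policy impact can be measured. The factor names, the eight-hour health-report limit, the policy table, and the sample identity and device are assumptions.

```python
"""Zero Trust access decision for one request (added example, not Microsoft's code).

Models the four behaviours listed above: a strong second factor on the identity,
device health as a condition of access, least-privilege scoping of the resource,
and a telemetry record for every decision. The factor names, health-report age
limit and policy table are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed: sign-in methods that satisfy the MFA requirement on their own.
STRONG_FACTORS = frozenset({"fido2", "authenticator_app", "smartcard"})
# Assumed: a device health report older than this is treated as unknown, not healthy.
HEALTH_MAX_AGE = timedelta(hours=8)
# Assumed least-privilege table: resource -> roles allowed to use it. Anything
# missing from the table is denied, so a new resource is unreachable until listed.
RESOURCE_POLICY = {
    "payroll-api": frozenset({"hr-admin"}),
    "source-repo": frozenset({"engineer", "release-manager"}),
    "wiki": frozenset({"employee"}),
}


@dataclass(frozen=True)
class Identity:
    upn: str
    auth_methods: frozenset  # methods used in this sign-in, e.g. {"password", "fido2"}
    roles: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in device management
    compliant: bool          # meets the minimum health state
    last_health_check: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    telemetry: dict = field(default_factory=dict)


def evaluate(identity: Identity, device: Device, resource: str, now: datetime) -> Decision:
    """Apply the checks in order; every branch, allow or deny, emits the same telemetry record."""
    record = {
        "upn": identity.upn,
        "device_id": device.device_id,
        "resource": resource,
        "evaluated_at": now.isoformat(),
    }

    def deny(reason: str) -> Decision:
        record["decision"] = "deny:" + reason
        return Decision(False, reason, record)

    # 1. Identity: a password by itself never satisfies the policy.
    if not identity.auth_methods & STRONG_FACTORS:
        return deny("mfa-required")
    # 2. Device: managed, compliant, and the health report is recent.
    if not device.managed:
        return deny("device-not-managed")
    if not device.compliant:
        return deny("device-not-compliant")
    if now - device.last_health_check > HEALTH_MAX_AGE:
        return deny("device-health-stale")
    # 3. Least privilege: unknown resources and missing roles both fail closed.
    allowed_roles = RESOURCE_POLICY.get(resource)
    if allowed_roles is None:
        return deny("unknown-resource")
    if not identity.roles & allowed_roles:
        return deny("insufficient-role")
    record["decision"] = "allow"
    return Decision(True, "allow", record)


# Constructed sample request.
NOW = datetime(2025, 1, 30, 17, 0, tzinfo=timezone.utc)
ALICE = Identity("alice@example.test", frozenset({"password", "fido2"}),
                 frozenset({"employee", "engineer"}))
LAPTOP = Device("lt-0001", managed=True, compliant=True,
                last_health_check=NOW - timedelta(hours=1))

if __name__ == "__main__":
    for resource in ("source-repo", "payroll-api", "unlisted-app"):
        print(resource, evaluate(ALICE, LAPTOP, resource, NOW).telemetry["decision"])
```

The order matters: identity and device checks run before the resource lookup, so a stale device never learns whether a resource exists, and the telemetry record is the same shape on every path, which is what makes correlation across services possible later.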

Enforced security for wired networking

Our wired network connectivity policy is rooted in the SFI and Zero Trust. The security posture that this policy creates for every wired network device at Microsoft is critical to applying the principles of SFI and Zero Trust.

“Our wired network security puts physically connected devices in almost the exact same position as wireless devices,” Griffin says. “With Zero Trust, being physically connected means nothing, as far as security goes. Every device, every connection, every resource request is authenticated, authorized, and monitored, from end to end.”

Using the internet as the default network for devices is at the core of Microsoft’s wired network security. Unless the need is critical—and authorized—every device that connects to our network is routed to the internet, by default.

Griffin and the team have been working consistently for the past five years to implement comprehensive wired network security. The policy engines, networking hardware, and supporting technology for wired network security enforcement require time, effort, and—in many cases—physical presence to implement the solution properly.

The scope and impact are massive.

“This is probably the single largest network change our enterprise has ever seen,” Adams says.

With more than 700 buildings, 4,000 network switches, and almost 300,000 wired network devices, a device is placed onto the appropriate network segment multiple times every second somewhere across our network.

The network segmentation strategy for wired network security is a critical component of the overall security framework. This strategy involves several key practices and principles to ensure robust security and efficient network management.

We use macro-segmentation to create distinct segments within the corporate network. This approach restricts access to only the necessary systems within each segment, thereby reducing the risk of unauthorized access and lateral movement within the network.

Micro-segmentation is applied to further isolate network resources. Least-privilege access policies ensure that users and devices have only the minimum level of access required for their roles. This principle extends to both on-premises environments and cloud resources, including infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) resources.

Our layered defense approach includes using monitoring tools, access control lists (ACLs), network security groups, network address translation (NAT) gateways, and bastions to secure the network environment. These measures help to detect and prevent malicious activities, ensuring that the network remains secure even in the face of potential threats.

Using iteration and consistency in implementation

Implementation of our wired network security used a phased approach, and it began more than five years ago.

During the COVID-19 pandemic, significant testing was conducted to ensure that the supporting network infrastructure could continue to function independently and support all devices and networks without interruption even when connectivity issues arose. The team created robust policies that allowed for seamless re-authentication and re-attestation after connectivity was restored.
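The internet-first port placement described earlier (every device lands on the internet segment unless it is registered, attested, and attributed to an owner) and the re-attestation behavior described here can be sketched as a small policy engine. The following is an added example written for this edit, not Microsoft's code: a device that links up on a port is looked up in a registration service; only a registered, managed, owner-attributed device that attested on the port reaches its corporate segment. Decisions are cached for a short time so that a device keeps its placement while the policy service is unreachable and re-attests once the service returns; when a cached decision ages out, the fallback is the internet segment, never a corporate one. The VLAN ids, registry fields, 30-minute cache lifetime, and outage simulation are assumptions.

```python
"""Internet-first placement of a wired device (added example, not Microsoft's code).

A device that links up on a port is placed on the internet-only segment unless it is
registered, attested on the port, managed, and attributed to an accountable owner, in
which case it goes to the segment named in its registration. VLAN ids, registry fields,
the cache lifetime and the outage simulation are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

INTERNET_VLAN = 900                    # assumed id of the default, internet-only segment
DECISION_TTL = timedelta(minutes=30)   # assumed: how long a placement outlives the policy service


@dataclass(frozen=True)
class Registration:
    mac: str
    owner: str          # accountable owner from the asset inventory ("" if never recorded)
    segment_vlan: int   # corporate segment the device was registered to
    managed: bool


class PolicyService:
    """Stand-in for the registration back end; `reachable` simulates an outage."""

    def __init__(self, registry: Dict[str, Registration]):
        self.registry = dict(registry)
        self.reachable = True

    def lookup(self, mac: str) -> Optional[Registration]:
        if not self.reachable:
            raise ConnectionError("policy service unreachable")
        return self.registry.get(mac)


class PortPolicyEngine:
    def __init__(self, service: PolicyService):
        self.service = service
        self._cache: Dict[str, Tuple[int, str, datetime]] = {}

    def place(self, mac: str, attested: bool, now: datetime) -> Tuple[int, str]:
        """Return (vlan, reason) for a device that just linked up.

        `attested` is True when the device proved its identity on the port (for example
        a successful 802.1X exchange). An unattested device never reaches a corporate
        segment, whether the decision is live or cached.
        """
        mac = mac.lower()
        try:
            reg = self.service.lookup(mac)
        except ConnectionError:
            cached = self._cache.get(mac)
            if attested and cached and now - cached[2] <= DECISION_TTL:
                return cached[0], "cached: " + cached[1]
            return INTERNET_VLAN, "fail-safe: policy service unreachable"

        if reg is None:
            decision = (INTERNET_VLAN, "unregistered device")
        elif not attested:
            decision = (INTERNET_VLAN, "registered but did not attest on the port")
        elif not reg.managed:
            decision = (INTERNET_VLAN, "unmanaged device")
        elif not reg.owner:
            decision = (INTERNET_VLAN, "no accountable owner on record")
        else:
            decision = (reg.segment_vlan, "registered to " + reg.owner)
        self._cache[mac] = (decision[0], decision[1], now)
        return decision


# Constructed sample inventory and clock.
REGISTRY = {
    "00:1a:2b:3c:4d:5e": Registration("00:1a:2b:3c:4d:5e", "alice@example.test", 110, True),
    "00:1a:2b:3c:4d:5f": Registration("00:1a:2b:3c:4d:5f", "", 110, True),  # owner missing
}
NOW = datetime(2025, 1, 30, 17, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    engine = PortPolicyEngine(PolicyService(REGISTRY))
    for mac in ("00:1A:2B:3C:4D:5E", "00:1a:2b:3c:4d:5f", "de:ad:be:ef:00:01"):
        print(mac, engine.place(mac, True, NOW))
```

Two design points carry the security weight: the fail-safe path only ever returns the internet segment or a fresh cached decision for a device that attested right now, and the cache is not refreshed during an outage, so a prolonged loss of the policy service degrades devices to internet-only rather than leaving them on corporate segments indefinitely.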

In those initial phases, confirming configuration and monitoring results were important, so the team started small and learned from their progress.

“Using a phased approach isn’t new at Microsoft,” Gogi says. “However, our success in rolling out wired port security depended directly on how we planned and structured our phases or, more accurately, rings.”

The ring-based approach was designed to minimize disruptions and ensure that security measures were robust and reliable. Changes gradually rolled out in stages, starting with smaller, controlled environments before being expanded to the entire network. This approach allowed for continuous monitoring and adjustments, ensuring that any issues could be addressed promptly without affecting the entire network.

Adams highlights the importance of the iterative approach.

“At our scale, we had to be efficient and accurate,” he says. “Downtime was out of the question, and we certainly didn’t want gaps in service availability or applied security measures.”

Automation played a crucial role in the implementation process. Automated tools were developed to standardize configurations across all network switches, ensuring a consistent and predictable user experience. Standardizing through automation helped maintain adequate security measures while also making the deployment process more efficient.

Automating user-initiated device onboarding

Our GetConnected portal is an essential tool for securely connecting devices to our corporate network. The GetConnected portal, hosted on our internal corporate intranet site, ensures that all devices meet necessary security standards to protect employees, customers, and data.

The portal provides a centralized location for all network access needs, allowing our employees to:

  • Register managed or personal devices to specific Microsoft networks
  • Delete devices from Microsoft networks
  • Move devices between different Microsoft networks
  • Manage changes to both managed and personal devices

When a managed device connects to the wired network in one of our buildings, it is placed into an internet-connected segment with enterprise-quality connection and bandwidth. To access tools or services on the corporate network, the device must be registered through the GetConnected portal. The portal uses Microsoft Entra ID’s Conditional Access capabilities to enforce user access based on device groupings and user profiles, connecting the user-directed registration process to our cloud-based identity management systems.

Getting your wired network security right

Five years of network implementation comes with some lessons.

“We’ve learned a lot,” Adams says. “There are some best practices that can make implementation much more efficient and simplify the transition to a secure, internet-first posture.”

These practices were instrumental not only in achieving the desired security outcomes but also in keeping the entire network infrastructure running smoothly throughout implementation. Here are some key strategies and methodologies that proved critical to the successful deployment of wired network security at Microsoft:

Plan for global reach. Wired network security efforts must span across the entire infrastructure, encompassing data centers, offices, and remote locations. This ensures that all network segments, regardless of their geographical location, adhere to the same high standards of security.

Comprehensive asset management. Our teams have identified, inventoried, and attributed accountability for more than 99.3% of our physical assets. This foundational step is crucial for implementing effective network security measures.

“This is a critical component,” Balan says. “Device accountability is a first line of defense. Knowing who owns every device on the network ensures faster security response, targeted containment, and accountability. When incidents strike, attribution means quicker resolution and stronger protection.”

Service tagging and traffic identification. Service tagging for new IP address allocations helps to enable precise traffic identification across the network. This capability helps detect malicious activity and simplifies the management of ACLs for both infrastructure and services.

Harden network devices. We’ve put significant effort into hardening network devices and improving lifecycle management policies. This includes developing scalable and automated methods for secret rotation, making secrets unique per device, and implementing unique per-device authentication and one-time passwords for service accounts.

Use microsegmentation and access controls. Implementing microsegmentation ACLs further secures the management of the network. This approach limits access to a known scope of trusted production-ready locked-down machines, significantly reducing the impact of exposed secrets.

Embrace Zero Trust principles. Our entire network security strategy is aligned with Zero Trust principles, ensuring that every access request is thoroughly authenticated and authorized. This involves migrating resources to internet-facing environments and implementing strict access controls.

Scale efficiently with automation and standardization. Automation plays a critical role in maintaining a consistent and predictable user experience across all network switches. Standardizing configurations ensures that the network behaves uniformly at every site, facilitating efficient management and security.
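The asset-accountability and service-tagging practices above fit together in one data set: an allocation registry in which every prefix carries a service tag and an accountable owner. The following is an added example written for this edit, not Microsoft's tooling: ACL intent is written against tags rather than addresses and expanded to concrete prefix rules only at deployment time (a permit that references a tag with no allocation raises instead of silently widening), addresses seen in traffic are mapped back to their tag by longest-prefix match, and the same registry yields the attribution figure by reporting allocations that lack a tag or an owner. The tag names, prefixes, rule shape, and registry entries are constructed.

```python
"""Service-tagged allocations, tag-based ACLs and attribution (added example, not Microsoft's code)."""
import ipaddress
from collections import defaultdict

# Constructed allocation registry: every new allocation carries a service tag and an owner.
ALLOCATIONS = [
    {"prefix": "10.10.0.0/24", "tag": "print-servers",  "owner": "facilities-it"},
    {"prefix": "10.10.1.0/24", "tag": "print-servers",  "owner": ""},            # owner never recorded
    {"prefix": "10.20.0.0/22", "tag": "build-agents",   "owner": "eng-infra"},
    {"prefix": "10.30.5.0/26", "tag": "net-mgmt-jump",  "owner": "network-ops"},
    {"prefix": "10.40.0.0/24", "tag": "switch-mgmt",    "owner": "network-ops"},
    {"prefix": "10.50.0.0/24", "tag": "artifact-store", "owner": "eng-infra"},
    {"prefix": "10.99.0.0/16", "tag": "",               "owner": ""},            # legacy, untagged
]

# ACL intent expressed against tags, not addresses (assumed rule shape):
# (action, source tag, destination tag, protocol, port or None).
TAG_RULES = [
    ("permit", "net-mgmt-jump", "switch-mgmt",    "tcp", 22),   # only the locked-down jump hosts
    ("permit", "build-agents",  "artifact-store", "tcp", 443),
    ("deny",   "any",           "switch-mgmt",    "ip",  None),
]


def index_by_tag(allocations):
    """Map service tag -> list of networks; untagged allocations are left out on purpose."""
    by_tag = defaultdict(list)
    for alloc in allocations:
        if alloc["tag"]:
            by_tag[alloc["tag"]].append(ipaddress.ip_network(alloc["prefix"]))
    return dict(by_tag)


def expand_rules(rules, by_tag):
    """Turn tag-based rules into concrete prefix rules.

    A rule that references a tag with no allocation raises: dropping it silently
    could turn a deny into nothing, and a typo in a tag should be caught before the
    ACL reaches a device.
    """
    concrete = []
    for action, src, dst, proto, port in rules:
        srcs = ["any"] if src == "any" else [str(n) for n in by_tag.get(src, [])]
        dsts = ["any"] if dst == "any" else [str(n) for n in by_tag.get(dst, [])]
        if not srcs or not dsts:
            raise ValueError(f"rule {action} {src}->{dst} references an unknown tag")
        for s in srcs:
            for d in dsts:
                concrete.append((action, s, d, proto, port))
    return concrete


def tag_for(address, by_tag):
    """Longest-prefix match of an address to its service tag, for traffic identification."""
    ip = ipaddress.ip_address(address)
    best = None
    for tag, nets in by_tag.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (tag, net.prefixlen)
    return best[0] if best else None


def attribution_report(allocations):
    """Return (attributed, total, unattributed prefixes).

    An allocation counts as attributed only if it has both a service tag and an owner.
    """
    missing = [a["prefix"] for a in allocations if not (a["tag"] and a["owner"])]
    return len(allocations) - len(missing), len(allocations), missing


if __name__ == "__main__":
    by_tag = index_by_tag(ALLOCATIONS)
    for rule in expand_rules(TAG_RULES, by_tag):
        print(*rule)
    print("10.20.1.7 ->", tag_for("10.20.1.7", by_tag))
    print("attribution:", attribution_report(ALLOCATIONS))
```

Because the ACL is generated from the registry, adding a new jump host means adding a tagged allocation, not editing every switch; and because untagged space never expands into a permit, the legacy 10.99.0.0/16 block in the sample cannot acquire access by accident.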

Looking forward

Our future efforts in wired network security will continue to evolve, focusing on supporting Zero Trust principles and the Secure Future Initiative (SFI), enhancing security, improving user experience, and ensuring the resilience of our network infrastructure as we go.

We’re continuously improving the employee experience, building on the success of the GetConnected portal. We want to maintain a balance between security and employee experience as we improve the security posture of our network, ensuring that security measures don’t hinder productivity.

The team is excited about the future of wired network security and the SFI at Microsoft.

“This is a significant advancement in our security posture and demonstrates our commitment to protecting our assets against unauthorized access,” Balan says. “Our internet-first posture and alignment with Zero Trust principles ensure that we’ll continuously examine and iterate our network environment to improve our security posture and remain prepared for the future.”

Key Takeaways

Consider the following best practices when planning to implement wired network security:

  • Plan for global reach by ensuring that your network security efforts span across all locations, including data centers, offices, and remote sites.
  • Conduct comprehensive asset management by identifying, inventorying, and attributing accountability for physical assets to implement effective security measures.
  • Use service tagging for new IP address allocations to enable precise traffic identification and simplify the management of ACLs.
  • Harden your network devices by developing scalable and automated methods for secret rotation, unique per-device authentication, and one-time passwords for service accounts.
  • Implement microsegmentation and access controls to limit access to trusted, production-ready, locked-down machines, thereby reducing the impact of exposed secrets.
  • Embrace Zero Trust principles by thoroughly authenticating and authorizing every access request and migrating resources to internet-facing environments with strict access controls.
  • Scale efficiently with automation and standardization to maintain a consistent and predictable user experience across all network switches and ensure uniform behavior at every site.

Sharing how Microsoft protects against ransomware
http://approjects.co.za/?big=insidetrack/blog/sharing-how-microsoft-protects-against-ransomware/
Tue, 21 Jan 2025 17:08:55 +0000

The post Sharing how Microsoft protects against ransomware appeared first on Inside Track Blog.

Microsoft Digital stories

Anyone can fall victim to ransomware.

As cybercriminals shift from wide-net approaches to focus on precision attacks against high-dollar targets, there is extra pressure for companies and governments to evaluate and defend themselves against ransomware attacks.

This is why Microsoft is driving new priorities to protect our company, our people, and our customers. We launched our Ransomware Elimination Program (REP)—a multi-stakeholder effort built upon Zero Trust—to better understand our risk profile and deploy additional controls, processes, and practices to improve resiliency against intrusion.

This allowed us to weave our many different ransomware systems and processes into a single agile framework that we use to holistically guard against attacks.

It’s made a big difference for us—we’re now better able to analyze our systems, understand capabilities, and innovate on some of the solutions we rely on to stay safe.

[Read blog two in our ransomware series: Why Microsoft uses a playbook to guard against ransomware. | Read blog three in our ransomware series: Building an anti-ransomware program at Microsoft focused on an Optimal Ransomware Resiliency State. | Learn more about human-operated ransomware. | Discover how Microsoft’s Zero Trust effort keeps the company secure.]

A new threat emerges

Ransomware today is a large and profitable business where technically skilled human operators work in unison to exploit high-value targets. Healthcare, government, utilities, businesses, and universities have all been victimized by gangs of hackers. It wasn’t always this way, though.

Historically, ransomware was a commodity effort: attacks were automated and spread like a virus. Phishers spammed as many accounts as possible in the hope of infecting a device with malware. Once on the device, the ransomware encrypts files and folders, holding them hostage. Cybercriminals then extort the victim, selling back access to the device.

By contrast, today’s human-operated ransomware attacks are a well-researched and coordinated effort to gain access to cloud and on-premises infrastructures. Cybercriminals work with intention, adapting and exploiting the environment as they move laterally in search of high-value business resources. And unlike commodity efforts, which can be cleaned up with malware remediation, human-operated ransomware poses a continuous threat. Left unchecked, the threat and costs associated will continue to grow.

The elimination of ransomware presents several challenges, with some of the most effective methods being out of our control. We can’t limit or remove motive; bad actors will always try to exploit others for gain. We can’t lock down the means either as hackers rely on the same tools and skills that developers utilize to bring good into this world.

What we can do is limit the opportunity and make it harder for ransomware to disrupt our lives.

Addressing the challenge with simple questions

Carmichael Patton, a principal program manager on Microsoft’s internal enterprise security team, in a portrait photo.

Faced with addressing increasingly common attacks, we, the company’s internal enterprise security team, asked ourselves some basic questions, including, “How protected and resilient would we be if we were attacked,” and “How do we evolve past protecting against ransomware and aspire to a bigger goal of eliminating ransomware threats?”

Our foundation of Zero Trust provides a solid base to build upon. It ensures devices are registered, users are who they say they are, and verifies that devices are healthy and current. However, when it comes to ransomware, we realized there were opportunities to add additional controls and gain more stability across our systems.

We started investigating ourselves, looking for areas to improve, gaps to close, and ways to reduce risk.

We looked at everything. We looked at the tools, policies, and processes we have and made sure they were up and running. We checked configurations and adjusted settings to get the best outcomes. If we found a gap in place, we set out to fix it.

Put another way, we asked simple questions like, “What can we do, what should we do, and what can’t we do?”

Eliminating ransomware from the inside out

All that questioning led us to the conclusion that we needed to centralize our efforts.

Instead of each engineering or service group managing the threat on their own, we’d use a holistic, cohesive approach spanning devices and services. We developed a playbook, a way to test ransomware scenarios and build out a set of best practices for response, recovery, and remediation. We shifted our focus to catching human-operated ransomware in earlier stages, where it is less likely to cause real damage.

And, because human-operated ransomware is always changing, we knew this would need to be an ongoing effort. That’s why we created the Ransomware Elimination Program (REP).

The REP team drives the effort to boost resiliency across our company and for our customers. Within REP, we work towards creating an optimal ransomware resiliency state where Zero Trust is employed, Windows 11 is deployed, and tools like Microsoft Defender for Endpoint are configured with network and tamper protection in place.

Simplified, REP is about defining a requirement and building out implementations of core protections, pervasive backups, and comprehensive alerts across all our enterprise assets including identities, devices, services, and data stores.

It’s a perpetual alignment exercise: getting security information and event management (SIEM) up and running for the security operations center (SOC), enabling protections in Office 365, controlling standard and conditional access, and always asking, “What can we do, what should we do, and what can’t we do?”

Because Microsoft products are so pervasive across the planet, they’re also a main target for ransomware attacks. We want to make attacks against Windows, Microsoft Azure, and our other products as insurmountable as possible.

Making ransomware a top priority

REP’s most important impact is that it makes it harder for cybercriminals to carry out ransomware attacks. We do this by incorporating industry trends and customer feedback and by continuing to build out our own security research and threat intelligence. At the same time, our increased resiliency, meaning the ability to respond, recover, and remediate, diminishes the likelihood of attackers receiving any kind of reward.

Because we have centralized the response through the program, we’re also able to prioritize our efforts. Having the core practice of Zero Trust in place goes a long way toward making this possible. Evaluating our weaknesses and gaps is a constant project, but we’re also able to take the learnings we’ve gathered from these exercises and share it with our product and service teams to create better protections for the enterprise and the customer.

Ransomware is constantly evolving, and its elimination requires a holistic and cohesive approach. REP is an essential part of the front-line defense that protects devices against attacks.

Key Takeaways

  • To be successful and robust, a centralized ransomware team should continuously evaluate gaps and adjust the framework.
  • Define an optimal ransomware resiliency state as your target framework, built on Zero Trust, and prioritize the controls that close the largest gaps first.
  • Give your teams a playbook to run tabletop exercises and regularly test your readiness for a human-operated ransomware attack.

Stay tuned for the next blog post in our series where we’ll share our playbook for responding to ransomware.

Using a Zero Trust strategy to secure Microsoft’s network during remote work
http://approjects.co.za/?big=insidetrack/blog/using-a-zero-trust-strategy-to-secure-microsofts-network-during-remote-work/
Fri, 03 Jan 2025 14:59:49 +0000

The post Using a Zero Trust strategy to secure Microsoft’s network during remote work appeared first on Inside Track Blog.

Microsoft Digital stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Microsoft’s cloud-first strategy enables most Microsoft employees to directly access applications and services via the internet, but remote workers still use the company’s virtual private network (VPN) to access some corporate resources and applications when they’re outside of the office.

This became increasingly apparent when Microsoft prepared for its employees to work remotely in response to the global pandemic: VPN usage increased by 70 percent, in step with the spike in users working from home every day.

So then, how is Microsoft ensuring that its employees can securely access the applications they need?

With split tunneling and a Zero Trust security strategy.

As part of the company’s Zero Trust security strategy, employees in Microsoft Digital redesigned the VPN infrastructure around a split-tunneled configuration, which also supports the company’s ongoing move of workloads to the cloud.

“Adopting split tunneling has ensured that Microsoft employees can access core applications over the internet using Microsoft Azure and Microsoft Office 365,” says Steve Means, a principal cloud network engineering manager in Microsoft Digital. “This takes pressure off the VPN and gives employees more bandwidth to do their job securely.”

Eighty percent of remote working traffic flows to cloud endpoints where split tunneling is enabled, but the rest of the work that employees do remotely—which needs to be locked down on the corporate network—still goes through the company’s VPN.

“We need to make sure our VPN infrastructure has the same level of corporate network security as applications in the cloud,” says Carmichael Patton, a principal security architect on Microsoft’s Digital Security and Resilience team. “We’re applying the same Zero Trust principles to our VPN traffic, by applying conditional access to each connection.”
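The split described above comes down to a per-destination routing decision on the client. The following is an added example written for this edit, not Microsoft's VPN configuration: the client holds a list of corporate prefixes that must traverse the tunnel and a list of cloud-service prefixes that go straight to the internet even where they sit inside a tunneled range, the decision is a longest-prefix match over both lists, and anything matching neither goes direct, which is the internet-first default. It also builds the ordered route table the client would install and measures what share of a session's bytes stays off the VPN. The prefixes, sample flows, and the share they produce are constructed; a real deployment takes the cloud ranges from the provider's published endpoint list.

```python
"""Split-tunnel routing decision on the client (added example, not Microsoft's VPN code)."""
import ipaddress

# Assumed corporate ranges reached only over the tunnel.
TUNNEL_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.100.0/24", "fd00:abcd::/32"]
# Assumed cloud-service ranges excluded from the tunnel; 10.200.0.0/16 sits inside
# 10.0.0.0/8 to show that the more specific exception wins.
DIRECT_PREFIXES = ["10.200.0.0/16", "52.96.0.0/12", "40.96.0.0/13"]

TUNNEL_NETS = [ipaddress.ip_network(p) for p in TUNNEL_PREFIXES]
DIRECT_NETS = [ipaddress.ip_network(p) for p in DIRECT_PREFIXES]


def route_for(destination: str) -> str:
    """Return "tunnel" or "direct" for one destination address.

    Longest prefix wins across both lists. The tunnel list is scanned first, so an
    identical prefix present in both lists resolves to the tunnel rather than leaking
    corporate traffic onto the internet. No match at all means direct.
    """
    ip = ipaddress.ip_address(destination)
    best_len, target = -1, "direct"
    for candidate, nets in (("tunnel", TUNNEL_NETS), ("direct", DIRECT_NETS)):
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best_len, target = net.prefixlen, candidate
    return target


def build_route_table():
    """Client route table as (prefix, target) pairs, most specific first, so the
    host's own longest-prefix match reaches the same answers as route_for()."""
    entries = [(n, "tunnel") for n in TUNNEL_NETS] + [(n, "direct") for n in DIRECT_NETS]
    entries.sort(key=lambda e: (e[0].version, -e[0].prefixlen, int(e[0].network_address)))
    return [(str(n), t) for n, t in entries]


def traffic_split(flows):
    """Fraction of bytes kept off the VPN; flows are (destination, byte_count) pairs."""
    total = sum(b for _, b in flows)
    if total == 0:
        return 0.0
    direct = sum(b for d, b in flows if route_for(d) == "direct")
    return direct / total


# Constructed sample flows from one remote session.
SAMPLE_FLOWS = [
    ("52.96.10.4", 800),     # cloud mailbox: direct
    ("10.1.20.9", 150),      # intranet application: tunnel
    ("10.200.3.3", 50),      # internet-facing service inside 10/8: direct by exception
]

if __name__ == "__main__":
    for prefix, target in build_route_table():
        print(f"{prefix:<20} {target}")
    print("direct share:", traffic_split(SAMPLE_FLOWS))
```

The caveat Patton raises applies directly here: every prefix moved to the direct list is traffic that the on-premises inspection path no longer sees, so each exception should be paired with the client-side control (device health, endpoint protection, cloud access policy) that takes over for it.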

[Learn how Microsoft rebuilt its VPN infrastructure. | Learn how Microsoft transitioned to modern access architecture with Zero Trust. | Read how Microsoft is approaching Zero Trust Networking.]

Video: https://www.youtube.com/watch?v=bleFoL0NkVM (a transcript is available on YouTube under the video’s “More actions” menu, “Show transcript”).

Experts from Microsoft Digital answer frequently asked questions around how VPN, modern device management, and Zero Trust come together to deliver a world-class remote work platform.

Securing remote workers with device management and conditional access

Moving most of the work that employees require to the cloud only became possible after the company adopted modern security controls that focus on securing devices.

“We no longer rely solely on the network to manage firewalls,” Patton says. “Instead, each application that an employee uses enforces its own security management—this means employees can only use an app after it verifies the health of their device.”

To support this transformed approach to security, Microsoft adopted a Zero Trust security model, which manages risk and secures working remotely by managing the device an employee uses.

“Before an employee can access an application, they must enroll their device, have relevant security policies, and have their device health validated,” Patton says. “This ensures that only registered devices that comply with company security policies can access corporate resources, which reduces the risk of malware and intruders.”

The team also recommends using a dynamic and scalable authentication mechanism, like Azure Active Directory (now Microsoft Entra ID), to avoid the overhead of managing client certificates.

While most employees rely on our standard VPN infrastructure, Microsoft has specific scenarios that call for additional security when accessing company infrastructure or sensitive data. This is the case for Microsoft Digital employees in owner and contributor roles on a Microsoft Azure subscription, as well as employees who make changes to customer-facing production services and systems such as firewalls and network gear. To access corporate resources, these employees use Privileged Access Workstations, dedicated and hardened devices reserved for sensitive tasks, to reach a separate, highly secure VPN infrastructure.

Phil Suver, a principal PM manager in Microsoft Digital, says working remotely during the global pandemic gives employees a sense of what the Zero Trust experience will be like when they return to the office.

“Hardened local area networks that previously accessed internal applications are a model of the past,” Suver says. “We see split tunneling as a gateway to prepare our workforce for our Zero Trust Networking posture, where user devices are highly protected from vulnerability and employees use the internet for their predominant workload.”

It’s also important to regularly review your VPN configuration and keep it up to date.

“When evaluating your VPN configuration, identify the highest compliance risks to your organization and make them the priority for controls, policies, and procedures,” Patton says. “Understand the security controls you give up by not flowing the connections through your internal infrastructure. Then, look at the controls you’re able to extend to the clients themselves, and find the right balance of risk and productivity that fits your organization.”

Keeping your devices up-to-date with split tunneling

Enterprises can also optimize patching and manage update compliance using services like Microsoft Endpoint Manager, Microsoft Intune, and Windows Update for Business. At Microsoft, a split-tunneled VPN configuration allows these services to keep devices current without requiring a VPN tunnel to do it.

“With a split-tunneled configuration, update traffic comes through the internet,” says Mike Carlson, a principal service engineering manager in Microsoft Digital. “This improves the user experience for employees by freeing up VPN bandwidth during patch and release cycles.”

At Microsoft, device updates fall into two categories: feature updates and quality updates. Feature updates occur every six months and encompass new operating system features, functionality, and major bug fixes. In contrast, monthly quality updates include security and reliability updates as well as small bug fixes. To balance both user experience and security, Microsoft’s current configuration of Windows Update for Business prompts Microsoft employees to update within 48 hours for quality updates and 7 days for feature updates.

“Not only can Windows Update for Business isolate update traffic from the VPN connection, but it can also provide better compliance management by using the deadline feature to adjust the timing of quality and feature updates,” Carlson says. “We can quickly drive compliance and have more time to focus on employees that may need additional support.”

Evaluating your VPN configuration

When your enterprise evaluates which VPN configuration works best for your company and users, start by examining their workflows.

“Some companies may need a full tunnel configuration, and others might want something cloud-based,” Means says. “If you’re a Microsoft customer, you can work with your sales team to request a customer engagement with a Microsoft expert to better understand our implementation and whether it would work for your enterprise.”

Means also said that it’s important to assess the legal requirements of the countries you operate in; at Microsoft, this is handled using Azure Traffic Manager. For example, split tunneling may not be the right configuration for countries with tighter controls over how traffic flows within and beyond their borders.

Suver also emphasized the importance of understanding the persona of your workforce, suggesting you should assess the workloads they may need to use remotely and their bandwidth capacity. You should also consider the maximum number of concurrent connections your VPN infrastructure supports and think through potential seasonal disruptions.

“Ensure that you’ve built for a snow day or a pandemic of a global nature,” Suver says. “We’ve had to send thousands of customer support agents to work from home. Typically, they didn’t use VPN to have voice conversations with customers. Because we sized and distributed our infrastructure for a global workforce, we were able to quickly adapt to the dramatic shift in workloads that have come from our employees working from home during the pandemic. Anticipate some of the changes in workflow that might occur, and test for those conditions.”

It’s also important to collect user connection and traffic data in a central location for your VPN infrastructure, to use modern visualization services like Microsoft Power BI to identify hot spots before they happen, and to plan for growth.

Means’s biggest piece of advice?

Focus on what your enterprise needs and go from there.

“Identify what you want to access and what you want to protect,” he says. “Then build to that model.”

Tips for retooling VPN at your company

Azure offers a native, highly scalable VPN gateway, and the most common third-party VPN and software-defined wide area network (SD-WAN) virtual appliances are available in the Azure Marketplace.

For more information on these and other Azure and Office network-optimization practices, please see:

Related links

Here are additional resources to learn more about how Microsoft applies networking best practices and supports a Zero Trust security strategy:

The post Using a Zero Trust strategy to secure Microsoft’s network during remote work appeared first on Inside Track Blog.

Why Microsoft uses a playbook to guard against ransomware
http://approjects.co.za/?big=insidetrack/blog/why-microsoft-uses-a-playbook-to-guard-against-ransomware/
Mon, 30 Dec 2024 09:00:23 +0000
http://approjects.co.za/?big=insidetrack/blog/?p=8714

The post Why Microsoft uses a playbook to guard against ransomware appeared first on Inside Track Blog.

Microsoft Digital stories

When Microsoft’s Digital Security and Resilience (DSR) division set out to defend the company against human-operated ransomware, it faced several formidable challenges. In this form of ransomware, highly organized and sophisticated attacks by cybercriminals put major businesses, healthcare organizations, universities, and governments in their crosshairs for their visibility and potential payout. Human-operated ransomware’s targeted strategy requires a holistic and comprehensive response, which comes in the form of the Ransomware Elimination Program (REP), our centralized and collaborative cross-company effort.

As we discussed in our previous ransomware post, REP was purpose-built atop the philosophy of Zero Trust to give Microsoft a way to centralize defense, recovery, and resilience against ever-changing cyberthreats. Core to the program is the ransomware playbook, our internal guide to ensure teams across the company take the right action to respond, recover, and remediate in the event of an attack. Adherence to the playbook limits the opportunity for attacks and minimizes the potential reward that criminals seek.

“Attackers are more focused and targeted, they’re on a mission,” says Henry Duncan, a senior security program manager on REP, part of DSR, the team responsible for protecting our enterprise so that we can deliver and operate secure products and services for our customers. “It’s not a phishing email that spreads out to a bunch of random addresses and hopes someone clicks. That only nets you random targets. Human-operated ransomware aims for an enterprise and tries for big returns.”

The longer threat actors are active in an environment and can move around, the greater the risk to the target. Each passing moment presents an opportunity to acquire more access to data through compromised accounts, or tamper with security and backup systems—and that means a higher likelihood of data being compromised and a larger ransom demand. Time is of the essence.

[Read blog one in our ransomware series: Sharing how Microsoft protects against ransomware. | Read blog three in our ransomware series: Building an anti-ransomware program at Microsoft focused on an Optimal Ransomware Resiliency State. | Learn more about human-operated ransomware. | Discover how Microsoft’s Zero Trust effort keeps the company secure.]

Writing the book on ransomware

When conceptualizing what it wanted the playbook to achieve, the REP team knew it needed to facilitate excellence in operational response readiness, have the flexibility and scope to address cyberattacks of any scale, and align response processes across the company.

“We needed the playbook to articulate and visualize what everyone’s role in a process is,” Duncan says. “It’s not just a security thing; we have to get other teams involved, like legal, finance, and enterprise business continuity.”

Engaging with stakeholders from those organizations allowed the REP team to better understand the different methods used across the company to triage, contain, and escalate events. Such conversations and interviews were a vital learning opportunity, and when combined with industry and internal best practices, illuminated gaps and weaknesses and generated ideas to bridge them. Collaborative cross-team dialogue shaped the framework the team used to develop key processes, including what is used to recover critical services.

With this information synthesized, the REP team began structuring the ransomware playbook around addressing these four key questions:

  • How prepared are we for a cyber event?
  • What controls are in place to detect and identify malicious activity in our environment?
  • What is the appropriate response from various teams to contain and recover from threats?
  • How should a post-incident and root-cause analysis be performed?

The resulting document provides a unified and holistic response to cyberthreats for the company to use.

Walking the walk

“For a playbook to work, you need to test,” Duncan says. “It’s easy to think you’ve captured everything on the page, but we need to see what happens in practice.”

Performing simulations for a variety of scenarios demonstrated what might happen if an attack were to occur at Microsoft.

Security professionals and stakeholders were put to the test. Detection and prevention systems were put through the wringer. Backup and restore functions were reviewed, ensuring the resiliency and recovery precautions needed to circumvent the leverage of cybercriminals were in place.

Not only did these live drills verify steps within the ransomware playbook, they also allowed the REP team to gather additional feedback, including ways to better categorize and triage ransomware.

“It’s hard to measure the significance and when to escalate events; are we talking about a handful of machines or a large critical system?” Duncan says. “Now we have processes to have a consistent plan for triaging and triggering events.”

Because ransomware continues to change, so must Microsoft’s response. The playbook is a living document, updated with regular reviews of testing and stakeholder engagement, enabling it to stay current with the quickly changing tactics of threat actors.

The benefits of playing it by the book

While the primary function of the ransomware playbook is to ensure Security Operations Centers (SOCs) and engineering teams across Microsoft have a documented process for responding to and recovering from ransomware, the playbook’s design has additional built-in benefits.

Henry Duncan is a senior security program manager in Microsoft’s Digital Security and Resilience division.

For instance, its level of detail clearly outlines who is responsible for what, creates visibility at the appropriate time, and clarifies escalation. The right process owners get the right information at the right time.

“You need visibility into how an event surfaces,” Duncan says. “Now we have a predictable mechanism to trigger incident response. Those definitions bring leadership into appropriate major events.”

In practice, Duncan and the REP team found the playbook to be a useful tool for continuous improvement. Regularly run internal tabletop exercises help DSR and the REP team measure Microsoft’s ability to effectively respond to specific types of attacks. Simulations and tests provide vital opportunities to expose issues, refine internal processes, and close the gap in eliminating ransomware. In using the playbook, Microsoft isn’t just more prepared against ransomware, but against security attacks in general.

This also happens to make the ransomware playbook a valuable training tool. Its adoption across the company is essential to a successful and holistic response to an attack. With training, the knowledge of roles and responsibilities, combined with muscle memory of the right actions to take, ensures those involved are ready when put on the spot.

“We’ve also found that teams love the playbook as an onboarding tool,” Duncan says. “Anyone who joins Microsoft can know what the expectations are and loop that into their training. They’ll know how they fit into the ransomware equation.”

There’s a plan in place

Having the Ransomware Elimination Program along with the playbook gives teams across the company more visibility into the importance of ransomware. Microsoft now has a platform to share knowledge across organizations and centralize efforts to reduce the opportunity and reward for cybercriminals.

“We can champion how people protect the environment while also involving them to improve response procedures,” Duncan says. “REP is the frontline of what an optimal ransomware resilience state should look like. That’s going to happen by working with different teams throughout Microsoft to research and understand the greatest risks.”

With a playbook at hand, there’s more confidence than ever that Microsoft’s people are prepared to detect and respond appropriately to malicious activity. The structure provided by REP and its playbook empowers Microsoft to capture important insights about its own resiliency, helping to drive future improvements. That’s critical, especially as ransomware continues to evolve.

“Human-operated ransomware is a full-time job for cybercriminals,” Duncan says. “None of us are perfect but being aware, having the right technology in place, and putting a plan in place reduces the likelihood and impact of an attack on the environment.”

While the ransomware playbook is internal to Microsoft, the REP team is investigating the best way to share its learnings so others can build their own.

Key Takeaways

  • The ransomware playbook serves as a single source of truth for detecting, responding to, and recovering from ransomware. It helps identify the strategy and preparation approach for resiliency
  • Leverage your existing resources; you don’t have to start from scratch when developing a ransomware playbook
  • Invite stakeholders to participate in the development of your ransomware playbook. It will create a more comprehensive and inclusive document, and will improve adoption
  • Clarity of documentation is essential. Be sure to define expectations, roles, and responsibilities. Create diagrams and process flows whenever possible

Related links

Verifying device health at Microsoft with Zero Trust
http://approjects.co.za/?big=insidetrack/blog/verifying-device-health-at-microsoft-with-zero-trust/
Fri, 06 Sep 2024 13:51:32 +0000
http://approjects.co.za/?big=insidetrack/blog/?p=9002

The post Verifying device health at Microsoft with Zero Trust appeared first on Inside Track Blog.

Microsoft Digital technical stories

Here at Microsoft, we’re using our Zero Trust security model to help us transform the way we verify device health across all devices that access company resources. Zero Trust supplies an integrated security philosophy and end-to-end strategy that informs how our company protects its customers, data, employees, and business in an increasingly complex and dynamic digital world.

Verified device health is a core pillar of our Microsoft Digital Zero Trust security model. Because unmanaged devices are an easy entry point for bad actors, ensuring that only healthy devices can access corporate applications and data is vital for enterprise security. As a fundamental part of our Zero Trust implementation, we require all user devices accessing corporate resources to be enrolled in device-management systems.

Verified devices support our broader framework for Zero Trust, alongside the other pillars of verified identity, verified access, and verified services.

Diagram: the four pillars of Microsoft’s Zero Trust model: verify identity, verify device, verify access, and verify services.

[Explore verifying identity in a Zero Trust model. | Unpack implementing a Zero Trust security model at Microsoft. | Discover enabling remote work: Our remote infrastructure design and Zero Trust. | Watch our Enabling remote work infrastructure design using Zero Trust video.]

Verifying the device landscape at Microsoft

The device landscape at Microsoft is characterized by a wide variety of devices. We have more than 220,000 employees and additional vendors and partners, most of whom use multiple devices to connect to our corporate network. We have more than 650,000 unique devices enrolled in our device-management platforms, including devices running Windows, iOS, Android, and macOS. Our employees need to work from anywhere, including customer sites, cafes, and home offices. The transient nature of employee mobility poses challenges to data safety. To combat this, we are implementing device-management functionality to enable the mobile-employee experience—confirming identity and access while ensuring that the devices that access our corporate resources are in a verified healthy state according to the policies that govern safe access to Microsoft data.

Enforcing client device health

Device management is mandatory for any device accessing our corporate data. The Microsoft Endpoint Manager platform enables us to enroll devices, bring them to a managed state, monitor the devices’ health, and enforce compliance against a set of health policies before granting access to any corporate resources. Our device health policies verify all significant aspects of device state, including encryption, antimalware, minimum OS version, hardware configuration, and more. Microsoft Endpoint Manager also supports internet-based device enrollment, which is a requirement for the internet-first network focus in the Zero Trust model.

We’re using Microsoft Endpoint Manager to enforce health compliance across the various health signals and across multiple client device operating systems. Validating client device health is not a one-time process. Our policy-verification processes confirm device health each time a device tries to access corporate resources, much in the same way that we confirm the other pillars, including identity, access, and services. We’re using modern endpoint protection configuration on every managed device, including preboot and postboot protection and cross-platform coverage. Our modern management environment includes several critical components:

  • Microsoft Azure Active Directory (Azure AD) for core identity and access functionality in Microsoft Intune and the other cloud-based components of our modern management model, including Microsoft Office 365, Microsoft Dynamics 365, and many other Microsoft cloud offerings.
  • Microsoft Intune for policy-based configuration management, application control, and conditional-access management.
  • Clearly defined mobile device management (MDM) policy. Policy-based configuration is the primary method for ensuring that devices have the appropriate settings to help keep the enterprise secure and enable productivity-enhancement features.
  • Windows Update for Business is configured as the default for operating system and application updates for our modern-managed devices.
  • Microsoft Defender for Endpoint (MDE) is configured to protect our devices, send compliance data to Azure AD Conditional Access, and supply event data to our security teams.
  • Dynamic device and user targeting for MDM enables us to supply a more flexible and resilient environment for the application of MDM policies. It enables us to flexibly apply policies to devices as they move into different policy scopes.

Providing secure access methods for unmanaged devices

While our primary goal is to have users connect to company resources by using managed devices, we also realize that not every user’s circumstances allow for using a completely managed device. We’re using cloud-based desktop virtualization to provide virtual machine–based access to corporate data through a remote connection experience that enables our employees to connect to the data that they need from anywhere, using any device. Desktop virtualization enables us to supply a preconfigured, compliant operating system and application environment in a pre-deployed virtual machine that can be provisioned on demand.

Additionally, we’ve created a browser-based experience allowing access, with limited functionality, to some Microsoft 365 applications. For example, an employee can open Microsoft Outlook in their browser and read and reply to emails, but they will not be able to open any documents or browse any Microsoft websites without first enrolling their devices into management.

Key Takeaways

How we treat the devices that our employees and partners use to access corporate data is an integral component of our Zero Trust model. By verifying device health, we extend the enforcement capabilities of Zero Trust. A verified device, associated with a verified identity, has become the core checkpoint across our Zero Trust model. We’re currently working toward achieving better control over administrative permissions on client devices and a more seamless device enrollment and management process for every device, including Linux-based operating systems. As we continue to strengthen our processes for verifying device health, we’re strengthening our entire Zero Trust model.

Related links

Hardware-backed Windows 11 empowers Microsoft with secure-by-default baseline
http://approjects.co.za/?big=insidetrack/blog/hardware-backed-windows-11-empowers-microsoft-with-secure-by-default-baseline/
Wed, 28 Aug 2024 15:00:12 +0000
http://approjects.co.za/?big=insidetrack/blog/?p=11692

The post Hardware-backed Windows 11 empowers Microsoft with secure-by-default baseline appeared first on Inside Track Blog.

Microsoft Digital stories

Windows 11 makes secure-by-default viable thanks to a combination of modern hardware and software. This ready out-of-the-box protection enables us to create a new baseline internally across Microsoft, one that brings our entire enterprise to a consistently more secure level for a hybrid workplace.

“We’ve made significant strides to create chip-to-cloud Zero Trust out of the box,” says David Weston, vice president of Enterprise and OS Security at Microsoft. “Windows 11 is redesigned for hybrid work and security with built-in hardware-based isolation, proven encryption, and our strongest protection against malware.”

This new baseline for protection is one of several reasons Microsoft upgraded to Windows 11.

In addition to a better user experience and improved productivity for hybrid work, the new hardware-backed security features create the foundation for new protections. This empowers us to not only protect our enterprise but also our customers.

[Discover how Microsoft uses Zero Trust to protect our users. | Learn how new security features for Windows 11 help protect hybrid work. | Find out about Windows 11 security by design from chip to the cloud. | Get more information about how Secured-core devices protect against firmware attacks.]

How Windows 11 advanced our security journey

Upgrading to Windows 11 gives you more out-of-the-box security options for protecting your company, says David Weston, vice president of Enterprise and OS Security at Microsoft.

Security has always been the top priority here at Microsoft.

We process an average of 65 trillion signals per day, with 2.5 billion of them being endpoint queries, including more than 1,200 password attacks blocked per second. We can analyze these threats to get better at guarding our perimeter, but we can also put new protections in place to reduce the risk posed by persistent attacks.

In 2019, we announced Secured-core PCs designed to utilize firmware protections for Windows users. Enabled by Trusted Platform Module (TPM) 2.0 chips, Secured-core PCs protect encryption keys, user credentials, and other sensitive data behind a hardware barrier. This prevents bad actors and malware from accessing or altering user data and goes a long way in addressing the volume of security events we experience.

“Our data shows that these devices are more resilient to malware than PCs that don’t meet the Secured-core specifications,” Weston says. “TPM 2.0 is a critical building block for protecting user identities and data. For many enterprises, including Microsoft, TPM facilitates Zero Trust security by measuring the health of a device using hardware that is resilient to tampering common with software-only solutions.”

We’ve long used Zero Trust—always verify explicitly, offer least-privilege access, and assume breach—to keep our users and environment safe. Rather than behaving as though everything behind the corporate firewall is secure, Zero Trust reinforces a motto of “never trust, always verify.”

The additional layer of protection offered by TPM 2.0 makes it easier for us to strengthen Zero Trust. That’s why hardware plays a big part in Windows 11 security features. The hardware-backed features of Windows 11 add further barriers against malware, ransomware, and more sophisticated hardware-based attacks.

Windows 11 is the alignment of hardware and software to elevate security capabilities. By enforcing a hardware requirement, we can now do more than ever to keep our users, products, and customers safe.

Setting a new baseline at Microsoft

Windows 11 reduces how many policies you need to set up for your security protections to kick in, says Carmichael Patton, a principal program manager with Microsoft Digital Security and Resilience.

While some security features were previously available via configuration, TPM 2.0 allows Windows 11 to protect users immediately, without IT admins or security professionals having to set specific policies.

“At a high level, Windows 11 enforced sets of functionalities that we needed anyway,” says Carmichael Patton, a principal program manager with Digital Security and Resilience, the organization responsible for protecting Microsoft and our products. “It drove the environment to demonstrate that we were more secure by default. Now we can enforce security features in the Windows 11 pipeline to give users additional protections.”

Thus, getting Windows 11 out to our users was a top priority.

Over the course of five weeks, we were able to deploy Windows 11 across 90 percent of eligible devices at Microsoft. Proving to be the least disruptive release to date, this effort assured our users would be immediately covered by baseline protections for a hybrid world.

We can now look across our enterprise and know that users running Windows 11 have a consistent level of protection in place.

The real impact of secure-by-default

Moving from configurable to built-in protection means that Windows 11 becomes the foundation for secure systems as you move up the stack.

Applications, identity, and the cloud can all build on the hardware root of trust that Windows 11 derives from TPM 2.0. Application security measures like Smart App Control and passwordless sign-in with Windows Hello for Business are all enabled by hardware-backed protections in the operating system.

Secure-by-default does all of this without removing the important flexibility that has always been part of Windows.

“It simplifies everything for everyone, including IT admins who may not also be security experts,” Weston says. “You can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.”

Key Takeaways

Going forward, IT admins working in Windows 11 no longer need to put extra effort into enabling and testing security features for performance compatibility. Windows 11 makes it easier for us to gain security value without extra work.

This is important when you consider productivity, one of the other drivers for Windows 11. We need to empower our users to stay productive wherever they are. These new security components go hand-in-hand with our productivity requirements. Our users stay safe without seeing any decline in quality, performance, or experience.

“With Windows 11, the focus is on productivity and thinking about security from the ground up,” Patton says. “We know we can do these amazing things, especially with security being front and center.”

Now that Windows 11 is deployed across Microsoft, we can take advantage of TPM 2.0 to bring even greater protections to our users, customers, and products. We’ve already seen this with the Windows 11 2022 update.

For example, Windows Defender Application Control (WDAC) enables us to prevent scripting attacks while protecting users from running untrusted applications associated with malware. Other updates include improvements to IT policy and compliance through config lock, a feature that monitors and prevents configuration drift when users with local admin rights change settings.

These are the kinds of protections made possible with Windows 11.

“Future releases of Windows 11 will continue to add significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software,” Weston says. “Windows 11 is a better way for everyone to collaborate, share, and present, all with the confidence of hardware-backed protections.”

Implementing strong user authentication with Windows Hello for Business
http://approjects.co.za/?big=insidetrack/blog/implementing-strong-user-authentication-with-windows-hello-for-business/
Wed, 26 Jun 2024 14:00:43 +0000

The post Implementing strong user authentication with Windows Hello for Business appeared first on Inside Track Blog.

Microsoft Digital technical stories
[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Deploying Windows Hello for Business internally here at Microsoft has significantly increased our security when our employees and vendors access our corporate resources. This feature offers a streamlined user sign-in experience—it replaces passwords with strong two-factor authentication by combining an enrolled device with a PIN or biometric user input for sign-in. Windows Hello was easy to implement within our existing identity infrastructure and is compatible with our remote access solution.

The Windows Hello for Business feature can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) user input to sign in. We—the Microsoft Digital Employee Experience team—streamlined the deployment of this feature as an enterprise credential to improve our user sign-in experience and to increase the security of accessing corporate resources.

Using this feature, users can authenticate to a Microsoft account, an Active Directory account, or a Microsoft Azure Active Directory (Azure AD) account.

The Windows Hello for Business feature is a public key or certificate-based authentication approach that goes beyond passwords. This form of authentication relies on key pairs that can replace passwords and are resistant to breaches, thefts, and phishing.

Other benefits of this feature include:

  • It supports our Zero Trust security model. It emphasizes an identity-driven security solution by centering on securing user identity with strong authentication and eliminating passwords.
  • It uses existing infrastructure. We configured Windows Hello to support smart card–like scenarios by using a certificate-based deployment. Our security policies already enforced secure access to corporate resources with two-factor authentication, including smart cards and Microsoft Azure Multi-Factor Authentication. Windows Hello is currently enabled, and we anticipate an increase in usage as more biometric-capable devices become available in the market.
  • It uses a PIN. It replaces passwords with stronger authentication: users can now sign in to a device using a PIN that can be backed by a trusted platform module (TPM) chip.
  • It provides easy certificate renewal. Certificate renewals automatically occur when a user signs in with their PIN before the lifetime threshold is reached.
  • It permits single sign-on. After a user signs in with their PIN, they have access to email, SharePoint sites (when using the latest Office 365 versions), and business applications without being asked for credentials again.
  • It is compatible with remote access. When using a certificate-based PIN, users can connect remotely using a Microsoft Digital Employee Experience VPN without the need for multi-factor authentication with phone verification.
  • It supports Windows Hello. If users have compatible biometric hardware, they can set up biometric sign-in and swipe their finger or take a quick look at the device camera.

Our deployment environment for the Windows Hello for Business feature includes:

  • Server: Microsoft Azure AD subscription and Microsoft Azure AD Connect to extend the on-premises directory to Azure AD:
    • For certificate-based deployment: Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), Network Device Enrollment Service (NDES), and Microsoft Intune
  • Client: A device, preferably with an initialized and owned TPM.

For more information about integrating on-premises identities with Microsoft Azure AD, see Integrating your on-premises identities with Microsoft Azure Active Directory.

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=3k4Mduc9eUQ, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Dimitris Papitsis, Service Engineer for Inside Track, and Mike Stephens, Senior Program Manager, OS Security, share lessons learned when Inside Track deployed Windows Hello for Business on 100,000 Windows 10 devices over existing infrastructure, including Intune, System Center Configuration Manager, Public Key Infrastructure, and Azure Active Directory.

Enrollment and setup

Windows Hello for Business user enrollment steps vary, based on our deployed scenarios. For all scenarios, users need to complete enrollment with their smart card, or with multi-factor authentication using a verification option (such as a phone call or a verification in a mobile app such as Microsoft Authenticator) in addition to their user name and password.

The Windows Hello for Business feature supports the following enrollment scenarios:

  • On-premises Active Directory domain–joined devices. Users sign in with their domain account, the Group Policy is applied, the device is registered with Microsoft Azure Active Directory, and then the user creates a PIN.
  • Microsoft Azure AD–joined devices managed by Microsoft Intune. Users must enroll in device management (or add a work account) through Microsoft Intune. After their device is enrolled and the policies are applied, the PIN credential provisioning process begins and users receive the prompt to create their PIN.

Requirements

  • Two-factor authentication is required for PIN creation using one of the existing methods (virtual smart card, physical smart card, or multi-factor authentication with phone verification).
  • A PIN that is at least six characters long.
  • A connection to the internet or Microsoft corporate network.

Physical architecture

Our Windows domain-joined devices were already synchronized with Microsoft Azure AD through Microsoft Azure AD Connect, and we already had a public key infrastructure (PKI) in place. Already having PKI reduced the amount of change required in our environment to enable the Windows Hello for Business feature.

To deploy user certificates based on Windows Hello keys, we used AD FS, AD CS, and Group Policy.

Server roles and services

In our implementation, the following servers and roles work together to enable Windows Hello as a corporate credential:

  • Microsoft Azure AD subscription with Microsoft Azure Active Directory Device Registration Service to register devices with Azure Active Directory.
  • Microsoft Intune is used to enroll devices joined to Microsoft Azure Active Directory.
  • AD FS is used for federated identities, and Microsoft Azure AD Application Proxy is used for secure remote access to web applications hosted on-premises. AD FS Registration Authority is used to handle certificate issuance and renewal for devices that are joined to the domain.
  • PKI includes NDES servers (with policy module) and certificate authorities (with smart card EKU—enhanced key usage—template), used for the issuance, renewal, and revocation of Windows Hello for Business certificates.

Domain-joined service workflow

The following workflow applies to any Windows 10 computer joined to our AD DS domain.

  • Our domain-joined devices pull a Group Policy object that configures certificate enrollment, PIN-enablement, and notification tasks.
  • After users sign out and sign in again, or if they select the pop-up notification when it displays, a PIN creation workflow runs, and they must configure their new PIN.
  • During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. The user can also initiate the Windows Hello setup process from the Settings app at any time.
    • If the client and infrastructure support Instant-On, a key-receipt verification package is downloaded and a certificate request is sent to the AD FS registration authority. AD FS confirms valid key ownership and submits the request on behalf of the user to an AD CS certification authority.
  • The certificate is delivered to the computer.

Microsoft Azure Active Directory–joined service workflow

  • Microsoft Intune pushes a device policy to Microsoft Azure Active Directory–joined devices that contains the URL of the NDES server and a challenge generated by Intune.
  • During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. The user can also initiate the Windows Hello setup process from the Settings app at any time.
  • The device contacts the internet-facing NDES server using the URL from the policy and provides the challenge response. The NDES server validates the challenge with the certificate registration point (CRP) and receives a “true” or “false” result for the challenge verification.
    • If the challenge response is “true,” the NDES server communicates with the certificate authority (CA) to get a certificate for the device. Appropriate ports need to be open between the NDES server and the CA for this to happen.
  • The NDES server delivers the certificate to the computer.

Setting policies

Our Microsoft Digital Employee Experience team used domain-based Group Policies to push out policy-based settings that configure our Windows 10 domain-joined devices to provision Windows Hello user credentials when users sign in to Windows. Non-domain-joined devices receive their policies from Intune. We also used these settings to define the complexity and length of the PIN that our users generate at registration and to control whether Windows Hello was enabled.

We had the option to configure whether we would accept certificate-based Windows Hello for Business with PIN as a software-backed credential. We chose to enable Windows Hello for Business with a hardware-required option, which means that keys are generated on the TPM.

Policies for Microsoft Active Directory domain–joined clients

You must create and deploy a Group Policy object using the settings found under User Configuration > Administrative Templates > Windows Components > Windows Hello for Business.

The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. Both the Enable Windows Hello for Business setting and the Use certificate for on-premises authentication setting must be enabled.

Windows 10 also provides PIN complexity settings for control over PIN creation and management. Beginning with Windows 10 version 1703, the policy settings are found under Computer Configuration > Administrative Templates > System > PIN Complexity.
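As an added example that is not part of the Microsoft Digital post or the team's tooling, the following PowerShell script audits whether the policy settings described above have actually taken effect on a client: the Enable Windows Hello for Business setting, the Use certificate for on-premises authentication setting, the hardware-required option (keys generated on the TPM), and the six-character minimum PIN length from the requirements earlier. It reads the policy registry hive; the key and value names under `SOFTWARE\Policies\Microsoft\PassportForWork` are my understanding of the Windows Hello for Business policy template and are an assumption to verify against your ADMX files. The function names are mine.

```powershell
# Added example, not tooling from the Microsoft Digital team.
# Audits Windows Hello for Business policy values as they land in the policy
# registry hive after the Group Policy object is applied.
# ASSUMPTION: key and value names follow the PassportForWork policy template;
# confirm against your ADMX before relying on the result.

$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'   # Computer Configuration scope
    'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork'   # User Configuration scope (where the post's GPO lives)
)

function Get-PolicyValue {
    # Returns the first configured DWORD found across the given roots, or $null
    # when the value is not configured in either scope.
    param(
        [Parameter(Mandatory)][string[]]$Roots,
        [string]$SubKey = '',
        [Parameter(Mandatory)][string]$Name
    )
    foreach ($root in $Roots) {
        $key  = if ($SubKey) { Join-Path -Path $root -ChildPath $SubKey } else { $root }
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null
}

function Test-WhfbPolicy {
    param(
        [string[]]$Roots = $PolicyRoots,
        [int]$MinimumPinLength = 6     # the requirement stated in the post
    )

    $enabled  = Get-PolicyValue -Roots $Roots -Name 'Enabled'
    $hwKeys   = Get-PolicyValue -Roots $Roots -Name 'RequireSecurityDevice'
    $certAuth = Get-PolicyValue -Roots $Roots -Name 'UseCertificateForOnPremAuth'
    $pinMin   = Get-PolicyValue -Roots $Roots -SubKey 'PINComplexity' -Name 'MinimumPINLength'

    # One row per control; a $null value means the policy was never applied.
    @(
        [pscustomobject]@{ Control = 'Use Windows Hello for Business';          Value = $enabled;  Pass = ($enabled  -eq 1) }
        [pscustomobject]@{ Control = 'Use a hardware security device (TPM)';    Value = $hwKeys;   Pass = ($hwKeys   -eq 1) }
        [pscustomobject]@{ Control = 'Use certificate for on-premises auth';    Value = $certAuth; Pass = ($certAuth -eq 1) }
        [pscustomobject]@{ Control = "Minimum PIN length >= $MinimumPinLength"; Value = $pinMin
                           Pass = ($null -ne $pinMin -and $pinMin -ge $MinimumPinLength) }
    )
}

$results = Test-WhfbPolicy
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more Windows Hello for Business policy controls are not in effect on this client.'
}
```

Run it in the context of a user who has received the GPO; a row with an empty Value column tells you the setting never reached the client at all, which is a different problem from a setting configured with the wrong value.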

Policies for Microsoft Azure Active Directory–joined clients

To use the Windows Hello/Windows Hello for Business certificate-based sign-in, configure the certificate profile (Assets & Compliance > Compliance Settings > Company Resource Access > Certificate Profiles). Select a template that has the smart card sign-in extended key usage. Note that to set the minimum key size, this certificate template should be configured on the Simple Certificate Enrollment Protocol (SCEP) Enrollment page; you can then use the Windows Hello for Business and Certificate Properties page to set the minimum key size to 2048.

To set up the desired policy, we also need to create a new Windows Hello for Business profile (Assets & Compliance > Compliance Settings > Company Resource Access > Windows Hello for Business profiles) and specify the following required options:

  • Use Windows Hello for Business
  • Use a hardware security device
  • Use biometrics
  • PIN Complexity

User enrollment experience

When a domain-joined computer running Windows 10 Anniversary Update or later pulls Group Policy settings from a domain controller, certificate enrollment policies and the Windows Hello for Business policies are applied to the Windows 10 computer, provided all the criteria for policy application are met.

Client signs out and signs in (and unlocks) the device

The user unlocks their device, and the certificate enrollment process is triggered.

Certificate enrollment process

After a PIN is successfully created, the scheduled task runs (triggered by Event ID 300, “Key registration was successful.”). It checks for an existing certificate. If the user doesn’t have one, the task requests a new challenge.

At this point, Windows 10 calls on the specified Certificate Services server through AD FS and requests a challenge with an expiration time. If the PIN is cached, the certificate enrollment is triggered.

Certificate renewal behavior

We have configured PIN credential certificates to have a lifetime of 90 days from when they are issued. Renewals will happen approximately 30 days before they expire. When a user next enters their Windows Hello for Business PIN within the 30 days prior to its expiration, a new certificate will be automatically provisioned on their device.

Certificate renewal is governed by Group Policy settings for auto-enrollment. The system checks for certificate lifetime percentage and compares it against the renewal threshold. If it’s beyond the set threshold, a certificate renewal starts.
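The enrollment trigger and the renewal threshold described above can both be checked from the client. The following PowerShell is an added example, not part of the Microsoft Digital post or the team's service telemetry: it computes the elapsed-lifetime percentage for a certificate and compares it against a renewal threshold the way the auto-enrollment check above does (the post's 90-day lifetime with renewal about 30 days before expiry corresponds to a threshold of roughly 67 percent), lists the user's certificates that carry the Smart Card Logon EKU, and reads the most recent Event ID 300 key-registration event. The function names, the 66.7 percent threshold and the constructed dates are mine; the event log name `Microsoft-Windows-User Device Registration/Admin` is where that event is written on Windows 10 as I understand it, and is an assumption.

```powershell
# Added example, not from the Microsoft Digital post.
# Client-side view of the enrollment trigger and renewal behaviour described above.

$SmartCardLogonEku  = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU OID
$KeyRegistrationLog = 'Microsoft-Windows-User Device Registration/Admin'   # assumption: where Event ID 300 lands

function Get-RenewalStatus {
    # Pure calculation, so it can be checked with constructed dates.
    param(
        [Parameter(Mandatory)][datetime]$NotBefore,
        [Parameter(Mandatory)][datetime]$NotAfter,
        [datetime]$Now = (Get-Date),
        # Renew once this share of the lifetime has elapsed.
        # 90-day lifetime, renewal ~30 days before expiry: (90 - 30) / 90 = 66.7 %.
        [double]$RenewalThresholdPercent = 66.7
    )
    $lifetimeDays = ($NotAfter - $NotBefore).TotalDays
    $elapsedPct   = 100 * ($Now - $NotBefore).TotalDays / $lifetimeDays
    [pscustomobject]@{
        LifetimeDays   = [math]::Round($lifetimeDays, 1)
        ElapsedPercent = [math]::Round($elapsedPct, 1)
        DaysToExpiry   = [math]::Round(($NotAfter - $Now).TotalDays, 1)
        Expired        = ($Now -gt $NotAfter)
        RenewalDue     = ($elapsedPct -ge $RenewalThresholdPercent) -and ($Now -le $NotAfter)
    }
}

function Get-WhfbCertificateStatus {
    # Certificates in the user's store carrying the Smart Card Logon EKU,
    # which is what the certificate-based deployment above issues.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku } |
        ForEach-Object {
            $s = Get-RenewalStatus -NotBefore $_.NotBefore -NotAfter $_.NotAfter
            [pscustomobject]@{
                Subject        = $_.Subject
                Thumbprint     = $_.Thumbprint
                NotAfter       = $_.NotAfter
                ElapsedPercent = $s.ElapsedPercent
                RenewalDue     = $s.RenewalDue
                Expired        = $s.Expired
            }
        }
}

function Get-LastKeyRegistration {
    # Most recent Event ID 300 ("Key registration was successful"), the trigger
    # for the enrollment task described above. Returns nothing if none is logged.
    Get-WinEvent -FilterHashtable @{ LogName = $KeyRegistrationLog; Id = 300 } -MaxEvents 1 -ErrorAction SilentlyContinue |
        Select-Object -Property TimeCreated, Id, Message
}

# Worked check with constructed dates: issued 65 days ago with a 90-day lifetime,
# so 72.2 % of the lifetime has elapsed and 25 days remain, inside the 30-day window.
$issued = (Get-Date).AddDays(-65)
Get-RenewalStatus -NotBefore $issued -NotAfter $issued.AddDays(90)

# Live snapshot on a client (no rows if no Windows Hello certificate is present).
Get-LastKeyRegistration
Get-WhfbCertificateStatus | Format-Table -AutoSize
```

A certificate reported as RenewalDue that stays in that state across several sign-ins is the client-side symptom of the issuance delays mentioned later in the post, and is a cue to look at the AD FS registration authority, NDES and CA health rather than at the device.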

Microsoft Intune specifics

The Open Mobile Alliance Device Management (OMA DM) client talks to the Microsoft Intune mobile device management server using SyncML. Policies are routed, and then the user receives the Simple Certificate Enrollment Protocol (SCEP) profile, as configured in our hybrid environment and deployed through Microsoft Intune. Within 10 minutes, the user should receive a certificate. If that fails, the user needs to sync manually.

Service management

We manage identity as a service at Microsoft and are responsible for deciding when to bring in new types of credentials and when to phase out others. When we were considering adding the Windows Hello for Business feature, we had to figure out how to introduce the new credential to our users, and to explain to them why they should use it.

Measuring service health

We’re in the process of creating end-to-end telemetry to measure the service health of Windows Hello for Business. For now, we’re monitoring the performance and status of all our servers. We’re also expanding the service, so adoption and usage numbers are very important metrics that demonstrate the success of our service. We also track the number and types of help desk issues that we see.

We use custom reports created from certificate servers and custom telemetry service metrics to collect prerequisites, and key and certificate issuance times for troubleshooting. Detailed reports about other aspects of the service can also be generated from Microsoft Intune.

We configure a user’s certificate to expire, and certificate renewals are issued with the same key. When necessary, certificates can be revoked directly through Microsoft Intune, which simplifies administration.

Key Takeaways

TPM issues

OEM BIOS initialization instructions and TPM lockout policies are OEM-specific. We performed steps to identify and document the potential issues for each hardware provider. We also communicated to our users that clearing a TPM will cause their private key to not work in Windows Hello for Business.

Preventing PIN enrollment problems

Some of the common issues we saw with users creating their PINs could have been avoided with better communication. These issues included users not understanding the prerequisites or the expected delays in onboarding scenarios. To help avoid these issues, we created a productivity guide to walk users through the steps.

Monitoring end-to-end service health

Windows Hello for Business relies on several underlying services: Microsoft Azure AD, AD FS, Microsoft Intune, NDES, and CA. All of these services need to be healthy and available. Certificate issuance delays can be hard to troubleshoot, but monitoring the health and performance of the supporting services can help.

Building an anti-ransomware program at Microsoft focused on an Optimal Ransomware Resiliency State
http://approjects.co.za/?big=insidetrack/blog/building-an-anti-ransomware-program-at-microsoft-focused-on-an-optimal-ransomware-resiliency-state/
Wed, 19 Jun 2024 15:07:43 +0000

The post Building an anti-ransomware program at Microsoft focused on an Optimal Ransomware Resiliency State appeared first on Inside Track Blog.

Microsoft Digital stories

Microsoft strives to deliver the productivity tools and services the world depends on. With this comes the responsibility of ensuring protection, continuity, and resilience from cyberattacks of all sorts—including emerging threats.

Highlighted in the third edition of the Microsoft Digital Defense Report, ransomware and extortion are considered nation-level threats due to the sophistication and boldness of attacks and their financial impact. No business, organization, or government can be considered safe from the crosshairs of ransomware threat actors. Experts estimate that ransomware’s cost to the world could reach $234 billion within the next decade.

To defend against the evolving ransomware landscape, Microsoft created the Optimal Ransomware Resiliency State (ORRS), a key component of its Ransomware Elimination Program.

This post, the third in our series on ransomware, gives an overview of the concept of ORRS and the steps that you can take to build a ransomware resiliency state of your own.

[Read blog one in our ransomware series: Sharing how Microsoft protects against ransomware. | Read blog two in our ransomware series: Why Microsoft uses a playbook to guard against ransomware.]

What is ORRS?

Optimal Ransomware Resiliency State is the term that the Ransomware Elimination Program team uses to describe our aspiration to defeat ransomware attacks—today and in the future.

Optimal means we’re doing everything we can do—all the ORRS-required capabilities and controls are in place and verified.

—Monty LaRue, principal program manager, Ransomware Elimination Program team

Monty LaRue is the principal program manager on the Ransomware Elimination Program team.

Specifically, ORRS is the outcome of meeting the requirements covering an extensive set of protection and operational capabilities. Built on the foundation of Zero Trust, our ORRS consists of the collection of requirements for training, capabilities, and controls aligned to the NIST Cybersecurity Framework and supported by continuously improved processes and practices. These requirements are common across Microsoft’s business, service, and product groups. Their complete implementation produces an organization-wide state of readiness that protects and defends the company and its customers, while also minimizing exposure and increasing resiliency to ransomware attacks.

“Optimal means we’re doing everything we can do—all the ORRS-required capabilities and controls are in place and verified,” says Monty LaRue, the principal program manager on the Ransomware Elimination Program team.

“It’s about achieving that optimal state through the deployment and operationalization of products, like Microsoft Defender for Endpoint for devices, covering our assets, applications, and infrastructure. We consider training and awareness to be a crucial part of ORRS. It’s essential that everyone knows how to recognize threats and how to respond appropriately. Our toolkit includes incident response plans and playbooks, phishing education and simulation, and other simulation exercises.”

Partnerships are key to producing optimal resiliency

The role of partnerships and teamwork cannot be overstated in the development and maintenance of our Optimal Ransomware Resiliency State. The approach must be holistic and cohesive, closing gaps and seams where possible.

Collaboration and open lines of communication with key stakeholders across Microsoft ensure that products and systems with protection needs are accounted for; likewise, Microsoft’s Ransomware team provides requirements to partnering teams to ensure they are equipped and running the latest defensive measures to minimize their attack surface. All involved parties have a deep understanding of their role in keeping the enterprise and our customers safe.

“We’re looking at Microsoft 365, Windows, and Azure,” LaRue says. “We’re looking at the people running MacOS, Linux, and personal devices within Microsoft. If the platforms and foundations follow Zero Trust principles and are highly resilient to ransomware attacks, everything built on top shares that benefit.”

The Ransomware Elimination Program (REP) team also has close ties to Microsoft’s threat intelligence and research teams, which regularly provide information on the threat landscape and on how attackers’ tactics, techniques, and procedures evolve and trend. They also work with internal Security Operations Centers (SOCs), which monitor threat actors and provide insights via attack data and post-mortems.

The more you prevent and protect, the less you have to respond and recover. The further you are in an attack sequence, the more complex and expensive it is to respond and recover.

—Monty LaRue, principal program manager, Ransomware Elimination Program team

Maintaining our Optimal Ransomware Resiliency State also involves using existing technology, such as the Microsoft Defender suite, with a continuous improvement approach to take advantage of its latest capabilities and threat information. Learnings and insights from the ransomware program team flow back to the product and engineering teams in the form of enhancements or new requirements and features, helping to further improve our commercial products and services. One example is the detection of abnormal file activities, such as encryption or exfiltration, for data stores and backups in commercial services such as OneDrive, SharePoint, and Microsoft Azure, which extends beyond Microsoft’s walls to protect all customers.

The practice of continuous improvement is also applied to the response procedures that make up the ransomware incident response playbook. Tabletop exercises based on new threats and information help to uncover gaps in response procedures, while simulations stress test the response system to ensure the involved security professionals have response readiness excellence should an attack ever breach our protective capabilities and controls.

Our commitment to company-wide alignment reduces the risk of a successful attack and the chance of a resulting payoff. “The more you prevent and protect, the less you have to respond and recover,” LaRue says. “The further you are in an attack sequence, the more complex and expensive it is to respond and recover.”

Building toward an optimal state

As we’ve seen throughout this series, ransomware is evolving and attackers are opportunistic. The goalposts for protection continue to shift, and ransomware’s impact on the world shows no signs of slowing. Because of this, there is no universal optimal resiliency state. Every organization’s situation is unique, from level of exposure to threats, to capabilities and services deployed, to protection needs, so every organization’s optimal state must be tailored to their business and risk tolerances.

“The Optimal Ransomware Resiliency State means different things to each organization, it’s different depending on whether your systems are physical, in the cloud, or hybrid, if you provide high availability services or large data stores, and if you work with highly confidential or sensitive data in regulated environments,” LaRue says.

The task of building an optimal ransomware resiliency state begins with a comprehensive inventory of the current state—and that means asking a lot of questions and doing verifications. Start with an understanding of which business-critical systems and services across the organization must be defended and why. It also means understanding the systems themselves, their dependencies, which configurations and controls are enabled, as well as the state of existing ransomware readiness capabilities. Such an inventory can shed light on high-value targets and the unforeseen risks to them, exposing potential weaknesses and highlighting strengths.

The process of establishing your current state is insightful and has the potential to be humbling, but it encourages taking the next steps in developing your ORRS roadmap. This may include investments in training for response readiness or new technologies to reduce attack surface risk, but all optimal resiliency states require implementing a continuous improvement process to keep the organization and those that depend on it safe now and in the future.

Microsoft’s investment in the Ransomware Elimination Program highlights our commitment to defeating successful ransomware attacks. Establishing our ORRS provides us with learnings and guides us to improving our security posture, which helps the company produce secure and dependable products and services.

Ransomware may be one of the biggest security threats to your organization. Taking up the challenge to develop your own ransomware resiliency state will put you on a path forward to protecting and defending what matters most.

Key Takeaways

  • You will define optimal for your organization, but attackers will always be looking for new avenues. You must be able to shift focus and update your ORRS quickly to match the threat and the attacker’s agility.
  • Ransomware elimination starts with a shared understanding, frameworks such as Zero Trust, and defining your ORRS. Core protections such as MFA, pervasive backups, and comprehensive telemetry and alerts, as part of a holistic, cohesive effort that spans devices and services, are crucial in responding to cyberthreats like ransomware.
  • Implementing tamper-resistant security capabilities and controls, and reducing your attack surface, reduces your malware-related risks.
  • Understanding the right investments is difficult, especially when threats and attackers are moving fast. Engage early and often within your organization to understand your assets, risks, and current state as you define your ORRS and implement capabilities, controls, processes, and practices.

Empowering our employees with generative AI while keeping the company secure
http://approjects.co.za/?big=insidetrack/blog/empowering-our-employees-with-generative-ai-while-keeping-the-company-secure/
Thu, 30 May 2024 23:45:48 +0000

The post Empowering our employees with generative AI while keeping the company secure appeared first on Inside Track Blog.

Generative AI (GenAI) is rapidly changing the way businesses operate, and everyone wants to be in on the action. Whether it’s to automate tasks or enhance efficiency, the allure of what GenAI can do is strong.

However, for companies considering the adoption of GenAI, there are a multitude of challenges and risks that must be navigated. These range from data exposure or exfiltration, where your company’s sensitive data can be accessed by unintended audiences, to direct attacks on the models and data sources that underpin them. Not acting and waiting until the world of GenAI settles down poses its own risk: employees eager to try out the latest and greatest will start using GenAI tools and products that aren’t vetted for use in your enterprise’s environment. It’s safe to say that we’re not just in the era of Shadow IT but Shadow AI, too.

Add to that the fact that threat actors have begun to use these tools in their activities, and you get a real sense that navigating the cyberthreat landscape of today and tomorrow will be increasingly difficult—and potentially headache-inducing!

Here at Microsoft, our Digital Security & Resilience (DSR) organization’s Securing Generative AI program has focused on solving this problem since day one: How do we enable our employees to take advantage of the next generation of tools and technologies that enable them to be productive, while maintaining safety and security?

Building a framework for using GenAI securely

At any given moment, there are dozens of teams working on GenAI projects across Microsoft and dozens of new AI tools that employees are eager and excited to use to boost their productivity or use to be more creative.

When establishing our Securing Generative AI program, we wanted to reuse as many of our existing systems and structures for developing, implementing, and releasing software within Microsoft as possible. Rather than start from scratch, we looked at processes and workstreams that were already established and familiar to our employees and integrated AI rules and guidance into them, such as the Security Development Lifecycle (SDL) and the Responsible AI Impact Assessment template.

Successfully managing the secure roll-out of a technology of this scale and importance takes the collaboration and cooperation of hundreds of people across the company, with representatives from diverse disciplines ranging from engineers and researchers working on the cutting edge of AI technology, to compliance and legal specialists, through to privacy advocates.

Portraits of Roy, Peterson, Enjeti, and Sharma are included together in a collage.
Justin Roy, Lee Peterson, Prathiba Enjeti, and Vivek Vinod Sharma are part of a team at Microsoft working to keep the company secure while allowing our employees to get the most out of GenAI.

We work extensively with our partners in Microsoft Security, Aether (AI Ethics and Effects in Engineering and Research), the advisory body for Microsoft leadership on AI ethics and effects, and the extended community of Responsible AI. We also work with security champions who are embedded in teams and divisions across the enterprise. Together, this extended community helps develop, test, and validate the guidance and rules that AI experiences must adhere to for our employees to safely use them.

One of the most popular frameworks for change management is the three-legged stool, a simple metaphor that emphasizes the need for even effort across technology, processes, and people. We’ve focused our efforts to secure GenAI on those same three legs: strengthening the data governance for our technologies, integrating AI security into existing systems and processes, and addressing the human factor by fostering collaboration and community with our employees. The recent Secure Future Initiative announcement, with its six security pillars, emphasizes security as a top priority across the company and advances our cybersecurity protections.

Incorporating AI-focused security into existing development and release practices

The SDL has been central to our development and release cycle at Microsoft for more than a decade, ensuring that what we develop is secure by design, secure by default, and secure in deployment. We focused on strengthening the SDL to handle the security risks posed by the technology underlying GenAI.

We’ve worked to enhance the embedded security requirements for AI, particularly in monitoring and threat detection. Mandating audit logging at the platform level for all systems provides visibility into which resources are accessed, which models are used, and the type and sensitivity of the data touched during interactions with our various Copilot offerings. This is crucial for all AI systems, including large language models (LLMs), small language models (SLMs), and multimodal models (MMMs), whether they assist with part of a task or complete it entirely.

Preventative measures are an equally important part of our journey to securing GenAI, and there’s no shortage of work that’s been done on this front. Our threat modeling standards and red teaming for GenAI systems have been revamped to help engineers and developers consider threats and vulnerabilities tied to AI. All systems involving GenAI must go through this process before being deployed to our data tenant for our employees to use. Our standards are under constant review and are updated based on the discoveries from our researchers and the Microsoft Security Response Center.

Sharing our acceptance criteria for AI systems

As GenAI and the types of risks and threats to models and systems are ever evolving, so too is our acceptance criteria for deploying AI to the enterprise. Here are some of the key points we take into consideration for our acceptance criteria:

Representatives from diverse disciplines: Our journey begins when a diverse team of experts comes together: engineers, compliance teams, security SMEs, privacy advocates, and legal minds. Their collective wisdom ensures a holistic perspective.

Evaluate against enterprise standards: Every GenAI feature is subjected to rigorous scrutiny against our enterprise standards. This isn’t a rubber-stamp exercise; it’s a deep dive into ethical considerations, potential security, privacy, and AI risks, and alignment with the Responsible AI standard.

Risk assessment and management: The risk workflow starts in our risk management system to raise risk awareness and accountability across leadership teams. It’s more than a formality; it’s a structured process that keeps us accountable. Risks evolve, and so do our mitigation strategies, which is why we revisit the risk assessment of a feature every three to six months. Our assessments are a living guide that adapts to the landscape.

Phased deployment to companywide impact: We used a phased deployment to allow us to monitor, learn, and fine-tune.

Risk contingency planning: This isn’t about avoiding risks altogether; it’s about managing them. By addressing concerns upfront, we ensure that GenAI deployment is safe, secure, and aligned with our values.

By integrating AI into these existing processes and systems, we help ensure that our people are thinking about the potential risks and liabilities involved in GenAI throughout the development and release cycle—not only after a security event has occurred.

Improving data governance

While keeping GenAI models and AI systems safe from threats and harms is a top priority, this alone is insufficient for us to consider GenAI secure and safe. We also see data governance as essential to prevent improper access and improper use, and to reduce the chance of data exfiltration, accidental or otherwise.

Graphic showing the elements of GenAI security governance, including discovering risk, protecting apps, and governing usage.
Discovery, protection, and governance are key elements to protecting the company while enabling our employees to take advantage of GenAI.

At the heart of our data governance strategy is a multi-part expansion of our labeling and classification efforts, which applies at both the model level and the user level.

We set default sensitivity labels on our platforms and on the containers that store content, using Microsoft Purview Information Protection, so that sensitive data is tagged consistently and accurately by default. Where appropriate, we also use auto-labeling policies that apply the Confidential or Highly Confidential label based on the information a document contains. Data hygiene is an essential part of this framework: removing outdated records from containers such as SharePoint reduces the chance that a model grounds its answers on stale or incorrect content, and we reinforce that through periodic attestation.

To prevent data exfiltration, we rely on Microsoft Purview Data Loss Prevention (DLP) policies that identify sensitive information types and automatically apply the appropriate controls at the application or service level (for example, Microsoft 365), and on Microsoft Defender for Cloud Apps (DCA) to detect the use of risky websites and applications and, if necessary, block access to them. Combining these methods reduces the risk of sensitive data leaving our corporate perimeter, accidentally or otherwise.
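As an added example (not Microsoft’s code and not Purview’s implementation), the following Python sketches the shape of the auto-labeling and DLP decision described above: detect sensitive information types in content, raise the sensitivity label accordingly without ever lowering it, and decide whether an outbound share is allowed, flagged with a policy tip, or blocked. The sensitive information type patterns, the label names, the auto-labeling rules, the organization domain contoso.com and the sample content are all assumptions constructed for illustration.

```python
"""Added example, not Microsoft's code: a miniature auto-labeling and
DLP decision pipeline in the spirit of the Purview workflow described
above. The sensitive information type (SIT) patterns, the label names,
the auto-labeling rules and the org domain are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict

LABEL_ORDER = ["Public", "General", "Confidential", "Highly confidential"]

# Simplified stand-ins for built-in SITs; real classifiers also use
# keywords, proximity and confidence levels, not just a pattern.
CREDIT_CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
CLOUD_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")                  # AWS-style access key id
CONN_STR_RE = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s]+")  # password in a connection string

# Assumed auto-labeling rules: which SIT pushes content to which label.
AUTO_LABEL_RULES = {
    "Credit Card Number": "Confidential",
    "Cloud Access Key": "Highly confidential",
    "Connection String Password": "Highly confidential",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out number-like noise such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_sits(text: str) -> Dict[str, int]:
    """Count each SIT present in the text."""
    found: Dict[str, int] = {}
    cards = [re.sub(r"[ -]", "", m.group(0)) for m in CREDIT_CARD_RE.finditer(text)]
    cards = [c for c in cards if luhn_ok(c)]
    if cards:
        found["Credit Card Number"] = len(cards)
    keys = CLOUD_KEY_RE.findall(text)
    if keys:
        found["Cloud Access Key"] = len(keys)
    passwords = CONN_STR_RE.findall(text)
    if passwords:
        found["Connection String Password"] = len(passwords)
    return found


def recommend_label(current: str, sits: Dict[str, int]) -> str:
    """Auto-labeling only ever raises a label; it never downgrades one."""
    best = current
    for sit in sits:
        candidate = AUTO_LABEL_RULES.get(sit)
        if candidate and LABEL_ORDER.index(candidate) > LABEL_ORDER.index(best):
            best = candidate
    return best


@dataclass
class DlpVerdict:
    label: str
    sits: Dict[str, int]
    action: str   # "allow", "notify" (policy tip) or "block"
    reason: str


def evaluate_share(text: str, current_label: str, recipient: str,
                   org_domain: str = "contoso.com") -> DlpVerdict:
    """Decide what happens when content is shared with a recipient."""
    sits = detect_sits(text)
    label = recommend_label(current_label, sits)
    external = not recipient.lower().endswith("@" + org_domain)
    if external and LABEL_ORDER.index(label) >= LABEL_ORDER.index("Confidential"):
        return DlpVerdict(label, sits, "block", f"{label} content cannot leave the organization")
    if sits:
        return DlpVerdict(label, sits, "notify", "sensitive information found; label raised and policy tip shown")
    return DlpVerdict(label, sits, "allow", "no policy match")


if __name__ == "__main__":
    # Constructed sample content, not real data.
    samples = [
        ("card 4111 1111 1111 1111 and 1234 5678 9012 3456", "General", "partner@fabrikam.com"),
        ("Server=db;Password=Sup3rSecret;", "General", "alice@contoso.com"),
        ("Key AKIAIOSFODNN7EXAMPLE in notes", "General", "bob@contoso.com"),
        ("Agenda for Monday", "General", "partner@fabrikam.com"),
    ]
    for text, label, to in samples:
        v = evaluate_share(text, label, to)
        print(f"{to:22} {v.label:20} {v.action:7} {v.reason}")
```

The Luhn check is the detail worth copying: a bare digit pattern alone produces false positives on order numbers and phone numbers, which is why the real sensitive information types combine patterns with checksums and supporting keywords. Note too that the label decision is monotonic; an auto-labeling policy that could lower a label would let a cleaned-up document silently lose the protection its container gave it.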

Encouraging deep collaboration and sharing of best practices

So far, we’ve covered the management of GenAI technologies and how we ensure that these tools are safe and secure to use. Now it’s time to turn our attention to our people, the employees who work with and build with these GenAI systems.

We believe that anyone should be able to use GenAI tools confidently, knowing that they are safe and secure. But doing so requires essential knowledge, which might not be entirely self-evident. We’ve taken a three-pronged approach to solving this need with training, purpose-made resource materials, and opportunities for our people to develop their skills.

All employees and contract staff working at Microsoft must take our three-part mandatory companywide security training released throughout the year. The safe use of GenAI is comprehensively covered, including guidance on what AI tools to use and when to use them. Additionally, we’ve added extensive guidance and documentation to our internal digital security portal ranging from what to be mindful of when working with LLMs to the tools which are best suited to various tasks and projects.

With so many of our employees wanting to learn how to use GenAI tools, we’ve worked with teams across the company to create resources and venues where our employees can roll up their sleeves and work with AI hands-on in a way that’s safe and secure. Hackathons are a big deal at Microsoft, and we’ve partnered with several events including the main flagship event, which draws in more than 50,000 attendees. The Skill-Up AI presentation series hosted by our partners at the Microsoft Garage allows curious employees to learn the safe and secure way to use the latest GenAI technologies not only in their everyday work, but also in their creative endeavors. By integrating guidance into the learning journey, we help enable safe use of GenAI without stifling creativity.

Key Takeaways

Here are our suggestions on how to empower your employees with GenAI while also keeping your company secure:

  • Understand the challenges and risks associated with adopting GenAI technology at your company. Good places to start are assessing the potential for data exposure, direct attacks on models and data sources, and the risks associated with Shadow AI.
  • Develop resources and guidance for your employees to educate them on the risks of using AI, and foster collaboration and a strong community in support of secure use of GenAI.
  • If applicable, incorporate AI-focused security into existing development and release practices. Check out the Security Development Lifecycle (SDL) and the Responsible AI Impact Assessment template for inspiration.
  • Work to bolster your data governance policies. We strongly recommend starting with labeling and classification efforts, employing auto-labeling policies, and improving data hygiene. Consider tools such as Purview Data Loss Prevention (DLP) and Defender for Cloud Apps to prevent data exfiltration and limit improper data access.

Try it out

Learn more about our overall approach to GenAI governance internally here at Microsoft.


Empowering employee self-service with guardrails: How we’re using sensitivity labels to make Microsoft more secure http://approjects.co.za/?big=insidetrack/blog/empowering-employee-self-service-with-guardrails-how-were-using-sensitivity-labels-to-make-microsoft-more-secure/ Wed, 03 Apr 2024 23:02:52 +0000

The post Empowering employee self-service with guardrails: How we’re using sensitivity labels to make Microsoft more secure appeared first on Inside Track Blog.

At Microsoft, empowering our employees to do their best work means trusting them with self-determination. But to do that safely, we need clear data loss prevention systems in place.

We describe it as self-service with guardrails.

Giving employees that level of freedom relies on a robust governance strategy across our data estate that features employee-facing sensitivity labels for Microsoft 365 groups, SharePoint sites, Microsoft Teams, Viva Engage communities, and any other workspace or file employees create and use. The result of good governance is that employees can confidently take action in a self-service environment without the risk of revealing sensitive information.

If you’re considering updating your organization’s governance strategy, our work in this space can be a roadmap for your journey.

[Learn how we’re using sensitivity labeling to secure our meetings in Microsoft Teams Premium. Find out how we use self-service sensitivity labels in Microsoft 365. Check out how we’re getting the most out of generative AI at Microsoft with good Governance.]

We had to really step back and think about data delineation in a way that’s meaningful to the business and our employees. Labeling provides a way for us to impose policies onto objects and containers to prevent or contain any oversharing of sensitive content.

— David Johnson, principal PM architect, Microsoft Digital

What’s at stake: The importance of getting self-service right

To operate according to zero trust principles, we need a coherent system that lets us see, label, and protect data. Otherwise, the burden of data loss prevention falls solely on employees, who would have to exercise individual discretion whenever they’re deciding how to house and share potentially sensitive content.

That’s a heavy burden to put on people every time they deal with working files.

“We had to really step back and think about data delineation in a way that’s meaningful to the business and our employees,” says David Johnson, principal PM architect for Microsoft Digital (MSD), the company’s IT organization. “Labeling provides a way for us to impose policies onto objects and containers to prevent or contain any oversharing of sensitive content.”

Aside from protecting internal content, customer data, and proprietary information, the principal risk is introducing vulnerability into our data estate by leaving access credentials out in the open. For example, internal documentation might include intellectual property such as source code, and source code in turn can carry embedded credentials.

“We have a lot of security investments in protecting our data centers and sources because they’re where our most sensitive information lives, and credentials are a big part of accessing them,” says Maithili Dandige, partner group product manager with Microsoft Security and Compliance.

If malicious actors can access those credentials or other sensitive information, they can do a lot of damage. Properly classifying, labeling, and protecting files and containers is the best way to ensure sensitive information and credentials don’t get compromised.

User-centric sensitivity labels

Our IT professionals within MSD—the organization that supports, protects, and empowers the company through technology—collaborated with a cross-disciplinary team to get our governance structures right.

“We spent a massive amount of time with the oversight committee,” says Faye Harold, principal program manager for information protection services within Microsoft Security and Risk. “That involved our legal team, HR, security, and MSD to define what each label meant.”

It’s important to strike a balance between the depth necessary for supporting an array of data governance controls and the simplicity to ensure labeling isn’t burdensome for users.

At Microsoft, we use four labels for container and file classification:

  • Highly confidential: We only share Microsoft’s most critical data with named recipients.
  • Confidential: Any items crucial to achieving Microsoft’s goals feature limited distribution on a need-to-know basis.
  • General: Daily work like personal settings and postal codes can be shared internally throughout Microsoft.
  • Public: We share unrestricted data meant for public consumption freely. That includes information like publicly released source code and openly announced financials.

The way to approach sensitivity labeling is to ask what problem it solves. Labeling dictates the automated controls you apply to certain items, like encryption, watermarking, or whether employees can share an item with someone outside our organization.

— Maithili Dandige, partner group product manager, Microsoft Security and Compliance

The administrators responsible for workspaces like SharePoint sites set default labels. That serves as a foundation for appropriate access and circulation for objects within those containers. It takes the burden of labeling off employees.

“The way to approach sensitivity labeling is to ask what problem it solves,” Dandige says. “Labeling dictates the automated controls you apply to certain items, like encryption, watermarking, or whether employees can share an item with someone outside our organization.”

The sensitivity labels users and admins apply map to several different categories of policies that anticipate and mitigate data loss and risk. They communicate four key areas:

  • Privacy level. Labels determine whether the workspace is broadly available internally or is a private site.
  • External permissions. Guest allowance is administered via the group’s classification, allowing specified partners to access teams when appropriate.
  • Sharing guidelines. We tie important governance policies to the container’s label. For example, can an employee share this workspace outside of Microsoft? Is this group limited to a specific division or team? Is it restricted to specific people? The label establishes these rules.
  • Conditional access. While not implemented at Microsoft, tying identity and device verification to container labels introduces additional governance controls.

Within MSD, we’ve put a lot of thought into how each of our labels aligns with relevant policies. For example, when a container receives the default label of “Confidential,” guest membership and sharing are disabled. That provides rights protection for the file, even if it leaves the SharePoint site where the employee created it. You can see more of the logic behind our sensitivity labels and their policies below.

A graphic revealing Microsoft’s sensitivity labels and how they relate to various information protection protocols.
This chart shares the logic behind the different policies at work, all prompted by our different sensitivity labels within Microsoft 365.

If a container owner needs different policies for a set of files to provide greater external access, they can self-service new groups without accidentally violating our governance practices.

Microsoft Purview, our suite of data estate management tools, is central to these governance efforts. It accomplishes three sets of tasks: mapping our labeling structure onto the relevant policies, verifying them against our standards, and backstopping self-service data loss prevention practices through automation.

Automation is particularly useful. We’ve configured Microsoft Purview Information Protection to scan automatically for wayward credentials, malicious user behaviors, and other sensitive information in items without the proper protections. When Purview detects a violation, our governance team receives alerts that prompt them to contain the risk by upgrading an item’s sensitivity label or requiring employees to remedy the issue.

The result is a system that allows flexibility for employees to self-manage their digital workspaces while providing guardrails that help our governance experts take appropriate actions without overtaxing their time and resources.

A blueprint for effective data governance

So how can you start your own governance journey? Many of the lessons we’ve learned will be adaptable across different business settings.

Your labeling, policies, and overall governance strategy won’t be identical to ours. But by putting thought into your organization’s unique needs and the problems you’re trying to solve, the labeling features of Microsoft 365 and the data governance capabilities provided by Microsoft Purview will have most of the tools you need without having to build solutions from scratch.

Break things down into where your data is as an overall estate, how it’s currently protected, and the most precious data that’s unprotected. Then you can form a plan.

— Faye Harold, principal program manager for information protection services, Microsoft Security and Risk

Start by getting a firm grasp on the condition of your data estate.

“Break things down into where your data is as an overall estate, how it’s currently protected, and the most precious data that’s unprotected,” Harold says. “Then you can form a plan.”

After you have a solid overview of your data estate, you can apply a concerted strategy to labeling and governance. Here’s a ten-step blueprint to consider for structuring your efforts.

Ten steps for getting tenant data governance right

We think you might find it easier to label your containers before you start thinking about how to label emails and files or think about auto-labeling.

1. Give employees the ability to create new workspaces across your Microsoft 365 applications. By maintaining all data on a unified Microsoft 365 tenant, you ensure that your governance strategy applies to any new workspaces.
2. Limit your taxonomy to a maximum of five parent labels and five sub-labels. That way, employees won’t feel overwhelmed by the volume of different options.
3. Make your labels simple and legible. For example, a “Business-critical” label might imply confidentiality, but every employee’s work feels critical to them. On the other hand, there’s very little doubt about what “Highly confidential” or “Public” mean.
4. Label your data containers for segmentation to ensure your data isn’t overexposed by default. Consider setting your container label defaults to the “Private: no guests” setting.
5. Derive file labels from their parent container labels. That consistency boosts security at multiple levels and ensures that deviations from the default are exceptions, not the norm.
6. Train your employees to handle and label sensitive data to increase accuracy and ensure they recognize labeling cues across your productivity suite.
7. Trust your employees to apply sensitivity labels, but also verify them. Check against data loss prevention standards and use auto-labeling and quarantining through Microsoft Purview automation.
8. Use strong lifecycle management policies that require employees to attest containers, creating a chain of accountability.
9. Limit oversharing at the source by enabling company-shareable links rather than forcing employees to add large groups for access. For highly confidential items, limit sharing to employees on a “need-to-know” basis. Use Microsoft Graph Data Connect extraction in conjunction with Microsoft Purview to catch and report oversharing after the fact. When you find irregularities, contain the vulnerability or require the responsible party to repair it themselves.
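As an added example (not Microsoft’s code), the following Python models the label-to-policy logic described earlier in this post (privacy level, guest allowance, sharing guidelines, file labels derived from the container) together with the after-the-fact oversharing check from step 9 of the blueprint. The policy values behind each label, the organization domain contoso.com, the sample containers and the sharing records are constructed assumptions; the chart on the page holds the real mapping.

```python
"""Added example, not Microsoft's code: the label-to-policy logic and the
after-the-fact oversharing check from the blueprint, modelled in plain
Python. The policy values behind each label, the org domain and the
sample containers and sharing records are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LABEL_ORDER = ["Public", "General", "Confidential", "Highly confidential"]


@dataclass(frozen=True)
class ContainerPolicy:
    privacy: str                  # "public" (discoverable internally) or "private"
    allow_guests: bool            # external guest membership in the group
    external_sharing: bool        # links for people outside the organization
    named_recipients_only: bool   # need-to-know: no org-wide or anonymous links


# Assumed mapping of label -> policy (the page's chart holds the real one).
POLICIES: Dict[str, ContainerPolicy] = {
    "Public": ContainerPolicy("public", True, True, False),
    "General": ContainerPolicy("public", True, False, False),
    "Confidential": ContainerPolicy("private", False, False, False),
    "Highly confidential": ContainerPolicy("private", False, False, True),
}


@dataclass
class Container:
    name: str
    label: str


@dataclass
class Item:
    path: str
    container: Container
    label: Optional[str] = None   # None -> inherited from the container (step 5)

    def effective_label(self) -> str:
        return self.label or self.container.label


@dataclass
class ShareRequest:
    item: Item
    recipient: str       # e-mail address of the person or group being given access
    link_scope: str      # "specific", "organization" or "anyone"
    org_domain: str = "contoso.com"


def can_add_guest(container: Container, member: str, org_domain: str = "contoso.com") -> bool:
    """External permissions: guest membership follows the container's label."""
    external = not member.lower().endswith("@" + org_domain)
    return (not external) or POLICIES[container.label].allow_guests


def label_deviation(item: Item) -> bool:
    """True when an item carries an explicit label weaker than its container's."""
    if item.label is None:
        return False
    return LABEL_ORDER.index(item.label) < LABEL_ORDER.index(item.container.label)


def evaluate(req: ShareRequest) -> Tuple[bool, str]:
    """Apply the sharing guidelines tied to the item's effective label."""
    label = req.item.effective_label()
    policy = POLICIES[label]
    external = not req.recipient.lower().endswith("@" + req.org_domain)
    if req.link_scope == "anyone" and not policy.external_sharing:
        return False, f"{label}: anonymous links are disabled"
    if external and not policy.external_sharing:
        return False, f"{label}: external sharing is disabled"
    if policy.named_recipients_only and req.link_scope != "specific":
        return False, f"{label}: share with named recipients only"
    return True, f"{label}: allowed"


def audit_oversharing(shares: List[ShareRequest]) -> List[Dict[str, str]]:
    """Step 9: re-check existing shares against current labels and report
    the ones that would not be allowed today, plus label deviations."""
    findings = []
    for req in shares:
        ok, reason = evaluate(req)
        if ok and label_deviation(req.item):
            ok, reason = False, (f"explicit label {req.item.label} is weaker than "
                                 f"container label {req.item.container.label}")
        if not ok:
            findings.append({"path": req.item.path, "recipient": req.recipient,
                             "link_scope": req.link_scope, "reason": reason})
    return findings


def sample_shares() -> List[ShareRequest]:
    """Constructed sharing records, not real data."""
    finance = Container("Finance-Planning", "Confidential")
    eng = Container("Engineering-Wiki", "General")
    return [
        ShareRequest(Item("/finance/q3-forecast.xlsx", finance), "partner@fabrikam.com", "specific"),
        ShareRequest(Item("/finance/offsite.docx", finance, "General"), "alice@contoso.com", "organization"),
        ShareRequest(Item("/eng/onboarding.md", eng), "bob@contoso.com", "organization"),
        ShareRequest(Item("/eng/signing-keys.md", eng, "Highly confidential"), "team@contoso.com", "organization"),
    ]


if __name__ == "__main__":
    for f in audit_oversharing(sample_shares()):
        print(f"{f['path']:28} {f['link_scope']:12} {f['recipient']:22} {f['reason']}")
```

Two points in the design match the blueprint. The item’s effective label falls back to the container’s label, so an unlabeled file in a Confidential site is protected without anyone touching it, and an explicit weaker label shows up in the audit as a deviation rather than silently widening access. The audit simply re-runs the same decision over existing shares, which is what lets a tightened label or policy catch links that were fine when they were created.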

Overall, it’s important to be thoughtful about your governance strategy at each stage of this process. For a deeper dive into how we tackled these challenges and inspiration for your own initiatives, review our technical overview of Microsoft’s self-service sensitivity labeling efforts.

Johnson, Harold, and Dandige pose for pictures that have been assembled into a collage.
David Johnson, Faye Harold, and Maithili Dandige helped us establish and implement our sensitivity labeling strategy internally here at Microsoft.

Extending governance throughout our productivity suite

Since we implemented our governance strategy and sensitivity labeling taxonomy, we’ve extended it internally throughout our Microsoft 365 productivity suite to solidify data protection across several different scenarios. Each one showcases a way that a unified data estate with consistent governance empowers employees and unlocks new technologies as it keeps our company’s data safe.

  • Proper governance and labeling ensure that Copilot for Microsoft 365 stays within bounds when sourcing information in support of employee productivity.
  • Since the widespread emergence of generative AI and the application of these technologies across Microsoft, good governance is helping us get the benefits of this technology without risking overexposure through an information free-for-all.
  • We’ve added a new layer of security to Microsoft Teams Premium meetings that activates specific configurations based on a meeting’s level of sensitivity.
  • Our Microsoft Teams meeting data is now subject to robust retention rules determined by the labels we apply, with implications for recordings, transcriptions, and intelligent recaps via Copilot.

These are just a few examples of how sensitivity labels paired with effective data governance are unlocking new capabilities across the Microsoft 365 suite, and our journey continues. By taking steps to apply good governance to your own data estate and building an effective labeling strategy, you can enable self-service for your employees and empower self-determination while maintaining security and minimizing risk.

Key Takeaways

Here are some tips for getting started with labeling at your company:

  • Assemble an oversight committee: Bring in professionals from all relevant disciplines, including HR, legal, security, IT, and anyone else who can share relevant expertise.
  • Make a plan: Be intentional about addressing your unique needs around control and governance.
  • Self-service requires accountability: Set up systems like attestation, site permissions reports, and guest access reviews that trace back to employees.
  • People tend to take the easiest path: Make the IT-preferred path the best and easiest so that it doesn’t erect roadblocks.
  • Educate employees: Support your labeling implementation by making sure users know how and when to share files.
  • Encourage focused sites: Site owners don’t always have adequate knowledge of what they host.
  • Make it simple: Ensure the system you develop makes sense to employees in the easiest possible terms.

Try it out

Get started with labeling at your company.

Looking back at deployment of Windows 11 at Microsoft http://approjects.co.za/?big=insidetrack/blog/looking-back-at-deployment-of-windows-11-at-microsoft/ Fri, 15 Mar 2024 15:09:28 +0000

The post Looking back at deployment of Windows 11 at Microsoft appeared first on Inside Track Blog.

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Windows 11, built on the same foundation as Windows 10, came to us at a time when Microsoft needed to manage a distributed workforce. Historically, it’s not easy to roll out a new operating system across an enterprise as large and complex as ours, but the similarities to Windows 10 meant Windows 11 could use our existing deployment capabilities, scenarios, and tools. Using these familiar tools and processes allowed us to deploy to 90 percent of eligible devices in five weeks, making Windows 11 the easiest and least disruptive release we have experienced to date.

“In nearly every way, Windows 11 Enterprise deploys just like any other Windows 10 feature update,” says Nathalie D’Hers, corporate vice president of Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company. “When you look at the data, our time to deploy, and the number of support contacts, Windows 11 is the most successful Windows deployment in our history.”

We’ve had a great experience with Windows 11. Our migration was smooth and keeping it up to date has been even easier.

—Nathalie D’Hers, corporate vice president, Microsoft Digital Employee Experience

It took our Microsoft Digital Employee Experience team fewer IT resources than ever to move to Windows 11. Most importantly, it wasn’t a burden on our employees. Our Windows 11 deployment enabled us to protect our environment, empower our people, and do so without embarking on an expensive or complicated venture.

“We’ve had a great experience with Windows 11,” D’Hers says. “Our migration was smooth and keeping it up to date has been even easier.”

[Take a look at our rich set of content that chronicles our move to Windows 11. Learn more about Microsoft’s speedy upgrade to Windows 11. Discover how the new Windows 11 security features are designed for hybrid work.]

Why was it so important for us to move to Windows 11?

It’s easy to look at Microsoft and say, “Sure, you’re a giant tech company, you have all these hardware and IT resources, it must be so easy for you to stay current!”

It’s not that simple.

In our attempt to become an evergreen platform, an operating system delivered as a service, we recognized a need to promote a hardware baseline that ensures specific productivity and secure-by-default functions are available to users. Those requirements meant that some devices running Windows 10 would not be eligible, so we needed to delineate the two products: Windows 11 would run side by side with Windows 10, on the devices that met the hardware requirements.

Still, when all is said and done, Windows 11 is based on all the same fundamentals as Windows 10.

And there are a lot of benefits to this.

It allows us to promote adoption without the risk of our apps suddenly breaking. App compatibility between Windows 10 and Windows 11 is more than 99 percent.

In fact, Windows 11 and Windows 10 are so similar, we can run them side-by-side with the same tools. That’s why we were able to manage the Windows 11 Enterprise deployment like previous Windows 10 updates using Windows Update for Business deployment service policies.

Windows 11 is definitely an upgrade from Windows 10, but rolled out and adopted like a typical update. The baseline hardware requirements enable us to provide our people with a more secure and productive environment. We quickly experienced the benefits of Windows 11 security enhancements and new productivity tools to enable exceptional work.

D’Hers smiles in a corporate photo.
Microsoft’s move to Windows 11 is the company’s most successful Windows upgrade in its history, says Nathalie D’Hers, corporate vice president of Microsoft Digital Employee Experience.

A more efficient experience

Prior to migrating to Windows Update for Business, deploying Windows feature updates was a complicated, long-term project.

“We had to create multiple packages, both 64- and 32-bit versions and for each of the supported languages used in our environment,” says Markus Gonis, a service engineer and deployment lead with Microsoft Digital Employee Experience. “Each package was tested and then deployed to multiple distribution points globally for each update. The deployment also relied on a task sequence to download and install the updates on devices which could easily be disrupted.”

This effort could take weeks or even several months.

Furthermore, the process was costly, requiring physical infrastructure dependencies for hosting packages. Gearing up for a new release would also require additional augmented staffing to help run the deployments. To top it off, network and VPN bandwidth limitations could create frustrating delays and interruptions for employees trying to install an update depending on their location.

Moving to Windows Update for Business policies saved both time and money without hurting adoption. The first release to benefit, the Windows 10 October 2018 Update, saw 95 percent adoption within 10 weeks of a feature update being made available to devices. It’s only gotten better since then.

The service eliminated the need for packaging, replication, and publishing activities. All in, Microsoft Digital Employee Experience saved 120 hours of work per deployment along with an additional 90 hours in testing. Further savings were achieved by reducing the reliance on augmented staff to support deployments.

By the time Windows 11 was ready for release in 2021, we had access to Windows Update for Business deployment service.

“This made setting up the deployment even easier,” Gonis says. “Windows Update for Business deployment service reduced administrative overhead considerably by eliminating the need to manually create deployment waves.”

Windows Update for Business deployment service calculates the number of devices based on the initial configuration and deploys more frequently and efficiently to the population. Supplementing this effort, Windows Update for Business reports show us what to target, making it easy to exclude ineligible devices.

Knowing that the Windows 11 Enterprise deployment would be managed by the same technology and processes we rely on for feature updates made it a safe decision. Knowing that it could be done without incurring significant costs made it an easy one.

A faster experience

The key to Microsoft’s successful move to Windows 11 was Windows Update for Business deployment service, says Markus Gonis, a service engineer and deployment lead with Microsoft Digital Employee Experience.

There is another reason we were so confident in the Windows 11 Enterprise deployment. We knew users would benefit from new productivity features without having the upgrade cut into their day.

“A device is your connection to your work experience, especially when you can’t go into the office,” D’Hers says. “Your device shouldn’t get in the way of what you’re doing, so we wanted to make sure our employees had a good upgrade experience.”

We knew certain features in Windows 11—including an improved user interface, tighter integration of Microsoft Teams across apps, and snap layouts—would help our people stay engaged throughout their day. We also knew users would avoid the upgrade if it prevented them from doing their work or became a nuisance.

To create a disruption-free experience, Windows 11 simply downloads and installs in the background and alerts the user when the device is ready. A quick restart finishes the installation, which can be scheduled to take place during non-work hours. As soon as 20 minutes later, the employee is up and running in Windows 11.

The improved update experience, flexibility, and increased end-user control around the update was an enormous success with our people. User sentiment scores for the Windows 11 Enterprise deployment averaged a full 18 points higher than the latest Windows 10 release. This is the highest satisfaction score we have ever seen for a deployment, and it’s significantly higher than the highest score ever received pre-Windows Update for Business, which was 112.

“There were no major incidents reported through support channels directly related to the Windows 11 update nor the deployment,” Gonis says. “The overall incident count unique to Windows 11 was limited to 398 across the entire 225,000 device deployment, with any additional incidents associated with random infrastructure or device management issues that one typically experiences in an enterprise environment.”

Overall, this represents a 40 percent decrease in helpdesk incidents compared to pre-Windows Update for Business deployments.

Each successive version of Windows has brought refinement and optimization to the deployment process. Windows 11 built on this refinement to become the best experience to date. By making the deployment process quick and easy, users gain important productivity features while also taking advantage of new baseline protections.

Secure by default

Windows 11 is about security from the ground up.

“It’s strategic level-setting,” says Carmichael Patton, a principal program manager with Digital Security and Resilience, the division responsible for protecting the company and our products. “At a high level, Windows 11 enforces sets of functionalities we need to make the environment secure by default.”

Windows 11 moved us to having more features be secure by default, says Carmichael Patton, a principal program manager with the Microsoft Digital Security and Resilience team.

To be eligible for a Windows 11 upgrade, a device must meet certain hardware specifications, including TPM 2.0. Because of these new hardware requirements, encryption keys, user credentials, and other vital information are protected from unauthorized access and tampering.

As a result, we can take existing security features found in Windows and allow them to reach their full potential. Windows 11 empowers users to have the same great Windows experience they expect without concession.

“Windows has always let you install whatever you want from wherever,” Patton says, noting that this important level of control is also a way malware can get on your device. “We can now use hardware-backed features in Windows 11 to put policies in place that still enable users to have flexibility in choosing their own applications without compromising security.”

The app control policy behind those hardware-backed features is updated continually, so that common and known-safe apps are permitted while dangerous, unknown, and potentially malicious apps are blocked.

The same hardware-backed protections extend to user identities. Windows Defender Credential Guard and credential isolation with Local Security Authority (LSA) protection are now enabled by default on Windows 11 Enterprise edition. Both protections make it harder for attackers to infiltrate devices and steal a user’s identity.

Microsoft Defender SmartScreen can detect and warn users who are about to enter their password into an app or website that is known to be malicious or used for phishing. It further improves credential hygiene by warning users when they reuse their Windows password or store it unsafely, for example by saving it in a text file.

“Windows 10 could do a lot by configuration but not by default,” Patton says. “Windows 11 moved us to having more features be secure by default. Each new release adds more secure-by-default features.”

Now that we have this security baseline provided by hardware and software synergies, we can enforce security functions in the pipeline for Windows 11.

The Windows 11 experience

We’re now a year into Windows 11 including deploying its first major update, and we can see how deployments continue to become faster, more efficient, and less disruptive. This is in large part because we do not need to adopt any new device management tools or processes. We can run Windows 11 alongside Windows 10 using the same systems.

“Updating Windows 11 is getting even faster with the download and install phases shortening from 90 to an average of 60 minutes in the background and an average 20-minute final restart,” Gonis says. “Most people at Microsoft have a device that can run Windows 11 and, by March, we reached a 97 percent compliance rate.”

Deployment of the Windows 11 2022 Update was even faster than the original release, with over 90 percent adoption in just under five weeks. Excitement around the release resulted in a 50 percent increase in employees installing the update prior to its public release.

This means users are getting the security and productivity features they need to have the best experience possible now and in the future.

Modern hardware running a modern operating system will result in a better experience for everyone involved. Windows 11 serves as a baseline that allows us to easily see the state of security at Microsoft. By lifting the hardware floor, we can ensure users have consistent performance and protection in place.

Key Takeaways

  • Windows 11 strengthens your security posture, allowing you to offload legacy security solutions and centralize administration.
  • Consistency in system integrations and user experiences between Windows 10 and Windows 11 makes it easy to transition without having to adopt new applications or management solutions.
  • Windows Autopilot allows OEMs to automatically register devices in Intune, avoiding manual steps and allowing an organization to preconfigure new devices before distributing them to employees.
  • Windows Update for Business deployment service allows IT administrators to easily segment devices, organizations, and teams to better target deployments. This makes exceptions easier to manage.

The post Looking back at deployment of Windows 11 at Microsoft appeared first on Inside Track Blog.

Lessons learned at Microsoft: Five steps you can take to reduce your ransomware risk
http://approjects.co.za/?big=insidetrack/blog/lessons-learned-at-microsoft-five-steps-you-can-take-to-reduce-your-ransomware-risk/
Tue, 12 Mar 2024 22:16:36 +0000
Microsoft Digital technical stories

As a part of our journey to reduce our ransomware risk internally here at Microsoft, we’ve identified five principles that we believe every enterprise should follow to make themselves more secure from these attacks. We call these our Foundational Five of Ransomware.

While we use Microsoft products to secure our systems, infrastructure, data, and identities, the Foundational Five are product agnostic and can be scaled to meet the needs and requirements of organizations of any size. This is especially important for smaller organizations, with 70 percent of encounters with human-operated ransomware happening in organizations with fewer than 500 employees, according to the Microsoft Digital Defense Report 2023.

 

[Figure: the five principles for fighting ransomware.] We’ve learned that adhering to these five principles is the key to fighting ransomware.

Our Foundational Five are:

  1. Move to modern authentication with phishing-resistant multi-factor authentication.
  2. Always use automatic cloud backup and file syncing.
  3. Work towards having threat- and risk-free environments.
  4. Upgrade your posture management to improve the health of your devices, services, and assets.
  5. Apply least privileged access standards to your full technology stack.

1. Modern authentication with phishing-resistant multi-factor authentication

It’s a well-known fact that today’s threat actors don’t break in, they sign in. Whether done through illicitly acquired credentials, brute force attacks, or phishing, inadequate protective measures for authentication are like leaving the front door wide open for attackers to walk through.

Microsoft Incident Response observed that 21 percent of customers who experienced ransomware didn’t have MFA or didn’t mandate MFA for privileged accounts, while 37 percent didn’t have advanced MFA protection mechanisms enabled.

—2023 Microsoft Digital Defense Report

The growth in password-based identity attacks on Microsoft Entra is startling, with a 10-fold increase observed between 2022 and 2023. While the use of multi-factor authentication (MFA) adds an extra layer of security, threat actors are increasingly turning to techniques such as MFA bombing to catch unwitting users off guard. Earlier in 2023, we observed 6,000 MFA fatigue attempts per day on customer identities. This is why we strongly advise using phishing-resistant MFA.

Phishing-resistant MFA differs from traditional MFA in what the credential is bound to. A one-time code or a push approval is just a secret the user hands over, so a proxy site can relay it to the real service. A FIDO2 credential is bound to the user’s device and, at sign-in, to the origin of the site that requested it: the authenticator signs a challenge together with the relying party ID, and the browser records the page’s origin in the signed data, so an assertion obtained on a lookalike domain is useless at the real one. Windows Hello for Business and FIDO2 credentials, such as hardware security keys and passkeys, are examples of technologies that provide this protection. Combined with Conditional Access policies and step-up authentication, this is an effective way to protect users who have access to sensitive resources or hold high-risk roles.
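The following simulation, added here as an example and not code from the original post or from any Microsoft product, shows why the origin binding described above defeats a relaying phishing site while a one-time code does not. Names such as contoso.example and login-contoso.example are hypothetical, and HMAC stands in for the authenticator’s ECDSA key pair so the script runs with only the Python standard library; the relying-party checks (type, challenge, origin, rpIdHash, signature over authenticatorData plus the hash of clientDataJSON) follow the shape of a WebAuthn assertion.

```python
"""Origin-bound MFA versus a relayable one-time code (stand-alone simulation).
Hypothetical names; HMAC replaces the authenticator's ECDSA key pair so it runs offline."""
import hashlib
import hmac
import json
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Device-bound credentials, one per relying party ID."""

    def __init__(self):
        self.creds = {}  # credential_id -> (rp_id, key)

    def register(self, rp_id):
        cred_id, key = os.urandom(16).hex(), os.urandom(32)
        self.creds[cred_id] = (rp_id, key)
        return cred_id, key  # the RP keeps `key` the way it would keep a public key

    def sign(self, cred_id, rp_id, client_data_json):
        stored_rp_id, key = self.creds[cred_id]
        if stored_rp_id != rp_id:
            raise KeyError("no credential for this rp_id")  # never signs for another site
        authenticator_data = sha256(rp_id.encode())  # the rpIdHash field
        sig = hmac.new(key, authenticator_data + sha256(client_data_json), "sha256").digest()
        return {"credential_id": cred_id, "authenticator_data": authenticator_data,
                "client_data_json": client_data_json, "signature": sig}


class Browser:
    """The browser, not the page, writes the origin into clientDataJSON and polices rp_id."""

    def __init__(self, authenticator):
        self.authenticator = authenticator

    def get_assertion(self, page_origin, rp_id, challenge, cred_id):
        host = page_origin.split("://", 1)[1]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError(f"rp_id {rp_id!r} is not valid for origin {page_origin!r}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        return self.authenticator.sign(cred_id, rp_id, client_data)


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self.keys, self.challenges = rp_id, origin, {}, {}

    def start_login(self, user):
        self.challenges[user] = os.urandom(32).hex()
        return self.challenges[user]

    def verify(self, user, assertion):
        expected = self.challenges.pop(user, None)  # single use, so a replay fails here
        key = self.keys.get(assertion["credential_id"])
        if key is None or expected is None:
            return False
        cd = json.loads(assertion["client_data_json"])
        want_sig = hmac.new(key, assertion["authenticator_data"]
                            + sha256(assertion["client_data_json"]), "sha256").digest()
        return (cd.get("type") == "webauthn.get" and cd.get("challenge") == expected
                and cd.get("origin") == self.origin
                and assertion["authenticator_data"] == sha256(self.rp_id.encode())
                and hmac.compare_digest(assertion["signature"], want_sig))


def setup():
    auth = Authenticator()
    rp = RelyingParty("contoso.example", "https://login.contoso.example")  # hypothetical
    cred_id, key = auth.register(rp.rp_id)
    rp.keys[cred_id] = key
    return Browser(auth), rp, cred_id


def legitimate_login():
    browser, rp, cred_id = setup()
    challenge = rp.start_login("alice")
    return rp.verify("alice", browser.get_assertion(rp.origin, rp.rp_id, challenge, cred_id))


def phished_login():
    """A lookalike site relays the real challenge; the browser refuses to sign for contoso.example."""
    browser, rp, cred_id = setup()
    challenge = rp.start_login("alice")
    try:
        assertion = browser.get_assertion("https://login-contoso.example", rp.rp_id, challenge, cred_id)
    except ValueError:
        return False
    return rp.verify("alice", assertion)


def replayed_login():
    """A captured assertion is worthless later: its challenge has already been consumed."""
    browser, rp, cred_id = setup()
    assertion = browser.get_assertion(rp.origin, rp.rp_id, rp.start_login("alice"), cred_id)
    rp.verify("alice", assertion)
    rp.start_login("alice")
    return rp.verify("alice", assertion)


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 code: the kind a phishing page can relay because it carries no origin."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), "sha1").digest()
    offset = digest[-1] & 0x0F
    return f"{(int.from_bytes(digest[offset:offset + 4], 'big') & 0x7FFFFFFF) % 1_000_000:06d}"


def relayed_otp_login():
    secret, counter = b"constructed-shared-secret", 1_700_000_000 // 30  # constructed inputs
    typed_into_phishing_site = totp(secret, counter)  # user's app, entered on the attacker's page
    return hmac.compare_digest(typed_into_phishing_site, totp(secret, counter))  # real RP accepts
```

The phishing case fails before any signature is made because a page at login-contoso.example cannot ask for an assertion scoped to contoso.example; if the attacker instead asks for an rp_id matching their own host, the authenticator has no credential for it. The TOTP case succeeds precisely because nothing in the six digits says where they were typed.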

Phishing-resistant MFA with conditional access can help prevent:

  • Spear phishing: Attackers craft tailored phishing emails that are sophisticated and challenging to identify, aiming to deceive specific individuals.
  • Remote Desktop Protocol (RDP) brute force attacks: Unauthorized remote access to resources is attempted through the exploitation of stolen credentials.
  • Local password storage: Measures are in place to prevent passwords stored locally on devices from being read or downloaded.
  • Unencrypted credential storage: Credentials are safeguarded against being stored without encryption, which would otherwise allow easy unauthorized access.
  • Credential and cookie theft: Security protocols are enforced to protect against the theft of credentials or cookies directly from browsers.
  • Unauthorized account creation: Systems are secured to prevent the unauthorized addition of new user accounts.

What we use:

Windows Hello for Business enhances multifactor authentication by offering secure sign-in capabilities and enabling a passwordless experience.

Authenticator app is a secure and encrypted application that facilitates multifactor authentication to safeguard access to accounts and services.

Entra ID serves as a comprehensive identity and access management solution.

Security Service Edge (SSE) functions as a unified enforcement point for protecting data and users across all network traffic.

FIDO2 security keys offer hardware-based authentication that is resistant to phishing and other forms of account compromise.

2. Automatic cloud backup and file-syncing for user and business-critical data

Much of the Foundational Five is about setting up preventative measures to secure your organization. But in the event of a successful breach, it’s important that your data remains secure and accessible. For many organizations that have suffered a ransomware attack the biggest costs associated are restoring business continuity, including access to the files and resources vital to your organization.

Setting up automatic cloud backup and file-syncing is one of the simplest ways to achieve this, and arguably delivers the biggest bang for the buck in a ransomware prevention strategy. Active automatic backups blunt common ransomware tactics, including disabling system recovery capabilities and deleting shadow copies, which would otherwise undermine business continuity. Backups restore availability; they do not stop exfiltration, so the leverage behind double and triple extortion (the threat to publish stolen documents) has to be addressed by the access and data controls in the other principles.

“Microsoft has observed that approximately 16 percent of human-operated ransomware activity involved both encryption and exfiltration, while 13 percent used exfiltration exclusively,” states the 2023 Microsoft Digital Defense Report.

We recommend at a minimum setting up automatic cloud backup and file-syncing on all user devices for key folders such as Desktop, Documents, and other locations where user data and business-critical data are stored.

Automatic cloud backup and file-syncing protects people from:

  • Deletion of shadow copy files: These are built-in local backup copies in Windows that aid in device restoration in the event of a compromise.
  • Disabling of recovery features: It ensures that features enabling individual device recovery remain active and cannot be turned off.
  • Document exfiltration for double extortion: Backups remove the encryption half of the leverage in schemes where attackers demand one ransom to decrypt files and another not to publish them; the disclosure threat itself still has to be countered by the access and data controls in the other principles.
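Backups are the recovery control; the detection side of the first two bullets is spotting the commands that delete shadow copies and disable recovery before the encryption stage runs. The script below is an added example, not code from the original post or from Microsoft Defender; it runs a small rule set over constructed process-creation events whose field names loosely follow Sysmon Event ID 1 and Windows event 4688. Host and user names are made up.

```python
"""Flag recovery-inhibition commands in constructed process-creation events (added example)."""
import re

# Command-line patterns for deleting shadow copies and disabling Windows recovery.
RULES = {
    "vssadmin_delete_shadows": r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b",
    "vssadmin_resize_storage": r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b",
    "wmic_shadowcopy_delete": r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "powershell_remove_shadowcopy": r"win32_shadowcopy\b.*\b(?:remove-wmiobject|\.delete\(\))",
    "bcdedit_disable_recovery": r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
    "wbadmin_delete_catalog": r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b",
}
COMPILED = {name: re.compile(pattern, re.IGNORECASE) for name, pattern in RULES.items()}


def normalise(command_line):
    """Strip quotes and collapse whitespace so obfuscated spacing does not dodge the rules."""
    return re.sub(r"\s+", " ", command_line.replace('"', "")).strip().lower()


def match_rules(command_line):
    cmd = normalise(command_line)
    return [name for name, rx in COMPILED.items() if rx.search(cmd)]


def detect(events):
    """Return one hit per (event, rule) pair, keeping the context an analyst needs."""
    hits = []
    for ev in events:
        for rule in match_rules(ev["CommandLine"]):
            hits.append({"rule": rule, "host": ev["Computer"], "user": ev["User"],
                         "parent": ev.get("ParentImage", ""), "command": ev["CommandLine"]})
    return hits


def hosts_with_multiple_techniques(hits, threshold=2):
    """Several distinct techniques on one host is a far stronger signal than a single command."""
    by_host = {}
    for hit in hits:
        by_host.setdefault(hit["host"], set()).add(hit["rule"])
    return sorted(host for host, rules in by_host.items() if len(rules) >= threshold)


SAMPLE_EVENTS = [  # constructed events; the first is a benign admin query and must not fire
    {"Computer": "WS-0412", "User": "CONTOSO\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Computer": "WS-0412", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\Temp\\upd.exe",
     "CommandLine": "C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet"},
    {"Computer": "WS-0412", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\Temp\\upd.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Computer": "WS-0412", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\Temp\\upd.exe",
     "CommandLine": "wbadmin DELETE CATALOG -quiet"},
    {"Computer": "SRV-FILE01", "User": "CONTOSO\\backupsvc", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"Computer": "SRV-FILE01", "User": "CONTOSO\\backupsvc", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "wmic shadowcopy delete"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(f'{hit["host"]:10} {hit["rule"]:28} {hit["command"]}')
    print("hosts with two or more techniques:", hosts_with_multiple_techniques(found))
```

The parent image is kept in each hit on purpose: vssadmin launched from a temp directory binary or from an unfamiliar service account is the detail that turns a single alert into an incident.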

What we use:

OneDrive for Business is used for cloud-based device backups, ensuring data recovery in case of device compromise.

Azure Backup, managed through Backup center in the Azure portal, is used for the automated backup of Azure infrastructure and data, providing a reliable disaster recovery solution.

3. Threat- and risk-free environments

As there are always new and evolving cyber-risks, it’s a continual effort to create an environment that’s protected from ransomware by proactive measures. And while it might not be possible to guarantee an environment entirely free of threats and risks, it’s something worth striving towards.

Creating a threat- and risk-free environment starts with ensuring that the devices joining your network are healthy, and that controls are put in place to ensure vulnerabilities and threats are managed. We ensure this through the comprehensive use of endpoint detection and response (EDR) and our device management policy for all devices and operating systems. Our device health policy includes mandatory encryption, antimalware, tamper protection, specific mandatory hardware configurations, and minimum operating system version requirements. Devices that aren’t patched, updated, or properly configured are frequently exploited by threat actors and are vulnerable to cyberattacks. These devices aren’t allowed on our network—no exceptions permitted.
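The "no exceptions" rule in the paragraph above is easiest to reason about as a function from a device’s health report to an access decision. The evaluator below is an added example, not the team’s own policy or Intune’s compliance engine; the field names, version numbers and device reports are hypothetical and constructed for the example. In production the equivalent is an Intune compliance policy feeding a Conditional Access rule that requires a compliant device.

```python
"""Device-health gate: health report in, allow/deny out (added example, hypothetical fields)."""
from dataclasses import dataclass


@dataclass
class DeviceReport:  # what a management agent might report; constructed for the example
    name: str
    os_version: str           # dotted build string, e.g. "10.0.22631.3296"
    disk_encrypted: bool
    antimalware_running: bool
    signatures_age_days: int
    tamper_protection: bool
    tpm_version: str          # "2.0", "1.2", or "" when no TPM is present
    secure_boot: bool
    edr_onboarded: bool


POLICY = {  # hypothetical baseline mirroring the requirements listed in the text
    "min_os_version": "10.0.22621.0",
    "max_signature_age_days": 7,
    "required_tpm": "2.0",
}


def version_tuple(version):
    """Compare builds numerically; a string compare would rank 10.0.9 above 10.0.19045."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device, policy=POLICY):
    """Return the list of failed checks; an empty list means compliant."""
    failures = []
    if version_tuple(device.os_version) < version_tuple(policy["min_os_version"]):
        failures.append(f"os_version {device.os_version} below {policy['min_os_version']}")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not device.antimalware_running:
        failures.append("antimalware not running")
    elif device.signatures_age_days > policy["max_signature_age_days"]:
        failures.append(f"antimalware signatures {device.signatures_age_days} days old")
    if not device.tamper_protection:
        failures.append("tamper protection off")
    if device.tpm_version != policy["required_tpm"]:
        failures.append(f"TPM {device.tpm_version or 'absent'} is not {policy['required_tpm']}")
    if not device.secure_boot:
        failures.append("secure boot disabled")
    if not device.edr_onboarded:
        failures.append("EDR not onboarded")
    return failures


def access_decision(device, policy=POLICY):
    """A 'require compliant device' rule: any failure denies, and there is no exception list."""
    return "allow" if not evaluate(device, policy) else "deny"


def fleet_summary(devices, policy=POLICY):
    return {device.name: access_decision(device, policy) for device in devices}


SAMPLE_DEVICES = [  # constructed reports
    DeviceReport("WS-0101", "10.0.22631.3296", True, True, 1, True, "2.0", True, True),
    DeviceReport("WS-0102", "10.0.19045.4046", True, True, 2, True, "1.2", True, True),
    DeviceReport("WS-0103", "10.0.22631.3296", False, True, 12, False, "2.0", True, False),
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        print(device.name, access_decision(device), evaluate(device))
```

WS-0102 is a perfectly functional machine that is still denied, because an old build and a TPM 1.2 are exactly the class of device the baseline exists to keep off the network; the failure list is what the help desk needs to tell the user what to fix.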

Threat- and risk-free environments protect against:

  • Platform and supply chain-based attacks: These are sophisticated attacks that target vulnerabilities in the hardware and software supply chain, potentially compromising the integrity of platforms and services.
  • Threat actor reconnaissance: This refers to the preliminary activities of threat actors to gather information about systems and networks, identifying potential vulnerabilities to exploit.
  • Disabling of security features or systems: Prevent unauthorized attempts to disable or circumvent security measures that are in place to protect data and systems.
  • Deployment of ransomware: By maintaining a secure posture, the environment is protected against the deployment of ransomware, which can encrypt data and disrupt operations, demanding a ransom for decryption.

What we use:

Microsoft Entra Privileged Identity Management is used for managing and monitoring privileged roles within our organization.

Microsoft Defender for Cloud offers comprehensive protection across cloud services to secure infrastructure and data.

Microsoft Defender for Endpoint provides advanced threat defense and post-breach detection for endpoints.

Microsoft Entra Identity Protection uses automated responses to detected identity risks, safeguarding user identities within the organization.

4. Posture management for compliance and the health of devices, services, and assets

The standards and policies an organization uses to protect against ransomware are only as good as the degree of adherence. This is where security posture management can help drive down the risk of a successful ransomware attack.

Monitoring cloud-based systems and infrastructure creates visibility and improves control over policies and configurations. It surfaces risks and misconfigurations so they can be discovered and remediated: insecure secrets and keys, potential points of data exposure, and data flows and resources that hold sensitive or shadow data. Increasingly, remediation can be automated when it is triggered by security events.

Strong posture management can protect against:

  • Exploitation of vulnerable services: This prevents attackers from taking advantage of services that have known weaknesses or aren’t regularly updated with patches.
  • Unpatched vulnerabilities in applications: This ensures that applications are kept up to date with the latest security patches to mitigate the risk of exploitation.
  • Scheduled tasks leading to system compromise: This controls and monitors scheduled tasks to prevent them from being used as a pathway for system compromise.

What we use:

Microsoft Defender for Endpoint provides advanced protection for enterprise endpoints with threat prevention, detection, and response capabilities.

Microsoft Defender for Cloud secures cloud services by safeguarding infrastructure and data against threats.

Azure Policy enforces organizational standards and monitors compliance, providing automated remediation for policy violations.

5. Least privileged access applied to the entire technology stack

Least privileged access (LPA) involves limiting access to only what’s necessary to perform the intended function. This includes concepts such as removing admin from a workstation, limiting access to on-premises and cloud environments, and restricting access to critical services to only specific administrative roles. It’s a way of reducing the cyber-attack surface, stopping the spread of malicious activity. Additionally, LPA helps to prevent privilege creep, which happens when users accumulate unnecessary access to accounts over time.

LPA can help prevent ransomware attacks by limiting the access rights of users and devices to only the resources they need to perform their tasks. Should a user or device be compromised by ransomware, the impact and spread of the infection is minimized. Ransomware often relies on exploiting vulnerabilities or stealing credentials to gain access to sensitive data and systems. By applying the principle of least privilege, organizations can reduce the attack surface and the potential damage of ransomware attacks.

We recommend applying LPA over the entire technology stack as it ensures complete protection of all parts including devices, users, applications, systems, and data. Comprehensive application will require a solution that can manage and secure privileged credentials and controls.
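Privilege creep and standing privileged access, the two problems the paragraphs above describe, are both detectable with a periodic access review over role assignments and the activity that actually exercised them. The script below is an added example, not code from the original post or from Microsoft Entra PIM; the assignments, activity records and role names are constructed, and in production the inputs would come from PIM assignment data and the audit and sign-in logs.

```python
"""Access review for privilege creep and standing privileged access (added example, constructed data)."""
from datetime import date, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "Security Administrator"}

ASSIGNMENTS = [  # constructed; "active" is standing access, "eligible" is just-in-time
    {"user": "alice", "role": "Global Administrator", "kind": "active", "granted": date(2022, 1, 10)},
    {"user": "alice", "role": "Exchange Administrator", "kind": "active", "granted": date(2021, 6, 1)},
    {"user": "bob", "role": "Security Administrator", "kind": "eligible", "granted": date(2023, 9, 1)},
    {"user": "carol", "role": "Helpdesk Administrator", "kind": "active", "granted": date(2023, 3, 15)},
]
ACTIVITY = [  # constructed: the role a user actually exercised, and when
    {"user": "alice", "role": "Global Administrator", "when": date(2024, 2, 20)},
    {"user": "bob", "role": "Security Administrator", "when": date(2024, 3, 1)},
    {"user": "carol", "role": "Helpdesk Administrator", "when": date(2023, 10, 2)},
]


def last_use(user, role, activity):
    dates = [a["when"] for a in activity if a["user"] == user and a["role"] == role]
    return max(dates) if dates else None


def review(assignments, activity, today, unused_days=90):
    """Flag roles nobody has used within the window (creep) and standing privileged roles (no JIT)."""
    cutoff = today - timedelta(days=unused_days)
    findings = []
    for a in assignments:
        used = last_use(a["user"], a["role"], activity)
        if used is None or used < cutoff:
            findings.append({"user": a["user"], "role": a["role"], "last_use": used,
                             "finding": "unused: remove"})
        if a["kind"] == "active" and a["role"] in PRIVILEGED_ROLES:
            findings.append({"user": a["user"], "role": a["role"], "last_use": used,
                             "finding": "standing privileged access: convert to eligible"})
    return findings


def apply_review(assignments, findings):
    """Produce the assignment set the review asks for: drop unused roles, make the rest eligible."""
    remove = {(f["user"], f["role"]) for f in findings if f["finding"].startswith("unused")}
    demote = {(f["user"], f["role"]) for f in findings if f["finding"].startswith("standing")}
    result = []
    for a in assignments:
        key = (a["user"], a["role"])
        if key in remove:
            continue
        result.append({**a, "kind": "eligible" if key in demote else a["kind"]})
    return result


if __name__ == "__main__":
    today = date(2024, 3, 12)
    for f in review(ASSIGNMENTS, ACTIVITY, today):
        print(f'{f["user"]:6} {f["role"]:28} last used {f["last_use"]}: {f["finding"]}')
    print(apply_review(ASSIGNMENTS, review(ASSIGNMENTS, ACTIVITY, today)))
```

The 90-day window is the hypothetical review cadence; what matters is that the review compares granted against exercised privilege, because a role that is never used is pure attack surface.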

When applied to the entire stack, LPA protects against:

  • Ransomware: By ensuring that users and devices have access only to the data and systems their roles require, LPA limits what ransomware running under a compromised identity can reach, encrypt, or exfiltrate.
  • Privilege creep: LPA combats the accumulation of unnecessary privileges by users over time, which can be exploited by ransomware and other malicious software.
  • Inappropriate access levels: Regular monitoring and reviews under LPA ensure that users and devices maintain appropriate access levels, reducing the risk of inappropriate access.

What we use:

Entra PIM manages roles and permissions, ensuring just-in-time access to critical resources in line with LPA.

Intune, through Endpoint Privilege Management, lets people work as standard users and elevates only specific, approved actions when necessary.

Entra Conditional Access within Microsoft Entra secures resource access by enforcing rules based on user location, device status, and sign-in behavior.

Building an even stronger foundation

The Foundational Five are an excellent starting point to defending your enterprise against ransomware. However, it’s just the beginning of a broader, more involved strategy against cybercrime.

If your organization doesn’t already have one, consider developing a ransomware incident response playbook and pressure-test its efficacy with table-top exercises or attack simulations. Incident response preparedness has an outsized effect on business continuity and recovery.

Additionally, as phishing is a common starting point for ransomware threat actors, consider frequent phishing simulations, and education and awareness training for employees on topics including business email compromise and vendor email compromise—both of which are on the rise.

Key Takeaways
Here are some suggestions for getting started with the Foundational Five of ransomware elimination at your company:

  • Progressively build up and invest in your ransomware elimination strategy. The goal is to make incremental improvements to reduce your attack surface area.
  • While attackers commonly sign in using stolen credentials, attacks on MFA itself are on the rise. Adopt phishing-resistant credentials such as FIDO2 security keys and passkeys, and keep user privileges to the minimum needed so a compromised account has little room to move laterally.
  • Ensure that the technologies and systems you have in place are properly configured and fully operational. Test your systems to ensure they’re working as expected.
