Our ability to respond to the crisis was greatly enhanced by how prepared Microsoft was to have its employees work from home. Having an entire company suddenly shift to remote working comes with its own challenges—it’s a lot more complex than making sure an employee’s laptop and home Wi-Fi are secure.

Jared Spataro, corporate vice president for Microsoft 365, and Nathalie D’Hers, Corporate Vice President of Employee Experience, shared nine things that our larger IT team, Microsoft Digital, is doing to enable remote work at Microsoft. What I found most interesting about their conversation is how many of those nine things tie back to our Zero Trust initiative.

Specifically, our Zero Trust strategy calls for strong identity authentication everywhere by confirming that all our users are validated using multifactor authentication (MFA). It requires that all devices employees use for work are managed and healthy. It accomplishes this by using Microsoft Intune for device management. It also relies on pervasive telemetry to monitor the performance and health of all services, applications, and networks.

Another way to think of Zero Trust is as a requirement for constant verification. Throughout the process, Microsoft continuously monitors all access to corporate services, applications, and network connections.

Our security strategy has been focused on Zero Trust security principles for a while now. The strategy helps us navigate supporting the vast majority of our employees as they work from home. Our ability to ensure that all of our employees are using MFA and continuously verifying that all devices on our network are managed and healthy has allowed us to accelerate our adoption of our Zero Trust strategy and to move away from a perimeter based security model.

For most of our users, we’ve been able to move away from using virtual private network (VPN) to access our line of business applications. We have moved most of our line of business (LOB) applications to Microsoft Azure, where they are internet accessible. Applications that we are not able to move to Microsoft Azure are being published with an internet proxy. Finally, we use virtualization via Windows Virtual Desktop to provide our employees, vendors, and guests with the ability to access Microsoft applications in a more constrained environment that restricts movement to other Microsoft resources and network resources.

The result is that our employees can remotely access most of our LOB applications without needing to use VPN. This meant Microsoft was very well positioned when it came time to ask our employees to work from home.

We haven’t finished deploying our Zero Trust vision, but our framework is in place, and that’s helping us successfully support our remote-working employees.

If your company is transitioning its workforce to remote working and you don’t already have these same elements in place, it’s probably overwhelming to think about where to begin. We suggest you start by implementing MFA. If you don’t have the necessary hardware to leverage biometrics, you can start with an app like Microsoft Authenticator. This step is the single best thing you can do to secure your environment.

One of the benefits of our approach to Zero Trust is that it gives each company the ability to align security strategy with the cloud-first strategy that we are seeing in the industry. If you want to know more about our approach, read Using a Zero Trust strategy to secure Microsoft’s network during remote work. You’ll find more content about our Zero Trust strategy by visiting this Transitioning to modern access architecture with Zero Trust content suite and by reading this Implementing a Zero Trust security Model at Microsoft article.

The post Microsoft helps employees work securely from home using a Zero Trust strategy appeared first on Inside Track Blog.

Bret Arsenault, corporate vice president and chief information security officer at Microsoft, and security experts from his DSR team at Microsoft attended RSAC 2020 to share how they are responding to security challenges, lessons learned, and proven practices that you can use in your organization.

[Learn how Microsoft transitioned to modern access architecture with Zero Trust. Learn how Microsoft implemented a Zero Trust security model.]

Zero Trust for the real world

There are seven billion devices connected to the internet, and 60 percent of organizations have a formal bring-your-own-device (BYOD) program in place.

“The way we work has also changed,” says Nupur Goyal, a Zero Trust product marketing lead at Microsoft. “With the emergence of a mobile workforce, cloud technology, and ubiquitous access to information, it has become more and more challenging to protect corporate data.”

Coined by the security industry, Zero Trust is a modern approach to security that Microsoft and other enterprises are adopting—don’t assume trust, verify it. The Zero Trust security model treats all requests and every access attempt as though they originate from an untrusted network. However, employees should still have a seamless experience when accessing the resources they need without impeding productivity.

“We have to validate an employee’s identity and device health before giving them access to the files they need,” says Carmichael Patton, a principal program manager in DSR. “As threats evolve, we have to pivot to protect customer data.”

Goyal and Patton shared Microsoft’s implementation strategy, which is geared to ensure that data and application access is specific to an employee’s job function. Organization policy is automatically enforced at the time of access and continuously throughout the session when possible. All devices are enrolled and managed in a device management system, and the network access is routed based on the user’s role. Finally, all controls and policies are backed by rich data insights that reduce the risk of unauthorized lateral movement across the corporate network.

[Check out the slide deck from this RSA session about Zero Trust for the real world.]

Cloud-powered compromise blast analysis

Hackers don’t break in—they log in. To combat this, the security operations center (SOC) at Microsoft operates on a massive scale to support 250,000 active users with even more active devices and Azure user accounts.

“When it comes to protecting identity, our people are our biggest asset and our biggest liability based on how they act,” says Sarah Handler, a program manager at Microsoft. “Our goal is to take the systems and tools we have and use them to nudge user behavior in a way that won’t compromise our systems.”

Kristina Laidler, the senior director of Security Operations and Incident Response at Microsoft, has worked with the SOC to protect Microsoft from adversaries. One challenge is the high volume of data and signals. To address this, the SOC team filters billions of events using machine learning and behavioral analytics to approximately 100 cases a day that the SOC team can triage, investigate, and remediate.

“We have to make sure that the SOC team isn’t looking at false positives, and the things getting through are high fidelity,” Laidler says. “We want to work at the speed of attack. We know attackers are moving fast, and we have to work faster.”

Laidler and Handler have also implemented new analysis methods for identity compromise using cloud logs, security information and event management tools, and advanced telemetry. To prevent future identity threats, Laidler also discussed some technical controls for identity protection such as filters to prevent users from creating predictable passwords with seasons, years, or regional sports teams.

“Using user entity behavioral analytics, we have developed a lot of contextual knowledge about how our users and adversaries act, and we’ve built detections based on those patterns,” Laidler says.

Laidler and Handler also shared their lessons learned. A salient piece of advice is to ask for more from your cloud provider.

“We have such a huge focus on making sure we’re getting feedback and the story from the trenches,” Handler says. “That’s how we build better solutions.”

[Check out the full RSA session on how Microsoft’s Identity Security and Protection team collaborated with Microsoft Digital to implement new blast analysis methods for identity compromise.]

Breaking password dependencies: Challenges in the final mile at Microsoft

Director of Identity Security Alex Weinert and Lee Walker, a principal program manager in DSR Identity and Access, shared the lessons learned of Microsoft’s journey to eliminate passwords and practical guidance to help with yours.

Weinert’s team worked with Walker’s team to eliminate legacy authentication at Microsoft, and they’re currently blocking 1.5 million legacy authorization attempts per day. Getting to this point didn’t happen overnight. The company has been using multi-factor authentication (MFA) using smartcards, phone authorization, Windows Hello for Business, and FIDO2. In 2019, Microsoft required MFA for all employees, but some employees still used legacy authentication. Disabling legacy authentication was a process, and Walker’s team needed to talk to the owners of applications that used legacy authorization, keep 90 days of history to track where owners signed in with legacy authorization, and simulate policies to predict breaking scenarios.

Weinert advised attendees to capture logs of when users sign in, find legacy traffic, and talk to business owners in those organizations.

“You have to figure out what application is behind that sign-in, understand how and why it’s used, and work to replace it or contain it,“ Weinert says. “Recognize that your plan will evolve based on these conversations.”

Weinert also encouraged attendees to decide not if, but when to start, especially because Microsoft Exchange is removing support for basic authorization in October 2020.

“You don’t need to be faster than the bear, but you don’t want to be the slowest runner either,” Weinert says. “Learn from our painful mistakes. You can flip the switches, but the hard part is the humans.”

[Check out the slide deck from this RSA session on Microsoft’s journey to move away from passwords.]

Microsoft’s security team changes the employee training playbook

All Microsoft employees are accountable for keeping the company’s data and customers safe. Ken Sexsmith, director of Security Education and Awareness in DSR, and his team are changing the way that Microsoft approaches training by making it approachable and fun for employees through enterprise-wide training, behavioral campaigns, and phishing simulations.

“We are on the frontlines of driving digital transformation through behavior and culture change,” Sexsmith says. “We saw an opportunity to take an innovative approach to security training, and we had full support from leadership.”

The team takes a multi-pronged approach to change employee behavior by motivating, reinforcing, and applying behavior changes. Sexsmith’s team does this through awareness campaigns and security training, which strengthen security and privacy best practices.

“Within an hour, you lose 50 percent of the information that you were just told,” Sexsmith says. “Within 24 hours, 70 percent of that information has escaped. As adult learners, we have to continue to reinforce that knowledge.”

For companies or teams who are trying to change their approach to security education, Sexsmith suggests that attendees start by identifying listening systems to understand the biggest risks at the company, and finding engaging ways to communicate them to employees. The team has also been sharing the impact of their training and continue to solicit feedback that informs future versions.

• Learn how Microsoft transitioned to modern access architecture with Zero Trust.
• Learn how Microsoft implemented a Zero Trust security model.

The post How Microsoft is transforming the way it fights security threats appeared first on Inside Track Blog.