The Microsoft Authenticator app is getting a backend upgrade that lets it suppress notifications for risky sign-ins, in an attempt to mitigate the “MFA fatigue” caused by a newer attack tactic called MFA bombing. As a big internal advocate of passwordless within my own organisation, this is great news…
What is MFA Bombing
“MFA bombing” is an attack method in which an attacker who already holds a user’s password repeatedly attempts to sign in from unfamiliar locations, causing a flood of MFA prompts. The aim is to trick the user into tapping Accept and allowing the sign-in, simply because they get sick of dismissing notifications. These are also known as MFA fatigue attacks.
Microsoft say that this new policy should address the root cause of this growing attack method.
How Microsoft Authenticator protects against MFA Bombing
In response to this, Microsoft’s Authenticator app will now automatically suppress notifications that come from “risky sign-ins”, building on number matching, an MFA method that requires users to verify their identity by entering the number displayed on the sign-in screen.
This is aimed at protecting users who still rely on the simple approve/deny method, but it acts on any method in use. Microsoft will now suppress Authenticator notifications when a request is deemed to pose potential risk, such as when the request originates from an unfamiliar location or exhibits other anomalies such as repetitive requests (the bombing itself).
With this feature, when a login request looks risky, the standard push notification is not sent to the user’s device via the Authenticator app. Instead, the person at the sign-in screen (the user, or the attacker) sees an on-screen message telling them to “Open your Authenticator app and enter the number shown to sign in”.
When the genuine user opens the Authenticator app, the pending request is waiting for them and they can complete the sign-in.
If the request was not made by the user, no notification appears in their Authenticator app, so they have no reason to open it and the request simply times out.
This significantly reduces user inconvenience by eliminating irrelevant and known-risky authentication prompts.
Microsoft recommend “number matching”
Whilst these additional protections are great, organisations are recommended to implement number matching (if it is not already enabled by default). Number matching enhances the security of the sign-in process by requiring users to enter the number displayed on the sign-in screen when approving an MFA request in the Authenticator app. This has a number of immediate benefits over simple approve/deny options, including:
It prevents accidental approvals by making sure that you are aware of the sign-in request and have access to the sign-in screen.
It defends against MFA fatigue attacks, which spam you with multiple notifications in an attempt to trick you into approving an access request.
It provides an additional layer of security by verifying that the device or app that generates the numbers is the same as the one that receives the approval request.
The implementation of number matching is a great way forward and has been extremely successful in stopping attackers who engage in MFA fatigue / bombing attacks.
Combined with the new suppression technology for known attacks, Microsoft say that this change has already prevented more than 6 million MFA notifications since September 2023.
Number matching in MFA is available for the Microsoft Authenticator app and can be enabled by IT admins for different scenarios, such as multifactor authentication, self-service password reset, combined registration, AD FS adapter, and NPS extension.
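As an added illustration (not Microsoft’s code and not part of the original post), the following Python simulation contrasts the approve/deny push flow with number matching under risk-based suppression, and adds a simple detection pass a SOC could run over sign-in logs to spot a bombing burst. The thresholds, user and location names, log format and function names are all assumptions made for this example.

```python
"""Simulation of MFA bombing against approve/deny push versus number matching with
risk-based notification suppression, plus a detection pass over sign-in logs.
Constructed example: thresholds, locations and log format are assumptions."""
import secrets
from collections import defaultdict

BURST_WINDOW = 300     # seconds; assumed, not Microsoft's real threshold
BURST_THRESHOLD = 3    # assumed: the third request inside the window counts as repetitive


class AuthenticatorPolicy:
    """Decides whether an MFA request is risky (unfamiliar location or repetitive)."""

    def __init__(self, familiar_locations):
        self.familiar = familiar_locations       # user -> set of known sign-in locations
        self.history = defaultdict(list)         # user -> timestamps of recent requests

    def is_risky(self, user, location, ts):
        recent = [t for t in self.history[user] if ts - t <= BURST_WINDOW]
        recent.append(ts)
        self.history[user] = recent
        unfamiliar = location not in self.familiar.get(user, set())
        repetitive = len(recent) >= BURST_THRESHOLD
        return unfamiliar or repetitive


def legacy_push(policy, user, location, ts, user_taps_approve):
    """Approve/deny push: every request notifies, and one tap approves whoever started it."""
    policy.is_risky(user, location, ts)          # risk is recorded, but the push still goes out
    return "approved" if user_taps_approve else "denied"


def start_number_match(policy, user, location, ts, rng=secrets.randbelow):
    """Number matching: the sign-in screen shows a number that must be typed into the app.
    A risky request is not pushed to the phone, but the user can still open the app."""
    risky = policy.is_risky(user, location, ts)
    return {"user": user, "number": rng(100), "notified": not risky, "state": "pending"}


def answer_number_match(challenge, entered):
    """entered=None models a user who never opened the app: the request times out."""
    if entered is None:
        challenge["state"] = "timed_out"
    elif entered == challenge["number"]:
        challenge["state"] = "approved"
    else:
        challenge["state"] = "denied"
    return challenge["state"]


def simulate_bombing(location, requests=5, fatigue_after=4):
    """Someone holding alice's password triggers `requests` MFA prompts from `location`.
    Returns (legacy outcomes, number-matching outcomes, pushes shown under number matching)."""
    victim = "alice"
    familiar = {victim: {"office-uk"}}
    legacy, matching = AuthenticatorPolicy(familiar), AuthenticatorPolicy(familiar)
    legacy_out, match_out, pushes_shown = [], [], 0
    for i in range(1, requests + 1):
        ts = 10 * i
        # Fatigued user taps Approve on the nth prompt just to make the noise stop.
        legacy_out.append(legacy_push(legacy, victim, location, ts, i == fatigue_after))
        ch = start_number_match(matching, victim, location, ts, rng=lambda n: 42)
        pushes_shown += ch["notified"]
        # The number is on the attacker's screen, not alice's, so she has nothing to type.
        match_out.append(answer_number_match(ch, None))
    return legacy_out, match_out, pushes_shown


# Constructed sign-in log for the detection pass: 'ts,user,location,result'
SAMPLE_LOG = [
    "1000,alice,unfamiliar-country,timed_out",
    "1010,alice,unfamiliar-country,timed_out",
    "1020,alice,unfamiliar-country,timed_out",
    "1030,alice,unfamiliar-country,timed_out",
    "1100,bob,office-uk,approved",
    "5000,bob,office-uk,denied",     # one denial hours later is not a burst
]


def detect_mfa_bombing(log_lines, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Flag users with `threshold` or more unanswered/denied MFA requests inside `window`."""
    by_user = defaultdict(list)
    for line in log_lines:
        ts, user, _location, result = line.strip().split(",")
        if result in ("timed_out", "denied"):
            by_user[user].append(int(ts))
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        for i in range(threshold - 1, len(stamps)):
            if stamps[i] - stamps[i - threshold + 1] <= window:
                flagged[user] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    print("unfamiliar location:", simulate_bombing("unfamiliar-country"))
    print("familiar location:  ", simulate_bombing("office-uk"))
    print("flagged users:", detect_mfa_bombing(SAMPLE_LOG))
```

Running the simulation from an unfamiliar location shows the legacy flow being approved on the fourth prompt while every number-matching request times out with zero pushes shown; from a familiar location the first two pushes are still shown and the repetition signal suppresses the rest. The detection pass flags alice after three unanswered requests inside the window, which is the kind of signal a SOC would want alongside the suppression itself.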
Microsoft hosted a live Surface and AI event on Thursday 21st September where they announced a lot of new and exciting features and products across its various platforms and services. In this blog post, I have tried to summarise the most notable ones and explain how they might benefit you and your organisation.
Disclaimer (and product plug) - Since this was an AI event in whole, I also want to state that other than some slight tweaks, this blog post was written by Bing Enterprise Chat - Microsoft Designer created the image. The whole thing took less than 10 minutes.
Copilot: Your AI Assistant at Work and Beyond
Copilot is a new feature that uses artificial intelligence (AI) to help you with various tasks, such as drafting emails, summarizing texts, creating images, and more. You can access Copilot from Windows 11, Microsoft 365, Edge, and Bing, and chat with it in natural language. Copilot will understand your intent and provide relevant assistance based on the context and your data.
For example, you can ask Copilot to draft an email for you with a specific tone, or to generate a graphic art based on your description. You can also use Copilot to answer questions, troubleshoot your PC, control your settings, and access recommendations. Copilot is designed to save you time, reduce your cognitive load, and ignite your creativity.
Copilot will be generally available for enterprise customers on November 1st, and for a select group of consumers and small business customers as part of the Early Access Program (EAP). It will initially be limited to three hundred licenses and will cost $30 per user per month.
Windows 11: The Most Powerful and Personal Windows Ever
Windows 11 is the latest (and IMO best) version of Microsoft’s desktop operating system that powers millions of devices around the world. Windows 11 offers a fresh and modern design, improved performance and security, and a more personalised and connected experience. They announced the latest update coming next week (Sept 26th). Some of the new features in Windows 11 will include:
An updated Start menu that gives you quick access to your apps, documents, and settings.
An updated Taskbar that lets you easily switch between multiple instances of each app, hide the time and date, and end tasks with a right-click.
A new Dev Home that helps you set up your development environment by downloading apps, packages, or repositories, connecting to your developer accounts and tools, and accessing experimental features in WSL.
A new Dev Drive that provides a fast and secure storage volume for developers, with a file system that delivers both performance and security.
A new WinGet Configuration that simplifies the setup process for developers by reducing it to a single command.
New Gallery in File Explorer that makes it easy to access your photo collection across all your devices.
A new Snipping Tool that lets you record your screen with audio and mic support, copy and redact text from a screenshot, and edit your images with Paint.
A new Photos app that has new editing capabilities to achieve stylish background blur effects and makes it easier to find specific images backed up in OneDrive.
Updated Narrator that uses natural human voices in new languages, and lets you use voice access to log in to your PC and access other areas on the lock screen.
Refreshed Notepad app that automatically saves your session state, allowing you to close Notepad without any interrupting dialogs and then pick up where you left off when you return.
A new Instant Games feature that lets you play your favorite casual games directly from the Microsoft Store without the need to download and install them on your device.
Windows Copilot – Your Copilot for Windows.
Windows 11 also announced general availability of Windows 365 Boot and Windows 365 Switch, which allow you to log into your Windows 365 Cloud PC as the primary Windows experience on the device or easily switch between the Cloud PC and the local desktop. Windows 365 is a cloud PC service that lets you stream a full Windows experience from anywhere on any device and is fully managed from Intune.
This update will start rolling out as a free update on September 26th.
Surface: The Ultimate Devices for Work and Play
Surface is Microsoft’s line of devices that combine innovative design, powerful performance, and versatile functionality. Surface devices are built to work seamlessly with Windows 11 and Microsoft 365, offering the best productivity and creativity tools for work and play. I am a massive fan of Surface
The new / refreshed Surface devices include:
Surface Laptop Studio 2: The most powerful Surface ever built, with the latest Intel Core processors, NVIDIA Studio tools for creators, touchscreen display, and flexible design with three unique postures.
Surface Laptop Go 3: The lightest and most portable Surface Laptop, with touchscreen display, premium features like an incredible typing experience and a Fingerprint Power Button, and four stylish colours.
Surface Go 4: The baby Surface Pro is, this time, available only for the corporate and not the consumer market (why??). The device has the same dimensions as before but is more repairable (the most repairable and sustainable device in the Surface fleet). It ditches the 4GB RAM option (good) and brings a higher-spec entry-level processor. Pricing increases too, which is a shame, as is ditching the consumer market. These are great for school kids.
Surface Hub 3: The ultimate collaboration device for teams, with a large interactive display that runs the Microsoft Teams Rooms experience. Surface Hub 3 pairs seamlessly with Teams-certified devices and supports Hub on day one. An upgrade path was also announced for Surface Hub 2S customers to move to Surface Hub 3.
The new Surface devices are available for pre-ordering now.
Microsoft 365: The World’s Productivity Cloud
Microsoft 365 is a cloud-based subscription service that offers the best productivity apps for work and life. Microsoft 365 includes apps like Outlook, Word, Excel, PowerPoint, OneNote, OneDrive, Teams, Stream, Loop, Clipchamp, and more.
Microsoft 365 Copilot (which will be available from 1st November) is an add-on service at $30 per user per month and provides in-built AI-powered features and services that help you get more done across all your Office 365 apps and services – with support also coming to Microsoft Designer, Loop and Clipchamp and more.
Some of the new features and services in Microsoft 365 include:
Copilot in Outlook, Excel, Word, Loop, OneNote, Stream, and OneDrive: Copilot is integrated into various Microsoft 365 apps to provide AI assistance for different tasks. For example, you can use Copilot in Outlook to draft emails, in Excel to create charts, in Word to summarize documents, in Loop to generate content blocks, in OneNote to take notes, in Stream to transcribe videos, and in OneDrive to find files.
Generative Expand, Fill, and Erase in Microsoft Designer: These features let you manipulate images in creative ways, such as expanding the canvas, filling in missing areas, or erasing unwanted objects. Generative Erase is generally available now, and Generative Fill and Expand are coming soon.
Copilot Lab: Copilot Lab is a feature that lets you learn how to use Copilot effectively, share your favorite prompts with coworkers, and get inspired by other users. Copilot Lab will be accessible to all Microsoft 365 Copilot users once it’s generally available in November.
Mobile Application Management (MAM) for Windows: This feature allows employees to access organisational resources through Microsoft Edge from an unmanaged device, while giving IT the ability to control the conditions under which the resources can be accessed.
Bing and Edge: The Smartest Way to Search and Browse
Bing and Edge are Microsoft’s search engine and web browser that offer a fast, secure, and personalized way to search and browse the web. Bing and Edge use AI to provide relevant information and assistance based on your needs and preferences.
Some of the new features and improvements in Bing and Edge include:
DALL-E 3 in Bing Image Creator and Microsoft Designer integration: Bing Image Creator is a feature that lets you create images from text descriptions using AI. Bing Image Creator is now powered by DALL-E 3, which produces more realistic and detailed images. You can also access Bing Image Creator directly from Microsoft Designer for further editing.
Content Credentials: Content Credentials is a feature that uses cryptographic methods to add an invisible digital watermark to all AI-generated images in Bing. This helps you verify the origin and authenticity of the images. Content Credentials will be supported in Bing Image Creator, Microsoft Designer, and Paint soon.
Bing Chat Enterprise: Bing Chat Enterprise is a feature that lets you chat with Copilot from the Edge mobile app. You can also use multimodal visual search and Image Creator from Bing Chat Enterprise.
Copilot in Microsoft Shopping: Copilot in Microsoft Shopping is a feature that helps you find what you’re looking for more quickly. You can ask for information on an item, and Bing will ask additional questions to learn more. Then, Bing will use that information to provide more tailored recommendations. This feature will be available soon on both PC and mobile.
Personalised Answers: Personalised Answers is a feature that uses your chat history to inform your results. For example, if you’ve used Bing to track your favorite soccer team, next time you’re planning a trip it can proactively tell you if the team is playing in your destination city. Personalized Answers will begin to roll out soon.
Microsoft Advertising: The Best Way to Reach Your Customers
Microsoft Advertising is a platform that helps businesses connect with their customers across the web. Microsoft Advertising offers various solutions and tools to create effective and engaging ads that reach the right audience at the right time.
Some of the new features and improvements in Microsoft Advertising include:
Copilot in the Microsoft Advertising Platform: Copilot in the Microsoft Advertising Platform is a feature that simplifies and enhances every aspect of your experience with the platform. You can use Copilot to create campaigns, get content recommendations, optimize your performance, and more. This feature will be coming soon.
Compare & Decide Ads: Compare & Decide Ads are a new type of ads that pull relevant data of various products or services into a succinct table. This helps users easily evaluate different options based on their criteria. Compare & Decide Ads will be available for cars initially and will be brought to closed beta in early 2024.
These are just some of the highlights from the Microsoft September 2023 News. There are many more features and products that we didn’t cover here, but you can find them on the current web page context. I hope you are excited about these new developments, and I would love to hear what you are most excited about.
Cisco has announced that it will acquire Splunk, a cybersecurity and observability platform, for $28 billion.
Cisco say that the acquisition is expected to help them create the next generation of AI-enabled security and observability solutions, moving organisations from threat detection and response to threat prediction and prevention.
This will build on the extensive full-stack observability platform Cisco already has, including ThousandEyes and Cisco AppDynamics.
This is the biggest acquisition in Cisco’s history and a massive push into software and artificial-intelligence-powered data analysis. With two complementary services coming together, it should help Cisco achieve its mission to “securely connect everything to make anything possible, and move from threat detection and response to threat prediction and prevention”.
Splunk President and CEO Gary Steele will join Cisco’s Executive Leadership Team reporting to Chuck Robbins.
What is Cisco’s Full Stack Observability offering?
Cisco’s Full-Stack Observability (FSO) solutions bring together performance and availability data from on-premises, cloud and SaaS applications. This allows organisations to monitor traditional and modern applications, track the performance of cloud-native applications, and correlate network metrics with application performance data, providing real-time insights and recommended actions for any performance-related issue along with its potential impact to the business.
Cisco Full-Stack Observability is a single platform that brings together multiple solutions, including AppDynamics, ThousandEyes, and Cisco Secure Application. Splunk will soon be added to this!
The platform is open and extensible, API-driven, focused on OpenTelemetry, and anchored on Metrics, Events, Logs, and Traces (MELT).
You can find more information about Cisco Full-Stack Observability solutions on the Cisco website.
Microsoft have announced that organisations with Microsoft 365 E5 subscriptions will soon be getting a new “service plan” called “Defender for IoT – Enterprise IoT Security”.
As spotted in the Microsoft 365 Message Center update [ID: MC673712] over the weekend, this service plan will provide both Microsoft 365 E5 customers and those who have the Microsoft 365 E3 add-on [E5 Security] with real-time device discovery, continuous monitoring, and vulnerability management capabilities for up to 5x enterprise IoT devices (such as printers, scanners, cameras, smart TVs and VoIP phones) per user license [so an organisation with 2,500 devices will get support across the organisation]. Additional per-device licenses will also be available for purchase.
This will start to roll out next month (October 2023) and provides tools and insights to protect enterprise IoT networks, including:
Agentless IoT device monitoring
Support for cloud, on-premises, and hybrid OT networks
Support for modern and proprietary operational technology (OT) protocols
Lightweight security micro-agents which allow IT to build security straight into IoT operations and innovations.
Read more on securing IoT devices for “Defender for IoT – Enterprise IoT Security”.
Cisco has added ransomware detection and recovery support to its recently unveiled Extended Detection and Response (XDR) system.
Ransomware is a type of malicious software that encrypts the end user’s device and data and demands a ransom for its decryption. Ransomware attacks can cause considerable damage to businesses and organisations, disrupting their operations and compromising their data. To combat this threat, Cisco has now introduced a new solution that integrates their new Extended Detection and Response (XDR) platform with Cohesity’s DataProtect and DataHawk offerings.
Cisco’s XDR system is a cloud-based platform that combines multiple security products and telemetry sources to detect, analyse, and respond to threats across the network and endpoints. As Cisco announced the general availability of their XDR platform, they also announced that they have added ransomware detection and recovery support to it, enabling Security Operations Center (SOC) teams to automatically protect and restore business-critical data in the event of a ransomware attack.
This feature is made possible by integrating Cisco’s XDR system with Cohesity’s DataProtect and DataHawk offerings, which are well-established and trusted infrastructure and enterprise data backup and recovery solutions. These provide configurable recovery points and mass recovery for systems assigned to a protection plan, and can preserve potentially infected virtual machines for forensic investigation and protect enterprise workloads from future attacks.
Cisco said that the exponential growth of ransomware and cyber extortion has made a platform approach crucial to effectively counter adversaries. It also noted that during the second quarter of 2023, the Cisco Talos Incident Response team responded to the highest number of ransomware engagements in more than a year.
The integration of Cisco’s XDR system and Cohesity’s solutions is designed to help Security Operations Centre (SOC) teams and IT automatically detect, snapshot, and restore business-critical data at the very first signs of a ransomware outbreak, often before it has had a chance to move laterally through the network to reach high-value assets.
In the announcement, Cisco and Cohesity said that they already have a long-standing partnership, with over 460 joint customers. Cisco have said that the Cohesity Cloud Services package will also be able to be sold by Cisco channel partners like Cisilion later in 2023. The Cohesity Cloud Services include data security and management as well as threat defense, data isolation and backup/recovery. Cisco have also said that the software can be deployed and hosted on both Microsoft Azure and Amazon Web Services (AWS) via their marketplaces.
This brings more features to Cisco’s XDR service (a competitive landscape where they compete against the likes of Microsoft, SentinelOne and Palo Alto) and brings together a myriad of first-party Cisco and third-party security products to control network access, analyse incidents, remediate threats, and automate response, all from a single cloud-based interface. The offering gathers six telemetry sources that SOC operators say are critical for an XDR solution: endpoint, network, firewall, email, identity, and DNS, Cisco stated in the announcement.
Part of Cisco’s growing Security Portfolio
The Cisco Security portfolio is a comprehensive set of solutions that work together to provide seamless interoperability with your security infrastructure, including third-party technologies. Their growing portfolio covers various aspects of security, such as network security, user and endpoint protection, cloud edge, advanced malware protection, email security, web security and workload security. The Cisco XDR system is part of this portfolio and integrates with other Cisco products and services to detect, analyse, and respond to threats across the network and endpoints.
The Cisco XDR system can leverage threat intelligence from Cisco Talos and the cloud-based platform known as Cisco SecureX, as well as the backup and recovery solutions from Cohesity, to provide a powerful and proactive defense against ransomware and other advanced threats. Cisco XDR also supports third-party integrations with other security vendors, including Microsoft, Splunk and many others.
Cisco have invested, and continue to invest, heavily in their end-to-end security portfolio, and their XDR solution (as of December 2022) is on the cusp of moving into the Leaders quadrant in the Gartner Magic Quadrant for Endpoint Protection.
Cisco’s XDR play competes against other industry-leading XDR vendors including SentinelOne, Microsoft Defender, CrowdStrike Falcon, Palo Alto Cortex XDR and Trend Micro Vision One.
Cisco are on the verge of becoming a leader in the Gartner Magic Quadrant for Endpoint Protection.
Ransomware is a serious threat that requires a comprehensive and proactive solution. Cisco’s XDR system, integrated with Cohesity’s DataProtect and DataHawk offerings, provides a powerful way to detect, prevent, and recover from ransomware attacks.
For organisations with a fragmented security portfolio, and for those heavily invested in Cisco infrastructure, Cisco’s XDR can be an excellent choice when they need to increase visibility and shorten detection and remediation time. Integrating XDR with the rest of their Cisco Security portfolio enhances the visibility, automation, and effectiveness of security operations.
Cisco has just published their 2023 Global Networking Trends Report. This report covers some of the emerging networking trends in the multi-cloud world, and how they affect the IT operations and security of organisations. The report is twenty-one pages long and covers some interesting trends and observations from more than 2,500 IT leaders in 13 countries across North America, Latin America, Asia Pacific, and Western Europe (including the UK).
My key takeaways from the report
Hybrid work and multi-cloud adoption are driving the need for innovative approaches to securely connect remote workers to corporate data and assets distributed across multi-cloud environments, with a strong need (40% of respondents) to de-silo operations and bring together network and security controls and visibility.
Cisco says that “providing secure access to applications distributed across multiple cloud platforms” is the top challenge, cited by 41% of networking professionals, followed by gaining end-to-end visibility into network performance and security (37%).
Growth and demand for SASE. SASE (Secure Access Service Edge) is a convergence architecture that delivers simplified and consistent security and performance for multi-cloud access and hybrid work. Cisco are a leading vendor in the SASE space which combines SD-WAN (Software-Defined Wide Area Network) and SSE (Security Service Edge) into a single, integrated SaaS security offering.
In the report, Cisco highlighted that 47% of respondents expect to connect their branches and remote clients using a SASE model by mid 2025, while 59% said that they will be prioritising centralising and consolidating cloud security over the same period.
Extending SD-WAN connectivity consistently across multiple clouds can automate cloud-agnostic connectivity and optimise the application experience. 53% of respondents prioritise integration with cloud service providers for this purpose.
End-to-end network visibility and predictive analytics are essential for ensuring a consistent user experience across the complex digital service delivery chain, especially around SaaS apps with 51% of respondents prioritising end-to-end network telemetry and visibility. 47% of respondents said they will be prioritising predictive network analytics.
More organisations are multi-cloud than ever before with 92% of organisations reporting that they use more than one public cloud service (includes SaaS, IaaS and PaaS).
How Cisco Technology can help address these challenges
Cisco provide a comprehensive portfolio of products that can help organisations address many of the challenges of multi-cloud networking and security which fall into the SASE and SD-WAN categories. These include:
Cisco SD-WAN with an edge security stack, or SD-WAN with Umbrella Cloud Security (SASE); both leverage the Cisco Identity Services Engine’s Security Group Access Control Lists for segmentation policy management and enforcement across the WAN.
Cisco SD-WAN integrated with Cisco Umbrella SIG for a cloud-delivered SASE model that seamlessly secures access wherever users and applications reside.
Cisco Cloudlock, Cisco’s cloud-native cloud access security broker (CASB) that helps secure your use of SaaS applications.
Cisco SD-WAN and these SSE collaborations provide a range of SASE deployment options for Cisco Partners and Managed Service Providers (MSPs), allowing them to utilise a mix of networking and cloud security solutions to offer multiple managed options to enterprises at various stages of their SASE journey.
Cisco Secure Access Service Edge (SASE) is a cloud-native platform that combines SD-WAN, SWG (Secure Web Gateway), ZTNA (Zero Trust Network Access), DNS-layer security and CASB (Cloud Access Security Broker).
The table below shows the key challenges discussed in the report and the corresponding solutions from Cisco that can help address them:

Challenge: Providing secure access to applications distributed across multiple clouds
Cisco solution: SASE (Secure Access Service Edge), a convergence architecture that delivers simplified and consistent security and performance for multi-cloud access and hybrid work. It combines SD-WAN (Software-Defined Wide Area Network) and SSE (Security Service Edge) within Cisco’s cloud platform.

Challenge: Gaining end-to-end visibility into network performance and security
Cisco solution: Cloud-based network detection and response solutions, such as Cisco Secure Cloud Analytics, which provides visibility and threat detection for an organisation’s network across public, private, and hybrid cloud environments.

Challenge: Extending SD-WAN connectivity consistently across multiple clouds
Cisco solution: SD-WAN multi-cloud integrations, which allow networking and cloud teams to accelerate and automate extensions from enterprise sites to various cloud providers and other enterprise sites through Internet, interconnect, or colocation and cloud provider networks.

Challenge: Siloed cloud, network, and security operations
Cisco solution: A cloud-centric operating model, which brings cloud operating model principles to the network and across the entire cloud/network IT stack, enabling more integrated workflows and better collaboration between network, security, and cloud operations.

Challenge: Visibility into end-user experience and performance of multiple cloud SaaS apps
Cisco solution: Cisco ThousandEyes provides a real-time and historic view into the availability of thousands of different SaaS apps. It allows IT to monitor all employees’ digital experience against software-as-a-service and on-prem applications, regardless of where users are, through the essential elements of your SASE architecture. With ThousandEyes, organisations can regain visibility and control over SaaS applications and ensure that they are performing optimally.

Table 1 – How Cisco technology addresses the challenges of securing and managing networking and security across multi-cloud environments.
Cloud is the new data center, Internet is the new network, and cloud offerings dominate applications. By gaining a view of global Internet health and the performance of top SaaS applications, IT teams can proactively detect and remediate major unexpected network or application issues affecting them as soon as they happen.
Based on the report, Cisco say that organisations can mitigate against many of the challenges discussed by adopting a cloud-centric operating model that brings cloud operating model principles to the network and across their entire cloud/network IT stack. This can enable more integrated workflows and better collaboration between network, security, and cloud operations.
Today, Microsoft have announced the next milestone in their expanded vision for unified secure access, with some huge changes to their access and security offering, Entra, which has now become the brand name for all things identity and access management. Along with that comes a name change of Azure Active Directory to Entra ID.
Is Azure AD discontinued?
No… This is a name change that results from the shift to a truly end-to-end, multi-cloud identity and access solution that spans beyond simply Microsoft 365 and Azure. The name change is designed to reflect its new and enhanced capabilities.
With this they have announced they are expanding their Microsoft Entra suite into the Security Service Edge (SSE) category with the launch of two new products.
Microsoft Entra Internet Access and
Microsoft Entra Private Access.
Microsoft Entra Internet Access is an identity-centric Secure Web Gateway that protects access to the internet, software as a service (SaaS), and Microsoft 365 apps and resources. It extends Conditional Access policies with network conditions to protect against malicious internet traffic and other threats from the open internet.
Microsoft Entra Private Access is an identity-centric Zero Trust Network Access (ZTNA) solution that secures access to private apps and resources. It is designed to reduce operational complexity and cost by replacing legacy VPNs with simple yet granular security, ensuring that any user can quickly and seamlessly connect to private apps across hybrid and multi-cloud environments, private networks, and data centers from any device, from any location and from any network.
Microsoft’s goal and vision here is to help organisations secure access to any app or resource, from anywhere. Microsoft say in their security blog that the flexible work arrangements we have become accustomed to, along with continued increases in cloud adoption, keep putting strain on traditional and legacy corporate networks and network security approaches. Using VPNs to backhaul traffic to the legacy network security stack weakens security posture and damages the user experience, while using siloed solutions and access policies leaves security gaps.
Both are now in preview….
The renaming of Azure Active Directory (Azure AD) to Microsoft Entra ID was also announced, which Microsoft say has been done to simplify their product naming conventions and to unify their expanded product family. The change was made because Azure AD now supports multi-cloud, meaning the name Azure AD no longer represented the breadth of its offerings.
Personally not a fan of the name change even though their reasoning makes sense… Everyone knows what Azure AD is (or maybe that’s the problem… they think they do!)… Even Microsoft Teams wasn’t sure about it!
Microsoft say that the current capabilities and licensing plans, sign-in URLs, and APIs will remain unchanged, and all existing deployments, configurations, and integrations will continue to work as before.
You can read more about these recent changes and announcements here.
Cisco have announced that they are to acquire Armorblox, a leading email security house whose portfolio (which is centred around email protection) includes email security, DLP, data encryption, impersonation protection, fraud protection, URL, and ransomware protection.
What do Armorblox do?
Founded in 2017 and now with over 58,000 customers, Armorblox protects organisations against data loss and targeted email attacks like business email compromise, vendor fraud, and account takeovers. Their tools leverage Generative AI and Large Language Models (LLMs). They have scored highly in the Gartner Peer Insights report and have invested heavily in their interoperability through APIs.
Cisco say that “Through this acquisition though, we see many exciting broad security use cases and possibilities to unlock”.
Cisilion plan to leverage this investment to bring new AI-powered security offerings to their existing portfolio, as well as to enable them to leapfrog their competition and offer compelling, integrated, and advanced threat protection.
I’m excited to see the ways in which Cisco leverage this acquisition to bolster security across all their offerings. Assimilating and embedding the technologies they acquire is one of their huge strengths.
Another Gartner Magic Quadrant, another winning result: yet again, Microsoft continues its move up the quadrant, this year storming ahead of the competition in the Endpoint Protection category with Defender for Endpoint.
Microsoft Defender for Endpoint is designed to protect every endpoint platform an organisation may use including Windows, Linux, macOS, Android, and iOS. Earlier this year, Microsoft introduced Microsoft Defender for Business which was positioned to provide smaller businesses with a streamlined way to protect their organisations with enterprise-grade security at a price point that is attractive to businesses of this size.
For years, third-party endpoint protection and antivirus vendors have positioned their products as “needed” to protect Windows. As the past 5 years have shown, Microsoft is now probably the biggest security company you didn’t know existed, with virtually every product category they have (from endpoint to CASB) being a Gartner Magic Quadrant leader.
Furthermore, as organisations look to consolidate tools, reduce admin overhead and “do more with less”, more of them are looking at leveraging their investment in Microsoft 365 E5 by taking advantage of the extensive set of security tools included within their subscription. It’s not just about cost either: there is no compromise, as Microsoft continues to make enormous investments (to the tune of four billion per annum) to ensure that they have the best security and compliance propositions in the market, with products that continue to develop to meet customer expectations and the ever-growing threat landscape.
What is Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is also available for Defender for Endpoint Plan 2 users.
The Microsoft Defender for Endpoint (DFE) platform features 6 key components (which vary depending on the licensing you have).
Core Defender Vulnerability Management
Built-in core vulnerability management capabilities use a modern risk-based approach to the discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
Attack Surface Reduction
Provides the first line of defence in the stack: by ensuring configuration settings are properly set and exploit mitigation techniques are applied, these capabilities resist attacks and exploitation. This also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs.
Next Generation Protection
Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
Endpoint Detection and Response (EDR)
This detects, investigates, and responds to advanced threats that may have made it past the first two security pillars. Advanced hunting provides a query-based threat-hunting tool that lets you proactively find breaches and create custom detections.
Automated Investigation and Remediation
In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
Microsoft Secure Score for Devices
Defender for Endpoint includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organisation.
Microsoft Threat Experts
Microsoft Defender for Endpoint’s new managed threat hunting service provides proactive hunting, prioritisation, and additional context and insights that further empower security operations centres (SOCs) to identify and respond to threats quickly and accurately.
Key components of Microsoft Defender for Endpoint
Integration across the wider Microsoft Stack
Defender for Endpoint naturally integrates extensively with various other Microsoft solutions, including:
Microsoft Defender for Cloud
Microsoft Defender for Cloud Apps
Microsoft Defender for Identity
Microsoft Defender for Office
Defender for Endpoint – Business vs Plan 1 vs Plan 2
Defender for Endpoint is now available in three plans:
Defender for Business
Defender for Endpoint Plan 1
Defender for Endpoint Plan 2 (formerly known as Defender for Endpoint).
In a blog post following Microsoft’s Q2 earnings report this week, Microsoft shared how their security revenue had grown 33% from 2022 to 2023 and now stands at $20 billion, driven massively by their global partners, who have been helping customers strengthen their security posture while saving money through vendor consolidation. Microsoft stated that security remains the number one investment priority for businesses, is where organisations spend the most, and is easily justifiable for companies.
To put this into perspective, the $5 billion increase in Microsoft’s security business over the past twelve months is larger than the revenue generated by every pure-play cybersecurity vendor other than Palo Alto, which expects to hit $6.85 billion growth when they publish their results later this year.
“We are taking share across all major categories we serve…..customers are consolidating on our security stack in order to reduce risk, complexity and cost.” – Satya Nadella.
Ever-Growing Market
According to McKinsey & Company, the cybersecurity market is now worth $2 trillion, as more businesses realise that they lack the levels and breadth of protection and detection measures needed to keep their data, identities, applications, devices, and networks safe, whilst the number of attacks continues to rise at alarming rates.
Despite Microsoft’s huge growth in this area, Microsoft pointed out that there is still a global shortage of cybersecurity professionals; in the USA alone, there are ~4 million unfilled cybersecurity jobs currently open, with salaries hugely inflated due to the high demand for these roles.
Organisations can save lots of money
In the Microsoft earnings call, Satya Nadella called out their focus on helping customers “do more with less”, saying that “this is a place where customers can save lots of money”. He talked about Microsoft’s breadth, depth, and integrated security portfolio, stating boldly that “Microsoft is the only vendor that has integrated tools spanning identity, security, compliance, device management and privacy”.
Much of the value and cost savings Microsoft delivers to their customers comes through their productivity suite bundles, such as Microsoft 365 E5, which combines advanced security, privacy, and compliance, along with Teams voice and rich analytics. Recent customers to go all-in on E5 licences include IKEA, NTT, Boots, Rio Tinto and Marks and Spencer, and leading global law firm Baker McKenzie.
Microsoft also provide dedicated Security and Compliance add-on suites, as well as the ability to purchase their security offerings as point products, including their Enterprise Mobility and Security suite, which grew 16% to more than 241 billion seats.
Microsoft called out the example of the $4.46 billion British sports retailer Frasers Group, for its decision to consolidate tools and services from ten separate cybersecurity vendors down to just Microsoft.
In another example, the $2.76 billion American digital media player manufacturer Roku moved its entire identity and access management estate to the cloud with Azure Active Directory.
Market Bolstering Stats
SIEM: In October 2022, Microsoft Sentinel shot to the top of Gartner’s SIEM Magic Quadrant, zooming past IBM, Splunk, Securonix and Exabeam.
Identity & Access Management: IDC say Microsoft have 23.8% market share of the $13.6 billion identity and access management market, with Okta at a distant second at 9.2%.
Endpoint Security: Microsoft had 11.2% of the market in 2021 and 12.4% in 2022. Only CrowdStrike had a larger slice of the endpoint security market, at 12.6%, but with lower growth. CrowdStrike, Microsoft and Trend Micro were all named in the April 2022 Forrester Wave for EDR providers.
The Role of Microsoft Partners
Despite the global shortage of cyber security professionals, Microsoft pointed out that their security business is surging partly due to the work many of their global Modern Work and Security partners are driving. Microsoft continues to invest significantly in partner skills enablement, along with resources and funding to help their partners help their customers. This ranges from funded discovery and usage workshops, technology enablement funding and end-user adoption funding (to help users work more securely) to technical training initiatives, third-party vendor displacement support and more.
As such, Microsoft partners can certify and specialise in different security and compliance areas, helping customers find partners that can help them understand their risk profile, identify weaknesses or risks, deploy and adopt new tools and platforms, and migrate away from point products to improve their security whilst reducing cost.
Organisations can reach out to their Microsoft representative or speak to their Microsoft Partner for more information.
Microsoft technology (through the help of their partners) can save the average 10,000 seat organisation more than $8.3M per annum through investing in Microsoft 365 E5 and Sentinel according to research conducted by Forrester.
On a recent fireside chat that I hosted, most organisations on my panel discussed how they were improving their security through investment in Microsoft 365 E5 with the help of their partners.
The Microsoft Security Portfolio
Microsoft has organised their security portfolio (which spans more than fifty product categories overall) into six product lines.
Defender: The Defender portfolio includes Microsoft 365 Defender (Microsoft’s extended detection and response (XDR) platform for securing endpoints, email, applications, identities, and data), as well as their Defender solutions for endpoint, cloud, IoT, vulnerability management, threat intelligence, DevOps and external attack surface management.
Sentinel: Microsoft’s SIEM platform.
Entra: Microsoft’s identity management and security portfolio, which includes Azure AD.
Purview: Data protection, data loss prevention and insider risk management.
Priva: Their new privacy risk management solution, following their acquisition of RiskIQ.
Note: Whilst Microsoft do not have dedicated products that cover the network infrastructure, SIP, WAN and wireless LAN spaces, they work in partnership with leading infrastructure vendors such as Cisco to provide seamless identity and access integration.
You can read more on the official Microsoft security blog post here.
Microsoft now claims that they handle, process and act upon more than forty-three trillion daily threat signals.
This blog, however, does not go into the specific features and security across Microsoft 365 and Azure, but instead explores the fact that despite the extensive array of security services, tools, and products that Microsoft offer, Microsoft report that only about a quarter of their customers are actively using the core security products they’ve invested in.
This of course can mean that organisations might:
Have unnecessary security gaps, protection weaknesses and risk exposure
Be wasting money (through Microsoft protection services bought but not enabled)
Be buying twice (or more) through duplicate tools and services.
Have a more complex protection strategy than is necessary
Not be aware of Microsoft’s comprehensive multi-cloud security offerings
This blog shares some of the collective thoughts, and discussions I had with my customer advisory panel in our September fireside chat which focussed on the pros, cons, questions, and concerns around embracing the end-to-end protection across Microsoft 365 and beyond vs using point products and third-party security add-ons.
I’ve also included some (hopefully) useful links and content at the end of this blog.
Here’s the summary of the discussion points from my recent fireside chat.
1. Microsoft Security – What is in the SKU?
Speaking to the panel on my recent Fireside Chat, I believe that most organisations don’t know enough about the breadth and depth of the Microsoft 365 Security Stack they have bought and invested in.
This is due, in part, to the constant change, enhancements and investment [$4b a year in R&D] in response to the changing threat landscape, and to the depth and breadth of tools available within Microsoft 365 E5. Add to this the renaming of Microsoft products (they do far too much IMO).
2. Does having too many different security vendors lead to unnecessary complexity?
The cyber security market is huge. In a recent KPMG survey of 500 CEOs, 18% said that cyber security
When I was first an IT consultant in the early noughties, security was always about having strong passwords and the best “black box device” to protect on-premises stuff, be it firewalls, mail security, web filters, VPN, IPS etc., each protecting an aspect of an organisation’s internal network or data centre environment.
As the world has shifted, and continues to shift, to a perimeter-less, multi-cloud and distributed workforce (with home working creating thousands of “offices of one”), many organisations now struggle not only with the ever-expanding threat landscape and increasing talent shortage, but with the growing number of vendor solutions, their mounting costs, and the crossover of products and features.
Complexity is the new enemy, meaning that silos and multi-vendor point products are the bane of Security Operations. Not only are they costly, but their features also overlap, they don’t necessarily integrate and, in most cases, there is no single pane of glass or shared “intelligence” across the platforms.
This not only causes complexity and cost, but above all does not provide a holistic view of security and threats across the organisation without the use of yet more expensive tools and connectors into a SIEM platform.
We see this quite often with our customers too, particularly where Microsoft 365 has been organically deployed. We often see that customers, whilst heavily invested in Microsoft 365, continue to invest in and use a plethora of third-party tools, and thus are not realising the true value and protection of the extensive and integrated Microsoft 365 Security Suite.
This is not just about cost either. Having too many tools addressing point solutions, combined with no holistic view of security, can cause too much “noise” and too many alerts, meaning real potential threats are ignored or get lost. This is the primary reason Microsoft cite for why “only one quarter of their customers are actively using the core security products they’ve purchased”.
As well as the advantages of a joined-up and integrated security portfolio, any organisation that has embraced, or is embracing, the Microsoft Cloud can realise cost savings of over 52% and see ROI of 92% (according to Microsoft & Gartner) by adopting the vast array of security services within their Microsoft 365 subscription and/or by displacing legacy point products.
3. “In my opinion” Microsoft Security is world class
It doesn’t have to be this way though, and once there is joint awareness, understanding and trust in the Microsoft security portfolio, this complexity and siloed approach to security can be a thing of the past.
Microsoft (as any end-to-end security provider would) say that Microsoft can secure and protect the entire digital footprint for every enterprise customer. The reality is that, for any organisation that has embraced or is embracing the Microsoft Cloud, significant cost advantages (>52% according to Microsoft & Gartner) can be achieved in security alone by enabling the services they have already bought and displacing all or most of their legacy point security products.
Joining us on the Fireside chat this month was Jose Lazaro Pinos, a Security Architect at Microsoft. He said that:
Many of the clients we work with are on board and committed to leveraging Microsoft Cloud and Microsoft Security across the board. This extends beyond basic hygiene services such as Azure AD, Conditional Access, Identity Protection and Privileged Identity Management, into the more advanced compliance and protection services such as Defender for Office 365, Identity and Endpoint, DLP and Purview (formerly Microsoft Information Protection) for compliance and data protection, and Sentinel for SIEM and XDR.
L&Q, like many organisations, has a hugely diverse workforce, and the tight integration of the Microsoft Security products has given them confidence that their employees, devices, and data are well protected wherever they are. Paul also said in the chat that the exec board is on top of security and it is very much front and centre, so Paul and his team need to be on top of their game; ensuring they continue to get value from the new things coming to Microsoft Security is top of mind, which again reinforces what we hear about point one above.
4. What are the downsides of a single vendor approach?
In short, the consensus from the panel was “probably none” – not anymore.
Go back just 5 years and I’d say most IT and security teams had a negative (or empty) view of Microsoft as a “security company”. Even as their reputation improved, it was still commonplace to see many organisations that accepted just how extensive Microsoft’s security offering had become still question: “what if one vendor gets compromised? You need protection from the other vendor that hadn’t been compromised”.
More recently, this view is changing, as my customer panel confirmed. Zero Trust is all about defence in depth and having multiple layers of protection. The key principle is not necessarily about single versus multi-vendor; more important is the need for seamless join-up and integration between the service layers, whether this is a mix of vendor products connected via API-driven integration into a SIEM, or the integration and consistency (which is key) that comes from using a joined-up suite of products providing multi-layer protection.
It’s critical, of course, that whatever you use can see and protect all your applications, services and infrastructure, including services which sit outside the Microsoft Cloud.
The panel also agreed that managing multiple security tools creates unnecessary workload for their IT and SecOps teams, as they have multiple product dashboards to check and consolidate, and the terminology and signals don’t always align.
Rowland Hills said that the reality for any smaller business is that you may struggle to have even a couple of people in IT, with one or sometimes no dedicated security-focussed person. The impact of an attack is of course no different no matter how big or small you are, but one of the things about leveraging cloud for security is that the smallest and largest organisations alike benefit from the power of the Microsoft Cloud, which has some impressive threat protection stats (which they asked me to share).
Microsoft Security On-Ramp – where to start
Firstly, you don’t have to spend loads of money to get some increased awareness: you can work with your Microsoft Cloud Security partner and/or leverage some of the free tools, assessments, workshops, and training available to you as a Microsoft 365 customer.
Collaborate to Share Best Practice
We also find more recently that organisations are starting to form security alliances where they share best practice methodologies, observations and even training and workshops with their peers in similar organisations.
This can be a great way to reduce the burden on stretched IT resources as well as reduce cost when they are paying for or attending security assessments and workshops, much in the same way we do with our customer panel on our monthly Fireside Chats.
Do it yourself with Microsoft Secure Score
Microsoft Secure Score enables your IT or Security Operations team to review, score and benchmark your organisation’s security posture. Secure Score works by representing your security metric across the entire digital estate, irrespective of whether you’re using Microsoft or third-party tools.
Secure Score does four things:
Assess the state of your security posture across identity, devices, information, apps, and infrastructure. You can also benchmark your organisation’s status over time and compare it to other organisations.
Evaluate each recommendation using embedded guidance to determine which vectors of attack are a priority and how they can be mitigated. This can also be used to help identify and add improvement actions to your posture improvement plan.
Determine potential user impact using integrated workflow capabilities, and identify the procedures necessary to implement each recommendation in your environment.
Track and maintain progress using historical reports, identify regressions, and report to leadership teams. Using measurable data, clearly demonstrate the progress you’re making to better secure your environment.
Leverage Free* Cloud Security Workshops
Cisilion are one of a handful of trusted Microsoft Cloud Security partners that can deliver free (*funded, subject to approval by Microsoft) workshops, threat assessments and awareness workshops to help organisations understand, test drive, and prove the value of Microsoft Security, whether they have already invested in the product suites or not.
These provide an overview, deep dive, and hands-on exposure to help you understand key areas of threat protection, including:
Securing corporate identities and access
Defending against threats with SIEM plus XDR
Securing Azure and multi-cloud environments
Mitigating compliance and privacy risks including “insider risk”
Protecting and governing sensitive data
Defence and visibility in depth with Azure Sentinel
All paying Microsoft 365 commercial and public sector organisations are entitled to Microsoft FastTrack services. This is a free consultative and guidance service, delivered by Microsoft or their trusted FastTrack partners, that provides guidance and assistance for the enablement and adoption of Microsoft Cloud technology.
Public Webinars and News
There is lots of useful content, webinars and news on the Microsoft Security pages:
Microsoft Defender for Endpoint has just received top marks for the latest Advanced Threat Protection Test carried out by AV-Test in Feb 2022.
The report (which tested many of the top products including Microsoft Defender in both the home and commercial space) found that it was best-in-class in terms of its ransomware detection and blocking.
The Advanced Threat Protection tests provide vendors and users with substantial findings as to how securely a product can protect against ransomware in real-life scenarios.
… All the products have to successfully defend against ransomware in 10 real-life scenarios under Windows. The test involves threats such as files containing hidden malware in archives, PowerPoint files with scripts or HTML files with malicious content.
The tests were carried out across 14 of the top anti-virus and endpoint protection products in the consumer and commercial space, including:
Whilst Microsoft came out joint top for all the tests in the corporate space, the lowest scores went to McAfee / Trellix, who AV-TEST claim were unable to fully block ransomware attacks in multiple different attack scenarios:
You can access the full reports from AV-TEST here.
Good news for consumers and corporate
In short, this should be good news for corporate customers that use Microsoft Defender (which is built into Windows 10 and Windows 11), as well as for consumers.
Consumers in particular are often sold additional third-party antivirus and anti-ransomware products when they buy a new computer or software, or through advertising. Whilst there may be good reasons to buy additional products, these results should demonstrate just how good Microsoft are at protecting the consumers and corporate clients who use their products.
Defender is part of a much bigger family
In the corporate space at least, Microsoft Defender is an entire multi-platform, multi-vendor suite of integrated services for protecting corporate systems and data from attack, breach, ransomware and theft. The product suite extends across Identity (Defender for Identity), Cloud, Endpoint, IoT and Office 365, to name just a few.
You can find out more about the Microsoft Defender suite of products for corporate customers here.
Microsoft also announced last month the release of Microsoft Defender for individuals, which provides enterprise-grade protection for Microsoft 365 consumer and family users. Microsoft Defender is a cross-device security app that helps individuals and families protect their data and devices, and stay safer online with malware protection, real-time security notifications, and security tips. You can read more here.
As Russia continues its attack on Ukraine, Microsoft has taken some of the lessons learnt from its cyber defence assistance to Ukraine at the start of the war and has now shared its insights for the world to learn from.
In a recent blog post on Microsoft’s “Microsoft on the Issues” site, Brad Smith, Microsoft Vice President and Chairman, shared highlights of the recurring themes around how the war in Ukraine follows a similar, yet updated, parallel to other historical battles, but with a modern cyber-focussed offensive now a huge part of the war plan.
In this most recent blog, Brad Smith discussed the three-part strategy Microsoft has discovered and observed during their early defence assistance to Ukraine. He calls out “destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world.”
The wider report goes into detail on how Microsoft is continuing its efforts to assist in the defence of technological targets in Ukraine, as well as the continuously evolving strategy Microsoft is pushing to further help harden businesses, institutions, governments, and nations against future cyber-attacks.
The Russian military poured across the Ukrainian border on February 24, 2022, with a combination of troops, tanks, aircraft, and cruise missiles. But the first shots were in fact fired hours before when the calendar still said February 23. They involved a cyberweapon called “Foxblade” that was launched against computers in Ukraine. Reflecting the technology of our time, those among the first to observe the attack were half a world away, working in the United States in Redmond, Washington.
Brad Smith | Vice President | Microsoft
Conclusions and how to defend against nation-state attacks
Microsoft say that to defend against similar nation-state coordinated attacks you first need to understand the approach, what has worked, and what needs to be done to allow other nations and countries to better protect themselves against cyber warfare. The conclusions of the report (which you can read in depth here) highlight the following:
Defense against a military invasion now requires for most countries the ability to disburse and distribute digital operations and data assets across borders and into other countries.
Recent advances in cyber threat intelligence and end-point protection have helped Ukraine withstand a high percentage of destructive Russian cyberattacks.
As a coalition of countries has come together to defend Ukraine, Russian intelligence agencies have stepped up network penetration and espionage activities targeting allied governments outside Ukraine.
In coordination with these other cyber activities, Russian agencies are conducting global cyber-influence operations to support their war efforts. Russian agencies are focusing their cyber-influence operations on four distinct audiences. They are targeting the Russian population with the goal of sustaining support for the war effort. They are targeting the Ukrainian population with the goal of undermining confidence in the country’s willingness and ability to withstand Russian attacks. They are targeting American and European populations with the goal of undermining Western unity and deflecting criticism of Russian military war crimes. And they are starting to target populations in nonaligned countries, potentially in part to sustain their support at the United Nations and in other venues.
Finally, the lessons from Ukraine call for a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations.
Microsoft continues its huge investment in, and expansion of, its leading cyber security, threat analysis and response solutions with the acquisition of Miburo, a world leader in foreign threat analysis and research detection services.
They announced via their security blog that they have entered into an agreement to acquire Miburo, who will be ‘assimilated’, so to speak, into Microsoft’s Customer Security and Trust organisation.
Microsoft will leverage Miburo’s portfolio to help bolster their current threat detection platforms while also expanding their ability to counter new cyber threats and state-sanctioned information operations and attacks. Miburo’s mission statement is to “protect democracies and the free information environment from malign influence and extremism.”
“Working in close collaboration with the Microsoft Threat Intelligence Center, our Threat Context Analysis team, our data scientists and others, the new analysts from Miburo will enable Microsoft to expand its threat detection and analysis capabilities to address new cyber-attacks and shed light on the ways in which foreign actors use information operations in conjunction with other cyber-attacks to achieve their objectives. Miburo has become a leading expert in identification of foreign information operations.”
Tom Burt | Microsoft
The public announcement arrives just a month after Microsoft acknowledged its role in combating many state-sanctioned cyber-attacks and disinformation campaigns aimed at Ukraine by Russia.
Microsoft has unveiled a new “software updates” dashboard in the Microsoft 365 admin center that enables IT to get a simple, unified overview of the installation status of Windows and Microsoft 365 app updates across all their devices. This is currently in preview.
“Keeping devices current with the latest security updates is an important part of an IT admin’s role. The software updates page in the health section of the Microsoft 365 admin center provides a high-level summary view that informs you of devices that may be behind on taking the latest updates released by Microsoft.”
The software updates page now has a new tab that shows Windows update status and end-of-service statistics. These charts provide information about all the Windows devices running unsupported versions of Windows, as well as those that are reaching the end of support.
There is a separate tab which provides update status for Microsoft 365 Apps.
This new dashboard currently only provides update status for Microsoft 365 Apps and the core Windows OS, but Microsoft plans to expand it in the future to cover critical on-premises servers such as Exchange.
There is currently no ability to drill down into the non-compliant devices. To do this you need to head to the Security pane or Microsoft Endpoint Manager, but I suspect this will be linked by the time it comes out of preview.
Windows Autopatch, a service to automatically keep Windows and Microsoft 365 up to date in enterprise organisations, has now reached public preview. When officially released (GA), it will be included for Microsoft commercial customers with a Windows Enterprise E3 license or higher.
In short, Windows Autopatch allows organisations to shift the management and deployment of Windows 10, Windows 11 and Microsoft 365 Apps updates, including quality and feature updates, drivers and firmware, to Microsoft.
What’s the purpose?
Essentially this aims to take the nightmare out of the age-old “Patch Tuesday” and promises to be a great time saver for IT admins. With Autopatch, IT can continue to use their existing tools and processes for managing and deploying updates to devices, or can phase them in or replace them entirely with this new “hands-off” approach and let Windows Autopatch take care of security, driver and firmware updates.
“Changing the way things get done, even when that change makes things easier, gives pause to most people who run large IT organisations. By joining the public preview, you’ll be able to get comfortable with Windows Autopatch and ready your organisation to take advantage of the service at scale”.
Lior Bela | Senior Product Marketing Manager | Microsoft
The main purpose of Windows Autopatch is to move the update orchestration burden from the IT department to Microsoft. Once deployed, configured and tested, Autopatch should take the entire effort of planning and managing the Windows Update process (sequencing and rollout) away from IT, freeing up time and resources.
“Whenever issues arise with any Autopatch update, the remediation gets incorporated and applied to future deployments, affording a level of proactive service that no IT admin team could easily replicate,” Bela added.
How to enable Autopatch
Windows Autopatch devices must be managed by Microsoft Intune for this to work: Intune must be set as the Mobile Device Management (MDM) authority, or co-management must be turned on and enabled on the target devices.
As you’d expect, there are a handful of steps needed to enable the preview and to enrol your Microsoft 365 tenant into the Windows Autopatch public preview:
Log on to Endpoint Manager as a Global Admin and navigate to the Windows Autopatch blade which is under the Tenant Administration menu – this will only be visible if you have the right licenses deployed.
Using an InPrivate browser window, redeem your Autopatch preview code
Run the readiness assessment, add the required admin contact, and add the devices you want to enrol in the service.
Tick the box, to allow Microsoft to manage updates on behalf of your organisation.
Microsoft also provides detailed instructions (and a video) on how to add devices to your test ring and how to resolve a status of “tenant not ready,” “device not ready” or “device not registered.”
How Autopatch works
The Windows Autopatch service automatically splits your organisation’s device estate into four groups of devices described by Microsoft as “testing rings”.
Test Ring: Contains a minimum number of devices for test purposes
First Ring: Contains ~1% of all endpoints (think of this like the early adopter ring)
Fast Ring: Contains ~9% of devices
Broad Ring: Contains the rest of the devices.
The updates are deployed progressively, starting with the Test ring and moving to the larger sets of devices following a validation period in which the system and IT can monitor device performance and compare it to pre-update metrics through Endpoint Analytics.
Autopatch also features a nifty feature called “Halt and Rollback” that blocks updates from being applied to higher rings, or rolls them back automatically. This is key for critical dates or projects which may be impacted by updates, or where quality errors are detected in the Test ring updates.
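To make the ring mechanics above concrete, here is an added example of my own (it is not Microsoft’s code and not anything Autopatch exposes) that models the four-ring split and a halt gate in Python. The 1% / 9% / remainder shares are the approximate figures quoted above; the device identifiers, the hash-based bucketing, the 5% failure threshold and all function names are my own assumptions for illustration.

```python
import hashlib

# Rings in promotion order. The shares are the approximate splits quoted
# for Windows Autopatch; the Test ring is a hand-picked set rather than a share.
RING_ORDER = ["Test", "First", "Fast", "Broad"]
RING_SHARES = [("First", 0.01), ("Fast", 0.09)]   # Broad takes the remainder


def assign_ring(device_id, test_devices):
    """Map one device to a ring.

    Devices nominated for the Test ring go there; everything else is bucketed
    by a stable SHA-256 hash of its identifier so the split is reproducible
    across runs (assumption: the real service picks rings its own way).
    """
    if device_id in test_devices:
        return "Test"
    digest = hashlib.sha256(device_id.encode("utf-8")).digest()
    # First 8 bytes -> integer -> uniform fraction in [0, 1)
    fraction = (int.from_bytes(digest[:8], "big") % 10_000) / 10_000
    cumulative = 0.0
    for ring, share in RING_SHARES:
        cumulative += share
        if fraction < cumulative:
            return ring
    return "Broad"


def plan_rollout(device_ids, test_devices):
    """Group an estate into rings: {ring_name: [device_id, ...]}."""
    rings = {ring: [] for ring in RING_ORDER}
    for device_id in device_ids:
        rings[assign_ring(device_id, test_devices)].append(device_id)
    return rings


def next_action(ring_results, failure_threshold=0.05):
    """Decide the next rollout step from per-ring results gathered so far.

    ring_results maps ring name -> (succeeded, failed) counts observed during
    that ring's validation period. Rings are checked in promotion order:
      ("promote", ring)  the update has not reached this ring yet
      ("wait", ring)     deployed, but no results yet
      ("halt", ring)     failure rate above threshold, do not go further
      ("done", None)     every ring passed
    The 5% threshold is an assumed value, not an Autopatch setting.
    """
    for ring in RING_ORDER:
        if ring not in ring_results:
            return ("promote", ring)
        succeeded, failed = ring_results[ring]
        total = succeeded + failed
        if total == 0:
            return ("wait", ring)
        if failed / total > failure_threshold:
            return ("halt", ring)
    return ("done", None)


if __name__ == "__main__":
    # Constructed estate: 10,000 synthetic device names plus three Test-ring picks
    estate = [f"pc-{n:05d}" for n in range(10_000)]
    pilots = {"pc-00001", "pc-00002", "pc-00003"}
    plan = plan_rollout(estate, pilots)
    for ring in RING_ORDER:
        print(f"{ring:6s} {len(plan[ring]):5d} devices")
    # Simulated results: the First ring shows a 10% failure rate, so halt there
    print(next_action({"Test": (3, 0), "First": (90, 10)}))
```

The point of hashing the device identifier rather than slicing a list is that a device keeps its ring when the estate grows or is re-enumerated, which is what makes the “early adopter” population meaningful over successive monthly updates; the gate in `next_action` is the simplest form of the halt behaviour described above, checked in ring order so a failing Test ring stops promotion before any larger ring is touched.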
What about Patch Tuesday and Critical Updates?
Microsoft will continue to deliver monthly security and quality updates for supported versions of Windows on the second Tuesday of the month (commonly referred to as Patch Tuesday or Update Tuesday), as they have to date. Autopatch will deliver these too.
For normal updates, Autopatch uses a regular release cadence, starting with devices in the Test ring and completing with general rollout to the Broad ring.
Any updates addressing a critical vulnerability, such as zero-day threats, will be expedited by Windows Autopatch with the aim of patching all devices immediately.
Microsoft has just announced “Entra”, which is the latest “family of products” and joins their other suites alongside Priva and Viva.
Entra brings together all of Microsoft’s identity and access products and services and includes Microsoft Azure Active Directory (Azure AD), as well as their Cloud Infrastructure Entitlement Management (CIEM) and decentralized identity services.
Identity is one of the biggest cornerstones for cybersecurity.
Microsoft Entra aims to help simplify the way organisations approach and accomplish attack surface reduction in the multicloud, hyperconnected world by filling the biggest and most critical gaps. It does this by:
Protecting access to any application or resource for each and every user
Securing and verifying every identity across hybrid and multicloud environments
Discovering and governing permissions in multicloud environments
Simplifying the user experience with real-time intelligent access decisions.
Microsoft Entra embodies our vision for what modern secure access should be. Identity should be an entryway into a world of new possibilities, not a blockade restricting access, creating friction, and holding back innovation. We want people to explore, to collaborate, to experiment – not because they are reckless, but because they are fearless.
Entra works with the majority of cloud platforms, including Azure, AWS and Google Cloud, as well as other Microsoft apps and websites.
To find out more, visit the Microsoft Entra website to learn more about how Azure AD, Microsoft Entra Permissions Management, and Microsoft Entra Verified ID deliver secure access for our connected world.
Microsoft’s security business is growing faster than any of their other mainstream products and services, and today they announced they will be adding three new services designed to help organisations spot and respond to cybersecurity incidents.
Here’s the TL;DR version.
Microsoft are bolstering their security services offerings to go along with their technology products and partners.
Security is the fastest-growing broad product category for Microsoft.
Microsoft are increasing annual research and development spend in cybersecurity from $1 billion to $4 billion (more than any other security vendor anywhere).
The new services will see Microsoft’s own cyber security experts providing hands-on, proactive threat hunting for organisations unable to fully build out their own SOC due to the global security skills shortage and cost.
Keep reading to learn more…
This newly announced investment comes as we see increasing reports from industry analysts of continued growth in cyber security budgets globally, as organisations continue to invest in protecting against the ever-increasing threat of ransomware attacks, identity theft and network hacks.
Attacks are getting smarter and more targeted
Cybercrime attacks are continuing to rise and get increasingly sophisticated, costing the world’s businesses $6 trillion USD last year, with that number expected to rise to $10.6 trillion in 2025.
According to Microsoft, “most human-operated ransomware attacks share some common traits, as attackers take advantage of an organization’s reliance on legacy software configurations or poor “credential hygiene” to gain entry into systems, and once in to find privilege escalation points to move through systems and carry out attacks.”
Whilst identity hygiene is improving, many organisations still do not get the basics right, with poor identity protection, lax controls, no (or patchy) MFA and a disjointed and fragmented approach to security rather than a Zero Trust ‘defence in depth’ mindset.
“Guarding single points of entry is not enough anymore, and a system or systems of managed extended detection and response (MXDR) is helping to help companies take a step back and look to guarding overall systems rather than focusing on locking down network ports or domains etc.”, Microsoft said in their latest security blog.
What is Microsoft Security Experts?
Microsoft Security Experts is a newly announced set of human-, AI- and software-led services that Microsoft will offer to organisations, providing managed security services without them needing to build everything in house.
Whilst just the start, the three new security managed services include Defender Experts for Hunting, Defender Experts for XDR, and Security Services for Enterprise.
Microsoft Defender Experts for Hunting.
This involves Microsoft security engineers proactively hunting for threats across clients’ devices, Office 365 productivity software installations, cloud apps and identity platforms, and alerting organisations to the issues they find.
This will put Microsoft into a more direct competition with pure-play security software companies such as CrowdStrike.
Cost is circa $3 per user per month (pupm).
Microsoft Defender Experts for XDR.
This is a more people-intensive service that will see Microsoft Security Experts helping organisations act on threats. Microsoft say that this type of work is typically done by a variety of different organisations today, including the big four accounting firms.
Cost is $14 per user per month (pupm).
Microsoft Security Services for Enterprise
This service includes an even broader set of people-driven services.
It aims to be more specific and customised to the needs of large enterprise organisations.
It’s set to help alleviate the global security skills and people challenge which is affecting almost every organisation.
Costs are bespoke to each organisation.
Microsoft and Security
Security is already a $15 billion annual business for Microsoft, and in 2021/22 it has increased faster than any other significant product or service that Microsoft sold – up 45% YoY.
Microsoft is of course no new kid on the block when it comes to cyber defence, and last year blocked over 9.6 billion malware threats and 35.7 billion malicious emails, as well as taking down several huge nation-state attacks.
Microsoft believe that they are uniquely positioned to help their customers and partners do more to meet today’s security challenges. “We secure devices, identities, apps, and clouds—the fundamental fabric of our customers’ lives – with the full scale of our comprehensive multicloud, multiplatform solutions. At Microsoft, we understand today’s security challenges because we live this fight ourselves every single day.”
Microsoft’s CEO Satya Nadella had already announced last year that their annual cyber security research and development spending is increasing to a staggering $4 billion, up from an already huge $1 billion.
What about the role of the Microsoft Partner?
Details are still emerging about how partners that sell security consultancy, enablement, training and of course managed extended detection and response (XDR) will be able to leverage these and build on their services.
Microsoft has said in their Yammer partner community site that they will be making a whole new set of investments in partners to help advance (or build) their managed extended detection and response (XDR) services business.
According to Gartner, demand is on a fast growth trajectory, and more than 50 percent of organizations will be using managed detection and response (MDR) services for threat monitoring, detection, and response functions that offer threat containment and mitigation capabilities by 2025.
Microsoft say that their Partners will play a critical role in addressing this incredible customer demand.
Today (May 3rd 2022) Microsoft formally announced the general availability of the standalone version of Microsoft Defender for Business.
Why should I care?
Well firstly, it’s a myth that smaller organisations are not targeted and attacked. Security continues to be an increasing challenge for small and medium businesses, with a more than 300% increase in ransomware attacks alone in the past year, leading to increased cost in time and money whilst pulling you away from doing what matters most – running your business and making money.
As an example, the solicitor I was personally using last year for a house purchase was the victim of a cyber-attack in September last year, and it took them almost 3 months to get back on their feet, which cost them loads of business – including mine!
In addition, according to a report commissioned by Microsoft, over 90% of SMB organisations admit to buying “bad” endpoint security (meaning it is below par and not integrated into their wider security portfolio).
What is Defender for Business
Microsoft Defender for Business brings enterprise-grade security to small and medium-sized businesses (SMBs), including world-class endpoint detection and response capabilities.
Microsoft position this as “the solution for the new Hybrid Workforce”. As employees increasingly work across a mix of different devices and locations, Defender for Business delivers end-to-end security and moves beyond traditional endpoint anti-virus with a cloud-connected, AI-powered service that is backed by trillions of daily signals, bringing enterprise-grade, real-time detection of known or trending threats, including zero-day attacks and ransomware.
Microsoft Defender for business is part of the wider Microsoft 365 Defender family – a unified pre- and post-breach enterprise defence suite which natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Reduce your vulnerability with Defender’s risk-based management approach
Help eliminate risks by reducing the surface area of attack
Protect against cyberthreats like ransomware and malware
Detect and investigate advanced persistent attacks
Automatically investigate alerts and help respond to complex threats
Here’s how it works
If you think of your business the way you might think about your own house, we can use this simple but effective analogy:
Threat and Vulnerability Management is like a proactive police/crime assessment – looking at your doors and windows for potential weaknesses. It’s a risk prevention approach to vulnerability management that reduces threats before they grow into serious problems.
Attack surface reduction works by making sure the windows are locked, and only the right people have keys to the front door. This helps minimise risk by reducing the attack surfaces open across your devices.
Next Generation Protection acts as the lock for your front door. It helps to stop the things you don’t want to enter, from file-based and fileless malware, to spyware.
Endpoint Detection and Response is like a security camera system, helping you see and record an intruder in the building. Defender’s advanced tools then set off the alarms, allowing you to respond directly to the problem, device, or file.
Auto Investigation and Remediation is like your smart alarm system, calling the authorities and taking the intruder away. Defender for Business automatically investigates alerts and helps remediate complex threats, acting as your personal security analyst, working 24/7 to protect your business.
In short, Microsoft Defender for Business looks across your environment, multiple activities, devices, and users and then aggregates your alerts into a single incident making it easier for you (or your IT Services partner) to manage and respond to threats before they impact your business.
How does it compare to Defender for Enterprise?
Defender for Business provides the same premium protection at endpoint level for SMBs as it does for Enterprise organisations – the only differences are the price point and simplified management. The table below shows the main differences.
How do I get it?
All these features and more are available as part of Microsoft 365 business premium plan or can be purchased (if you are not a Microsoft 365 subscriber) as a standalone application.
Speak to your Microsoft Partner or CSP license provider in the first instance. They can probably also help you quickly get started and set it up.
Defender for Business is already included as part of Microsoft 365 Business Premium – Microsoft’s comprehensive security and productivity solution for businesses with up to 300 employees (or as part of a blended licensing approach). Microsoft Business Premium costs just £16.50 per user per month.
You can (from today) also purchase Defender for Business as a standalone solution for just £2.75 per user, per month, and what’s more, support for on-premises and cloud-hosted servers for SMB is also coming later this year.
Microsoft has launched their first Cyber Signals, a new quarterly cyber intelligence brief that highlights the latest cyber security threats, tactics, and strategies and is aimed at Chief Information Security Officers, Chief Information Officers, Chief Privacy Officers and other senior security ops teams.
The brief is built using Microsoft’s extensive threat data and research, which leverages insights from more than 24 million security signals as well as intelligence data mined from the monitoring of 40 nation-state groups and over 140 threat groups. Microsoft has focused the first edition specifically on identity, which they believe is “the battleground for security” and the biggest weak link in most organisations’ security posture.
In the briefing, Microsoft state that “Our identities are made up of everything we say and do in our lives, recorded as data that spans across a sea of apps and services. While this delivers great utility, if we don’t maintain good security hygiene our identities are at risk. And over the last year, we have seen identity become the battleground for security.“
Perhaps the biggest point raised in this Cyber Signals report is the worryingly low adoption of strong identity authentication across organisations. This includes multifactor authentication (MFA), which is proven to reduce the risk of compromised identity by 99.9%.
Here are the key highlights from the report.
Only 22% of customers using Microsoft Azure Active Directory (Azure AD), Microsoft’s Cloud Identity Solution, have implemented strong identity authentication protection as of December 2021.
Microsoft Defender for Endpoint blocked more than 9.6 billion malware threats targeting enterprise and consumer customer devices.
From January 2021 through December 2021, Microsoft blocked more than 25.6 billion Azure AD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365.
The full brief also examines how nation-states are using spear phishing attacks and targeted social engineering to obtain passwords and other sensitive data. It also details the latest ransomware attack trends, along with guidance and recommendations for how to stop the attacks.
Much of the research is explained by leading security chiefs, including Christopher Glyer, the principal threat intelligence lead at the Microsoft Threat Intelligence Center, which employs nearly 4,000 security experts and threat hunters.