Microsoft Security. Now a Leader in 5 Gartner Magic Quadrants
Whatever you may have once thought about Microsoft and security (I remember the days when security engineers would say that the number of security holes in Microsoft products was the reason they had a job), Microsoft is now a global leader in cybersecurity. It invests more than $1bn annually in security R&D and processes more than 6.5 trillion security and threat signals per day to protect organisations, enhance and develop its platforms and support its customers' businesses.
Gartner has now named Microsoft Security a Leader in five Magic Quadrants, which clearly demonstrates the breadth and depth of their security portfolio and the depth of integration across their platforms. The Leader placements are:
Cloud Access Security Broker (CASB)
Access Management
Enterprise Information Archiving
Unified Endpoint Management (UEM)
Endpoint Protection Platforms
Gartner places vendors as Leaders when they demonstrate balanced progress and effort in all execution and vision categories. This means that Leaders not only have the people and capabilities to deliver strong solutions today; they also understand the market and have a strategy for meeting customer needs in the future.
Given this, Microsoft Security doesn't just deliver strong security products in five crucial areas. Looking across the Microsoft 365, Azure and Dynamics platforms, and across customers' on-premises environments and third-party cloud providers, they are able to provide a comprehensive set of security solutions built to work together, from identity and access management to threat protection, information protection and cloud security.
Their services integrate easily and share intelligence from the 6.5 trillion signals generated daily on the Microsoft Intelligent Security Graph. Customers that buy in to the wider Microsoft Security approach can monitor and safeguard identity, devices, applications and data across their end-to-end infrastructure and cloud solutions, whether that is Microsoft Azure, Amazon Web Services, Slack, SAP, Citrix, Oracle, Salesforce, Google or many others.
The key to this is their ability (shared by few others) to unify their security tools, bringing end-to-end visibility into a customer's entire environment, all drawn together in their new SIEM platform, Azure Sentinel.
Where are the gaps?
There are some. The main ones I see are around:
1. Web security and DNS security, the kind of thing Cisco does really well with Umbrella, for example.
2. Network and LAN segmentation. This is possible in Azure, but other than the relatively old Network Access Protection (NAP) feature in Windows Server, this is an area Microsoft don't really play in.
3. Industry-specific scenarios where very long (99-year or so) retention and archiving policies are required. These are areas where solutions like Proofpoint do really well in my experience.
What others do you see? Interested in your views and comments..
Microsoft Threat Protection now unifies your incident response process by integrating key capabilities across Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security and Azure ATP, powered by the Intelligent Security Graph, which processes and responds to over 6.5 trillion threat signals per day.
Learn more about the Intelligent Security Graph
This is just the latest in an ongoing list of updates and features being rolled out across Microsoft 365 and Azure to protect organisations' on-premises and cloud environments, and is a result of their $1 billion investment in security each year.
If you have Microsoft 365 E5 you can take a sneak peek at the new public preview (you need to be a global admin or security admin, of course).
This unified experience adds powerful new features that can be accessed from the Microsoft 365 Security Center. #intelligentsecurity #microsoft365
Microsoft is now top right in the Gartner Magic Quadrant in six areas, including Cloud Access Security Broker, Unified Endpoint Management, information protection, data archiving and endpoint protection.
The myth that Microsoft isn't a security vendor continues, led mainly by the traditional security appliance vendors and by organisations that are still predominantly on-premises and therefore defend their data centre and office perimeters with traditional perimeter controls (sorry, that is a bit of a generalisation and not meant to offend).
In reality, nothing could be further from the truth. With more than a billion dollars invested in security each year (excluding acquisitions), Microsoft has been recognised as a Leader in multiple security-related Gartner Magic Quadrants, in the Forrester Wave for Endpoint Security, and by independent AV testing firms such as AV-TEST, AV-Comparatives and SE Labs, in 2019 alone.
Security is built in across everything Microsoft designs, deploys and makes available, and I'm proud to work for and lead a certified and accredited partner in this space, with Gold competencies in Enterprise Mobility and Security.
Take the time to read the reports. I'd love to hear your experiences, thoughts and views on where you think Microsoft has its biggest gaps in this space.
Finally, there are some new announcements this week at Ignite, so be sure to check these out. The latest today is the announcement of Safe Documents (#safedocuments), which adds ATP-style protection to the Office desktop apps. Rolling out over the next couple of months, when a user wants to treat a document as trusted (leaving Protected View), Safe Documents will automatically check the file against the Defender ATP threat cloud before it releases the document.
With all the news and media about the Surface Pro X, it's easy to miss that Microsoft have also released a dedicated business version called, well, Surface Pro X for Business, which has one core feature aimed at business rather than consumer users.
What’s the Difference
On the surface (ok, dad joke) the business version isn't much different from the consumer version. It's the same spec, same processor, same pen and battery, etc., but where it differs is in its security, which is unique to the new Surface business line-up in this latest generation.
The Surface Pro X for Business is what Microsoft are calling a “Secured-core PC.”
What’s a Secured-core PC?
In short, this technology is powered by Windows Defender System Guard and protects the Surface Pro X from firmware-level attacks such as the LoJax UEFI rootkit.
With Secured-core, your organisation no longer has to trust the UEFI (or BIOS) firmware outright: the device re-establishes trust after the firmware has run, so an attacker who tampers with the firmware cannot use that foothold to compromise the operating system. In future I think this will be a prerequisite for IoT devices as well as business devices of all types.
There are three levels of protection provided by Secured-core, which make the Surface Pro X far harder to compromise and essentially shield Windows 10 from attacks and unauthorised access that target the device before Windows has booted or during shutdown:
Firmware attacks
Kernel attacks
System integrity attacks
Who’s Secured-core ideal for?
Microsoft claim that the target market is people who work in the most data-sensitive industries, such as government, financial services and healthcare, but really this is suited to any organisation that is highly concerned with security.
Just Surface?
No. This is by no means limited to Microsoft devices. Lenovo, Panasonic, Dynabook, Dell, HP and others are all behind this new approach.
Find out more
Microsoft have published the following information about Secured-core here
One of my earlier posts talked about how enabling Multi-Factor Authentication across your organisation can dramatically reduce your risk of attack, breach or data theft through identity compromise. However, after reading some of the comments and talking to some other IT admins and CSOs, I felt this needed a part 2.
According to Symantec, 91% of all Cyber Attacks start with a spear phishing email
Protecting Corporate Email
It's fair to say that most organisations who use Microsoft Exchange Online for their corporate email use some form of additional security or protection.
Exchange Online Protection
Microsoft provides Exchange Online Protection (EOP) as a standard service with Exchange Online; it is essentially an anti-spam and anti-malware filtering service.
Every mail security company (Symantec, Proofpoint, Mimecast, you name it) will heavily criticise Microsoft for its "lack" of protection against modern and zero-day threats, and to be honest they are quite right, but what many people aren't aware of (and I don't think Microsoft shout about it loudly enough) is that they have some pretty good advanced services you can enable (or buy). Any security officer will tell you that the key to security is defence in depth, and there isn't a single "master of all" platform or vendor out there that can protect an organisation from attack, regardless of what form it comes in.
Having multiple defences (not necessarily multiple vendors) in place helps, because if spam sneaks past the first line it might be stopped by the second.
As you'd expect, there are many third-party products and services available that complement the standard Exchange Online Protection service, including Proofpoint, Symantec, Mimecast, etc., but if your organisation uses Microsoft Exchange Online then, depending on your licensing level, you have some pretty impressive advanced security features which, to be honest, you should be using, especially if you don't use any third-party bolt-ons. This is Office 365 ATP (note that it is not specific to Exchange).
Hello Office 365 ATP
Microsoft Office 365 Advanced Threat Protection (ATP), which is part of Office 365 E5 (or available as an add-on), builds on EOP and provides two key features aimed at protecting users from phishing attacks, malicious attachments and other advanced threat vectors that typically target users by getting them to click something, fill something in or download something. Again according to Symantec, 1 in 4 people will click a link in an email without checking the message headers or checking that it is from who they think it is.
Of course Microsoft claim Office 365 ATP is the best line of defence for their Office 365 customers. As you'd expect, third-party mail hygiene services beg to differ and say that their solutions offer better protection. Either way, you're better protected when EOP is not the only line of defence.
So what does Office 365 ATP include?
Office 365 ATP delivers two key security enhancements for Exchange Online (and Office 365 in general): ATP Safe Attachments and ATP Safe Links, both designed to prevent malicious content reaching user mailboxes and the other key Office 365 services.
ATP Safe Attachments
The concept behind ATP Safe Attachments is fairly simple: it is designed to protect users against emails that contain malicious attachments. It does this by intercepting emails before they reach the user's inbox and detonating each attachment in a sandbox to make sure it is safe. ATP Safe Attachments also stops infections caused by malware being uploaded to SharePoint Online and OneDrive for Business sites, including the SharePoint Online sites used by Microsoft Teams (which is enough for Microsoft to claim ATP support for Teams).
There are a couple of configuration options for how Safe Attachments works, which mainly control how attachments get delivered to users.
The options are relatively self-explanatory. For the avoidance of doubt, I'd strongly recommend using Dynamic Delivery, which means all users receive their email messages immediately without the attachments (they get a placeholder) while those attachments are being scanned by Microsoft to check they are safe.
Safe Attachments doesn't generally take long to process attachments, and in my experience the delay is usually less than 30 seconds (though that can feel like ages if you are waiting for the scan to complete in order to open your attachment, especially if it's a sales PO!).
ATP Safe Links
ATP Safe Links, as the name implies, provides click-time URL protection. It blocks malicious links by analysing them at arrival time and again each and every time the user clicks on the link, which protects against spear phishing attacks that weaponise a link after the email has been delivered.
While links are being checked, users are prevented from reaching the sites. Yes, this can delay recipients getting to information, but given the number of bad sites that exist on the internet (and that more than 91% of phishing attacks originate from email), this is a fair compromise, even if users are sometimes frustrated when they can't immediately reach a site because of a blocked link.
A newish option in the ATP Safe Links policy allows Office 365 administrators to "delay message delivery" until all links in an email message have been scanned. This seems to be off by default but is definitely one I think should be enabled.
What are my other Options?
I'm not going to go into the pros and cons of the other services in this blog; the third-party vendors will do that. But depending on your licensing level, your need or desire to use multiple vendors for security, or a wish to standardise your security products on other key strategic vendors, you may choose to explore them. Which is best is hard to say, but if you have nothing, I'd start with Office 365 ATP as it is most likely included within your licensing plan (and if not, it's easy to set up a trial with your partner).
Microsoft and many third parties provide advanced threat protection services for Exchange Online. At the time of writing, however, Microsoft are the only vendor that extends these services across the other Office 365 services, including SharePoint Online, OneDrive for Business and therefore Teams.
Cyber attacks aren't slowing down, and it's worth noting that many attacks have succeeded without the use of advanced technology.
For even the largest, most security-conscious company, all it takes is one compromised credential or one legacy application to cause a data breach.
This underscores how critical it is to ensure password security and strong authentication across your organisation. Whilst there are many solutions out there that can protect networks, applications and data, there is one simple thing that organisations can do, regardless of size and sector, that has a significant impact on protecting against cyber attacks and breaches through compromised credentials.
Corporate email compromise: where an attacker (often called a bad actor) gains access to a corporate email account, for example through a phishing or spoofing attack (emails that look like they are from IT or a trusted source and get users to hand over their logon credentials), and uses it to exploit the system, steal data or compromise your business. Accounts that are protected with only a user ID and password are easy targets.
Legacy protocols: old email clients and many stock smartphone email clients create a major vulnerability, since applications that use older basic-authentication protocols such as POP3, IMAP4 and SMTP AUTH were not designed to support modern security technologies such as Multi-Factor Authentication (MFA). So even if you require MFA for most use cases, if legacy authentication is still enabled, attackers will look for opportunities to use outdated browsers or email applications to force the use of these less secure protocols and bypass MFA entirely.
Password reuse: this is where attacks such as "password spray" and "credential stuffing" come into play. Common passwords, and credentials compromised in public breaches, are tried against corporate accounts to gain access. It is estimated that more than 70% of passwords are duplicates also used on other public sites, such as shopping or consumer sites. This has been a successful strategy for attackers for years and it's easy to do. Most users re-use passwords because many believe that complex passwords (a mix of letters, numbers and symbols) make passwords and accounts secure, but this can actually have the opposite effect, since complex passwords are harder to remember and therefore more likely to be re-used.
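The difference between a password spray and a brute-force attempt is visible in sign-in telemetry: a spray tries one or two passwords against many accounts from one source, whereas brute force hammers a single account. The following is an added example (not code from the original post and not Microsoft's detection logic) that parses a constructed sample of simplified sign-in records and classifies each source address; the field layout, the addresses and the thresholds are assumptions chosen for illustration.

```python
"""Spot password-spray and brute-force patterns in sign-in events.

Added example, not from the original post. The log lines are constructed
to resemble simplified sign-in records; the field layout, addresses and
thresholds are assumptions for illustration, not a vendor schema.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class SignIn(NamedTuple):
    ts: str
    user: str
    ip: str
    result: str  # "success" or "failure"


# Constructed sample log: "<timestamp> <user> <source-ip> <result>" per line.
SAMPLE_LOG = """\
2019-11-05T08:00:01Z alice@contoso.com 203.0.113.7 failure
2019-11-05T08:00:03Z bob@contoso.com 203.0.113.7 failure
2019-11-05T08:00:05Z carol@contoso.com 203.0.113.7 failure
2019-11-05T08:00:07Z dave@contoso.com 203.0.113.7 failure
2019-11-05T08:00:09Z erin@contoso.com 203.0.113.7 failure
2019-11-05T08:00:11Z frank@contoso.com 203.0.113.7 success
2019-11-05T08:01:00Z bob@contoso.com 198.51.100.9 failure
2019-11-05T08:01:02Z bob@contoso.com 198.51.100.9 failure
2019-11-05T08:01:04Z bob@contoso.com 198.51.100.9 failure
2019-11-05T08:01:06Z bob@contoso.com 198.51.100.9 failure
2019-11-05T08:01:08Z bob@contoso.com 198.51.100.9 failure
2019-11-05T08:02:00Z alice@contoso.com 192.0.2.44 failure
2019-11-05T08:02:20Z alice@contoso.com 192.0.2.44 success
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into SignIn records."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            records.append(SignIn(ts, user, ip, result))
    return records


def classify_sources(records, spray_min_users=5, brute_min_attempts=5):
    """Return {ip: (verdict, [accounts that succeeded from that ip])}.

    password_spray: many distinct accounts, each tried only once or twice
                    (one password against many users).
    brute_force:    one account hammered repeatedly from the same source.
    normal:         anything else (a user mistyping a password, say).
    """
    failures = defaultdict(Counter)  # ip -> Counter(user -> failed attempts)
    successes = defaultdict(set)     # ip -> users who logged in successfully
    for r in records:
        if r.result == "failure":
            failures[r.ip][r.user] += 1
        else:
            successes[r.ip].add(r.user)

    verdicts = {}
    for ip in set(failures) | set(successes):
        per_user = failures.get(ip, Counter())
        if len(per_user) >= spray_min_users and max(per_user.values()) <= 2:
            verdict = "password_spray"
        elif per_user and max(per_user.values()) >= brute_min_attempts:
            verdict = "brute_force"
        else:
            verdict = "normal"
        # A success from a source that was spraying or brute forcing is the
        # account to reset and investigate first.
        suspect = sorted(successes[ip]) if verdict != "normal" else []
        verdicts[ip] = (verdict, suspect)
    return verdicts


def report(text=SAMPLE_LOG):
    """Run the classifier over the sample (or any log in the same format)."""
    return classify_sources(parse_log(text))


if __name__ == "__main__":
    for ip, (verdict, suspect) in sorted(report().items()):
        print(f"{ip:15} {verdict:15} {', '.join(suspect) or '-'}")
```

On the sample, 203.0.113.7 is flagged as a spray with frank's account as the one that let the attacker in, 198.51.100.9 as brute force against bob, and 192.0.2.44 as a normal typo-then-success. Grouping by source IP alone will miss a spray spread across many addresses; in practice you would also group by user agent or by the timing of failures across the whole tenant.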
What you can do to protect your company
There are loads of simple steps that can and should be undertaken to provide some basic account and security hygiene.
Administrators can quickly help prevent many of these attacks by banning the use of bad passwords (Azure AD can do this natively with Azure AD Password Protection), blocking legacy authentication, and through basic awareness training for staff on how to spot common phishing attacks.
Whilst all of this will help, by far the most effective step you can take as a business is to turn on and require Multi-Factor Authentication (MFA). This extra layer of account protection creates a very effective barrier that makes it incredibly difficult for attackers to log on with stolen or compromised credentials, even if a user hands them over as a result of a successful phishing attack.
Simply put, MFA can block over 99.9% of account compromise attacks. With MFA, knowing or cracking the password isn't enough to gain access, since the user will be challenged to enter a code, respond to a text sent to their phone or approve the logon via an app on a device in their possession. To learn more, read Your Pa$$word doesn't matter.
MFA is easy to enable and use
According to the SANS Software Security Institute, there are two primary obstacles to adopting MFA today:
Misconception that MFA requires external hardware devices.
Concern about potential user disruption or concern over what may break.
When we have these kinds of conversations with customers, the second point is usually the most common: "the owner won't like it" or "what if it stops person X from logging on and they can't talk to IT?"
No banking app allows customers to access their services these days without some form of MFA, and we all simply accept this (as we have to), so why should accessing your company's data be any different?
Depending on your organisation's choice of MFA technology and the level of licensing in place, MFA can be used in conjunction with risk-based Conditional Access, a feature of Azure Active Directory Premium.
Risk-based Conditional Access is essentially adaptive authentication: it looks at a number of different risk factors to determine whether and how to allow a user to access resources. In the MFA example, Conditional Access can be configured so that MFA is not required when a user is on a corporate (compliant) device in the office, but is enforced whenever users are remote or on a non-corporate or unencrypted device.
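To make the "MFA unless you are on a corporate device in the office" rule concrete, and to show why blocking legacy authentication has to sit alongside it, the following is an added example that models how Conditional Access combines conditions and grant controls. It is not Microsoft's engine and not code from the original post: the policies are written in the shape of the Microsoft Graph conditionalAccessPolicy object (conditions plus grantControls), while the sign-in context dictionary, the "break-glass" exclusion group and the flags used for trusted locations and device compliance are assumptions made here for illustration.

```python
"""A small model of how Conditional Access decides what a sign-in needs.

Added example: not Microsoft's engine and not code from the post. Policies
follow the shape of the Graph conditionalAccessPolicy object; the sign-in
context dict, the "break-glass" group and the trusted-location/compliance
flags are assumptions for illustration.
"""

ALL_USERS = {"includeUsers": ["All"], "excludeGroups": ["break-glass"]}
ALL_APPS = {"includeApplications": ["All"]}
MODERN = ["browser", "mobileAppsAndDesktopClients"]

POLICIES = [
    {   # Legacy protocols cannot perform MFA, so they are blocked outright.
        "displayName": "Block legacy authentication", "state": "enabled",
        "conditions": {"users": ALL_USERS, "applications": ALL_APPS,
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Remote users always get an MFA prompt.
        "displayName": "Require MFA outside trusted locations", "state": "enabled",
        "conditions": {"users": ALL_USERS, "applications": ALL_APPS,
                       "clientAppTypes": MODERN,
                       "locations": {"includeLocations": ["All"],
                                     "excludeLocations": ["AllTrusted"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # In the office a compliant corporate device is enough; BYOD needs MFA.
        "displayName": "Compliant device or MFA inside trusted locations",
        "state": "enabled",
        "conditions": {"users": ALL_USERS, "applications": ALL_APPS,
                       "clientAppTypes": MODERN,
                       "locations": {"includeLocations": ["AllTrusted"]}},
        "grantControls": {"operator": "OR",
                          "builtInControls": ["compliantDevice", "mfa"]},
    },
]


def signin(user, client_app_type, trusted_location, device_compliant,
           mfa_performed=False, groups=()):
    """Build the sign-in context the evaluator consumes (assumed shape)."""
    return {"user": user, "groups": set(groups), "client_app_type": client_app_type,
            "trusted_location": trusted_location,
            "device_compliant": device_compliant, "mfa_performed": mfa_performed}


def policy_applies(policy, ctx):
    """All configured conditions must match for a policy to be in scope."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    users = cond["users"]
    if "All" not in users["includeUsers"] and ctx["user"] not in users["includeUsers"]:
        return False
    if set(users.get("excludeGroups", [])) & ctx["groups"]:
        return False  # excluded accounts bypass the policy entirely
    apps = cond.get("clientAppTypes")
    if apps and ctx["client_app_type"] not in apps:
        return False
    loc = cond.get("locations", {})
    if "AllTrusted" in loc.get("includeLocations", ["All"]) and not ctx["trusted_location"]:
        return False
    if "AllTrusted" in loc.get("excludeLocations", []) and ctx["trusted_location"]:
        return False
    return True


def control_satisfied(control, ctx):
    return {"mfa": ctx["mfa_performed"],
            "compliantDevice": ctx["device_compliant"]}.get(control, False)


def evaluate_signin(ctx, policies=POLICIES):
    """Return ("allow" | "mfa_required" | "block", [unsatisfied policy names])."""
    outcome, unsatisfied = "allow", []
    for p in policies:
        if not policy_applies(p, ctx):
            continue
        grant = p["grantControls"]
        controls = grant["builtInControls"]
        if "block" in controls:
            return "block", [p["displayName"]]  # block always wins
        met = [control_satisfied(c, ctx) for c in controls]
        ok = any(met) if grant["operator"] == "OR" else all(met)
        if ok:
            continue
        unsatisfied.append(p["displayName"])
        # Prompting for MFA helps only if MFA alone would satisfy the policy.
        others_ok = all(control_satisfied(c, ctx) for c in controls if c != "mfa")
        if "mfa" in controls and (grant["operator"] == "OR" or others_ok):
            outcome = "mfa_required" if outcome == "allow" else outcome
        else:
            outcome = "block"
    return outcome, unsatisfied
```

Running `evaluate_signin(signin("alice@contoso.com", "browser", trusted_location=True, device_compliant=True))` returns allow with no prompt, the same user from home on the same device gets `mfa_required`, and any IMAP or POP client (`client_app_type="other"`) is blocked regardless of location. Note what the exclusion does: a member of the assumed break-glass group using a legacy client is allowed through, which is why such accounts need their own monitoring.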
Need some help – the organisation I work for @cisilion can help – get in touch via twitter or visit our website. For more click here:
Note: Aspects of this information are taken from a blog by Melanie Maynes | Senior Product Marketing Manager | Microsoft Security
The move from traditional on-premises IT solutions to cloud services has seen a dramatic change in the way that systems are managed and controlled. The access to services from any location and using any device means that a lot of the traditional management methods are not feasible.
Identity (not the firewall) is the modern control plane. Your user identity (and how it is protected) is typically the key to your applications, devices and data within the modern workplace, so keeping it safe should be paramount.
The UK National Cyber Security Centre (NCSC), like any reputable security company or agency, will advise you not to use the same password in multiple places, to make it strong, and not to use something simple like Password123 or Companyname2019.
What is Azure AD Password Protection?
As long as your organisation uses Microsoft Azure AD (which it will if you use Office 365) and has Azure AD Premium P1 or P2, Microsoft provides a nifty service called Azure AD Password Protection (not to be confused with Azure AD Identity Protection, the separate risk-detection service) that goes a long way towards helping organisations ensure that their users follow industry (and your) security guidance and aren't using common passwords or passwords known to have appeared in recent data breaches.
In addition to the automatic protection provided by Microsoft's global banned password list, which is built from its threat intelligence, Azure AD Password Protection also allows you to specify up to 1,000 custom banned passwords. I'd strongly recommend adding (or using) the top 1,000 common passwords, which is available on GitHub, as a starter and then adding your own organisation's name and any common terms used in your company or industry to the list.
If you haven't used the service before, you can run it in audit mode to review the number of hits against the new policy before enforcing it. Once enforced, whenever a user tries to set or reset their password, the new password is scored on whether it contains known common passwords, custom banned terms or passwords known from breaches.
How are passwords evaluated?
Whenever a user changes or resets their password, the new password is checked for strength by validating it against both the global banned password list and the custom banned password list (if the latter is configured).
Even if a user's password contains a banned term, the password may still be accepted if the rest of the password makes it strong enough overall. A newly configured password is scored to assess its overall strength, and that score determines whether it is accepted or rejected.
A password change or reset attempt that scores too low is rejected, and the user receives an error message similar to the one below:
“Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.”
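The scoring described above can be reproduced in a few lines, which is also a handy way to test a custom banned list offline before turning enforcement on. The following is an added example, not Microsoft's implementation and not code from the original post: it normalises the candidate (lower-case, then the common substitutions 0→o, 1→l, $→s, @→a), splits it into banned terms and leftover characters, and awards one point per banned term and one per leftover character, accepting at five points or more. The substitution table and point rules follow the publicly documented behaviour as I understand it; the two banned lists are constructed for the example, and the edit-distance-1 fuzzy matching the real service also performs is left out.

```python
"""Score a candidate password the way the banned-password check does:
normalise, find banned terms, count points, accept at 5 or more.

Added example, not Microsoft's implementation. The substitution table and
point rules follow the documented behaviour as I understand it; the banned
lists are constructed stand-ins and fuzzy (edit distance 1) matching is
omitted.
"""

# Step 1: normalisation - lower case, then common "leetspeak" substitutions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed stand-ins for the global list and a tenant's custom list.
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome", "blank"}
CUSTOM_BANNED = {"contoso", "fabrikam"}
DEFAULT_BANNED = GLOBAL_BANNED | CUSTOM_BANNED

MIN_POINTS = 5


def normalize(password):
    return password.lower().translate(SUBSTITUTIONS)


def tokenize(normalized, banned):
    """Split into banned terms and leftover characters, longest term first.

    Every banned term is worth one point regardless of its length, which is
    what makes "Contoso!23" weak: the company name contributes a single point.
    """
    terms = sorted(banned, key=len, reverse=True)
    matched, leftover, i = [], [], 0
    while i < len(normalized):
        hit = next((t for t in terms if normalized.startswith(t, i)), None)
        if hit:
            matched.append(hit)
            i += len(hit)
        else:
            leftover.append(normalized[i])
            i += 1
    return matched, leftover


def score(password, banned=DEFAULT_BANNED):
    """Points = banned terms found + characters not covered by a banned term."""
    matched, leftover = tokenize(normalize(password), banned)
    return len(matched) + len(leftover)


def evaluate(password, banned=DEFAULT_BANNED):
    """Return (accepted, points, matched_terms), the data an audit report needs."""
    matched, leftover = tokenize(normalize(password), banned)
    points = len(matched) + len(leftover)
    return points >= MIN_POINTS, points, matched


def audit(candidates, banned=DEFAULT_BANNED):
    """Audit mode: report what would be rejected without enforcing anything."""
    return {pw: evaluate(pw, banned) for pw in candidates}


if __name__ == "__main__":
    for pw, (ok, pts, terms) in audit(
            ["C0ntos0Blank12", "ContoS0Bl@nkf9!", "P@ssw0rd", "Contoso!23"]).items():
        print(f"{pw:18} {'accept' if ok else 'reject':7} {pts} pts  banned={terms}")
```

"C0ntos0Blank12" normalises to contosoblankl2 and scores contoso + blank + l + 2 = 4, so it is rejected; "ContoS0Bl@nkf9!" scores contoso + blank + f + 9 + ! = 5 and is accepted. Feeding a list of passwords you expect staff to pick (company name plus year, product names) through `audit()` before enforcement shows which custom terms actually change the outcome.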
Reviewing the effectiveness
As well as users being informed (and prevented from) setting a password that is banned, admins can also see this activity in the security logs.
Read more from Microsoft
Microsoft provides a lot more detail and examples on how this works here:
Microsoft has started warning users of older versions of Windows desktop and Server to urgently apply a Windows update released today, to protect against a potential widespread attack similar to the infamous WannaCry attack.
“Windows 7 users are still vast.. Make sure you are patched..”
Microsoft have once again issued patches to close a critical remote code execution vulnerability in Remote Desktop Services that exists in Windows XP, Windows 7 and server versions including Windows Server 2003, Windows Server 2008 R2 and Windows Server 2008.
Microsoft seem to be continually "doing the right thing" by still releasing critical patches for Windows XP and Windows Server 2003, even though both operating systems have been out of support for some time.
Anyone still running Windows XP (yes, I know) will need to manually download the update from Microsoft's website, as it will not arrive through Windows Update.
As you know, Windows 7 reaches end of extended support in just seven months. Windows 10 offers some 30 significant advances in security and OS hardening compared to its older siblings, and whilst many organisations are rapidly migrating to Windows 10, many still have not.
Microsoft did announce yesterday extended security updates for Windows 7 for a further 12 months for Windows 10 E5 subscribers, as a benefit of their commitment to move to Windows 10.
Two new cloud-based technologies, Microsoft Azure Sentinel and Microsoft Threat Experts, have recently been unveiled in efforts to reduce the “…noise, false alarms, time consuming tasks and complexity…” to empower security operations teams. Check out the articles below to find out more information.
Yesterday, after months of preview testing, Microsoft announced the general availability (GA) of their Azure Information Protection (AIP) unified labeling client.
Sorry, remind me: what is AIP?
Azure Information Protection (AIP) is a Microsoft 365 cloud-based solution that helps organisations protect their data and information through the classification, labeling and (optionally) encryption of documents and email. AIP applies to a vast range of document types as well as email. Labels can be applied automatically by administrators or SecOps who define rules and conditions, manually by your users, or a combination where users are given recommendations as to which labels to apply.
So what has changed in this update?
If you've been using labelling in Office 365 for things like DLP in the past, you'll know that this labelling has always been different from the labelling and classification service which is part of Azure Information Protection, causing some pain and potential conflict between the different data and information labels across the two services.
This GA release brings these together in a completely integrated and unified labeling platform, eliminating the need to manage labels in both the Azure portal and the Office 365 Security & Compliance Center.
The AIP unified labeling client gets its configuration (labels and policies) from the Office 365 Security & Compliance Center, like all other Microsoft Information Protection workloads, including the built-in labeling in the Office applications for Mac, iOS and Android.
Microsoft say that this release contains substantial new features compared with the original AIP client, including manual and automatic labeling and new features supported only with unified labeling, such as custom sensitive information types, dictionaries and complex conditions (AND/OR), which dramatically improve automation and reduce false-positive rates.
Moving forward….
Microsoft's advice is that any organisation just starting its deployment of AIP should start with the new unified labeling client and the Office 365 Security & Compliance Center to "enjoy" the unified client and admin experience.
From here on, new features will only be made available in the AIP unified labeling client.
But there is a but. Since the new unified client does not yet have full feature parity with the old AIP client, organisations that require any of the features not yet supported in the unified labeling client, for example "user-defined permissions", should start with the classic AIP client and upgrade to the unified labeling client once the required features are released.
Microsoft does support mixed deployments in the same tenant, which means you can run the classic AIP client and scanner and the AIP unified labeling client on different devices at the same time. Additionally, Microsoft promises that the AIP unified labeling client supports a seamless upgrade from the old AIP client.