Microsoft Security Saturday – 12/19/2020

A moment of reckoning: the need for a strong and global cybersecurity response
The final weeks of a challenging year have proven even more difficult with the recent exposure of the world’s latest serious nation-state cyberattack. This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous. As much as anything, this attack provides a moment of reckoning.

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. While investigations are underway, we want to provide the defender community with intelligence to understand the scope, impact, remediation guidance, and product detections and protections we have built in as a result.

New Threat analytics report shares the latest intelligence on recent nation-state cyber attacks
Microsoft 365 Defender can help you track and respond to emerging threats with threat analytics. Our Threat Intelligence team has published a new Threat analytics report, shortly following the discovery of this new cyber attack. This report is being constantly updated as the investigations and analysis unfold.

Protecting Microsoft 365 from on-premises attacks
This document will show you how to configure your systems to protect your Microsoft 365 cloud environment from on-premises compromise. We primarily focus on Azure AD tenant configuration settings, the ways Azure AD tenants can be safely connected to on-premises systems, and the tradeoffs required to operate your systems in ways that protect your cloud systems from on-premises compromise.
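One of the checks that guidance drives at is whether any account holding a privileged Azure AD role is mastered in on-premises AD, since an attacker who owns the domain (or the AD FS/Azure AD Connect servers) can then pivot into those cloud roles. The script below is an added example, not code from the linked Microsoft document: it uses the AzureAD PowerShell module (assumed installed and already connected with Connect-AzureAD) to enumerate members of a chosen set of privileged roles and report the ones synchronized from on-premises. The role list is an assumption you should adjust to your tenant; note that the AzureAD module reports the Global Administrator role under its legacy name "Company Administrator".

```powershell
# Added example (not from the linked Microsoft document): report privileged
# Azure AD role members that are synchronized from on-premises AD.
# Assumes the AzureAD module and an authenticated session (Connect-AzureAD)
# with permission to read directory roles and users.

# Display names of the roles to check (assumption; tune for your tenant).
# "Company Administrator" is how the AzureAD module names Global Administrator.
$privilegedRoles = @(
    'Company Administrator',
    'Global Administrator',
    'Privileged Role Administrator',
    'Security Administrator',
    'Exchange Administrator',
    'SharePoint Administrator',
    'Conditional Access Administrator',
    'Application Administrator',
    'Cloud Application Administrator'
)

# Get-AzureADDirectoryRole returns only roles that have been activated in the tenant.
$activeRoles = Get-AzureADDirectoryRole |
    Where-Object { $privilegedRoles -contains $_.DisplayName }

$findings = foreach ($role in $activeRoles) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        # Groups and service principals in roles deserve their own review; this
        # check covers user accounts only.
        if ($member.ObjectType -ne 'User') { continue }

        $user = Get-AzureADUser -ObjectId $member.ObjectId
        # DirSyncEnabled is $true for accounts mastered on-premises; cloud-only
        # accounts return $null (or $false).
        if ($user.DirSyncEnabled -eq $true) {
            [pscustomobject]@{
                Role              = $role.DisplayName
                UserPrincipalName = $user.UserPrincipalName
                LastDirSyncTime   = $user.LastDirSyncTime
            }
        }
    }
}

if ($findings) {
    Write-Warning "Privileged roles held by on-premises-synced accounts:"
    $findings | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Host "No on-premises-synced user accounts hold the checked privileged roles."
}
```

Any account the script lists is a candidate to be replaced by a cloud-only, MFA-protected account, with the on-premises identity removed from the role; run it again after the change, and keep your break-glass accounts cloud-only as well.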

SolarWinds Post-Compromise Hunting with Azure Sentinel
Azure Sentinel makes it easy to collect data from multiple data sources across on-premises and cloud environments and to correlate that data in one place. This blog post contains guidance and generic approaches to hunt for attacker activity (TTPs) in data that is available by default in Azure Sentinel or can be onboarded to Azure Sentinel.

Important steps for customers to protect themselves from recent nation-state cyberattacks
Today, Microsoft is sharing information and issuing guidance about increased activities from a sophisticated threat actor that is focused on high value targets such as government agencies and cybersecurity companies. We believe this is nation-state activity at significant scale, aimed at both the government and private sector. While we aren’t sharing any details specific to individual organizations, it is important for us to share greater detail about some of the threat activity we’ve uncovered over the past weeks, along with guidance that security industry practitioners can use to find and mitigate potential malicious activity.

Becoming resilient by understanding cybersecurity risks: Part 2
In part two of this series, we further explore the imperative of thinking and acting holistically as a single organization working together toward a common goal. Building true resilience begins with framing the problem at hand accurately and continuously (re)prioritizing efforts to keep pace with evolving threats.

Terranova Security Gone Phishing Tournament reveals continued weak spot in cybersecurity
Terranova Security’s Gone Phishing Tournament is a free, annual cybersecurity event that takes place in October to coincide with National Cybersecurity Awareness Month. The Tournament tests real-world responses using a phishing email modeled on actual threats provided by Attack Simulation Training in Microsoft Defender for Office 365 (Office 365 Advanced Threat Protection).

Azure Active Directory audit logs now available in Advanced Hunting (public preview)
We are happy to announce the availability of a new data source in Microsoft 365 Defender Advanced Hunting. We have just enabled streaming of Azure Active Directory audit logs into Advanced Hunting, already available for all customers in public preview.

99.99% uptime for Azure Active Directory
Today, I’m pleased to announce that we are taking the next step in our commitment to the resilience and availability of Azure AD. On April 1, 2021, we will update our public service level agreement (SLA) to promise 99.99% uptime for Azure AD user authentication, an improvement over our previous 99.9% SLA.

Enhanced AI for account compromise prevention
We have just released a redesign of the real-time machine learning compromise prevention system for Azure AD. The improved system still uses supervised machine learning, but it expands the features and the process used to train the model, which significantly improves the accuracy of Azure AD real-time risk assessment.

A breakthrough year for passwordless technology
In November 2019 at Microsoft Ignite, we shared that more than 100 million people were already using Microsoft’s passwordless sign-in each month. In May of 2020, just in time for World Password Day, that number had already grown to more than 150 million people, and the use of biometrics to access work accounts is now almost double what it was then. We’ve drawn strength from our customers’ determination this year and are set to make passwordless access a reality for all our customers in 2021.

Securely manage and autofill passwords across all your mobile devices with Microsoft Authenticator
Today we are announcing the public preview of password management and autofill capability in the Microsoft Authenticator app. For any sites or apps you visit on your mobile device, Authenticator will help you autofill strong passwords without having to remember them. These passwords can be synced across mobile and desktop, so you can seamlessly autofill passwords as you move across devices.

Announcing new Microsoft Information Protection capabilities to know and protect your sensitive data
Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution to protect sensitive data in documents and emails across your organization. MIP provides a unified set of capabilities to know and protect your data and prevent data loss across Microsoft 365 apps (e.g., Word, PowerPoint, Excel, Outlook), services (e.g., Microsoft Teams, SharePoint, Exchange, Power BI), on-premises locations (e.g., SharePoint Server, on-premises file shares), devices, and third-party apps and services (e.g., Box and Dropbox).

Customer Key support for Microsoft Teams now in Public Preview!
Microsoft Teams helps keep data safe by encrypting it at rest in Microsoft data centers: volume-level encryption is provided by BitLocker, and service encryption ensures that content at rest is also encrypted at the application layer. Customer Key builds on service encryption, adding a further layer of application-level encryption for data at rest whose root keys you, as the organization, control.

MCAS: How to protect AWS Admins and Developers
In this blog, I am going to tell you about a new deployment guide that will help you apply several advanced security controls for access to AWS environments using Microsoft Security solutions. This is one of the simplest implementations that can solve a myriad of problems when provisioning identities and governing access to systems that may be business critical and hold very sensitive information.

Microsoft Cloud App Security (MCAS) Activity Log in Azure Sentinel
The Microsoft Cloud App Security (MCAS) connector lets you stream alerts and Cloud Discovery logs from MCAS into Azure Sentinel. This gives you visibility into your cloud apps, sophisticated analytics to identify and combat cyberthreats, and control over how your data travels. For details on enabling and configuring the out-of-the-box MCAS connector, see Connect data from Microsoft Cloud App Security.

Investigate Azure Security Center alerts using Azure Sentinel
Azure Security Center performs continuous assessment of your cloud workloads and provides recommendations concerning the security of the environment. Azure Security Center covers these scenarios by offering Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) capabilities (read this article for more details).

Data Connector Health – Push Notification Alerts
This enhanced solution builds on the existing “Connector Health Workbook” described in this video. The Logic App runs the workbook’s underlying KQL queries and lets you configure push notifications to e-mail and/or a Microsoft Teams channel, triggered by user-defined anomaly scores or by the time elapsed since the last heartbeat from virtual machines connected to the workspace.
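The "time since last heartbeat" half of that logic is small enough to show end to end. The script below is an added example, not the workbook or Logic App from the linked post: it runs a KQL query against the workspace's Heartbeat table through the Az.OperationalInsights module, keeps the agents that have been silent longer than a threshold, and posts a summary to a Teams channel through an incoming webhook. The workspace ID, webhook URL and threshold are placeholders you supply; the script assumes Az.Accounts and Az.OperationalInsights are installed and a session is already established with Connect-AzAccount.

```powershell
# Added example (not the workbook or Logic App from the linked post): alert on
# Log Analytics agents that have stopped sending heartbeats.
# Assumes Az.Accounts and Az.OperationalInsights, an authenticated session
# (Connect-AzAccount), and placeholder values replaced with your own.
param(
    [string]$WorkspaceId     = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$TeamsWebhookUrl = 'https://example.webhook.office.com/webhookb2/REPLACE-ME',  # placeholder
    [int]$StaleAfterMinutes  = 60
)

# KQL: last heartbeat per computer over the query window, keep the ones silent
# longer than the threshold. A host that never heartbeated in the window is
# absent from the Heartbeat table and is therefore not caught here; compare
# against your inventory separately if that matters to you.
$kql = @"
Heartbeat
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| extend MinutesSilent = datetime_diff('minute', now(), LastHeartbeat)
| where MinutesSilent > $StaleAfterMinutes
| project Computer, LastHeartbeat, MinutesSilent
| order by MinutesSilent desc
"@

# Look back seven days so machines that went quiet days ago are still reported.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql -Timespan (New-TimeSpan -Days 7)
$stale  = @($result.Results)

if ($stale.Count -eq 0) {
    Write-Host "All agents reported within the last $StaleAfterMinutes minutes."
    return
}

# Plain-text Teams message, one line per silent computer.
$lines = $stale | ForEach-Object {
    "- $($_.Computer): last heartbeat $($_.LastHeartbeat) ($($_.MinutesSilent) min ago)"
}
$summary = "Sentinel data connector health: $($stale.Count) agent(s) silent for more than $StaleAfterMinutes minutes"
$body = @{ text = "$summary`n`n$($lines -join "`n")" } | ConvertTo-Json

Invoke-RestMethod -Method Post -Uri $TeamsWebhookUrl -ContentType 'application/json' -Body $body
Write-Host "Posted $($stale.Count) stale agent(s) to Teams."
```

Scheduled from Azure Automation or a cron job it gives the same push behaviour as the Logic App; the threshold is deliberately a parameter, because a heartbeat gap that is normal for a lab box is an incident-worthy signal for a domain controller forwarding security events.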

Guest Access in Yammer using Azure AD B2B is now in preview!
External Collaboration is a key ingredient for the success of any organization. At Microsoft, we recognize the need to seamlessly connect and engage with key stakeholders and partners outside of your company and today, we are excited to announce the preview of Azure AD business-to-business (B2B) guest support in Yammer.

Security baseline (FINAL) for Windows 10 and Windows Server, version 20H2
We are pleased to announce the final release of the security baseline package for Windows 10 and Windows Server, version 20H2 (a.k.a. October 2020 Update)!