Microsoft Security Saturday – 04/16/2022

Next Evolution of the Microsoft Sentinel Zero Trust (TIC 3.0) Solution
Do you need help with design, implementation, and monitoring of Zero Trust (TIC 3.0) workloads? Are you looking for technical solutions for visibility and automation of cloud, multi-cloud, hybrid, and on-premises workloads? Do you need to implement solutions for Cybersecurity Executive Order requirements? This powerful tool can help organizations assess, monitor, and enhance their security posture relative to Zero Trust practices.

New certification for Security Architects
We are looking for Microsoft cybersecurity architects to take our new beta exam. Microsoft cybersecurity architects have subject matter expertise in designing and evolving the cybersecurity strategy to protect an organization’s mission and business processes across all aspects of the enterprise architecture. They design a Zero Trust strategy and architecture, including security strategies for data, applications, access management, identity, and infrastructure. They also evaluate Governance, Risk, and Compliance (GRC) technical strategies and security operations strategies.

Defender for Endpoint and Defender for Cloud – which dashboard should you use?
Microsoft Defender for Servers is a plan that is part of Microsoft Defender for Cloud. When you enable Microsoft Defender for Servers, you get a range of functionality designed to protect your servers, including file integrity monitoring, adaptive application control, and just-in-time access, among others.

Disrupting cyberattacks targeting Ukraine
We recently observed attacks targeting Ukrainian entities from Strontium, a Russian GRU-connected actor we have tracked for years. This week, we were able to disrupt some of Strontium’s attacks on targets in Ukraine. On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks. We have since redirected these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications.

Learn the latest cybersecurity techniques at the May 12 digital Microsoft Security Summit
Many organizations try to increase their defenses by piecing together a patchwork of security solutions over time. Not only is this piecemeal approach costly and difficult to manage, but it also leaves many security administrators wondering, “Did I miss something?”

Business glossary integrated in Azure Purview data catalog search
In the Azure Purview data catalog, the business glossary provides definitions, synonyms, and acronyms for terms used throughout an organization. Glossary terms can be tagged to assets and assist end users in understanding how and why the data is used. We are proud to announce that glossary terms are now integrated into the data catalog search experience.

Identify organizational use/misuse of sensitive information using Microsoft 365 and Sentinel
We are pleased to share a new, insightful way of pivoting risky behavior with organizational and geographical context. This means you can start building risk profiles for your organization that can be used both for alerting and for graphical presentation as part of risk assessments of sensitive information use. You understand your organization’s habits best, so please treat this as a sample and expand it based on your requirements.

Tarrask malware uses scheduled tasks for defense evasion
As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART), in collaboration with the Microsoft Threat Intelligence Center (MSTIC), identified a multi-stage attack targeting the Zoho ManageEngine REST API authentication bypass vulnerability to initially implant a Godzilla web shell with properties similar to those detailed by the Unit42 team in a previous blog.

Azure AD RBAC: Dynamic administrative units now in public preview for users & devices
With dynamic administrative units, you no longer have to manually manage membership of your administrative units (or write your own automation to manage it for you). Instead, Azure AD allows you to specify a query based on user or device attributes, and then maintains the membership for you.

Introducing differentiated protection for priority accounts in Microsoft Defender for Office 365
Today we’re thrilled to announce general availability of differentiated protection for priority accounts. In every organization, there are people who are critical, like executives, leaders, managers, or other users who have access to sensitive, proprietary, or high-priority information. We previously announced the ability to tag these users within Microsoft Defender for Office 365 as priority accounts, allowing security teams to prioritize their focus on these critical individuals. With this release, users tagged as priority accounts will receive a higher level of protection against threats.

Notorious cybercrime gang’s botnet disrupted
Today, we’re announcing that Microsoft’s Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a criminal botnet called ZLoader. ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.

Generally available: Enhanced network security features for App Service Basic SKU
App Service now supports VNet integration (outbound) and private endpoints (inbound) all the way down to the Basic SKU. The App Service VNet integration feature enables your apps to access resources in or through a virtual network but doesn’t grant inbound private access to your apps. For inbound access, you need private endpoints, which allow clients located in your private network to securely access your apps over Private Link, eliminating exposure to the public internet.

A clearer lens on Zero Trust security strategy: Part 1
We start off with some observations and insights on how people are seeing Zero Trust, then highlight some great work at the National Institute of Standards and Technology (NIST) to make Zero Trust real using products available today, and then highlight work being done at The Open Group to standardize Zero Trust (including an origin story of The Jericho Forum from Steve Whitlock).

Deprecating the legacy SIEM API – Postponed
We previously announced the SIEM REST API would be deprecated on 4/1/2022. We’ve listened to customer feedback and the API deprecation has been postponed for now; more details are expected in Q3 2022. We look forward to sharing exciting details about the Microsoft 365 Defender APIs in Microsoft Graph in Q3 2022.

SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965
Recently, several remote code execution (RCE) vulnerabilities in the Spring Framework for Java were publicly disclosed. Microsoft is currently assessing the impact associated with these vulnerabilities. This blog is for customers who are looking for protections against exploitation of the critical vulnerability CVE-2022-22965 (referred to in the security community as SpringShell or Spring4Shell) and for ways to detect vulnerable installations on their network.

New security features for Windows 11 will help protect hybrid work
In 2021, protections built into Windows, Azure, Microsoft 365, and Microsoft Defender for Office 365 blocked more than 9.6 billion malware threats, more than 35.7 billion phishing and other malicious emails, and 25.6 billion attempts to hijack our enterprise customers by brute-forcing stolen passwords—that’s more than 800 password attacks per second.

Holistic compromised identity signals from Microsoft
Hey there! We are delighted to announce the general availability of four new detections in Azure Active Directory (Azure AD) Identity Protection, further expanding our identity threat detection surface area in cloud applications and at endpoints to enhance our comprehensive identity risk signal.

Automate Secret Rotation in Key Vault
While accessing secrets from Key Vault is one side of it, managing their life cycle is even more important. Every secret stored in Key Vault should ideally have a defined expiry, and that expiry should be neither too near nor too far, to keep the system secure while reducing management overhead. Ideally, the expiry is between 1 and 2 years.
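The expiry policy described above can be turned into a routine audit that a rotation job runs before it decides what to rotate. The block below is an added example, not code from the original post or from the linked article; it works on plain dictionaries in the shape of Key Vault secret properties (name, enabled, created_on, expires_on) over constructed sample data, so it runs offline. The 1–2 year lifetime window comes from the post; the 30-day "rotate soon" threshold and the sample secrets are assumptions made for the example.

```python
"""Audit Key Vault secret expiry against a rotation policy.

Added example, not code from the original post. Secrets are plain dicts
mirroring Key Vault secret properties so the audit runs offline.
"""
from datetime import datetime, timedelta, timezone

# Policy from the post: a secret's lifetime should be between 1 and 2 years.
MIN_LIFETIME = timedelta(days=365)
MAX_LIFETIME = timedelta(days=730)
# Assumed for this example: flag secrets with fewer than 30 days remaining.
ROTATE_WITHIN = timedelta(days=30)


def _utc(year, month, day):
    """Build a timezone-aware UTC datetime (Key Vault timestamps are UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed "now" for a deterministic run: the date of this roundup.
NOW = _utc(2022, 4, 16)

# Constructed sample data; names and dates are invented for the example.
SAMPLE_SECRETS = [
    {"name": "db-password", "enabled": True,
     "created_on": _utc(2021, 4, 30), "expires_on": _utc(2022, 4, 30)},
    {"name": "api-key", "enabled": True,
     "created_on": _utc(2022, 1, 1), "expires_on": None},
    {"name": "legacy-token", "enabled": True,
     "created_on": _utc(2020, 12, 1), "expires_on": _utc(2022, 1, 1)},
    {"name": "cert-pfx", "enabled": True,
     "created_on": _utc(2022, 3, 1), "expires_on": _utc(2027, 1, 1)},
    {"name": "build-secret", "enabled": True,
     "created_on": _utc(2022, 4, 1), "expires_on": _utc(2022, 7, 1)},
    {"name": "storage-key", "enabled": True,
     "created_on": _utc(2022, 2, 1), "expires_on": _utc(2023, 6, 1)},
    {"name": "disabled-secret", "enabled": False,
     "created_on": _utc(2021, 1, 1), "expires_on": None},
]


def audit_secret(secret, now):
    """Return the list of policy issues for one secret (empty if healthy).

    Issues: "no-expiry", "lifetime-too-short", "lifetime-too-long",
    "expired", "rotate-soon". A secret may carry more than one.
    """
    if not secret.get("enabled", True):
        return []  # disabled secrets cannot be retrieved; nothing to rotate
    expires = secret.get("expires_on")
    if expires is None:
        return ["no-expiry"]  # the core finding from the post

    issues = []
    # Check the lifetime the secret was created with against the 1-2 year window.
    lifetime = expires - secret["created_on"]
    if lifetime < MIN_LIFETIME:
        issues.append("lifetime-too-short")
    elif lifetime > MAX_LIFETIME:
        issues.append("lifetime-too-long")

    # Check how much of that lifetime is left as of "now".
    remaining = expires - now
    if remaining <= timedelta(0):
        issues.append("expired")
    elif remaining <= ROTATE_WITHIN:
        issues.append("rotate-soon")
    return issues


def audit_vault(secrets, now):
    """Flatten per-secret findings into (name, issue) pairs in input order."""
    return [(s["name"], issue) for s in secrets for issue in audit_secret(s, now)]


def proposed_expiry(now):
    """Expiry to stamp on a freshly rotated secret: now plus the minimum lifetime."""
    return now + MIN_LIFETIME


if __name__ == "__main__":
    for name, issue in audit_vault(SAMPLE_SECRETS, NOW):
        print(f"{name}: {issue}")
    print("rotated secrets should expire on", proposed_expiry(NOW).date())
```

Against a real vault the same functions can consume the objects returned by `SecretClient.list_properties_of_secrets()` from the `azure-keyvault-secrets` package, whose properties carry the same `name`, `enabled`, `created_on` and `expires_on` attributes; a rotation job would then act on the "no-expiry", "expired" and "rotate-soon" findings and set the new version's expiry with `proposed_expiry`.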

Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations
For the fourth consecutive year, Microsoft 365 Defender demonstrated its industry-leading protection in MITRE Engenuity’s independent ATT&CK® Enterprise Evaluations, showcasing the value of an integrated XDR-based defense that unifies device and identity protection with a Zero Trust approach.

Forrester names Microsoft a Leader in 2022 Enterprise Detection and Response Wave™ report
We are excited to share that Microsoft has been named a Leader in The Forrester Wave: Enterprise Detection and Response, Q1 2022. Microsoft received one of the highest scores in the strategy category and in the strength of current offering category. In the Forrester Wave assessment, Microsoft Defender for Endpoint received the highest score possible in 15 separate criteria, including endpoint telemetry, investigation capabilities, threat hunting capabilities, user experience, product vision, and innovation roadmap.