Using Microsoft Security Solutions Against Modern Threats

In this post I will discuss the range of Microsoft’s cloud-based security solutions that have been launched recently to defend the attacks that are happening now.


The nature of attacks has changed. Hackers aren’t relying on probing firewalls for vulnerabilities. Instead, they’re looking for the easy route, which is stealing identity from users and getting users to install zero-day malware from e-mails. You would think that if after countless surveys and reports confirming that hackers have changed their patterns of attack, then organizations would realize that relying on the traditional firewall and anti-malware filters/scanners just is not enough. A firewall blocks intrusions; it doesn’t stop apparently legitimate e-mails and malware scanners cannot detect zero-day attacks – someone has to suffer from an attack and submit the malware to the scanning companies before updated definition files can be distributed. Anti-virus companies admit that they cannot keep up with the rates of releases, and variants of malware such as CryptoLocker are too common & devious to give you 100% protection.
So it’s time to evolve. And that’s what Microsoft has done. This article isn’t about some new generation of Forefront. Microsoft isn’t trying to do the same security that everyone else does. And Microsoft has not just released a bunch of version 1 solutions either – most of what is discussed in this article will include already mature products that Microsoft took control of by acquiring a number of Israeli tech security companies.

Microsoft is bringing a new kind of security to enterprises [Image Credit: Aidan Finn]
Microsoft is bringing a new kind of security to enterprises [Image Credit: Aidan Finn]
Keep in mind that Microsoft has a unique opportunity in this market; Microsoft is able to build intelligent security services, supported by Azure’s intelligence and analysis services. And Microsoft has huge visibility and knowledge of attacks and how they are constructed, thanks to being one of the most attacked companies on the planet, directly because of cloud services such as Office 365 and Azure, and indirectly because of the huge market penetration of Window client OS and Windows Server in the enterprise. This means that any cloud-based security services that you consume from Microsoft are not limited to experience from your network, but from the entire Microsoft security eco-system spanning Microsoft and other customers of that service.

Protecting User Accounts

The easiest way to steal information and intellectual property (IP) is to get legitimate access to it, and hackers can do that by getting users to give them their usernames and passwords. A little bit of social engineering will get names and email addresses, and some phishing emails (or free pens) later the hacker has all they need to sign in as those employees.
Don’t be fooled into thinking that this is a “cloud problem”. Sure, the likes of Google Apps and Office 365 make sign-in easy, but if remote access to a corporate network is available then that access is just as easy, thanks to either single sign-on or user laziness.
Microsoft released an acquired solution called Advanced Threat Analytics (ATA), available as a standalone solution and through the Enterprise Mobility + Security (EMS) suite. ATA monitors user activity in on-premises networks via a number of possible methods. This data is sent to the ATA Center, the Microsoft Cloud, where Microsoft is able to analyse the activity for suspicious behavior. This could be as simple as:

  • A user signing in from a machine in New York, and then signing in from another machine in New Delhi 2 hours later, which isn’t possible in this pre-wormhole transport era.
  • A user attempting to sign into a large number of services.

Microsoft ATA sends user activity to the cloud for analysis [Image Credit:MIcrosoft]
Microsoft ATA sends user activity to the cloud for analysis [Image Credit:Microsoft]
The above examples show misuse of identity. But what if identity has been stolen? Hopefully you deployed Azure AD Premium and enabled multi-factor authentication (MFA); that would have made life much more difficult for the attacker! But even before that point, Microsoft is scanning the darknet for auctions and sales of user accounts from your domain(s). You’ll be alerted if anything is found (meaning that those staff have probably been phished) and you can reset some passwords and start investigating/educating/slapping heads.

Control Data in Third-Party SaaS Services

Every BOFH (an admin with IT megalomania) likes to think that they have complete control over everything that happens in their network. Those days are over! Personal device usage and the cloud, approved or not, have changed everything. You might have total control over OneDrive for Business but what about Box or Dropbox? Do you know if PCI data is being deliberately or accidentally shared, breaking security and compliance requirements?
Microsoft Cloud App Security was acquired by Microsoft to protect company data in third-party (and Microsoft) SaaS app services. The first step is to discover the services that are being used; logs from your edge devices are sent to Microsoft for analysis. A portal presents those services and ranks them – Microsoft has a database of around 13,000 rated cloud services. At this point you can take control of those services, opting to integrate and implement policies. This can include proactive and retroactive policies to control who can do what, and to filter what data can be stored in the cloud and what can be done with it. Your organization then has full visibility of what’s being done with that data – now that’s power!

Microsoft cloud app security protects company data in SaaS app services [Image Credit: Microsoft]
Microsoft cloud app security protects company data in SaaS app services [Image Credit: Microsoft]

Protecting Documents and Emails

You can encrypt your laptops and servers all you want, but once a document leaves the safety of your server farm, do you know who will get a copy of it? Do you know if it will make it to the media or a competitor? Does an email contain personal information that shouldn’t leave a small circle of control? This is the sort of thing that worries a lot of business owners – documents and emails are able to move more like water and we need to restrict who can see those documents.
Maybe you have heard of Azure Rights Management Services (RMS) before? RMS is a document- and email-level security solution that started life as an on-premises solution long before Edward Snowden started leaking NSA documents to the press – you’d think that security experts might have … implemented some security, right? RMS evolved into a cloud solution, with a subset of the functionality in some Office 365 SKUs, and is also available as a stand-alone solution and in the EMS bundle. In Q4 of 2016, RMS is changing.
The first change is that RMS is being renamed to Azure Information Protection, hinting at exactly what the solution does – protect information no matter where it goes or who gets their hands on it. Users can classify an email or document, using pre-engineered templates, with a security policy. You can say who can open a document or read an email. You can send an email to a customer, but prevent them from forwarding it or printing it. The security is built into the document or email, so no matter where it goes, the organization is protected from accidental or deliberate leakage. The solution, which does work with external users including those who don’t have Azure Information Protection, is powered by Azure AD so you can track exactly what’s happening with your information and property via a rich set of logs/reports.
There will be a second, higher version of Azure Information Protection (AIP) which will be included in the new higher version of EMS (called E5). The full version of AIP will include automatic classification of documents and emails based on the detected contents. A user can override the classification, and this action will be audited for any later investigations.
Imagine this; Edward Snowden would be a nobody if the most famous IT security agency in the world was an active user of this solution.

Zero-Day Attacks

An attack usually starts with an email. It could be a phishing email – hopefully user education protects you from most of that, and ATA protects you if someone does hand over their details. The other method is malware. Your traditional scanner/filter will block the known threats, but what about the all-too-common zero-day threat? No one has seen this malware before so it cannot be filtered via traditional means. This is why the world of advanced threat protection has evolved.
Microsoft Online Advanced Threat Protection is a service that compliments the regular filter/scanner, Exchange Online Protection, and is available in the E5 SKU of Office 365, but can be added to other SKUs as well.

Microsoft ATP scanning emails for zero-day attacks [Image Credit: Microsoft]
Microsoft ATP scanning emails for zero-day attacks [Image Credit: Microsoft]
When you use this service, attachments are sent to a “detonation chamber”; here, the service pokes and prods the attachment to see if it will … detonate. In other words, Microsoft analyses the “virtual machine” to see if the attachment starts making changes. If it does, then we have a zero-day threat, such as a PDF that attempts to install a Trojan downloader or a CryptoLocker variant.

Security Supervisor

If there’s any lesson that I want someone to learn, it’s that IT security is made up of lots of solutions and human education and process. Even the most ardent Microsoft fanboy will design a security solution made from Microsoft services and third-party solutions. But even if you choose the best of the best individual components, no one element of your security matrix has a full view of what is happening. For example, a user might legitimately sign into a database from a server that they rarely use, and start to send a large amount of data to the internet. There’s nothing there that will be blocked or alerted on. But if you put the pieces together, it’s clear that the network has been hacked and someone’s downloading company data to a machine on the internet. We understand this but we’re not watching the network at this level, and if the hacker is clever (and they are very professional) then they will compromise a lot of systems and fly under the radar.
This is why Microsoft has started working on Azure Security Center (ASC), which is currently in preview. ASC is a security supervisor aggregating data from:

  • Resources that you have deployed within Azure.
  • Azure itself, including your subscription, all other subscriptions, and the fabric.
  • Potentially any third-party appliances/software that you have deployed within Azure.

And the potential is there for Microsoft to expand ASC to be a supervisor of all your IT everywhere.

Azure Security Center aggregates, analyses, and reports on security issues [Image Credit: Microsoft]
Azure Security Center aggregates, analyses, and reports on security issues [Image Credit: Microsoft]
ASC gathers information and presents health reports for your subscription to you. Microsoft’s huge visibility of activity, trends, and experience are combined with Azure’s intelligence and data analytics to understand what is going on in your deployments; if something is wrong, you’ll be alerted and you can start to take action.