Using Microsoft Security Solutions Against Modern Threats
In this post I will discuss the range of Microsoft’s cloud-based security solutions that have been launched recently to defend the attacks that are happening now.
The nature of attacks has changed. Hackers aren’t relying on probing firewalls for vulnerabilities. Instead, they’re looking for the easy route, which is stealing identity from users and getting users to install zero-day malware from e-mails. You would think that if after countless surveys and reports confirming that hackers have changed their patterns of attack, then organizations would realize that relying on the traditional firewall and anti-malware filters/scanners just is not enough. A firewall blocks intrusions; it doesn’t stop apparently legitimate e-mails and malware scanners cannot detect zero-day attacks – someone has to suffer from an attack and submit the malware to the scanning companies before updated definition files can be distributed. Anti-virus companies admit that they cannot keep up with the rates of releases, and variants of malware such as CryptoLocker are too common & devious to give you 100% protection.
So it’s time to evolve. And that’s what Microsoft has done. This article isn’t about some new generation of Forefront. Microsoft isn’t trying to do the same security that everyone else does. And Microsoft has not just released a bunch of version 1 solutions either – most of what is discussed in this article will include already mature products that Microsoft took control of by acquiring a number of Israeli tech security companies.
Protecting User Accounts
The easiest way to steal information and intellectual property (IP) is to get legitimate access to it, and hackers can do that by getting users to give them their usernames and passwords. A little bit of social engineering will get names and email addresses, and some phishing emails (or free pens) later the hacker has all they need to sign in as those employees.
Don’t be fooled into thinking that this is a “cloud problem”. Sure, the likes of Google Apps and Office 365 make sign-in easy, but if remote access to a corporate network is available then that access is just as easy, thanks to either single sign-on or user laziness.
Microsoft released an acquired solution called Advanced Threat Analytics (ATA), available as a standalone solution and through the Enterprise Mobility + Security (EMS) suite. ATA monitors user activity in on-premises networks via a number of possible methods. This data is sent to the ATA Center, the Microsoft Cloud, where Microsoft is able to analyse the activity for suspicious behavior. This could be as simple as:
- A user signing in from a machine in New York, and then signing in from another machine in New Delhi 2 hours later, which isn’t possible in this pre-wormhole transport era.
- A user attempting to sign into a large number of services.
Control Data in Third-Party SaaS Services
Every BOFH (an admin with IT megalomania) likes to think that they have complete control over everything that happens in their network. Those days are over! Personal device usage and the cloud, approved or not, have changed everything. You might have total control over OneDrive for Business but what about Box or Dropbox? Do you know if PCI data is being deliberately or accidentally shared, breaking security and compliance requirements?
Microsoft Cloud App Security was acquired by Microsoft to protect company data in third-party (and Microsoft) SaaS app services. The first step is to discover the services that are being used; logs from your edge devices are sent to Microsoft for analysis. A portal presents those services and ranks them – Microsoft has a database of around 13,000 rated cloud services. At this point you can take control of those services, opting to integrate and implement policies. This can include proactive and retroactive policies to control who can do what, and to filter what data can be stored in the cloud and what can be done with it. Your organization then has full visibility of what’s being done with that data – now that’s power!
Protecting Documents and Emails
You can encrypt your laptops and servers all you want, but once a document leaves the safety of your server farm, do you know who will get a copy of it? Do you know if it will make it to the media or a competitor? Does an email contain personal information that shouldn’t leave a small circle of control? This is the sort of thing that worries a lot of business owners – documents and emails are able to move more like water and we need to restrict who can see those documents.
Maybe you have heard of Azure Rights Management Services (RMS) before? RMS is a document- and email-level security solution that started life as an on-premises solution long before Edward Snowden started leaking NSA documents to the press – you’d think that security experts might have … implemented some security, right? RMS evolved into a cloud solution, with a subset of the functionality in some Office 365 SKUs, and is also available as a stand-alone solution and in the EMS bundle. In Q4 of 2016, RMS is changing.
The first change is that RMS is being renamed to Azure Information Protection, hinting at exactly what the solution does – protect information no matter where it goes or who gets their hands on it. Users can classify an email or document, using pre-engineered templates, with a security policy. You can say who can open a document or read an email. You can send an email to a customer, but prevent them from forwarding it or printing it. The security is built into the document or email, so no matter where it goes, the organization is protected from accidental or deliberate leakage. The solution, which does work with external users including those who don’t have Azure Information Protection, is powered by Azure AD so you can track exactly what’s happening with your information and property via a rich set of logs/reports.
There will be a second, higher version of Azure Information Protection (AIP) which will be included in the new higher version of EMS (called E5). The full version of AIP will include automatic classification of documents and emails based on the detected contents. A user can override the classification, and this action will be audited for any later investigations.
Imagine this; Edward Snowden would be a nobody if the most famous IT security agency in the world was an active user of this solution.
An attack usually starts with an email. It could be a phishing email – hopefully user education protects you from most of that, and ATA protects you if someone does hand over their details. The other method is malware. Your traditional scanner/filter will block the known threats, but what about the all-too-common zero-day threat? No one has seen this malware before so it cannot be filtered via traditional means. This is why the world of advanced threat protection has evolved.
Microsoft Online Advanced Threat Protection is a service that compliments the regular filter/scanner, Exchange Online Protection, and is available in the E5 SKU of Office 365, but can be added to other SKUs as well.
If there’s any lesson that I want someone to learn, it’s that IT security is made up of lots of solutions and human education and process. Even the most ardent Microsoft fanboy will design a security solution made from Microsoft services and third-party solutions. But even if you choose the best of the best individual components, no one element of your security matrix has a full view of what is happening. For example, a user might legitimately sign into a database from a server that they rarely use, and start to send a large amount of data to the internet. There’s nothing there that will be blocked or alerted on. But if you put the pieces together, it’s clear that the network has been hacked and someone’s downloading company data to a machine on the internet. We understand this but we’re not watching the network at this level, and if the hacker is clever (and they are very professional) then they will compromise a lot of systems and fly under the radar.
This is why Microsoft has started working on Azure Security Center (ASC), which is currently in preview. ASC is a security supervisor aggregating data from:
- Resources that you have deployed within Azure.
- Azure itself, including your subscription, all other subscriptions, and the fabric.
- Potentially any third-party appliances/software that you have deployed within Azure.
ASC gathers information and presents health reports for your subscription to you. Microsoft’s huge visibility of activity, trends, and experience are combined with Azure’s intelligence and data analytics to understand what is going on in your deployments; if something is wrong, you’ll be alerted and you can start to take action.
And the potential is there for Microsoft to expand ASC to be a supervisor of all your IT everywhere.
More in Cloud Computing
Build 2022: Microsoft Introduces New Dev Box Cloud PC Service for Developers
May 24, 2022 | Rabia Noureen
Amazon EC2 Now Supports NitroTPM and UEFI Secure Boot
May 24, 2022 | Michael Otey
AWS Snow Family Now Supports Remote Monitoring and Operations
May 9, 2022 | Michael Otey
Use Azure ExpressRoute Private Peering & Azure Virtual WAN to Connect Privately to Microsoft 365
Apr 21, 2022 | Flo Fox
Microsoft to Make Changes to Cloud Licensing Restrictions after Customer Complaints
Apr 18, 2022 | Rabia Noureen
Reviewing Your Backup Checklist
Apr 8, 2022 | Michael Otey
Most popular on petri