There was a time when this title might have meant they simply decided to talk about security. For a lot of years Microsoft Security was an oxymoron. Not anymore though they take security very seriously now largely because, as they grew up, they realized that not owning the security of your products also meant you didn’t own their perceived quality and security companies that supported Microsoft used to aggressively disparage Microsoft’s offerings in order to generate demand for their products.
Those days are past and now Microsoft funds significant efforts both in going after those that compromise Microsoft’s products at scale and in building tools, but integrated and stand alone, that protect those offerings. Microsoft announced two enhancements to their offerings this week Microsoft Azure Sentinel, and Microsoft Threat Experts which should further their security focus. (A briefing on this announcement can be found here).
Before we explore those offering let’s chat for a moment about Microsoft’s Security report as there are some interesting trends.
Microsoft Security Report
First apparently Ransomware attacks are down sharply year over year. This is likely because the defenses against Ransomware have increased as have prosecutions against those committing the related crime. But there is a new trend.
Second illegal Cryptocurrency mining has increased sharply. This is when the minor penetrates and uses a system they do not own for mining. Apparently, they are doing this a lot, and this is having a massive impact on both performance and escalating energy invoices.
Third the software supply chain is badly compromised. This means a lot of legitimate products are being delivered with embedded malware. These attacks are particularly dangerous because the user is convinced, they are installing a legitimate product, in fact it could be a legitimate product, which has been compromised. You may not be able to trust the branded software you purchased.
Fourth Phishing remains the preferred method of attack. As always, the least technically proficient attack is the most popular and people really need to practice safe email and safe phone calling best practices to avoid being caught up in this embarrassing problem.
Now to the security offerings…
Microsoft Azure Sentinel
Microsoft Azure Sentinel is a SIEM (Security Information and Event Management) product and SIEM products are notoriously hard to sell. The reason is that SIEM offering do a great job of identifying threats but, alone, they do little to correct the exposures. An enterprise could have thousands upon thousands of exposures and lack the funding to address any but a small number. If there is a breach a SIEM report will make it look like IT was negligent, clearly knowing of the related exposure, but not fixing it. Microsoft’s offering does prioritize the exposures so that IT can resource the most likely to cause damage mitigating somewhat an adverse impact but still, alone, a SIEM product is viewed as more trouble than it is worth.
Now I tend to think this is a process and priority problem and that IT should instead use the reports to ask for the resources they need to correct the problem, document the requests, and then showcase they weren’t negligent, executive management just didn’t prioritize the fix. After a couple breaches with top executives taking the hit perhaps priorities would shift, and the company made safer.
Microsoft Threat Experts
Fortunately, Azure Sentinel doesn’t stand alone but comes to market with another service called Microsoft Threat Experts. This service uses expends on Windows Defender ATP by providing managed threat research using Microsoft experts, who have likely seen similar threats and know how to deal with them quickly and cost effectively, to address the threats that Azure Sentinel discovers. This isn’t free and it would still need to be funded but the combined result should, particularly in a mostly Microsoft account, provide a level of security as yet unheard of from Microsoft.
Included with this offering is the ability to send tailored alerts to the exposed department from the Microsoft ATP console providing further guidance on the identified threats along with even tighter prioritization. Apparently, there is even an “ask the expert” button so that teams can instantly contact a Microsoft expert to help with rapidly remediating a threat.
Microsoft is very focused on securing their platforms and that focus is only increasing because the threats are mostly increasing. Microsoft’s security report this year did have some good news, Ransomware has fallen off a cliff, but this was offset by the bad news that hackers have shifted to Cryptocurrency mining instead raising another class of problem abuse or theft of company assets.
Against these and other threats Microsoft has released a SIEM product called Microsoft Azure Sentinel and a related service called Microsoft Threat Experts which should both be able to significantly reduce the security exposure in a Microsoft shop.