The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.
This post is authored by a Security Principal of Cyber Security Services and Engineering.
Each week seems to bring a new disclosure of a cybersecurity breach somewhere in the world. In 2016 alone, over 3 billion customer data records were breached in several high-profile attacks globally. As we look at the current state of cybersecurity challenges today, we see the same types of attacks, but the sophistication and scope of each attack continue to grow and evolve. Cyber adversaries are now changing their tactics and targets based on the current security landscape. For example, as operating systems became more secure, hackers shifted back to credential compromise. As Microsoft Windows continually improves its security, hackers attack other systems and third-party applications.
The growth of both the internet and the Internet of Things (IoT) is creating more connected devices, many of them insecure, which are then used to carry out larger Distributed Denial-of-Service (DDoS) attacks. Because of the insecure implementation of internet-connected embedded devices, they are routinely being hacked and used in cyberattacks. Smart TVs and even refrigerators have been used to send out millions of malicious spam emails. Printers and set-top boxes have been used to mine Bitcoin, and cybercriminals have targeted CCTV cameras (common IoT devices) to launch DDoS attacks.
Microsoft has unique visibility into an evolving threat landscape because of our hyper-scale cloud footprint of more than 200 cloud services, over 100 datacenters, millions of devices and over a billion customers around the globe, and because of our investment in security professionals focused on secure development and on protect, detect and respond functions. To mitigate attacks, Microsoft has developed an automated platform, as part of Microsoft Azure, that provides a rapid response to a DDoS attack. On our software-defined networks, the data plane can be upgraded to respond and stay ahead of network traffic, even while our service or corporate environment is under attack. Our DDoS protection platform analyzes traffic in real time and can respond to and mitigate an attack within 90 seconds of detection.
Microsoft Cyber Defense Operations Center operates 24×7 to defend against cyberthreats
In November 2015, we opened the Cyber Defense Operations Center (CDOC) to bring together the company’s cybersecurity specialists and data scientists in a 24×7 facility to combat cyber adversaries.
In the year since opening, we have advanced the policies and practices that accelerate the detection, identification and resolution of cybersecurity threats, and have shared our key learnings with the thousands of enterprise customers who have visited the CDOC. Today, we are sharing a Cyber Defense Operations Center strategy brief that details some of our best practices for how we Protect, Detect and Respond to cyberthreats in real time.
Microsoft’s first commitment is to protect the computing environment used by our customers and employees to ensure the resiliency of our cloud infrastructure and services, products, devices, and the company’s internal corporate resources.
Microsoft’s protect tactics include:
- Extensive monitoring and controls over the physical environment of our global datacenters, including cameras, personnel screening, fences and barriers, and multi-factor authentication for physical access.
- Software-defined networks that protect our cloud infrastructure from intrusions and distributed denial of service attacks.
- Multi-factor authentication employed across our infrastructure to control identity and access management.
- Non-persistent administration using just-in-time (JIT) and just-enough administration (JEA) privileges for engineering staff managing infrastructure and services. This provides a unique set of credentials for elevated access that automatically expires after a pre-designated duration.
- Proper hygiene is rigorously maintained through up-to-date, anti-malware software and adherence to strict patching and configuration management.
- Microsoft Malware Protection Center’s team of researchers identifies and reverse engineers malware, develops signatures for it, and then deploys them across our infrastructure for advanced detection and defense. These signatures are available to millions of customers using Microsoft anti-malware solutions.
- Microsoft Security Development Lifecycle is used to harden all applications, online services and products, and the effectiveness of that hardening is routinely validated through penetration testing and vulnerability scanning.
- Threat modeling and attack surface analysis ensure that potential threats are assessed, exposed aspects of the service are evaluated, and the attack surface is minimized by restricting services or eliminating unnecessary functions.
- Classifying data according to its sensitivity—high, medium or low business impact—and taking the appropriate measures to protect it, including encryption in transit and at rest, and enforcing the principle of least-privilege access provides additional protection.
- Awareness training that fosters a trust relationship between the user and the security team, to develop an environment where users will report incidents and anomalies without fear of repercussion.
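The just-in-time and just-enough administration item above describes two controls that reinforce each other: elevated credentials that are unique per request and expire on their own, and a role that limits what the elevated session may do. The following is an added example written for this post, not Microsoft's code or the CDOC's tooling; it is a minimal access broker that issues a random, time-bound credential for a named role and checks every administrative action against both the expiry and the role's command allow-list. The role names, commands, durations and the injectable clock are all constructed for the example.

```python
"""Added example (not Microsoft's code): a minimal JIT/JEA access broker.

An engineer requests elevation for a named role; the broker issues a unique,
random credential bound to that role's allowed commands, and the credential
expires after a pre-designated duration. Every action is checked against
both the expiry and the allow-list, and each decision is audited.
All roles, commands and durations here are constructed for the example.
"""
import secrets
import time
from dataclasses import dataclass

# Constructed JEA-style role capabilities: each role may run only these commands.
ROLE_CAPABILITIES = {
    "service-restart": {"restart-service", "get-service-status"},
    "log-reader": {"read-log", "list-logs"},
}

# Constructed pre-designated grant lifetime in seconds.
DEFAULT_TTL_SECONDS = 4 * 3600


@dataclass
class Grant:
    token: str
    principal: str
    role: str
    issued_at: float
    expires_at: float


class JitBroker:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so expiry behaviour is testable
        self._grants = {}     # token -> Grant (only live grants are kept)
        self.audit = []       # append-only record of every decision

    def request_elevation(self, principal, role, ttl_seconds=DEFAULT_TTL_SECONDS):
        """Issue a fresh, unpredictable credential for `role` that expires after ttl_seconds."""
        if role not in ROLE_CAPABILITIES:
            raise ValueError(f"unknown role {role!r}")
        now = self._clock()
        token = secrets.token_urlsafe(32)   # never reused across requests
        grant = Grant(token, principal, role, now, now + ttl_seconds)
        self._grants[token] = grant
        self.audit.append(("grant", principal, role, grant.expires_at))
        return token

    def authorize(self, token, command):
        """Return True only for an unexpired grant whose role allows `command`."""
        now = self._clock()
        grant = self._grants.get(token)
        if grant is None:
            self.audit.append(("deny", None, command, "unknown token"))
            return False
        if now >= grant.expires_at:
            # Expired credentials are purged so they cannot be replayed later.
            del self._grants[token]
            self.audit.append(("deny", grant.principal, command, "expired"))
            return False
        if command not in ROLE_CAPABILITIES[grant.role]:
            self.audit.append(("deny", grant.principal, command, "outside role"))
            return False
        self.audit.append(("allow", grant.principal, command, grant.role))
        return True


def demo():
    """One elevation lifecycle driven by a fake clock; returns the three decisions."""
    now = [1_000_000.0]
    broker = JitBroker(clock=lambda: now[0])
    token = broker.request_elevation("alice", "service-restart", ttl_seconds=900)
    allowed_now = broker.authorize(token, "restart-service")    # in role, not expired
    outside_role = broker.authorize(token, "read-log")          # denied: outside JEA role
    now[0] += 901                                               # advance past expiry
    after_expiry = broker.authorize(token, "restart-service")   # denied: JIT grant expired
    return allowed_now, outside_role, after_expiry


if __name__ == "__main__":
    print(demo())
```

The audit list is what a responder would want when reviewing an elevation after the fact: it records who was granted which role, until when, and every denied attempt, including attempts made with an expired or unknown credential.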
Having a rich set of controls and a defense-in-depth strategy helps ensure that should any one area fail, there are compensating controls in other areas to help maintain the security and privacy of our customers, cloud services, and our own infrastructure environment.
Microsoft operates under an Assume Breach posture. This simply means that despite the confidence we have in the defensive protections in place, we assume adversaries can and will find a way to penetrate security perimeters. It is then critical to detect an adversary rapidly and evict them from the network.
Microsoft’s detect tactics include:
- Monitoring network and physical environments 24x7x365 for potential cybersecurity events, with behavior profiling based on usage patterns and an understanding of the unique threats to our services.
- Identity and behavioral analytics are developed to highlight abnormal activity.
- Machine learning software tools and techniques are routinely used to discover and flag irregularities.
- Advanced analytical tools, processes and innovative correlation capabilities are deployed to further identify anomalous activity. This enables highly contextualized detections to be created from enormous volumes of data in near real time.
- Automated software-based processes that are continuously audited and evolved for increased effectiveness.
- Data scientists and security experts routinely work side by side to address escalated events that exhibit unusual characteristics and require further analysis. They can then determine potential response and remediation efforts.
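The detect tactics above combine three ideas: a behavioral baseline per identity, scoring of new events against that baseline, and correlation so that related low-level signals become one contextualized detection. The example below is added for this post and is not Microsoft's code or a description of the CDOC's analytics; it builds a per-user profile of countries and hours of day from a constructed baseline of sign-in log lines, scores a second window of constructed events against it, and correlates a burst of failures followed by a success from a new country into a single high-severity alert. The log format, user names, weights and the failure threshold are all constructed.

```python
"""Added example (not Microsoft's code): behaviour profiling and correlation
over constructed sign-in log lines.

Baseline window: events an identity normally produces (countries, hours).
Detection window: new events scored against that baseline, then correlated
per identity so that related signals surface as one contextualized alert.
All log lines, user names, weights and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <user> <country> <outcome>"
BASELINE_LOGS = """\
2016-11-01T09:02:11 alice US success
2016-11-01T10:15:40 alice US success
2016-11-02T08:58:03 alice US success
2016-11-03T09:30:22 alice US success
2016-11-01T14:12:00 bob DE success
2016-11-02T15:40:19 bob DE success
2016-11-03T13:05:44 bob DE success
"""

DETECTION_LOGS = """\
2016-11-04T03:10:01 alice RU failure
2016-11-04T03:10:09 alice RU failure
2016-11-04T03:10:15 alice RU failure
2016-11-04T03:10:31 alice RU success
2016-11-04T14:00:00 bob DE success
2016-11-04T14:05:00 bob FR success
"""

FAILURE_BURST = 3  # constructed threshold for "burst of failures"


def parse(text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, country, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "outcome": outcome})
    return events


def build_profiles(events):
    """Per-identity baseline: the countries and hours of day seen so far."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        profiles[e["user"]]["countries"].add(e["country"])
        profiles[e["user"]]["hours"].add(e["ts"].hour)
    return profiles


def score_event(event, profile):
    """Return (score, reasons); each deviation from the baseline adds weight."""
    score, reasons = 0, []
    if event["country"] not in profile["countries"]:
        score += 2
        reasons.append("new country")
    if event["ts"].hour not in profile["hours"]:
        score += 1
        reasons.append("unusual hour")
    return score, reasons


def detect(baseline_text, detection_text):
    """Score every event, then correlate per identity into contextualized alerts."""
    profiles = build_profiles(parse(baseline_text))
    per_user = defaultdict(list)
    for e in parse(detection_text):
        score, reasons = score_event(e, profiles[e["user"]])
        per_user[e["user"]].append((e, score, reasons))

    alerts = []
    for user, scored in per_user.items():
        failures = sum(1 for e, _, _ in scored if e["outcome"] == "failure")
        success_from_new = [e for e, _, r in scored
                            if e["outcome"] == "success" and "new country" in r]
        if failures >= FAILURE_BURST and success_from_new:
            # Correlated pattern: failure burst, then success from a never-seen country.
            alerts.append({"user": user, "severity": "high",
                           "reason": "failure burst followed by success from new country"})
        elif success_from_new:
            alerts.append({"user": user, "severity": "medium",
                           "reason": "success from new country"})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOGS, DETECTION_LOGS):
        print(alert)
```

Note the difference between the two identities: alice's four events each score as anomalies on their own, but the correlation step is what turns them into one high-severity detection, while bob's single new-country sign-in stays at medium because nothing else in the window supports it. A real baseline would be built from weeks of data and would also carry volume statistics, but the structure of profile, score, correlate is the same.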
When we detect something abnormal in our systems, it triggers our response teams to engage.
Microsoft’s respond tactics include:
- Automated response systems using risk-based algorithms to flag events requiring human intervention.
- Well-defined, documented and scalable incident response processes within a continuous improvement model help to keep us ahead of adversaries by making these processes available to all responders.
- Subject matter expertise across our teams, in multiple security areas, including crisis management, forensics, and intrusion analysis, and deep understanding of the platforms, services and applications operating in our cloud datacenters provides a diverse skill set for addressing incidents.
- Wide enterprise searching across cloud, hybrid and on-premises data and systems to determine the scope of the incident.
- Deep forensic analysis, for major threats, is performed by specialists to understand incidents and to aid in their containment and eradication.
- Microsoft’s security software tools, automation and hyper-scale cloud infrastructure enable our security experts to reduce the time to detect, investigate, analyze, respond, and recover from cyberattacks.
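Two of the respond tactics above can be shown together: the risk-based algorithm that decides which events need a human, and the enterprise-wide search that establishes an incident's scope before that decision is made. The example below is added for this post and is not Microsoft's code; it searches a constructed inventory spanning cloud, hybrid and on-premises hosts for every host showing the same indicator, scores the event from detection confidence, asset criticality and that blast radius, and then either assigns an automated playbook action per host or routes the event to a human responder. The asset types, playbook names, weights and the review threshold are all constructed.

```python
"""Added example (not Microsoft's code): risk-based triage of detection events.

Each event is scored from (1) the detector's confidence, (2) the criticality
of the most sensitive asset in scope and (3) the blast radius found by
searching the constructed cloud/hybrid/on-prem inventory for the same
indicator. Low-risk events get an automated playbook action; anything above
the threshold, or touching an asset with no safe automated action, is routed
to a human. Every inventory record, weight, name and threshold is constructed.
"""

# Constructed criticality weights per asset type.
ASSET_CRITICALITY = {"domain-controller": 5, "prod-web": 4,
                     "build-agent": 3, "workstation": 1}

# Constructed inventory: host -> (environment, asset type, indicators observed on it)
INVENTORY = {
    "dc01":   ("on-prem", "domain-controller", {"hash-A"}),
    "web-12": ("cloud",   "prod-web",          {"hash-A", "hash-B"}),
    "web-13": ("cloud",   "prod-web",          {"hash-B"}),
    "ws-77":  ("on-prem", "workstation",       {"hash-C"}),
    "ba-04":  ("hybrid",  "build-agent",       set()),
}

# Constructed automated action considered safe per asset type; None = always escalate.
AUTO_PLAYBOOK = {"workstation": "isolate-host", "prod-web": "rotate-credentials",
                 "build-agent": "isolate-host", "domain-controller": None}

HUMAN_REVIEW_THRESHOLD = 10  # constructed


def search_scope(indicator):
    """Enterprise-wide search: every host, in any environment, showing the indicator."""
    return sorted(host for host, (_, _, seen) in INVENTORY.items() if indicator in seen)


def triage(event):
    """Route one event; `event` has keys indicator, host (must be in INVENTORY),
    and confidence as an integer percentage 0..100."""
    hosts = search_scope(event["indicator"])
    if event["host"] not in hosts:          # always include the host that raised it
        hosts = sorted(hosts + [event["host"]])
    types = {h: INVENTORY[h][1] for h in hosts}

    score = (event["confidence"] // 20                           # 0..5 from confidence
             + max(ASSET_CRITICALITY[t] for t in types.values())  # most critical asset
             + 2 * len(hosts))                                     # blast radius

    reasons = []
    no_safe_action = [h for h, t in types.items() if AUTO_PLAYBOOK[t] is None]
    if no_safe_action:
        reasons.append("no safe automated action for " + ", ".join(no_safe_action))
    if score >= HUMAN_REVIEW_THRESHOLD:
        reasons.append(f"risk score {score} >= {HUMAN_REVIEW_THRESHOLD}")

    if reasons:
        return {"route": "human", "score": score, "scope": hosts, "reasons": reasons}
    return {"route": "auto", "score": score, "scope": hosts,
            "actions": {h: AUTO_PLAYBOOK[t] for h, t in types.items()}}


def demo():
    """Three constructed events covering the auto path and both escalation reasons."""
    events = [
        {"indicator": "hash-C", "host": "ws-77", "confidence": 90},
        {"indicator": "hash-B", "host": "web-13", "confidence": 60},
        {"indicator": "hash-A", "host": "web-12", "confidence": 50},
    ]
    return [triage(e) for e in events]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The third event is the one to notice: the search widens its scope from a single web host to a domain controller showing the same indicator, and the domain controller has no automated action deemed safe, so the event is escalated regardless of score. That is the practical value of scoping before routing: the decision is made on the incident's real footprint, not on the single host that happened to raise the alert.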
There is a lot of data and tips in this strategy brief that I hope you will find useful. You can download the Cyber Defense Operations Center strategy brief to gain more insight into how we work to protect, detect and respond to cybersecurity threats. And I encourage you to visit the Microsoft Secure website to learn more about how we build security into Microsoft’s products and services to help you protect your endpoints, move faster to detect threats, and respond to security breaches.