Microsoft Releases Secure Score, Attack Simulator and More at RSA
Microsoft announced a raft of security improvements at the RSA security conference last week affecting its Security Graph, Advanced Threat Protection (ATP), Information Protection and Conditional Access products -- and more.
Here's a rundown of the news.
Security API Preview
Developers working with Microsoft's security products got a preview of a new "Security API" for accessing the Intelligent Security Graph. The Intelligent Security Graph is a search service that typically underlies Microsoft's various security solutions.
The new Security API preview will work with a lot of Microsoft's Azure security services, according to an announcement:
This public preview supports API access of Alerts from Azure Security Center and Azure Active Directory Identity Protection with Intune and Azure Information Protection coming soon. We are also announcing support for high volume streaming of alerts to a SIEM through Security API integration with Azure Monitor. This will enable seamless ingestion of alerts from multiple sources directly into a SIEM.
The Security API is billed as a boost to Microsoft's partners because "they can allow their alerts, context, and automation to be enabled in the Graph at peer level with integrated Microsoft products." It'll support better protection for customers, too.
The Security API preview is currently being used by Anomali to augment its threat intelligence service. Palo Alto Networks is using it to expand the security features of its AutoFocus product. PricewaterhouseCoopers is using the Security API to bring additional information into its Secure Terrain cybersecurity analytics platform.
The Microsoft Intelligent Security Graph pools security information monthly based on "18 billion web pages" that get scanned by Bing, "400 billion" e-mails that get checked for malware and spam, plus threat detections from the Windows Defender Advanced Threat Protection service, according to Rob Lefferts, director of enterprise and security for Windows, in an announcement.
Microsoft Secure Score General Availability
The Microsoft Secure Score solution reached "general availability" (GA) last week, meaning that it's deemed ready for use in production environments. This product, which graphically scores an organization's security position, expands on the Office 365 Secure Score product that reached GA status last year.
Anthony Smith, a senior product marketing manager on the Microsoft 365 team, explained in an announcement that "today Office 365 Secure Score is now Microsoft Secure Score." He added that Secure Score addresses other Microsoft solutions besides the Office 365 suite. For instance, it produces security scores for Windows and Microsoft Intune, he noted.
Secure Score "gives the IT administrator a combined view of security readiness across a broad swath of the digital estate -- from Office 365 services to endpoint devices," Lefferts explained.
Attack Simulator General Availability
Attack Simulator, which is part in the Office 365 Threat Intelligence service, reached GA status last week after getting previewed in February. It's available to "all Office 365 E5 or Office Threat Intelligence customers," according to a Microsoft announcement.
As the name implies, IT pros can use Attack Simulator to "launch simulated attacks on their end users," including "mock ransomware and phishing campaigns." It has an HTML editor so that credible spear-phishing attack e-mails can be created. The e-mails can include credible names in the display name field to invoke "display name spear phishing" attacks. IT pros can also carry out password spray attacks, which means trying commonly used passwords across multiple user logins in an organization. There's also a brute-force password attack capability.
Windows Defender ATP Improvements
Windows Defender ATP rolled out a couple of years ago and was initially billed as a post-breach security analysis tool, using integrated Hexadite technology. Later, Microsoft indicated that the service would get autoremediation capabilities. Last week, Microsoft explained in an announcement that Windows Defender ATP now has added automation capabilities that let the service expand investigations and fix security issues across an organization:
With the new security automation capabilities, Windows Defender ATP can now prevent and find breaches; it can fix them. These actions can be set to run automatically for simple, clear-cut cases, or can be reviewed prior to execution.
Windows Defender ATP will be getting a new capability with its next update called "dynamic machine risk." It'll block access to an organization's data when a threat is active. This capability resulted from collaborative work with Microsoft's Azure Active Directory (AD) team and Intune team, according to the announcement.
The device health checking capability of Windows Defender ATP resulted from an integration of Azure AD Conditional Access capabilities with Windows Defender ATP and Intune. "You can now create access policies based on the risk level detected at Windows 10 endpoints," according an announcement by Alex Simons, director of program manager at the Microsoft Identity Division.
Microsoft also announced last week that Windows Defender ATP is "now built into Windows Server 2019," its forthcoming server product, which is expected to arrive in the second half of this year. The ability to work with non-Windows 10 clients, such as Windows 7 and Windows 8.1, is still at the preview stage, but GA status will be "coming soon," the announcement indicated.
Windows Defender ATP support also is being extended to Android, iOS, Linux and macOS operating systems through the Microsoft Intelligent Security Association. Lefferts had described it as "a group of technology providers who have integrated their solutions with Microsoft products." He said members include "Anomali, Check Point, Forcepoint, Palo Alto Networks and Ziften." The members "benefit from, and contribute to, the Intelligent Security Graph and Microsoft security products," according to an explanation in another Microsoft announcement.
Azure AD Announcements
Simons announced last week that a few other Azure AD-based features have reached the GA status.
For instance, Azure AD Privileged Identity Management, a role-based access control solution that was commercially released about a year-and-a-half ago, now has a new capability to enforce multifactor authentication, which is a secondary identity verification scheme. It also can generate an "approval workflow whenever a user requests elevation into the Virtual Machine Contributor role."
Another commercially available Azure AD feature last week is the ability to schedule "access reviews." It sets up a compliance check on user access privileges.
Lastly, Microsoft now lets Azure AD B2B (Business-to-Business) Collaboration users "specify which partner organizations you want to share and collaborate with." IT pros set up a list of "allow or deny domains" to make it happen.
"This B2B Collaboration feature is available for all Azure Active Directory customers and can be used in conjunction with Azure AD Premium features like conditional access and identity protection for more granular control of when and how external business users sign in and gain access," Simons indicated.
Microsoft had much more RSA security news. It announced that Microsoft Cloud App Security has an improved "ransomware and terminated-user activity." The ransomware detection capability can now detect anomalies and more sophisticated attacks. For terminated employees, Microsoft is previewing the ability to detect when they continue to use SaaS apps. Another preview is the ability to set granular controls for actions to take when end users have "come from a risky session."
Microsoft brought Azure AD Conditional Access capabilities into Azure Information Protection. It lets IT pros require multifactor authentication to access protected documents, or enforce device compliance policies. It also enables risky sign-ins to get blocked. Blocking also can be enforced for nontrusted network access. These Azure AD Conditional Access capabilities can be extended to other systems, enabling policy consistency. The first partner along those lines is Iconic Security with its Data Trust platform, according to Microsoft's announcement.
Lastly, Azure Security Center got a bunch of improvements, according to an announcement last week. Notably, the just-in-time virtual machine access feature is now at GA. Another feature reaching GA last week is a capability that integrates security configurations when virtual machines get created. Lastly at GA, Security Center has a "new web security configuration assessment" that helps to find IIS Web Server vulnerabilities on "IaaS VMs."
Microsoft also announced a couple of Azure Security Center integrations. It partnered with Palo Alto on its Next Generation Firewall. It partnered with McAfee on anti-malware reporting for Windows machines.