Microsoft announced various enterprise security solution product milestones this week in advance of the forthcoming RSA Conference, which will start on Feb. 24.
The announcements included a few “general availability” (GA) announcements, signifying commercial product launches. In addition, Microsoft described product enhancements, plus some partner collaborations. Quite a lot of these enterprise security products require having top-of-the-line Microsoft 365 E5 licensing in place to use them.
A 13-page summary of Microsoft’s RSA announcements can be found in a “Book of News” publication (PDF download).
Microsoft Threat Protection GA
Microsoft declared that its Microsoft Threat Protection security tooling bundle is now at the GA release stage. Microsoft Threat Protection is Microsoft’s motherlode of security solutions for enterprises, providing for investigation and response actions, including some “automated healing” capabilities. It can be used to protect endpoints (Windows, macOS and Linux), identities, user data, cloud applications and infrastructure.
The Microsoft Threat Protection product has been around since 2018, but was described as being at the public preview stage back in December. It consists of multiple existing Microsoft solutions, including “Microsoft Defender Advanced Threat Protection (ATP) for endpoints, Office 365 ATP for email and collaboration tools, Azure ATP for identity-based threats, and Microsoft Cloud App Security (MCAS) for SaaS applications,” per Microsoft’s December post.
Organizations will need “Microsoft 365 E5 or equivalent” licensing to use Microsoft Threat Protection, according to this Microsoft document. The case for using the product is outlined in this blog post by Moti Gindi, corporate vice president of Microsoft Threat Protection.
Microsoft 365 Insider Risk Management GA
Organizations subscribing to Microsoft 365 services now have access to Insider Risk Management, a personnel investigation and corporate compliance tool that’s now commercially released at the GA stage worldwide. Insider Risk Management is designed to track the “high-risk activities” of employees using artificial intelligence and machine learning technologies, as described here. The kind of corporate compliance risks it tracks is described in this Microsoft document, as follows:
- Leaks of sensitive data and data spillage
- Confidentiality violations
- Intellectual property (IP) theft
- Insider trading
- Regulatory compliance violations
Insider Risk Management sends alerts and offers a dashboard view. Taking actions on its reports may depend on using other Microsoft 365 tools, such as Microsoft’s Advanced eDiscovery service for gathering case data. Tracking potential data theft depends on using the Microsoft 365 HR Connector. Checking for leaked data requires the Microsoft 365 Data Loss Protection service.
Insider Risk Management previously was at preview stage, having been introduced in November at the Microsoft Ignite event.
Microsoft 365 Communication Compliance GA
Microsoft this week announced that its Communication Compliance for Microsoft 365 solution, which uses machine learning to check company communications for policy violations, reached GA release status. Communication Compliance detects “offensive language and threats” and has investigation and remediation capabilities. Microsoft also added Communication Compliance support for Microsoft Teams and Bloomberg Chats on top of support for e-mail communications.
Communication Compliance requires Microsoft 365 E5 licensing. It’s demonstrated in this Microsoft blog post.
Office 365 ATP Campaign Views GA
Microsoft announced this week that Campaign Views, a capability within its Office 365 ATP security solution, reached the GA stage. It was at the preview stage back in December.
Campaign views shows overall details of actual phishing attack campaigns. It shows an attack’s size, timeline and the number of victims. The IP addresses and URLs of the senders are shown. It’ll also show if any users in an organization clicked on phishing URLs.
Office 365 ATP Compromise Detection and Response GA
The Compromise Detections and Response capability in Office 365 ATP is now at the GA release stage, according to Microsoft’s “Book of News.” It’s been enhanced to check for e-mail inbox rules that forward messages, which is known to be a “common attack pattern.”
This feature apparently previewed back in November. Its shows detections of potentially compromised user accounts in the Office 365 Security Center, which is done by assessing “atypical or anomalous” user e-mail activities. For instance, an individual e-mail user may be detected as sending out phishing messages, which suggests that the account got compromised. IT pros get alerts, and potentially compromised users are put into a “restricted user list” and their ability to send e-mails gets restricted. The solution adds automated investigation and response capabilities for Office 365 ATP Plan 2 subscribers.
Also, Office 365 ATP Plan 2 subscribers will be getting access to Terranova’s phishing training materials. Microsoft and Terranova established a partnership to that end, according to the “Book of News” (p. 12), although timing wasn’t described.
Azure Sentinel Enhancements
Azure Sentinel is Microsoft’s cloud-based security information event management (SIEM) solution that reached the GA stage back in September. Microsoft this week announced a few enhancements.
Azure Sentinel now has new data connectors, both for Microsoft and partner security solutions. There’s a new connector for Microsoft’s Azure Security Center for IoT solution, which pulls Internet of Things (IoT) data from “Azure IoT Hub-managed deployments.” Microsoft also added “new data connectors and workbooks from partners like Forcepoint, Zimperium, Quest, CyberArk, and Squadra,” per the “Book of News.”
Microsoft floated a limited-time offer for users of Amazon Web Services (AWS) infrastructure. It’s possible to import AWS’ CloudTrail logs into Azure Sentinel at “no additional cost” from Feb. 24, 2020 to June 30, 2020.
Azure Sentinel uses so-called “Fusion” machine learning technology to find the most important threats. How that’s done is outlined in this blog post by Ram Shankar Siva Kumar of Microsoft’s cloud and AI security team.
Microsoft Defender ATP for Linux Previews
Microsoft is extending endpoint detection and response protections with its currently available Microsoft Defender ATP service to devices running Linux operating systems at the preview level. Support for the macOS went GA back in December. Now there’s preview support in Microsoft Defender ATP for the following Linux server distros:
- CentOS Linux 7+
- Debian Linux 9+
- Oracle Enterprise Linux 7
- Red Hat Enterprise Linux 7+
- SUSE Linux Enterprise Server 12+
- Ubuntu 16+
Microsoft Defender ATP also will get “new mobile security capabilities,” which are expected to roll out sometime this year. Microsoft also announced this week that “tamper protection” is now supported in the Threat and Vulnerability Management section of Microsoft Defender ATP. Tamper protection is used to protect against alterations of a device’s security settings by outside parties. For instance, it’ll detect the disabling of anti-virus software.
Microsoft also plans to announce at the RSA Conference that it will integrate Microsoft Defender ATP with Microsoft Cloud App Security at some point, according to its “Book of News” (p. 10). Few details were provided, but this integration will combine endpoint access controls with the ability to block the uploading of “sensitive files to unsanctioned cloud apps.”
Azure Active Directory and FIDO2 Preview
Microsoft has expanded its preview of using a FAST Identity Online 2.0 (FIDO2) security keys to enable single sign-on access to applications using the Azure Active Directory service, per the “Book of News” (p. 9). Such single sign-on access can be enabled without the use of passwords since the FIDO2 authentication scheme supports biometric confirmation of identities via things like fingerprint scans or face scans. Microsoft’s expanded preview will support “both on-premises and cloud applications,” and even “hybrid” scenarios.
The expanded preview works with “the latest Windows Insider build” of Windows 10 in conjunction with the Azure AD identity and access management service. FIDO2 keys from “Yubico, HID, Global, Feitian Technologies, eWBM, Ensurity, and AuthenTrend” are supported.
Microsoft expects Azure AD and FIDO2 key support will reach the GA stage “sometime in the next 4-6 months.”
Azure Security Center for IoT Perks
Azure Security Center for IoT now supports Azure real-time operating systems (RTOS) on top of Windows 10 IoT and Linux (Debian and Ubuntu) OSes. An Azure RTOS is an embedded OS used in “resource-constrained” or low-power environments. Microsoft bought RTOS-maker Express Logic last year, with the aim of incorporating its ThreadX RTOS with Azure Sphere and the Azure IoT Edge service.
Azure Security Center for IoT also will now show “partner security alerts.” To that end, Microsoft is working with partners such as “Attivo Networks, CyberMDX, CyberX, Firedome and SecuriThings,” per the “Book of News” (p. 8).