Microsoft leaned heavily on updates to its zero-trust security features as part of this week’s Ignite event, which came on the heels of a corporate breach tied to the SolarWinds attacks and a new breach found just this week.
Many of this week’s announcements were tied to Microsoft’s zero-trust initiatives. Vasu Jakkal, corporate VP for security, compliance, and identity at Microsoft, said during her presentation that zero trust was “the cornerstone of effective protection and the foundation for security.”
One of Microsoft’s big moves was its launch of a new Threat Analytics component for its 365 Defender platform. Andrew Conway, GM for security marketing at Microsoft, explained that this provides curated threat intelligence reports, “highlighting specific threats, like the recent SolarWinds attack,” within the extended detection and response (XDR) platform.
“In addition to documentation describing the threat source from both Microsoft threat experts and the broader industry, it includes the relevant incidents and alerts associated with this threat … and it recommends the mitigation and remediation steps” that a user can take, Conway added.
Microsoft also noted that its Defender for Endpoint and Defender for Office 365 products now allow customers to investigate and remediate threats from the 365 Defender portal. This provides a single pane of glass to monitor alerts, investigations, and analysis of those threats. And it has made that user experience common between 365 Defender and Microsoft’s Azure Sentinel cloud-native security information and event management (SIEM) tool.
The vendor’s Azure Active Directory (Azure AD) service now offers passwordless authentication options for cloud and hybrid environments. These include biometrics, a tap using Windows Hello for Business that runs on the Microsoft Authenticator application, or a physical security key that runs the FIDO2 security specification. Microsoft also launched a preview of its Temporary Access Pass system that generates a time-limited code to set up or recover passwordless credentials.
The Azure AD Conditional Access policy engine also now uses authentication context to enforce more granular policies based on a user’s actions within the application they are using or the sensitivity of the data they are trying to access. Microsoft notes that this helps customers apply the appropriate protection rules without restricting access to less sensitive content.
Microsoft is also on the verge of launching a preview of an Azure AD verifiable credentials option that will allow organizations to confirm someone’s information without collecting and storing that personal data.
David Mahdi, senior director and analyst at Gartner, noted in an email to SDxCentral that the passwordless updates could drive the market “further down the path of eliminating passwords,” and “perhaps, to a more ‘natural’ state of authentication and access.”
“Furthermore, due to the ubiquity of Microsoft in the enterprise, having a GA passwordless approach could be seen as low hanging fruit for many enterprises that were on the fence in investing in this area,” Mahdi added.
Microsoft liberally sprinkled references to the recent SolarWinds breach on its most recent updates, and also provided more insight into the wide-ranging attack.
Tom Burt, corporate VP of customer security and trust, explained as part of a question-and-answer session with Jakkal at the Ignite event that Microsoft’s Threat Intelligence Center (MSTIC) was able to tap into the 8 trillion signals that come in each day to Microsoft and look for patterns of activity “that this nation-state actor would leave behind as a trail that showed that some of our customers were compromised.”
“It was hard to find. This actor was good,” Burt said. “They were hiding in the network traffic. They were closing the doors that they opened when they no longer needed them. But our teams were able to find these traces and hints sufficiently so that we could notify our customers when we knew they’d been compromised.”
Paul Webber, senior director and analyst at Gartner, said in an emailed response to questions that Microsoft was “refreshingly direct” about its need to “respond to an increase in both cybercrime and nation-state attacks originating from China, Russia, Iran, and North Korea.”
“This was an opportunity for Microsoft to promote the activities of its ‘MSTIC’ threat intelligence center and the vast array of data and intelligence that it can leverage in thwarting cybercrime but also now indicating that Microsoft is willing to also use these capabilities to assist in defense against nation state actors too,” Webber added.
Peter Firstbrook, VP and analyst at Gartner, noted in an email to SDxCentral that while he had not been following Microsoft’s specific announcements from the Ignite event, he felt the vendor’s “overall commitment to security has never been better.”
“SolarWinds was an excellent learning experience for the entire industry,” Firstbrook wrote. “Microsoft was well positioned to detect it earlier and I expect that knowledge will drive their roadmap.”
Latest China-Based Attack
That roadmap might also include learnings from a new attack that hit Microsoft customers using its Exchange email server. This zero-day attack targeted on-premises versions of Exchange and allowed attackers to access email accounts and to install additional malware on a corporate system to “facilitate long-term access to victim environments.”
Microsoft rolled out a handful of patches for the flaw and “strongly urged customers to update on-premises systems immediately.” Volexity and Dubex also contributed to finding the bugs.
While SolarWinds was tied to Russia-based attackers, MSTIC attributed this latest attack to the China-based and state-sponsored HAFNIUM group. Microsoft explained that the group primarily targets U.S.-based entities and “has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control.”
“Hopefully, Microsoft can continue to leverage its considerable resources and reach to make more interventions and next time perhaps even thwart the more sophisticated nation-state attacks before they have had time to compromise so many systems and affect so many organizations as we saw in the SolarWinds attacks,” Gartner’s Webber added.