Microsoft has enhanced the holistic agile security platform it touted last November with integrated insights obtained from the company's intelligent security graph and tighter collaboration with industry partners. The changes highlight Microsoft's current approach to enterprise security, which focuses on moving enterprises to cloud platforms to improve overall security.
The company announced security features for its cloud offerings, including Microsoft Azure, Office 365, and SharePoint Online. Along with enhanced security management and reporting capabilities, Microsoft integrated identity protection and threat visualization tools to provide real-time insights and predictive intelligence.
"In the 100 days since Satya [Nadella, Microsoft CEO] discussed our newly invigorated approach to security, we've made some significant progress," Bret Arsenault, the Microsoft CISO, wrote in the official Microsoft blog.
Enhanced intelligent security graph
Back in the fall, Nadella provided some clues on how Microsoft's new enterprise security approach relied on insights from the intelligent security graph to speed up threat detection and protect customer data. The security graph, formed by "trillions of signals from billions of sources," provides real-time insights to help IT detect and mitigate threats while providing actionable intelligence.
Arsenault introduced two new products, Azure Active Directory Identity Protection and Azure Security Center Advanced Threat Detection, to help enterprises move toward a "protect, detect, and respond security posture."
The Operations Management Suite taps into Microsoft's global threat intelligence to alert administrators when firewall logs, Wire Data, and IIS logs indicate network activity between a server and a known malicious IP address. IT teams can visualize the attacks on an interactive map to find attack patterns.
Azure Active Directory Identity Protection, available for public preview in early March, detects suspicious activity for end users and privileged identities arising from incidents like brute-force attacks, leaked credentials, sign-ins from unfamiliar locations, and infected devices. Based on the suspicious activity flagged, Identity Protection calculates a user risk severity score. IT administrators can define policies that automatically take action based on the severity score to protect identities from attack.
Most attacks against enterprises don't bother with exploits targeting zero-day vulnerabilities, since there are plenty of easier ways to steal user credentials and stroll right onto the network. The Identity Protection capability in Azure will help detect whether credentials have been stolen and are being used in unexpected ways, such as logging into a system the account has never accessed before.
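A toy version of the risk-scoring flow described above, added here as an illustration; it is not Microsoft's algorithm, and the sign-in events, per-user location baseline, leak list, score weights and policy thresholds are all constructed.

```python
from collections import defaultdict

# Constructed sample sign-in events (not real telemetry): ok=False is a failed attempt.
EVENTS = [
    {"user": "alice", "country": "US", "ok": False},
    {"user": "alice", "country": "US", "ok": False},
    {"user": "alice", "country": "US", "ok": False},
    {"user": "alice", "country": "US", "ok": True},   # success after repeated failures
    {"user": "bob",   "country": "BR", "ok": True},   # never seen in BR before
    {"user": "carol", "country": "US", "ok": True},   # account appears in a leak
]
# Constructed baseline: countries each user normally signs in from.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
# Constructed list of accounts seen in a published credential dump.
LEAKED_CREDENTIALS = {"carol"}

BRUTE_FORCE_FAILURES = 3  # hypothetical threshold
POLICY = {"low": "allow", "medium": "require MFA", "high": "block and force password reset"}


def score_users(events, known, leaked):
    """Return {user: (score, reasons)} for every user with a successful sign-in."""
    failures = defaultdict(int)
    results = {}
    for e in events:
        u = e["user"]
        if not e["ok"]:
            failures[u] += 1          # count consecutive failures per user
            continue
        score, reasons = results.get(u, (0, []))
        if failures[u] >= BRUTE_FORCE_FAILURES:
            score += 40               # success right after a burst of failures
            reasons.append("success after brute force")
        failures[u] = 0
        if e["country"] not in known.get(u, set()):
            score += 30
            reasons.append(f"unfamiliar location {e['country']}")
        if u in leaked:
            score += 50
            reasons.append("credentials in leak")
        results[u] = (score, reasons)
    return results


def severity(score):
    """Map an additive risk score onto the severity bands the policy keys on."""
    return "high" if score >= 50 else "medium" if score >= 30 else "low"


def decide(events=EVENTS, known=KNOWN_COUNTRIES, leaked=LEAKED_CREDENTIALS):
    """Return {user: (severity, policy action, reasons)}."""
    return {u: (severity(s), POLICY[severity(s)], r)
            for u, (s, r) in score_users(events, known, leaked).items()}
```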
Azure Active Directory already analyzes more than 14 billion logins to identify 300,000 potentially compromised user authentications per day, the company said.
Microsoft also developed a new Advanced Threat Detection capability to analyze crash dump data received from more than a billion Windows machines globally and detect compromised systems. Since crashes are often the result of "failed exploitation attempts and brittle malware," the crash dumps can be a useful sign that something unexpected is happening on the endpoint.
Advanced Threat Detection is now part of Azure Security Center, which lets IT administrators collect crash events from virtual machines running in their Azure environments to find potential issues. Azure Security Center analyzes the data and alerts the customer automatically if any of the virtual machines appear to have been compromised. Similar network and behavioral analytics capabilities have also been integrated into Azure Security Center.
These products "will improve our security signal, help us protect you and help you protect yourself," Arsenault said.
Features of a secure platform
The other part of Nadella's enterprise security vision focused on a secure platform, and Arsenault had several announcements on new security capabilities for Azure and Office 365. Microsoft Cloud App Security, which will let IT departments monitor and control SaaS applications like Box, Salesforce, ServiceNow, Ariba, and Office 365, will be generally available in April. Customer Lockbox for SharePoint Online and OneDrive for Business will be available around the same time. Azure Security Center will also feature a new next-generation firewall in the coming weeks.
Based on the technology from the Adallom acquisition, Cloud App Security will give Office 365 administrators advanced security management capabilities, such as security alerts for anomalous or suspicious behavior and automatic cloud application discovery to analyze which external cloud services users are connecting to. IT will also be able to approve and revoke permissions to third-party applications that users are authorized to connect to the Office 365 environment.
IT administrators don't always know what other apps users are using, so being able to discover what applications are in use will help protect sensitive data from accidentally being exposed.
Microsoft introduced Customer Lockbox for Exchange Online back in December for those "very rare instances" when Microsoft engineers need to access a customer's Exchange environment. Lockbox integrates customers into the approvals process for granting access to these engineers. Microsoft will expand Customer Lockbox to include SharePoint Online and OneDrive for Business, so IT administrators will have new approval rights and greater control over who can access the data being stored in Office 365.
All the security enhancements require better reporting and audit capabilities, so Microsoft expanded security management in Azure Security Center. Instead of configuring a single security policy for each Azure subscription, IT administrators can now configure a policy per Resource Group in order to tailor policy to specific workloads. A new Power BI Dashboard lets IT staff look for trends and attack patterns in Azure by visualizing, analyzing, and filtering alerts and recommendations. And a revamped Security and Audit dashboard provides insights across the data center on various security-related events, such as authentication, access control events, network activity, malware protection, and system updates.
Azure Security Center will analyze and identify customer deployments that would benefit from having a next-generation firewall. Customers will be able to provision the firewalls and use Azure Security Center to view and respond to security issues from one place. While Check Point vSEC is the only next-generation firewall currently available, the company plans to add Cisco and Fortinet next-gen firewalls, as well as Imperva SecureSphere and Imperva Incapsula web application firewalls.
Microsoft is not trying to provide all the security capabilities for Azure and Office 365 applications on its own. Instead, it's working with industry partners through the new Azure Security Center partner solutions so that enterprises can bring their own security products when moving to the cloud environment.
"No single company can solve the security challenges that our customers face today, which is why the security ecosystem, and all of our security partners, are key to our approach," Arsenault said.