Microsoft Floods RSA Conference with Security Announcements
- By Kurt Mackie
- April 20, 2018
Microsoft gave a thorough progress report on its security portfolio at the RSA security conference this week.
The announcements spanned Microsoft's Security Graph, Advanced Threat Protection (ATP), Information Protection and Conditional Access products, and beyond. Here's a rundown of the news.
Security API Preview
Developers working with Microsoft's security products got a preview of a new "Security API" for accessing the Intelligent Security Graph. The Intelligent Security Graph is a search service that typically underlies Microsoft's various security solutions.
The new Security API preview will work with a lot of Microsoft's Azure security services, according to an announcement:
This public preview supports API access of Alerts from Azure Security Center and Azure Active Directory Identity Protection with Intune and Azure Information Protection coming soon. We are also announcing support for high volume streaming of alerts to a SIEM through Security API integration with Azure Monitor. This will enable seamless ingestion of alerts from multiple sources directly into a SIEM.
The Security API is billed as a boost to Microsoft's partners because "they can allow their alerts, context, and automation to be enabled in the Graph at peer level with integrated Microsoft products." It'll support better protection for customers, too.
The Security API preview is currently being used by Anomali to augment its threat intelligence service. Palo Alto Networks is using it to expand the security features of its AutoFocus product. PricewaterhouseCoopers is using the Security API to bring additional information into its Secure Terrain cybersecurity analytics platform.
The Microsoft Intelligent Security Graph pools security information monthly based on "18 billion web pages" that get scanned by Bing, "400 billion" e-mails that get checked for malware and spam, plus threat detections from the Windows Defender Advanced Threat Protection service, according to Rob Lefferts, director of enterprise and security for Windows, in an announcement.
Microsoft Secure Score General Availability
The Microsoft Secure Score solution reached "general availability" (GA) this week, meaning that it's deemed ready for use in production environments. This product, which graphically scores an organization's security position, expands on the Office 365 Secure Score product that reached GA status last year.
Anthony Smith, a senior product marketing manager on the Microsoft 365 team, explained in a Tuesday announcement that "today Office 365 Secure Score is now Microsoft Secure Score." He added that Secure Score addresses other Microsoft solutions besides the Office 365 suite. For instance, it produces security scores for Windows and Microsoft Intune, he noted.
Secure Score "gives the IT administrator a combined view of security readiness across a broad swath of the digital estate -- from Office 365 services to endpoint devices," Lefferts explained.
Attack Simulator General Availability
Attack Simulator, which is part of the Office 365 Threat Intelligence service, reached GA status this week after getting previewed in February. It's available to "all Office 365 E5 or Office Threat Intelligence customers," according to a Tuesday Microsoft announcement.
As the name implies, IT pros can use Attack Simulator to "launch simulated attacks on their end users," including "mock ransomware and phishing campaigns." It has an HTML editor so that credible spear-phishing attack e-mails can be created. The e-mails can include credible names in the display name field to invoke "display name spear phishing" attacks. IT pros can also carry out password spray attacks, which means trying commonly used passwords across multiple user logins in an organization. There's also a brute-force password attack capability.
Windows Defender ATP Improvements
Windows Defender ATP rolled out a couple of years ago and was initially billed as a post-breach security analysis tool, using integrated Hexadite technology. Later, Microsoft indicated that the service would get autoremediation capabilities. This week, Microsoft explained in an announcement that Windows Defender ATP now has added automation capabilities that let the service expand investigations and fix security issues across an organization:
With the new security automation capabilities, Windows Defender ATP can now prevent and find breaches; it can fix them. These actions can be set to run automatically for simple, clear-cut cases, or can be reviewed prior to execution.
Windows Defender ATP will be getting a new capability with its next update called "dynamic machine risk." It'll block access to an organization's data when a threat is active. This capability resulted from collaborative work with Microsoft's Azure Active Directory (AD) team and Intune team, according to the announcement.
The device health checking capability of Windows Defender ATP resulted from an integration of Azure AD Conditional Access capabilities with Windows Defender ATP and Intune. "You can now create access policies based on the risk level detected at Windows 10 endpoints," according to an announcement by Alex Simons, director of program management at the Microsoft Identity Division.
Microsoft also announced this week that Windows Defender ATP is "now built into Windows Server 2019," its forthcoming server product, which is expected to arrive in the second half of this year. The ability to work with non-Windows 10 clients, such as Windows 7 and Windows 8.1, is still at the preview stage, but GA status will be "coming soon," the announcement indicated.
Windows Defender ATP support also is being extended to Android, iOS, Linux and macOS operating systems through the Microsoft Intelligent Security Association. Lefferts had described it as "a group of technology providers who have integrated their solutions with Microsoft products." He said members include "Anomali, Check Point, Forcepoint, Palo Alto Networks and Ziften." The members "benefit from, and contribute to, the Intelligent Security Graph and Microsoft security products," according to an explanation in another Microsoft announcement.
Azure AD Announcements
Simons announced this week that a few other Azure AD-based features have reached GA status.
For instance, Azure AD Privileged Identity Management, a role-based access control solution that was commercially released about a year-and-a-half ago, now has a new capability to enforce multifactor authentication, which is a secondary identity verification scheme. It also can generate an "approval workflow whenever a user requests elevation into the Virtual Machine Contributor role."
Another commercially available Azure AD feature this week is the ability to schedule "access reviews." It sets up a compliance check on user access privileges.
Lastly, Microsoft now lets Azure AD B2B (Business-to-Business) Collaboration users "specify which partner organizations you want to share and collaborate with." IT pros set up a list of "allow or deny domains" to make it happen.
"This B2B Collaboration feature is available for all Azure Active Directory customers and can be used in conjunction with Azure AD Premium features like conditional access and identity protection for more granular control of when and how external business users sign in and gain access," Simons indicated.
FIDO2 Passwordless Sign-in Support
New passwordless sign-in support, using FIDO2, will be coming to the spring Windows 10 release, Microsoft also announced this week.
There's now a "limited preview" of device sign-ins using a "FIDO2 security key" via the spring Windows 10 update. The spring Windows 10 release (code-named "Redstone 4") was expected to arrive during this month's patch Tuesday security update release phase, but it's been delayed.
Fast IDentity Online 2.0 (FIDO2) is a Web authentication standard developed by the FIDO Alliance industry coalition and the World Wide Web Consortium (W3C) with a goal of moving away from a reliance on passwords for user authentication. Instead, the FIDO specification describes a public-key/private-key method that purportedly thwarts "phishing, man-in-the-middle and replay attacks" using stolen passwords. The inclusion of portable private keys in the authentication scheme supposedly deters interlopers who have access to the public passwords.
The ability to test using a FIDO security key with the Windows 10 spring update is currently available via a preview waitlist sign-up process. A FIDO security key is typically a USB thumb-drive-style device with some biometric means of establishing user identity, such as a thumbprint reader. A user plugs the device into the computer and then taps the device to sign into Windows 10 biometrically, without having to enter a user name or password. The FIDO security key also permits single sign-on access to services if they are Azure Active Directory-controlled.
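To make the public-key/private-key mechanism concrete, here is an added example (not Microsoft's code or anything from the article) that models a FIDO2/WebAuthn sign-in in Go: the relying party issues a one-time challenge, the security key signs it together with the browser-supplied origin, and the server rejects an assertion relayed through a phishing page, a replayed assertion and a forged one. The type and function names, the origins and the stand-in authenticator are all assumptions made for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
// ClientData mirrors WebAuthn's clientDataJSON; the browser, not the user,
// fills in Origin, so a phishing page cannot claim the real site's origin.
type ClientData struct{ Type, Origin string; Challenge []byte }
// Assert is the security key's job: sign SHA-256(clientDataJSON) with a
// private key that never leaves the device (constructed stand-in).
func Assert(priv ed25519.PrivateKey, cd ClientData) (cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(cd) // Challenge is emitted as base64, as WebAuthn does
	h := sha256.Sum256(cdJSON)
	return cdJSON, ed25519.Sign(priv, h[:])
}
// RelyingParty is the server; Pub was registered at enrollment, Pending holds issued, unused challenges.
type RelyingParty struct {
	Origin  string
	Pub     ed25519.PublicKey
	Pending map[string]bool
}
// NewChallenge issues a fresh random challenge that is valid exactly once.
func (rp *RelyingParty) NewChallenge() []byte {
	b := make([]byte, 32)
	rand.Read(b) // fresh randomness is what makes a captured assertion worthless later
	rp.Pending[string(b)] = true
	return b
}
// Verify rejects a wrong origin (phishing relay), a reused challenge (replay) and a bad signature, in that order.
func (rp *RelyingParty) Verify(cdJSON, sig []byte) error {
	var cd ClientData
	h := sha256.Sum256(cdJSON)
	switch {
	case json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get":
		return errors.New("malformed client data")
	case cd.Origin != rp.Origin:
		return errors.New("origin mismatch: possible phishing relay")
	case !rp.Pending[string(cd.Challenge)]:
		return errors.New("unknown or already used challenge: possible replay")
	case !ed25519.Verify(rp.Pub, h[:], sig):
		return errors.New("bad signature")
	}
	delete(rp.Pending, string(cd.Challenge)) // single use, so a replay fails
	return nil
}
```

The origin check is what defeats the phishing case: the key signs whatever origin the browser reports, so an assertion obtained on a look-alike site never verifies at the real one.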
Microsoft had much more RSA security news. It announced that Microsoft Cloud App Security has improved "ransomware and terminated-user activity" detection. The ransomware detection capability can now detect anomalies and more sophisticated attacks. For terminated employees, Microsoft is previewing the ability to detect when they continue to use SaaS apps. Another preview is the ability to set granular controls for actions to take when end users have "come from a risky session."
Microsoft brought Azure AD Conditional Access capabilities into Azure Information Protection. It lets IT pros require multifactor authentication to access protected documents, or enforce device compliance policies. It also enables risky sign-ins to get blocked. Blocking also can be enforced for nontrusted network access. These Azure AD Conditional Access capabilities can be extended to other systems, enabling policy consistency. The first partner along those lines is Iconic Security with its Data Trust platform, according to Microsoft's announcement.
Lastly, Azure Security Center got a bunch of improvements, according to an announcement this week. Notably, the just-in-time virtual machine access feature is now at GA. Another feature reaching GA this week is a capability that integrates security configurations when virtual machines get created. Also at GA, Security Center has a "new web security configuration assessment" that helps to find IIS Web Server vulnerabilities on "IaaS VMs."
Microsoft also announced a couple of Azure Security Center integrations. It partnered with Palo Alto on its Next Generation Firewall, and with McAfee on anti-malware reporting for Windows machines.
Partner Applauds Secure Score and FIDO2
One Microsoft partner attending the show saw Microsoft's flood of announcements as a signal of the company's evolving view of itself as a major security player.
"Microsoft's announcements continue to suggest that the company envisions itself as a full-blown security company. It will be interesting to see if Microsoft can provide collaboration software while also controlling the use and sharing of data," said Dana Simberkoff, chief risk, privacy and information security officer at Avepoint Inc. in an e-mail interview.
While Simberkoff viewed the announcement of Azure Sphere, Microsoft's move to create a pivotal role for itself at the center of securing the Internet of Things (IoT), as the biggest deal of the week, other announcements that struck her as significant included Secure Score and news about FIDO2.
"I am a big fan of benchmarking, and I think the work that Microsoft is doing in this space is important and interesting," Simberkoff said of Secure Score. "Microsoft is using its global presence to show customers that they don't have to reinvent security and that they can follow the established best practices -- a powerful example of sharing for good."
She also called the FIDO2 support a key advancement. "Anything we can do to eliminate password dependence is going to greatly improve our risk posture. Reliance on passwords for security has been problematic and cumbersome for some time, and Microsoft's support of the FIDO 2.0 standard represents progress towards limiting that risk."
RCP Editor Scott Bekker contributed to this report.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.