User Profile
TonyOPS
MicrosoftJoined 2 years ago
User Widgets
Recent Discussions
New Blog Post: Securing Multi-Cloud Gen AI workloads using Azure Native Solutions
Note: This series is part of “Security using Azure Native services” series and assumes that you are or planning to leverage Defender for Cloud, Defender XDR Portal, and Azure Sentinel. Introduction AI Based Technology introduces a new set of security risks that may not be comprehensively covered by existing risk management frameworks. Based on our experience, customers often only consider the risks related to the Gen AI models like OpenAI or Anthropic. Thereby, not taking a holistic approach that cover all aspects of the workload. This article will help you: Understand a typical multi-cloud Gen AI workload pattern Articulate the technical risks exists in the AI workload Recommend security controls leveraging Azure Native services We will not cover Data Security (cryptography, regulatory implications etc.), model specific issues like Hallucinations, deepfakes, privacy, toxicity, societal bias, supply chain security, attacks that leverage Gen AI capabilities to manifest such as Disinformation, Deepfakes, Financial Fraud etc. Instead, we aim to provide guidance on architectural security controls that will enable secure: Configuration of AI workload Operation of the workload This is a two-part series: Part 1: Provides a framework to understand the threats related to Gen AI workloads holistically and an easy reference to the native security solutions that help mitigate. We also provide sample controls using leading industry frameworks. Part 2: Will dive deeper into the AI shared responsibility model and how that overlaps with your design choices Threat Landscape Let’s discuss some common threats: Insider abuse:An insider (human or machine) sending sensitive / proprietary information to a third party GenAI model Supply chain poisoning:Compromise of a third-party GenAI model (whether this is a SaaS or binary llm models developed by third party and downloaded by your organization) System abuse:Manipulating the model prompts to mislead the end user of the model Over privilege:Granting unrestricted permissions and capability to the model thereby allowing the model to perform unintentional actions Data theft/exfiltration:Intentional or unintentional exfiltration of the proprietary models, prompts, and model outputs Insecure configuration:Not following the leading practices when architecting and operating your AI workload Model poisoning:Tampering with the model itself to affect the desired behavior of the model Denial of Service:Impacting the performance of the model with resource intensive operations We will discuss how these threats apply in a common architecture. Reference architecture Fig. Gen-AI cloud native workload Let’s discuss each step so we can construct a layered defense: Assuming you are following cloud native architecture patterns, your developer will publish all the application and infrastructure code in an Azure DevOps repo The DevOps pipeline will then Create a container image Pipeline will also set up respective API endpoints in Azure API management Pipeline will deploy the image with Kubernetes manifests (note that he secrets will stored out of bound in Azure Key Vault) User access an application that leverages GenAI (Open AI for Azure and Anthropic in AWS) Depending on the API endpoint requested, APIM will direct the request to the containerized application running in cloud native Kubernetes platforms (AKS or EKS) The application uses API credentials stored in KeyVault The application makes requests to appropriate Gen AI service The results are stored in a storage service and are reported back to the user who initiated step 5 above Each cloud native service stores the diagnostic logs in a centralized Log Analytics Workspace (LAW) Azure Sentinel is enabled on the LAW For the full post click here:Securing Multi-Cloud Gen AI workloads using Azure Native Solutions - Microsoft Community HubNew Feedback Opportunity: Microsoft Defender for Cloud DevOps Security Survey
If you work for a small or medium company and if you're already using Microsoft Defender for Cloud and you have Defender CSPM we want to hear your thoughts about DevOps security capabilities:https://learn.microsoft.com/en-us/azure/defender-for-cloud/devops-support#azure-devops Your opinion is instrumental in shaping the future of how Microsoft approaches the Defender for Cloud (MDC) product, for small and medium customers (SMC). We sincerely appreciate your dedication to helping us deliver a world-class security solution that aligns with your needs. Take the survey here!New Feedback Opportunity
Hello! I am pleased to inform you of a new enhancement to your Microsoft E5 license. We have introduced Enterprise IoT, a solution that enables the monitoring and protection of IoT devices within office environments, including printers, cameras, and scanners. By turning on Enterprise IoT apart from getting alerts and recommendations, you will get vulnerability and misconfiguration data, purpose-built for IoT devices. Activation is a breeze: Getting started is as easy as turning on a toggle in your Defender XDR Portal. Follow this documentation to set it up. Bonus Protection: For every E5 license you have, we provide complimentary protection for 5 IoT devices. That means if you have 20 E5 licenses, you can secure up to 100 devices at no extra cost! Curious about the details? Our documentation will guide you on how to calculate the number of devices you can protect. Your Experience Matters: We are dedicated to continuous improvement and your input is invaluable. Please take a moment to share your thoughts through a short survey. Let’s Connect: Interested in a deeper dive into Enterprise IoT or other Microsoft Security solutions? Simply reply to this email and we’ll arrange a conversation with a product manager from our Microsoft Engineering team. Thank you!New Blog Post | Act now: Turn on or customize Microsoft-managed Conditional Access policies
As part of ourSecure Future Initiative, we announcedMicrosoft-managed Conditional Access policiesin November 2023. These policies are designed to help you secure your organization's resources and data based on your usage patterns, risk factors, and existing policy configuration, all while minimizing your effort. Our top recommendation for improving your identity secure posture is enabling multifactor authentication (MFA), whichreduces the risk of compromise by 99.2%. This is why our first three policiesare all related to MFA for different scenarios. Since we announced Microsoft-managed Conditional Access policies,we’ve rolled out these policies to more than 500,000 tenants in report-only mode. In this mode, the policies don’t impact access but log the results of policy evaluation. This allows administrators to assess the impact before enforcing these policies.Thanks to proactive actions taken by administrators to enable or customize these policies, over900,000users are now protected with MFA. We’ve been actively listening to your feedback. Customers shared that Microsoft-managed policies impact the number of Conditional Access policies that organizations can create. We’ve addressed this by making a significant change: Microsoft-managed policies will no longer count towards the Conditional Access policy limit. Another adjustment relates to existing Conditional Access policies. If you already have a policy in the “On” state that meets or exceeds the requirements set by the Microsoft-managed policy, the latter will not be automatically enforced in your tenant. Initially, we communicated that these policies would be automatically enabled 90 days after creation. However, based on customer feedback, we recognize that some customers need additional time to prepare for these policies to be enforced. As a result, we have extended the time frame before enforcing the policies for this initial set of policies. For these three policies, you will have more than 90 days to review and customize (or disable) your Microsoft-managed Conditional Access policies before they are automatically enforced. Rest assured, you’ll receive an email and aMessage Centernotification providing a 28-day advance notification before the policies are enforced in your tenant. Call to Action Review these policies in the Conditional Access policies blade. Add customizations such as excluding emergency accounts and service accounts. Read the full story here:Act now: Turn on or customize Microsoft-managed Conditional Access policies - Microsoft Tech CommunityNew Blog Post | Cross-tenant access settings - Notes from the field
The introduction of cross-tenant access settings for Microsoft Entra External ID marked a pivotal shift in how organizations manage security and collaboration across different tenants. This blog post dives into the essence of these settings, focusing on their significance for secure B2B collaboration. Three key areas of focus, include: The critical aspect of trusting multifactor authentication (MFA) from business collaborators, including the exploration into the balance between maintaining high security standards and ensuring a seamless user experience for B2B guest users, plus highlighting a perspective to simplify authentication processes and reduce administrative burdens. Offering a closer look at the cross-tenant access settings and how these settings enable more granular control over cross-tenant collaborations. Real-world use cases illustrate the application of these policies in managing and restricting access to ensure security without hindering productivity and cooperation. Insights into leveraging Microsoft Entra cross-tenant access policies for improved security and collaboration and to ensure a smooth user experience. Trust MFA from business collaborators (B2B collaboration) by default In today's interconnected digital landscape, organizations are increasingly embracing B2B collaboration to streamline workflows and facilitate cooperation with external partners. As part of this collaborative approach, many businesses routinely create guest user accounts within their Microsoft Entra tenants and grant trusted partners access to their resources. To enhance security, many have already extended the requirement for MFA to B2B guest users. This, however, requires external users in cross-tenant access scenarios to register an additional authentication method in the foreign tenant. The need for B2B guest users to register for an additional MFA method in the resource tenant basically increases the account security, but at the same time it adds layers of complexity. User experience disruption in a B2B collaboration scenario B2B guest users who have already implemented MFA in their home tenant and have become accustomed to the convenience of advanced MFA methods like Windows Hello for Business, encounter disruptions when attempting to access the resource tenant. Even if users have already provided strong authentication in their home tenant, they will still be prompted for authentication again in the resource tenant. Figure 1: MFA prompt for B2B guest user who access protected resource in foreign tenant Administrative overhead for IT and users Both the guest user and the resource tenant's IT team face additional administrative tasks. For the guest user, navigating a new MFA setup and maintaining an additional MFA registration can be annoying. For the tenant administrator and the support team, managing these additional MFA registrations can increase overhead significantly. In cases where a guest user loses access to their device or does not have a backup for a new device, regaining access to their account involves additional administrative tasks for both the guest user and the resource tenant's IT team. The guest user may need to perform a new MFA setup, while the tenant support team need to manage the additional MFA registrations. Are you wonderingwhyguest users must register an additional authentication method per resource tenant when they already have one in their home tenant? Well, let's talk about the trust settings in cross-tenant access settings. Read the full post here: Cross-tenant access settings - Notes from the field - Tech CommunityNew Blog | New at Secure: Enhanced Vulnerability Profiles and CVE Search within MDTI
The Microsoft Defender Threat Intelligence (MDTI) team revamped vulnerability profiles to improve customers’ ability to access world-class intelligence on vulnerabilities and exposures within the Defender XDR portal. These exciting updates include: A new layout that mirrors the design of our Threat Actor and Tool intel profiles for a more consistent experience Vulnerability profiles sorted by published date by default in list view to display a steady feed of new, high importance CVEs The decoupling of Vulnerability Profiles from open-source Common Vulnerabilities and Exposures (CVEs) so customers can access all available information on vulnerabilities An enhanced CVE search experience: searches will return all content related to a vulnerability instead of directing a user to a CVE information page. These enhancements will provide a more intuitive experience for surfacing content related to CVEs, offering critical context on threats and information within alerts and incidents. What are Vulnerability Profiles? Vulnerability Profiles are MDTI’s newest intel profile type,launched at Microsoft Ignite in November. Building off our work tointroduce intel profiles to MDTI, which has become the definitive source of Microsoft’s shareable knowledge on over 200 threat actors and 70 tools, MDTI now also contains over 75 extensive profiles of the CVEs deemed most critical and relevant by our dedicated security researchers. Amid the many vulnerabilities teams must keep track of — old and new, with varying degrees of prominence and impact as threat actors adjust their techniques, tactics, and procedures (TTPs) — Vulnerability Profiles tilt the advantage back in favor of defenders by delivering focused, actionable insights and recommendations on how to protect against the most critical CVEs, based on information garnered from Microsoft’s 65 trillion threat signals per day. By routinely visiting the “Vulnerabilities” tab on the Intel Profiles page in Defender XDR, customers will see a steady stream of new profiles, sorted by published date, indicating CVEs that are considered pressing by Microsoft’s security researchers. This enables CISOs, Vulnerability Managers, SOC Analysts and Cyber Threat Intelligence Analysts alike to remain informed on these CVEs to prioritize detections and implement patching on endpoints and other recommendations in their environment for the vulnerabilities which are most relevant to their organization. Vulnerability Profiles are accessible from the “Intel profiles” page within the “Threat intelligence” blade in the left navigation. See these profiles by clicking on the “Vulnerabilities” tab: Vulnerability Profiles are accessible from the “Vulnerabilities” tab on the Intel Profiles page, which is contained under the threat intelligence blade in the left navigation. On the Vulnerability Profiles list view, the “Profile” column displays the CVE number, title, and summary of the profile, whereas the right-most column displays the published date, indicating how recently Microsoft wrote about the vulnerability. Under the “Intelligence” column in the Vulnerability Profiles list view, customers will see priority and CVSS scores as well as indications of active exploitation (“Active exploitation observed”), dark web chatter (“Chatter Observed”), and available public proof of concept exploits (“POC Available”, "1 Published POC") for these vulnerabilities. Vulnerability Profiles are decorated with proprietary information from Microsoft’s own research and telemetry that can only be found in our intel profiles. This includes original research such as observations of active exploitation in the wild; detailed analysis of the methods used to exploit these CVEs by malicious actors; detections and Advanced Hunting queries that will indicate or alert on related activity in an organization’s network; and recommendations to protect against the threat. Read the full post here:New at Secure: Enhanced Vulnerability Profiles and CVE Search within MDTI - Microsoft Tech CommunityNew Blog Post | New at Secure: MDTI in Defender XDR Global Search
On the heels of introducing Microsoft Defender Threat Intelligence (MDTI)premiumandstandardeditions into the Microsoft Defender XDR portal, we are thrilled to introduce an even greater integrated threat intelligence experience by making results for MDTI content available within Defender XDR’s global search bar. Users will notice that they can now use the top-level Defender XDR search to discover results from MDTI on indicators of compromise (IOCs), common vulnerabilities and exposures (CVEs), articles, threat actors and more. From anywhere in the portal, customers now can readily find MDTI raw intelligence including IPs, domains, hashes, and URLs as well as finished intelligence in the form of articles, intel profiles, and CVEs alongside their other content from Defender XDR when conducting searches, helping to accelerate investigations with critical threat intelligence context. Results from MDTI and Threat Analytics will appear within the “Intel Explorer” list in the results page: MDTI results are now available under the “Intel Explorer” tab when searching via Defender XDR’s global search bar. You may search and see results for indicators such as IP addresses or file hashes, intel profiles, CVEs, threat articles and more. Read the full post here:New at Secure: MDTI in Defender XDR Global Search - Microsoft Tech CommunityNew Blog Post | What's New at Microsoft Secure 2024
At Microsoft Secure, we are excited to announce several new innovations from the Microsoft Defender Threat Intelligence (MDTI) team. These updates enable our customers to access valuable, high-fidelity threat intelligence where, when, and how they need it: To optimize MDTI content for customers, we have enhanced the look and feel of vulnerability profiles and are releasing the full corpus of Microsoft’s intel profiles to the MDTI standard version. We are keeping pace with Copilot for Security as it evolves, launching a new side card experience in the threat intelligence blade of Defender XDR. We have also introduced new MDTI skills and promptbooks for Copilot that deliver more of Microsoft's world-class threat intelligence to the SOC at machine speed. Finally, as we continue to build a more comprehensive threat intelligence experience across Microsoft Defender XDR, we’re proud to announce that MDTI content is now available via the global search function. Read more about what's rolling out at Microsoft Secure 2024 below: New MDTI skills and workbooks for Copilot for Security MDTI is making more threat intelligence available via new Copilot for Security skills and workbooksto help customers understand the full scope of attacks, anticipate the next steps of an ongoing campaign, and drive an optimal security plan for their organizations at machine speed and scale. These include: Correlate MDTI data with Defender XDR information:These out-of-the-box promptbooks correlate MDTI data with other critical security information from Defender XDR such as incidents and hunting activities to help a user understand the broader scope of an attack. Correlate MDTI Content with Threat Analytics (TA) content:When prompted, this skill reasons over threat intelligence content from MDTI and Threat Analytics, and provides a summary of the two, e.g., "Tell me everything Microsoft knows about [this threat actor]." Obtain current reputation TI for file hashes, URLs, Domains, and IPs:This skill shows the full information for hashes and URLs, including MDTI and SONAR data. Register for our Tech Community Webinar in April 11to learn more about how MDTI enables Copilot to deliver threat intelligence at machine speed. Read the full post here:What's New at Microsoft Secure 2024- Tech CommunityNew Blog Post | Exposure Management: The Evolution of Vulnerability Management
Traditional Vulnerability Management As security professionals, we’re tasked with the seemingly impossible job of staying one step ahead of attackers. This task is made more challenging by the constantly evolving threat landscape as well as the silos that exist within our businesses, security teams, and even our tooling. The technology and architecture required to support a modern enterprise has caused the attack surface to expand rapidly in recent years—this includes things like leveraging a hybrid cloud/on-premises architecture, enabling a fully remote workforce, and using a myriad of tools and technologies to support a single web application. Combined with a consistent increase in the amount of malicious activity from both organized crime groups and independent hackers, the odds have never been more stacked against security teams. For many defenders, security is a game of Whac-a-Mole; as soon as one issue is fixed, three more are identified. Despite common attacks exploiting known vulnerabilities and often following well defined tactics, techniques, and procedures (TTPs), we still find it challenging to identify and prevent them within our organizations. Misconfigurations and vulnerabilities, even those that are well-known and have patches and fixes available, continue to be a common cause of successful breaches. Our traditional approach to vulnerability management is falling short. This is in part due to its limited scope. Historically, we’ve focused on protecting what we know – looking for Common Vulnerabilities and Exposures (CVEs) across our endpoints, servers, and infrastructure. While this is a good start, it does not give us a holistic view of our digital estate, it lacks context, and assumes all resources are equal. With this approach, we only have insights into a small snapshot of our environment. We also need to account for risks within our code, network vulnerabilities, data access, resource misconfigurations, and identity over permissions. Today, all these risks fall under the Vulnerability Management charter, and each introduces a new tool or set of tools designed to identify and remediate the risk. While it’s helpful to have specialized tools for each unique use case, the tools continue to operate in silos. The data itself is not integrated and the tools operate within separate portals. As a result, they continue to provide a fragmented view of our environment. This lack of integration means that despite having additional coverage, we do not have contextual security, making it hard to prioritize the most critical threats and our corresponding remediation efforts. Continuous Threat and Exposure Management The NIST Cybersecurity Framework helps us to break down cybersecurity into 5 domains: identify, protect, detect, respond, and recover. In recent years, we have seen organizations focus heavily and make significant investments into two of these domains— detection and response. Due to these investments, which include innovative technologies like artificial intelligence (AI) and advanced automation, these organizations have been able to achieve a much lower Mean Time to Detect (MTTD) than ever before, a key metric in evaluating their efficiency in responding to cyber incidents. Despite this, we continue to see the rates of successful breaches grow year-over-year. Two of the areas that we have been investing heavily in over the years are Identify and Protect capabilities. Identify is just as important as any of the other stages of the framework. You cannot Protect, Detect, or Respond to threats against services of which you are unaware. The first stage in ensuring up-to-date services, proper configuration, and the right detection and response tools is ensuring you know the scope of your environment. While we can often protect what we know, it is much harder to protect the resources we do not know exist. This is especially important to keep top of mind because we’ve seen through our most recent research that 80-90% of successful ransomware compromises originated through unmanaged devices (Microsoft Digital Defense Report 2023 (MDDR) | Microsoft Security Insider). These devices run a higher risk of having unpatched remote code execution vulnerabilities and misconfigurations allowing RDP or SSH access. Without being able to identify these resources and their relationship to our organization, we are ill-equipped to protect against targeted attacks. We need to consider our entire exposure, including the areas not directly within our control. Once we’ve identified the true scope of our exposure, the next stage of the cycle is to define protections. For years, we’ve used vulnerability management solutions, and we have used them as well as we can. Even with Vulnerability Management solutions in place, studies show only about 13% (Why does it take so long for security teams to remediate vulnerabilities? | SC Media (scmagazine.com...) of vulnerableness are remediated and the average time it takes to remediate these vulnerabilities is 271 days. Typically, organizations look at vulnerabilities from a criticality standpoint, starting with the most severe, working down from there. With this approach, we only focus on the individual CVEs, not the full impact of exploitation. Without contextual security, we are potentially focusing on the wrong vulnerabilities. The Vulnerability Management industry is evolving from targeted vulnerability identification and remediation to a more holistic exposure management approach referred to by Gartner as Continuous Threat Exposure Management (CTEM). This represents a paradigm shift for vulnerability management from prioritizing based purely on the threat type and severity to focusing our remediation strategy on potential business impact. To do this effectively, we must recognize that there are significant variables to consider including our external attack surface, sensitive data exposure, and resource interconnectivity (attack paths). CTEM is not just about vulnerability and posture management, it’s a process to help prioritize risk reduction based on business impact. Microsoft’s Exposure Management Journey Microsoft has always placed a high emphasis on helping customers understand their posture and has been on the Exposure Management journey for quite some time. One of the first features was a feature within our Defender for Identities solution called Identity Security Posture Management. This is a technology that helps organizations to discover and visualize identity vulnerabilities such as legacy protocols being used, dormant entities in sensitive groups, exposed credentials in clear text, and many others. The next stage of the journey was the introduction of Microsoft Defender Vulnerability Management (MDVM). MDVM brought the capability to evaluate both first and third-party OS kernel vulnerabilities. Over the years we continued to build and expand our capabilities with the goal of being able to discover vulnerabilities from application to hardware. Some of these innovations include introducing security baselines, hardware and firmware assessments, digital certificates assessments, browser extension assessments, and even network share analysis. Microsoft Defender Vulnerability Management was then extended from traditional client and server management to containerized applications. Using the MDVM engine, we now have the ability to run vulnerability scans against new images checked into container registries across Azure, AWS or GCP, and discovers running instances with vulnerabilities. In August of 2021, Microsoft acquired RiskIQ, a cybersecurity company focused on Internet-scale data discovery, threat intelligence, and attack surface management. Leveraging the web-crawling infrastructure and datasets from RiskIQ, we released a new solution called Defender for External Attack Surface Management (Defender EASM). Defender EASM automatically discovers and monitors customers’ external attack surface and gives security teams visibility into potentially unknown resources and Internet assets, like shadow IT or improperly decommissioned UAT environments. Since EASM only leverages open-source data collection, it allows security teams to view their organization’s external attack surface the same way that an attacker would—if we can see it, so can they. Read the full post here:Exposure Management: The Evolution of Vulnerability Management - Tech CommunityNew Blog Post | Microsoft named as a Leader in three IDC MarketScapes for Modern Endpoint
Organizations have seen the number of human-operated ransomware attacks increase more than 200% since September 2022 and about 70% of organizationsencounteringthese attacks had fewer than 500 employees[1]. With these securityconcernstop of mind, there is no surprise that in the last five years, the Modern Endpoint Security (MES) market has nearly tripled in size to defend against emerging,sophisticated,and persistent threats. Microsoft continues to develop solutions that help protect organizations of all sizes and today we are thrilled to announce that we have been recognized as a Leader intheIDCMarketScapereports for Worldwide Modern Endpoint Security across three (3) segments for enterprise[2], midsize[3], and small businesses[4]– the only vendor positioned in the “Leaders” category in all three reports. IDCMarketScapevendor analysis model is designed to provide an overview of the competitive fitness of ICT suppliersin a givenmarket. The researchmethodologyutilizesa rigorous scoringmethodologybased on both qualitative and quantitative criteria that results in a single graphical illustration of each vendor’s position within a given market. The Capabilities score measures vendor product, go-to-marketand business execution in the short-term. The Strategy score measures alignment of vendor strategies with customer requirements in a 3-5-yeartimeframe. Vendor market share is represented by the size of the icons. Read the full post here:Microsoft named as a Leader in three IDC MarketScapes for Modern Endpoint Security 2024- Tech Community
