J
Jon Nordström
You don't need us to tell you about the current Cyber Security threat landscape, if you are reading this blog post you already know. You are also aware that the absence of evidence for a breach is not the same as not being breached and that your cyber security posture is constantly being assessed by adversaries. This is not becoming easier with the boom of AI and related services that are leading to a boom in data processing in combination with new capabilities for threat actors. Or... could it?
We are excited to provide you with a series of posts that will help you use the new technology to your advantage. This series will help small to large organizations to achieve more with the Microsoft Cloud Ecosystem Security.
No matter if you are a business leader or a technologist this will spark ideas that will help you achieve more. These abilities are fully customizable, and we are also adding new out-of-the-box features that can be used to replace these custom features. We will post updates as those become available.
The basis of this approach
How do you identify new security projects? How do you assess which security project you should fund? Are you uncertain if the program you funded has had the desired outcome? What cost is associated with a failed control? What is the positive financial impact of effective controls?
We think the answer to these questions is: By focusing on what the adversaries are after and the consequences of controls being bypassed. Much may change but the target is your crown jewels (across the dimensions of confidentiality, integrity and availability).
The benefit of this focus is that it is well aligned with the focus of the entire organization. Investments to be made can be clearly articulated in terms and values that are understood across the organization. From a technology perspective, it switches the focus to the adversaries' goals (and how to prevent), which avoids a too-introspective view and approach to security. It also helps you to focus on the consequences of such a breach, the awareness of the consequences will guide you to implement the right type of mitigation based on the impact. Do not let technology get in the way of your decision-making. Allow a freer form of communication across the organization using the value the technology enables.
What are attackers after? Let’s ask Copilot for Security
Please go here to learn more about Copilot for security.
Figure 1: Prompting Copilot about cyber attacks
Are you able to tell how far away threat actors have been from this type of data in your system? Wouldn’t it be nice if every time you have an incident you could validate proximity to sensitive information? Before we go deep into this let’s zoom out.
Is there a way to visualize the impact that cyber security has in a business context?
Yes, if your organization is using Microsoft 365 Purview configured to capture file access and you have enabled Microsoft Defender for Cloud Apps integration with Advanced Hunting (more in technical document). This example provides an overview of the data that you can use. Organizational context like department, data context like the data types being accessed, type of cyber security incidents including incident details can be viewed at a high level or at a detailed level. Pair this with your technology investments and you can provide the gains of attacks prevented as well as a view of incidents that penetrated further. With the contextual data you can associate a monetary cost to compromises as well as effective protection.
Figure 2: Cyber attack data
What about non-Microsoft systems, to see the types of cross-platform systems that can be visualized please see Connect apps to get visibility and control - Microsoft Defender for Cloud Apps | Microsoft Learn. We have not built visualizations for all these products but if you follow the existing patterns, you can do so for your key applications.
We have added the ability to use Microsoft Defender for Endpoint data to output connections to sensitive systems from compromised devices. You can also use Copilot for Security as part of this work, bring in other contextual data you have in documents and in other forms and let Copilot for Security make the connections.
Do not limit this to reporting
Start tagging your incidents with the organizational context in mind. When communicating Cyber Security incidents to stakeholders use contextual data not technical details. Reporting on near misses and actual incidents should bring the actual financial impact and a steer for new investments.
For example, if you have a phishing incident, don't just report the affected user and the type of phish. Instead, tag the incident with the class of sensitive information that may have been disclosed if the user was compromised. Even if the attack was successfully prevented.
Phishing is one of the most common attacks be realistic (anticipating your reaction), this type of data will support your investments. And it also provides an important data point, what if this control is bypassed. What types of controls do I have in between the attacker and the crown jewels? Which departments are targets, is this a specific threat actor?
Time for another sample from Copilot for Security
Incidents like Anonymous IP are not especially alarming for most organizations. It may be used as supporting data.
Figure 3: Anonymous IP involving one user
But when looking at this same innocuous incident from Copilot for Security we can note that this incident would benefit from the right type of tagging. The fact that an Account Key has been found in the open is concern enough. This tagging can be suggested directly by Copilot for Security, or for highest value connect Copilot for Security with your security policy and tagging taxonomy.
Figure 4: Copilot prompting about compromised data types
Regularly use Copilot for Security to map out potential ways the attacker may have gone deeper using MITRE ATT&CK as an example. With that in mind what is the proximity to other sensitive content and systems? Use the Exposure management tools like Microsoft Secure Score to find areas you can improve. Armed with this knowledge you may find additional controls that should be set in place to limit the impact of one of the controls failing. Backing the investment decisions with data that matters to your business.
When you validate CVE’s or software vendors for possible supply chain attacks check the impact they may have on your sensitive content. It can validate your next actions and you may even find the type of attackers you weren’t aware of.
Figure 5: Copilot prompting about sensitive information
But don’t stop here use Microsoft Defender for Cloud Apps to define networks and ISP’s, see this for more information. This will allow you to capture this type of detail based on vulnerabilities or threat actors you know are coming from a specific network segment and the amount of sensitive information being processed at that location. Which will allow you to extend this business context to investments needed in that space.
Are there other areas where this can be used?
What if you need to move one department to another location or are divesting parts of your organization? What type of data is being processed by that department or location?
You can use Copilot for Security.
Figure 6: Copilot prompting about types of sensitive info
Or you can use the view from Power BI to start the conversation and filter on the types that are key to your operations.
Figure 7: PowerBI info about data types
Conclusion
The approach to placing what is most valuable in the center will help you prepare for new and future threats. As your data landscape changes you will be able to monitor and early on spot weaknesses that may lead to increased risk. In a way you can see this as training where you build your muscles around your data. Instead of meeting cyber incidents as a problem you are meeting them as an opportunity to grow.
What's next
Please see the new blog posts and start building on your own adaptation of this approach. This is the starting point, and you will see us make many advancements to allow you to grow further.
Continue reading...
We are excited to provide you with a series of posts that will help you use the new technology to your advantage. This series will help small to large organizations to achieve more with the Microsoft Cloud Ecosystem Security.
No matter if you are a business leader or a technologist this will spark ideas that will help you achieve more. These abilities are fully customizable, and we are also adding new out-of-the-box features that can be used to replace these custom features. We will post updates as those become available.
The basis of this approach
How do you identify new security projects? How do you assess which security project you should fund? Are you uncertain if the program you funded has had the desired outcome? What cost is associated with a failed control? What is the positive financial impact of effective controls?
We think the answer to these questions is: By focusing on what the adversaries are after and the consequences of controls being bypassed. Much may change but the target is your crown jewels (across the dimensions of confidentiality, integrity and availability).
The benefit of this focus is that it is well aligned with the focus of the entire organization. Investments to be made can be clearly articulated in terms and values that are understood across the organization. From a technology perspective, it switches the focus to the adversaries' goals (and how to prevent), which avoids a too-introspective view and approach to security. It also helps you to focus on the consequences of such a breach, the awareness of the consequences will guide you to implement the right type of mitigation based on the impact. Do not let technology get in the way of your decision-making. Allow a freer form of communication across the organization using the value the technology enables.
What are attackers after? Let’s ask Copilot for Security
Please go here to learn more about Copilot for security.
Figure 1: Prompting Copilot about cyber attacks
Are you able to tell how far away threat actors have been from this type of data in your system? Wouldn’t it be nice if every time you have an incident you could validate proximity to sensitive information? Before we go deep into this let’s zoom out.
Is there a way to visualize the impact that cyber security has in a business context?
Yes, if your organization is using Microsoft 365 Purview configured to capture file access and you have enabled Microsoft Defender for Cloud Apps integration with Advanced Hunting (more in technical document). This example provides an overview of the data that you can use. Organizational context like department, data context like the data types being accessed, type of cyber security incidents including incident details can be viewed at a high level or at a detailed level. Pair this with your technology investments and you can provide the gains of attacks prevented as well as a view of incidents that penetrated further. With the contextual data you can associate a monetary cost to compromises as well as effective protection.
Figure 2: Cyber attack data
What about non-Microsoft systems, to see the types of cross-platform systems that can be visualized please see Connect apps to get visibility and control - Microsoft Defender for Cloud Apps | Microsoft Learn. We have not built visualizations for all these products but if you follow the existing patterns, you can do so for your key applications.
We have added the ability to use Microsoft Defender for Endpoint data to output connections to sensitive systems from compromised devices. You can also use Copilot for Security as part of this work, bring in other contextual data you have in documents and in other forms and let Copilot for Security make the connections.
Do not limit this to reporting
Start tagging your incidents with the organizational context in mind. When communicating Cyber Security incidents to stakeholders use contextual data not technical details. Reporting on near misses and actual incidents should bring the actual financial impact and a steer for new investments.
For example, if you have a phishing incident, don't just report the affected user and the type of phish. Instead, tag the incident with the class of sensitive information that may have been disclosed if the user was compromised. Even if the attack was successfully prevented.
Phishing is one of the most common attacks be realistic (anticipating your reaction), this type of data will support your investments. And it also provides an important data point, what if this control is bypassed. What types of controls do I have in between the attacker and the crown jewels? Which departments are targets, is this a specific threat actor?
Time for another sample from Copilot for Security
Incidents like Anonymous IP are not especially alarming for most organizations. It may be used as supporting data.
Figure 3: Anonymous IP involving one user
But when looking at this same innocuous incident from Copilot for Security we can note that this incident would benefit from the right type of tagging. The fact that an Account Key has been found in the open is concern enough. This tagging can be suggested directly by Copilot for Security, or for highest value connect Copilot for Security with your security policy and tagging taxonomy.
Figure 4: Copilot prompting about compromised data types
Regularly use Copilot for Security to map out potential ways the attacker may have gone deeper using MITRE ATT&CK as an example. With that in mind what is the proximity to other sensitive content and systems? Use the Exposure management tools like Microsoft Secure Score to find areas you can improve. Armed with this knowledge you may find additional controls that should be set in place to limit the impact of one of the controls failing. Backing the investment decisions with data that matters to your business.
When you validate CVE’s or software vendors for possible supply chain attacks check the impact they may have on your sensitive content. It can validate your next actions and you may even find the type of attackers you weren’t aware of.
Figure 5: Copilot prompting about sensitive information
But don’t stop here use Microsoft Defender for Cloud Apps to define networks and ISP’s, see this for more information. This will allow you to capture this type of detail based on vulnerabilities or threat actors you know are coming from a specific network segment and the amount of sensitive information being processed at that location. Which will allow you to extend this business context to investments needed in that space.
Are there other areas where this can be used?
What if you need to move one department to another location or are divesting parts of your organization? What type of data is being processed by that department or location?
You can use Copilot for Security.
Figure 6: Copilot prompting about types of sensitive info
Or you can use the view from Power BI to start the conversation and filter on the types that are key to your operations.
Figure 7: PowerBI info about data types
Conclusion
The approach to placing what is most valuable in the center will help you prepare for new and future threats. As your data landscape changes you will be able to monitor and early on spot weaknesses that may lead to increased risk. In a way you can see this as training where you build your muscles around your data. Instead of meeting cyber incidents as a problem you are meeting them as an opportunity to grow.
What's next
Please see the new blog posts and start building on your own adaptation of this approach. This is the starting point, and you will see us make many advancements to allow you to grow further.
- Security for Copilot Data Security Analyst plugin Learn how to customize and optimize Copilot for Security with the custom Data Security plugin
- Guided walkthrough of the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/guided-walkthrough-of-the-microsoft-purview-extended-report/ba-p/4121083
- How to build the Microsoft Purview extended report experience How to build the Microsoft Purview extended report experience
Continue reading...