Microsoft at Black Hat 2021: Sessions, bug bounty updates, product news, and more

Black Hat USA 2021 is about understanding the needs of security professionals and meeting you where you are. With last year’s pandemic-related firefighting still fresh in our minds, this year’s event will provide a welcome respite to learn about cutting-edge security solutions, build our skillsets, and network with peers.

Microsoft Security is committed to helping you secure your entire digital estate with integrated, comprehensive protection—bridging the gaps to catch what others miss. We provide the leading AI, automation, and expertise that help you detect threats quickly, respond effectively, and fortify your security posture.​ As the world enters a new normal where seasoned security professionals are more needed than ever, we’re proud to share our experience and learn from you at the virtual Black Hat USA 2021.

Virtual Microsoft-sponsored sessions

The Emerging Cyber Threat Landscape

Date and time: Tuesday, August 3, 1:15 PM – 1:45 PM PT

Black Hat CISO summit virtual breakout


  • Ann Johnson, Corporate Vice President, Security, Compliance, and Identity Business Development, Microsoft

The rapid rise of ransomware can be traced to WannaCry and (Not)Petya, which fused large-scale compromise techniques with an encryption payload that demanded a ransom payment in exchange for the decryption key. These successful attacks inspired a new generation of human-operated ransomware, expanding into an enterprise-scale operation blending targeted attacks and extortion. Learn how the rise in ransomware is influencing cyber strategies that can help strengthen your security posture.

Evolving Red Teaming at Microsoft

Date and time: Wednesday, August 4, 8 AM to 8:15 AM PT

Track: Security Operations and Incident Response


  • Alexandre Fernandes Costa, Principal Security Engineer Lead
  • Reid Borsuk, Principal Security Engineer

Representatives from one of the six teams dedicated to offensive security at Microsoft share how we’ve evolved from red teaming to broader offensive security practices and techniques. They’ll walk you through our collaborative approach to offensive security operations, all while demonstrating how red team activity is reflected in our products designed to stop adversaries in their tracks.

Preventing a Hostage Situation: Defusing the Pervasive Threat of Human-Operated Ransomware

Date and time: Wednesday, August 4, 3:10 PM – 3:30 PM PT

Track: Endpoint Security


  • Hadar Feldman, Product Management Lead, Microsoft 365 Defender
  • Itai Kollmann Dekel, Principal Research Manager, Microsoft Defender for Endpoint

Ransomware has evolved. We’ve all seen it progress from automated, indiscriminate nuisance attacks into the targeted, human-operated campaigns that cost businesses millions. Protecting against a ransomware attack is like preventing a hostage situation in real life—you need to understand the nature of the threat, assess your exposure to risk, identify high-value assets, implement protective measures, and have playbooks ready to respond rapidly.

In this session, we’ll take you through crisis prevention and mitigation strategies that can be a game-changer against human-operated ransomware. You’ll learn about our latest research on the ransomware threat landscape, based on in-depth analysis of dozens of real-world ransom attacks in the past year. We’ll examine how human-operated ransomware attacks have become more like advanced persistent threats, and what that means for your organization. We’ll discuss key mitigations that address common techniques observed in ransomware campaigns (like tampering with security products). Finally, we’ll examine approaches to contain aggressive ransomware along with critical ways to improve your ability to see through the noise—before it’s too late.

Inside the Most Impactful Nation-State Attack in History

Date and time: Thursday, August 5, 2:10 PM – 2:30 PM PT

Track: Security Operations and Incident Response


  • Elia Florio, Principal Research Lead, Microsoft
  • Ramin Nafisi, Senior Malware Reverse Engineer, Microsoft
  • Dana Baril, Senior Security Research Lead, Microsoft
  • Michael Grenetz, Senior Product Manager, Microsoft

Get an inside look into one of the most sophisticated attacks in history—the Nobelium incident—from the frontline responders that helped track and defend against it. We’ll discuss the adversary’s tradecraft, novel techniques, and expert recommendations that can help organizations protect themselves from the next wave of advanced threats.

Microsoft Bug Bounty Program

Microsoft awarded $13.6 million in bug bounties to more than 340 security researchers in 58 countries during the past 12 months. Bounties averaged more than $10,000 per award across all programs, with the largest ($200,000) awarded under the Hyper-V Bounty Program. The more than 1,200 eligible reports we received over the past year reflect the talent of the global security research community, as well as the spirit of partnership Microsoft fosters in addressing the challenges of a rapidly evolving threat landscape.

Bug bounty and research programs—new and updated

A heartfelt thank you goes out to everyone who shared their research with Microsoft over the past year. We look forward to sharing more Bug Bounty Program improvements with you in the coming year, as we continue to invest in our partnerships within the security research community.

Machine Learning Evasion Competition

Microsoft is seeing an uptick of attacks on commercial AI systems that could compromise the confidentiality, integrity, and availability guarantees of these systems. To help the AI and security community ramp up on this novel space, and provide a learning environment, today, we are launching MLSEC.IO, an educational Machine Learning Security Evasion Competition (MLSEC). Learn more about the competition and how to participate from our announcement blog.

Microsoft Security product news

Microsoft Azure Sentinel

In March 2021, Microsoft announced an important step in realizing our vision for integrated SIEM and XDR with the release of incidents integration between Azure Sentinel and Microsoft 365 Defender. Now, we’re excited to take another key step in this journey—bi-directional incidents syncing between Azure Defender and Azure Sentinel are now in public preview. With this capability, users can now automatically sync alerts, incidents, and incident statuses across the two products. Microsoft now delivers the only integrated SIEM and XDR with incident sharing across all components, streamlining the investigation process and giving your SecOps team more time to focus on what’s really important. Read  Microsoft Ignite 2021: What’s New in Azure Sentinel to learn more.

Microsoft Defender for Endpoint

Today’s threat environment is complex, and the endpoint continues to be a top attack vector. We recently released improvements and updates to the evaluation lab in Microsoft Defender for Endpoint to include new simulations by SafeBreach for attack campaigns such as Solorigate and Carbanak+FIN7, enabling security teams to better prepare for these types of advanced threats.

Robust prevention is a necessary first step in securing your organization. For that reason, we’re excited to share new device control capabilities for USB printing and removable storage to help organizations add additional layers of protection to their endpoints. We’ve also been extending our preventative capabilities across platforms, and the general availability of threat and vulnerability management for Linux adds to our existing support for macOS and Windows.

Finally, when responding to a potential threat, time is of the essence; so, we’ve focused on enabling security teams to scale their capabilities for more rapid investigations and response. Giving security teams the ability to download quarantined files without getting the user involved can dramatically speed up an investigation. In addition, our new live response API enables forensic evidence to be gathered as soon as suspicious activity is identified on a device.

Microsoft Azure Defender for IoT

Azure Defender for IoT is an agentless, network-layer monitoring solution for identifying unmanaged IoT and operational technology (OT) assets, prioritizing vulnerability mitigations, and continuously monitoring for threats using IoT/OT-aware behavioral analytics. Available for either on-premises or cloud-connected environments, Azure Defender for IoT is tightly integrated with Azure Sentinel and supports third-party security operation center (SOC) tools such as Splunk, IBM QRadar, and ServiceNow.

We’re happy to announce that IoT/OT-specific threat intelligence can now be continuously delivered to cloud-connected sensors—reducing manual efforts and helping to ensure constant security. Coming soon: mapping of threats to tactics and techniques for MITRE ATT&CK for industrial control systems (ICS). Plus be sure to attend our Black Hat session featuring Azure Defender for IoT security researchers describing BadAlloc, the critical RCE vulnerability they uncovered in widely used IoT/OT real-time operating systems (RTOS), libraries, and SDKs.

App governance add-on to Microsoft Cloud App Security

App governance is a new add-on capability to Microsoft Cloud App Security that can be used to monitor, protect, and govern OAuth-enabled third-party apps on Microsoft 365 platform that use Microsoft Graph API. The new app governance add-on, now in preview, helps security administrators and analysts to quickly identify, alert, and prevent risky app behaviors from Microsoft 365 compliance center.

Learn more about the new app governance add-on:

Azure Key Vault Managed hardware security modules (HSM)

Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables customers to safeguard cryptographic keys for their cloud applications using FIPS 140-2 Level 3 validated HSMs.

Always Encrypted

Always Encrypted protects sensitive data (credit card or social security numbers) stored in Azure SQL Database or SQL Server databases, allowing our customers to encrypt data inside client applications without revealing the encryption keys to the database engine. Meaning, Always Encrypted maintains a secure separation between those who own the data and those who manage it. The general availability of Always Encrypted strengthens our promise that Microsoft Azure offers the broadest support for confidential computing. Along with Azure Confidential Ledger and support for Kubernetes and other confidential containers, Always Encrypted gives our customers the broadest range of options for making their virtual machines (VMs), applications, and services confidential.

Learn more about Microsoft Security solutions

We look forward to joining you at Microsoft virtual booth 2340 for Black Hat 2021, July 31 to August 5, 2021.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.