The evolution of Microsoft Threat Protection, December update

December was another month of significant development for Microsoft Threat Protection capabilities. As a quick recap, Microsoft Threat Protection is an integrated solution securing the modern workplace across identities, endpoints, user data, cloud apps, and infrastructure. Last month, we shared updates on capabilities for securing identities, endpoints, user data, and cloud apps. This month, we provide an update for Azure Security Center which secures organizations from threats across hybrid cloud workloads. Additionally, we overview a real-world scenario showcasing Microsoft Threat Protection in action.

Enhancing your infrastructure security using Azure Security Center

Azure Security Center is a sophisticated service designed to help organizations:

  • Understand their security state across on-premises and cloud workloads.
  • Find vulnerabilities and remediate quickly.
  • Limit exposure to threats.
  • Detect and respond swiftly to attacks.

With modern organizations now adopting hybrid ecosystems, securing the infrastructure across hybrid cloud workloads becomes more critical. Azure Security Center was developed to address the complexities of the modern infrastructure by helping strengthen your security posture and protect against threats to the infrastructure. Azure Security Center can now provide better visibility over an organization’s security state across virtual networks, subnets, and nodes by generating a topology map of the layout of each of these infrastructure components (Figure 1). As admins review the components of the network, Azure Security Center offers recommendations to help quickly respond to detected network issues. Additionally, Azure Security Center continuously analyzes the network security group (NSG) rules in the workload and presents a graph containing the possible reachability of every virtual machine (VM) in that workload.

Figure 1. Network topology map highlighting virtual networks, subnets, and nodes.

Another important enhancement is a new permissions model for “Just in Time (JIT) VM” access (Figure 2). Azure Security Center has updated its required privileges for a user to successfully request JIT access to a VM from write to read, making it easier for customers to follow the “least privileged” Role-Based Access Control (RBAC) model. JIT VM access is used to reduce impact from brute force attacks targeting management ports to gain access to a VM. If successful, an attacker can take control over the VM and establish a foothold into your environment. When JIT access is enabled, Azure Security Center locks down inbound traffic to Azure VMs by creating an NSG rule. Admins select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the JIT solution. Before, when a user requested access to a VM, Azure Security Center checked a user’s RBAC permissions for write access for the VM, and now the user must only have read access.

Figure 2. The Azure Security Center highlighting the JIT VM access feature.

Microsoft Threat Protection stops threats as envisioned

Security solutions always sound effective in theory, but in practice, often the capabilities do not match the vision. Microsoft Threat Protection was recently put to the test against a real-world threat known as Tropic Trooper (Figure 3), which has been targeting Asian enterprises in the energy and food and beverage industries since 2012.

Figure 3. Tropic Trooper attack chain.

Seamless integration between disparate services is a core differentiator of Microsoft Threat Protection. During the Tropic Trooper campaign, Windows Defender Advanced Threat Protection (ATP), Azure Active Directory (Azure AD), and Office 365 ATP services worked in sync, helping ensure the threat was addressed quickly with no adverse impact. The campaign initiated several Windows Defender ATP alerts triggering its device risk calculation mechanism, which ascribed affected endpoints with high risk scores. These endpoints were put to the top of the list in Windows Defender Security Center leading to early detection and discovery of the attack. Windows Defender ATP seamlessly integrates with Azure AD featuring conditional access. During Tropic Trooper, conditional access blocked high-risk endpoints from accessing sensitive content, protecting other users, devices, and data in the network.

The Windows team examined the alert timeline (Figure 4) to further investigate and ultimately remediated the threat. Investigating the alerts, the Windows team uncovered the malicious document carrying the Tropic Trooper exploit. Since signal is shared between Microsoft Threat Protection services, the Windows team used Office 365 Threat Intelligence’s Threat Explorer to find the specific emails used to distribute the exploit. The investigation also showed that Office 365 ATP blocked the malicious emails at the onset, stopping the attack’s entry point and protecting Office 365 ATP customers. Endpoints remained secure through Windows Defender ATP’s sophisticated automated investigation and remediation capabilities that discovered malicious artifacts on affected endpoints and remediated them. This sequence of actions ensured that the attackers no longer had a foothold on the endpoint ecosystem and that all endpoints returned to normal working state. Importantly, Microsoft Threat Protection services collectively secured identities, endpoints, and Office 365.

Figure 4. Windows Defender ATP alert timeline for Tropic Trooper.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.