Securing the modern workplace with Microsoft 365 threat protection – part 2

Credit to Author: Microsoft Secure Blog Staff| Date: Wed, 02 May 2018 16:00:48 +0000

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Protecting the modern workplace against Ransomware

Last week, we shared the roots of Microsoft 365 threat protection. This week, we want to share how Microsoft 365 threat protection services work together to help organizations protect themselves. Figure 1 is a graphical representation of the Microsoft advanced threat protection services which secure the attack surface.

Figure 1. Microsoft 365 advanced threat protection services work together to protect the modern workplace from attacks.

We continue with our ransomware scenario. Ransomware restricts data access by encrypting the user’s files or locking computers. Victims are required to pay a ransom to regain access to their machine and/or files. Microsoft closely monitors the threat landscape and our security intelligence provided in figure 2shows ransomware remains a prevalent and lethal threat type. All forms of ransomware can be launched at an organization through email, the device ecosystem, or through the enterprise infrastructure.

Figure 2. Monthly ransomware and ransomware downloader encounters, July 2016 to June 2017.

With so many different attack vectors a point service will be unable to mitigate the variety of potential ransomware attacks. Having services that protect specific parts of the attack surface that can also share signals to alert services protecting other surfaces of the enterprise is the only way to help ensure full and near real-time security. In many ransomware scenarios, users receive an email suggesting a necessary software update which can be done downloading an attachment. The attachment will contain a trojan downloader which can run a ransomware payload once opened. Figure 3 shows the Microsoft 365 threat protection services which can help protect the modern workplace from ransomware attacks.

Ransomware Protection with Microsoft 365
Windows Defender Advanced Threat Protection
Office 365 Advanced Threat Protection
Azure Security Center

Figure 3. Ransomware protection services for M365 threat protection.

All Microsoft 365 threat protection users have email protected with Office 365 ATP which helps stop unknown advanced threats sent via email. Office ATP will detonate all email attachments, determine if the file is malicious, and remove the file before final delivery of the email to a user mailbox. Additionally, Office ATP will assess links at the time of click when in both the body of an email and detonate links embedded in attachments to determine if they point to a malicious website. Since the attack surface is broad often attacks are made directly at devices. As such, several new enhancements helping prevent ransomware are built into the latest version of Windows 10, leveraging machine learning and behavior based technologies which lead the evolution of malware prevention. To directly attack the device, imagine if our attacker creates a website hosting exploit kits containing ransomware. Users visiting the site mistakenly download ransomware directly from the website. In such an event, Microsofts Edge leverages Windows Defender ATPs browser protection capability which determines if a site is malicious and can block access, helping secure the ransomware entry point. Ransomware attacks also target workloads running in the cloud. Azure Security Center helps provide visibility into your cloud infrastructure leveraging machine learning backed up by the Intelligent Security Graph to provide actionable alerts and recommendations on mitigating such threats as shown in figure 4. While none of these services alone can protect the entire modern workplace, together as Microsoft 365 threat protection, organizations can have confidence that Microsoft helps reduce threats from all vectors. Next week, well demonstrate how Microsoft 365 threat protection services help detect ransomware attacks.

Figure 4. The Azure Security Center Dashboard.


More blog posts from this series:


https://blogs.technet.microsoft.com/mmpc/feed/