Category: Microsoft news

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Runa Sandvik, Former Senior Director of Information Security at The New York Times and member of CISA’s Technical Advisory Council. She recently was interviewed about her new startup, Granitt, in TechCrunch.¹ The thoughts below reflect Runa’s views, not the views of Microsoft, and are not legal advice. In this blog post, Runa talks about security for journalists and media organizations.

Brooke: How did you get into cybersecurity?

Runa: I got my first computer when I was 15. I studied for a bachelor’s in computer science at a university in Norway, where I’m from. One thing I really enjoy about this industry is that within computer science and cybersecurity, there are so many different challenges to take on. There are so many problems that you can work on and so many things to be curious about and I’ve always really loved that.

During the summer of 2009, before the last year of my bachelor’s, I worked for the Tor Project as part of Google Summer of Code. Once that internship wrapped up, I stayed on with the Tor project and I volunteered to continue maintaining my project. Over time, Tor offered me a part-time contract and later, a full-time contract.

A lot of the work that I do today has been shaped by the four years that I spent working with the Tor project. When I first heard about Tor, I thought it was cool that you could be anonymous online by using a piece of technology. I didn’t consider who’s using it or for what reason. But over the four years with Tor, I got to meet not only other people working in the same space but also people around the world who told me about their experiences with the tool and what it enabled them to do, which was a hugely positive experience for me.

Brooke: What excites you the most about protecting journalists?

Runa: Around 2011, four projects got funding to train reporters on how to use the Tor browser and I ended up leading that project. We were building out a curriculum and we felt very quickly that it was not super helpful to teach someone how to use a Tor browser to be safe online if they’re not also familiar with general security best practices, like passwords and two-factor authentication and the importance of software updates. So, we built a curriculum around that. I later took that experience with me to the Freedom of the Press Foundation and The New York Times.

The work that I’ve done with journalists was something that I stumbled into, but looking at it now, I think investigative journalism has a lot of the same themes as security research. It has the same puzzles, same challenges, and the same digging that gets me really curious and really interested. It also has this incredibly important mission behind it.

Brooke: What do you do to protect journalists and at-risk groups or organizations?

Runa: For an individual to work safely or securely, I consider digital security, physical security, emotional safety, and legal issues. Journalism security really needs to encompass all four buckets, so some of the work that I do has been one-on-one discussions with reporters who want everyday security guidance, and I help them figure out what they can do to improve. They are usually preparing for a specific investigative project or preparing for a trip to an at-risk area.

I have worked closely with groups of people at media organizations that are a mix of reporters, IT, security, and legal to produce a security plan based on the challenges they face and the kind of support the newsroom needs. Years ago, if you were a big enterprise like The New York Times, Washington Post, Microsoft, or Google, there were a lot of big, complex cybersecurity frameworks to help you get a baseline and the steps to take to improve moving forward.

If you’re an individual looking to improve your security, there are guides from the Electronic Frontier Foundation and the Freedom of the Press Foundation giving you information like “here’s how you use a password manager” and “here’s how you set up two-factor authentication,” but Ford Foundation fellow, Matt Mitchell, found that if you’re a small organization or small team, there’s not a good option available. He put together a committee to develop the Ford Foundation Cybersecurity Assessment Tool, which is designed for smaller organizations. It is a really effective way to figure out where I am today and where the focus should be on the next year or two.

Brooke: What are the biggest threats you’ve seen in your line of work?

Runa: If we are talking about security issues that a journalist as an individual might face, we could talk about online account takeover and phishing scams. I recently gave a talk at Paranoia in Oslo about how the media gets hacked and the root cause behind all these issues. If we are talking about the organization that the journalist works for, it comes down to a lack of two-factor authentication credential stuffing, poor passwords, phishing, and outdated systems.

Over the years, my work has focused on the individual, but 10 years ago, Tor was clunky and complex. We had VPNs. We had tools to fully encrypt the drive in your laptop, but they were clunky to use. There was a long text of steps to get it all up and running. People needed a lot of help to use it. These days, we have all the tools and they’re either free or not super expensive. What is missing now is that buy-in from leadership to create the processes and the workflows to ensure that the newsrooms have all these tools provided to them. Currently, it is more of a building-the-bridges type of challenge. I don’t think we are necessarily missing any tools. We just need to figure out how to piece it together.

Brooke: What are the biggest security challenges for journalists?

Runa: A journalist is a journalist all day, every day. That is not just a job, it is an identity. They are journalists, whether they are in a movie theater with a personal phone or at work with their company laptop. Regardless of the device they are using, the time of day, and location in the world, they are still journalists, and they are going to report if there is something to report on. In a corporate context, historically, we have been focused on securing corporate accounts, corporate systems, and corporate devices, but for roles like journalism and other activist groups, which starts to break down a bit. I think there needs to be a greater conversation around how we go about securing identities as opposed to just the 9-to-5 corporate bits and bobs.

Another big challenge is building sufficient support on the business side of the company to be able to provide adequate support to the newsroom. Reporters who I have talked to are not questioning that they need to be more secure and that they need processes or tools. Once that is provided, they are very willing to try things. You just need to build that bridge and help the business side understand the challenges in the newsroom and the potential challenges that presents for the business, whether from a physical, digital, or legal standpoint, and then produce ways to address that.

Supporting the work that the newsroom is doing means developing products, developing the content management system (CMS), getting stories out, producing new ways to report, retaining subscribers, and funding reporters who go out on investigative trips. All of these things are incredibly important and sometimes more important than security. The challenge is where do I spend my resources knowing that everything is so strapped?

There are a lot of diverse ways that you could improve security at your organization and even if you do not have the resources currently for the best and biggest and greatest product, there are still small things that you can do. It is a matter of figuring out how to focus on this one thing you do have to focus on, even if it’s just one person, two people, or a small team. At this point, not focusing on cybersecurity is not an option.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹Runa Sandvik’s new startup Granitt secures at-risk people from hackers and nation states, Zack Whittaker. July 15, 2022.

Today, Microsoft is excited to publish our second edition of Cyber Signals, spotlighting security trends and insights gathered from Microsoft’s 43 trillion security signals and 8,500 security experts. In this edition, we pull back the curtain on the evolving cybercrime economy and the rise of Ransomware-as-a-service (RaaS). Instead of relying on what cybercriminals say about themselves through extortion attempts, forum posts, or chat leaks, Microsoft threat intelligence gives us visibility into threat actors’ actions.

RaaS is often an arrangement between an operator, who develops and maintains the malware and attack infrastructure necessary to power extortion operations, and “affiliates” who sign on to deploy the ransomware payload against targets. Affiliates purchase initial access from brokers or hit lists of vulnerable organizations, such as those with exposed credentials or already having malware footholds on their networks. Cybercriminals then use these footholds as a launchpad to deploy a ransomware payload against targets.

The impact of RaaS dramatically lowers the barrier to entry for attackers, obfuscating those behind initial access brokering, infrastructure, and ransoming. Because RaaS actors sell their expertise to anyone willing to pay, budding cybercriminals without the technical prowess required to use backdoors or invent their own tools can simply access a victim by using ready-made penetration testing and system administrator applications to perform attacks.

The endless list of stolen credentials available online means that without basic defenses like multifactor authentication (MFA), organizations are at a disadvantage in combating ransomware’s infiltration routes before the malware deployment stage. Once it’s widely known among cybercriminals that access to your network is for sale, RaaS threat actors can create a commoditized attack chain, allowing themselves and others to profit from your vulnerabilities.

While many organizations consider it too costly to implement enhanced security protocols, security hardening actually saves money. Not only will your systems become more secure, but your organization will spend less on security costs and less time responding to threats, leaving more time to focus on incoming incidents.

Businesses are experiencing an increase in both the volume and sophistication of cyberattacks. The Federal Bureau of Investigation’s 2021 Internet Crime Report found that the cost of cybercrime in the United States totaled more than USD6.9 billion.¹ The European Union Agency for Cybersecurity (ENISA) reports that between May 2021 and June 2022, about 10 terabytes of data were stolen each month by ransomware threat actors, with 58.2 percent of stolen files including employees’ personal data.²

It takes new levels of collaboration to meet the ransomware challenge. The best defenses begin with clarity and prioritization, which means more sharing of information across and between the public and private sectors and a collective resolve to help each other make the world safer for all. At Microsoft, we take that responsibility to heart because we believe security is a team sport. You can explore the latest cybersecurity insights and updates at our threat intelligence hub Security Insider. 

With a broad view of the threat landscape—informed by 43 trillion threat signals analyzed daily, combined with the human intelligence of our more than 8,500 experts—threat hunters, forensics investigators, malware engineers, and researchers, we see first-hand what organizations are facing and we’re committed to helping you put that information into action to pre-empt and disrupt extortion threats.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹Internet Crime Report, Federal Bureau of Investigation. 2021.

²Ransomware: Publicly Reported Incidents are only the tip of the iceberg, European Union Agency for Cybersecurity. July 29, 2022.

The transition to a remote and hybrid workforce happened fast during a time of uncertainty, and IT professionals rose to the challenge with ingenuity and dedication. But two years in, many IT teams are still responding with patchwork solutions to enforce identity and access management (IAM) across a newly decentralized, multiple-endpoint ecosystem. It’s clear that new IAM strategies are needed to accommodate these major shifts in the workplace, as well as meet new organizational priorities and user expectations.

In that spirit of discovery, we’re looking forward to joining the IAM community at the Gartner Identity & Access Management Summit, August 22 to 24, 2022, in Las Vegas, Nevada. We’ll be sharing some of Microsoft’s recent insights about strengthening lifecycle and permissions management, stopping attacks on identity infrastructure, and moving to a cloud-based identity platform. With the recently announced Microsoft Entra, identity threat detection and response (ITDR), and our security information and event management (SIEM) and extended detection and response (XDR) solutions, we’re committed to providing end-to-end protection for your organization. Be sure to visit Microsoft Booth #304 and connect with our frontline defenders.

Gartner IAM Summit—Microsoft sessions

We’re excited to meet with our customers, colleagues, and peers at the 2022 Gartner Identity & Access Management Summit. Microsoft will present three research-backed sessions led by senior product managers, including a special look at ITDR led by Alex Weinert, Director of Identity Security at Microsoft.

Title: Manage, Secure, and Govern Identities Across Multicloud Infrastructures
Speaker: Balaji Parimi, Partner General Manager
Date/Time: Monday, August 22, 2022 | 11:45 AM to 12:15 PM PT
Synopsis: Going multicloud makes you more agile and resilient. But it also creates more complexity and blind spots for your security and identity teams. It’s time to reimagine how we manage, secure, and govern identities, and enforce least-privileged access consistently across cloud platforms. In this session, we’ll explore how cloud infrastructure entitlement management (CIEM) can strengthen your Zero Trust security in a multicloud world.

Title: Beyond the Firewall: Upgrading from On-Premises to the Microsoft Cloud Identity
Speaker: Brjann Brekkan, Group Program Manager, Identity and Network Access
Date/Time: Monday, August 22, 2022 | 1:15 PM to 1:35 PM PT
Synopsis: Today’s new normal of “work from anywhere” and “on any device” has exposed the challenges of using on-premises authentication technologies and platforms as the control plane for enterprise applications and collaboration. You’re invited to join the Microsoft Identity product group for this interactive session. We’ll discuss the latest trends and platform capabilities to accelerate and simplify the journey of adopting a modern cloud-based identity platform.

Title: Identity Threat Prevention, Detection, and Response—Essential Defenses for a New Generation of Attacks
Speaker: Alex Weinert, Director of Identity Security
Date/Time: Tuesday, August 23, 2022 | 11:15 AM to 11:45 AM PT
Synopsis: Attacks against identity infrastructure are accelerating. Instead of trying to compromise individual accounts, today’s attackers seek to gain unrestricted access to multicloud environments and workloads wherever they’re deployed. For that reason, protecting accounts is not enough—organizations need robust protections for the identity infrastructure itself. In this session, we’ll share how Microsoft envisions the future of ITDR, including what an effective identity and security collaboration should look like to help your organization grow fearlessly.

Bridging the IAM and SOC divide

Even as we approach another IAM summit, many organizations are still shocked to learn the reality of how most identity breaches occur. According to the 2022 Verizon Data Breach Investigations Report, 65 percent of breaches are caused by credential misuse, while only 4 percent caused are by system vulnerabilities.¹ A full 82 percent of breaches involve the human element, including social engineering attacks, user errors, and data misuse.

As I will discuss in my Tuesday session, ITDR offers a way of reimagining the scope and collaboration between the SOC and identity admins that can help stop more of these credential-based attacks. IAM requires a lot of the same telemetry and inventory that SOC teams have, but the two groups rarely share tools. That’s because each team buys tools for different reasons. Operations and identity admins want stable, predictable operations and high uptime. Security analysts aren’t concerned with uptime; they care about identifying threats. In other words, IAM is mostly focused on letting only the good guys in, but it also needs an equal capability for keeping the bad guys out.

So, how do we reduce that staggering 65 percent of breaches that result from account-takeover attacks? And how do we know if and when the architecture itself is faulty? The solution lies in unifying more signals and more controls into a holistic solution. Microsoft is positioned to bridge the chasm between SOC and IAM because Microsoft Azure Active Directory (Azure AD) is already the foundation identity that so many organizations rely on. In addition, Microsoft Sentinel provides a cloud-native SIEM and SOAR solution with built-in user entity and behavior analytics (UEBA), while Microsoft Defender provides XDR capabilities for user environments, and Microsoft Defender for Cloud provides XDR for infrastructure and multicloud platforms.

Microsoft Entra: The way in is the way forward

Along with bridging the SOC and IAM relationship, Microsoft Entra is a vital component of Microsoft’s approach to ITDR. The products in the Entra family help provide secure access by providing IAM, CIEM, and identity verification in one solution.

Entra encompasses all of Microsoft’s existing IAM capabilities and integrates two new product categories: Microsoft Entra Permissions Management is a CIEM solution that empowers customers to discover, remediate, and monitor permission risks across all major public cloud platforms (such as Amazon Web Services, Azure, and Google Cloud Platform) from a unified interface. Microsoft Entra Verified ID provides a decentralized identity service based on open standards, safeguarding your organization by allowing admins to seamlessly customize and issue verifiable credentials in all your apps and services. 

Microsoft is working with our customers to reimagine IAM for our new decentralized workplace, and we’re committed to providing end-to-end protection for your organization with Microsoft Entra and SIEM and XDR. We look forward to meeting with you at Gartner Identity & Access Management Summit, August 22 to 24, 2022, in Las Vegas, Nevada. Be sure to stop and chat with us at Microsoft Booth #304.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹2022 Data Breach Investigations Report, Verizon. 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.