Hidden Treasure: Intrusion Detection with ETW (Part 2)

In our last post, we discussed how Event Tracing for Windows (ETW) provides a wealth of knowledge in addition to what’s available from the Windows Security Event Log. While we can gain increased insight into Windows activity, ETW was originally meant as a high-volume debug trace. Without some mechanism for filtering or reducing event volume,…


DNS Intrusion Detection using Dnsflow

In the DNS Intrusion Detection in Office 365 post we introduced strategies implemented in Office 365 to detect anomalous DNS activity. Dnsflow is one of those strategies and involves aggregating DNS data processed by the DNS servers in Office 365. In this post, we discuss detailed benefits, challenges and implementation of Dnsflow. We also discuss how…

DNS Intrusion Detection in Office 365

In Office 365, we are committed to protecting our customers’ data. We implement and exercise industry-leading security practices to ensure that customers’ data is safe. Intrusion detection is one such security practice that ensures we are notified about any anomalous activity or behavior on our servers or in our network. We monitor and…

Hidden Treasure: Intrusion Detection with ETW (Part 1)

Today’s defenders face an increasing obstacle with information asymmetry. With the advent of in-memory attacks and targeted malware, defenders cannot simply rely on the default event logs provided by Windows. Attackers may make use of process hollowing to hide their code within a seemingly benign process as well as routing their Command & Control traffic…


Defending Office 365 with Graph Analytics

In Office 365, we are continually improving the detection and response systems that safeguard your data. We gather many terabytes of telemetry from our service infrastructure each day and apply real-time and batch analytics to rapidly detect unauthorized access. The same engineers who design and operate the Office 365 service also analyze and act on…


Using the Office 365 Secure Score API

The Office 365 Security Engineering team is pleased to announce the availability of the Office 365 Secure Score API. This API is fully integrated into the Microsoft Graph. If you are wondering what the Office 365 Secure Score is, get the low down here, or visit the experience here: https://securescore.office.com. Why Collect Secure Score Data?…

New Security Analytics Service: Finding and Fixing Risk in Office 365

Microsoft is pleased to announce the preview availability of a new security analytics service called the Office 365 Secure Score. The Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data in Office 365, and show you what you can do to…


Finding Illicit Activity The Old Fashioned Way

Finding bad guys doing bad things in your cloud services is a hard thing to do under even the best circumstances. There are a ton of idiosyncrasies at play, including the capabilities of the cloud applications you are using and the very unique nature of your users and the data you are storing in the…


How to Deal with Ransomware

What is Ransomware? Ransomware is a type of malware or virus that prevents user access to devices, files or applications, requiring the victim to pay a ransom (money or information) to regain access. The ransomware that we most often see encrypts the user’s files (for example: Crowti, Tescrypt and Locky) and then asks the user…

Addressing Your CxO’s Top Five Cloud Security Concerns

Overview and the Kill Chain Customers frequently ask us how they can defend their Office 365 tenancy. While the motivations and capabilities of attackers vary widely, most attacks still follow a common process. The security industry refers to it as the attacker kill chain, a concept borrowed from military doctrine and adapted for this realm. The…
