Office 365 Vulnerability Management

November 12, 2019


– Hi, I’m Sandhya from Microsoft. A security vulnerability is a weakness that could allow attackers to compromise the integrity, availability, or confidentiality of the service. The objective of vulnerability management is to detect and remediate these vulnerabilities in a timely manner. In accordance with international standards, such as NIST and ISO, Microsoft Security program policy mandates that information systems should be kept up to date with appropriate security patches and vulnerability mitigation measures. This helps prevent the risk of exposure to known security vulnerabilities. Office 365 service teams proactively monitor the information system assets for known vulnerabilities. Office 365’s Vulnerability Management program includes an initial assessment and prioritization of software vulnerabilities, detailed risk analysis, identification of requirements for remediation or mitigation, compliance verification reporting, and communication about vulnerabilities to stakeholders. Office 365 uses a three-stage approach to vulnerability management: protect, detect, and mitigate.

Let’s look at how Office 365 assets are protected against known vulnerabilities. Leveraging known vulnerability-related data from multiple external sources is critical to a strong protect phase. These include the Microsoft Security Response Center, or MSRC, which publishes security bulletins, associated patches, and security advisories to address vulnerabilities identified in Microsoft products; a Bug Bounty Program, which allows independent testers to assess the security of the system, identify vulnerabilities, and share them with Microsoft for a bounty, enabling Microsoft to mitigate these vulnerabilities ahead of hackers leveraging them; and independent penetration testing, conducted by CREST-certified testers using the OWASP Top 10 framework and custom tools to identify potential weaknesses. The outcomes of this test are shared with Microsoft’s customers on an annual basis. The combination of these sources ensures Microsoft stays ahead of the most determined adversaries.

In addition to external sources of vulnerabilities, Microsoft has strong capabilities for protecting against vulnerabilities internally. Continuous penetration testing is conducted by Microsoft’s red and blue teams from inside and outside our environment. Vulnerability scanning software is installed on all Office 365 assets to scan for vulnerabilities published in Common Vulnerabilities and Exposures, or CVE, databases. Anti-malware software detects and prevents the introduction of computer malware, namely viruses, rootkits, worms, or other malicious software, on the service systems. Anti-malware software is installed as a part of the initial build, and its signature updates are downloaded daily from the vendor’s virus definition site. Security monitoring enables Microsoft to catch attackers operating within the Office 365 environment and block them from doing anything dangerous. Office 365 invests heavily in building sophisticated telemetry on our machines that captures a variety of different events that could reveal the presence of an attacker. We regularly update our telemetry to capture new events, making sure that we keep up with the changing patterns of attacks.

The key to keeping customer data secure is to have a reliable way of detecting vulnerabilities. Let’s dive deeper into the different ways Microsoft detects them. As we saw before, the red and blue teams at Microsoft battle each other to attack and protect the Office 365 assets. Following each penetration testing exercise, the teams engage in a transparent and collaborative process to help uncover potential weaknesses, which are identified as action items for the service as well as security teams. Every host in the Office 365 service is scanned daily. The scanning service ensures that the vulnerability signatures published by the third-party vendors are tested for risks and then refreshed within the Office 365 environment frequently. The vulnerability scan detects if any published CVEs are present on the system and reports them. Beyond capturing telemetry from machines, we have developed sophisticated processing systems that will alert our teams in real time if any malicious activity is detected. These processing systems have logic in place that ranges from static tools, based on known attacker signatures, to advanced machine learning models that are able to detect more subtle behaviors.

We’ve looked at the protections and detections in the Office 365 environment guarding against vulnerabilities and attackers. But the critical third phase of the process is adequate, appropriate, and timely mitigation of the detected vulnerabilities. The risks surfaced by penetration testing are expediently addressed by the Office 365 service teams, working with the central security team. The mitigations and remediations for these vulnerabilities are re-tested during the next pen test of the service. With vulnerability scanning, service teams within Office 365 monitor the report, identifying the set of patches required to address the risks found in their service. Each vulnerability, based on its score in the Common Vulnerability Scoring System, or CVSS, is tagged with a fix-within time period. Mitigations for vulnerabilities undergo a rigorous change management process before being deployed to production services within that stipulated time. All malware alerts are triaged at priority by a central security response team. An investigation is launched with the intent of a quick, incisive remediation. Proactive security monitoring focuses on stopping the attackers and evicting them from the service. The response systems range from tooling that the security response teams use to mitigate threats, to fully automated intelligent agents that take action without human involvement.

The vulnerability management process in Office 365 generates petabytes of data each year. In order to maximize the value from this data, we’ve invested heavily in analytics and machine learning, which in turn helps us accurately identify weaknesses and anomalous activities. By bringing together different teams, service teams, security teams, incident response teams, and pen test teams, and sharing knowledge, Microsoft is able to better protect, detect, and respond to cyber threats, ensuring customer data is safeguarded. Thank you for watching. For additional papers and assessments on vulnerability and security, please visit the Service Trust Portal.
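As an added example that is not part of this transcript or of Microsoft's own tooling: a small Python triage routine that takes a constructed daily scan report, bands each finding by its CVSS v3 base score, assigns an assumed fix-within window per band, and produces the overdue / due-soon / on-track breakdown that compliance verification reporting needs. The CVE identifiers, hostnames and window lengths are placeholders, not Office 365 values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed fix-within windows (days) per CVSS v3 severity band. The transcript
# says a period is assigned per score but gives no numbers; these are placeholders.
FIX_WITHIN_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    first_seen: date  # date the scanner first reported this CVE on this host


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"  # 0.0 ("None" in the spec) is folded into Low here


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=FIX_WITHIN_DAYS[severity(f.cvss)])


def compliance_report(findings, today: date) -> dict:
    """Bucket open findings by remediation status, highest CVSS first."""
    report = {"overdue": [], "due_soon": [], "on_track": []}
    for f in sorted(findings, key=lambda x: (-x.cvss, x.host)):
        days_left = (due_date(f) - today).days
        bucket = "overdue" if days_left < 0 else "due_soon" if days_left <= 7 else "on_track"
        report[bucket].append((f.host, f.cve, severity(f.cvss), days_left))
    return report


# Constructed sample scan output; CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", 9.8, date(2019, 11, 1)),
    Finding("web-02", "CVE-0000-0002", 7.5, date(2019, 10, 20)),
    Finding("db-01", "CVE-0000-0003", 5.3, date(2019, 9, 1)),
    Finding("db-02", "CVE-0000-0004", 2.1, date(2019, 11, 10)),
]
REPORT_DATE = date(2019, 11, 12)


def sample_report() -> dict:
    return compliance_report(SAMPLE, REPORT_DATE)


if __name__ == "__main__":
    for status, rows in sample_report().items():
        print(status, rows)
```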