
Cybersecurity in a context that allows your organization to achieve more

by info.odysseyx@gmail.com


If you are reading this blog post, you probably don’t need us to explain the current cybersecurity threat landscape. You probably know that the absence of evidence of a breach is not the same as not being breached, and that your cybersecurity posture is constantly being evaluated by adversaries. This isn’t getting any easier: the boom in AI and related services, combined with new capabilities for threat actors, is creating a boom in data processing. Or could it be?

We are excited to bring you a series of posts to help you leverage new technologies to your advantage. This series will help small to large organizations achieve more with Microsoft Cloud Ecosystem Security.

Whether you are a business leader or a technologist, this will spark ideas to help you achieve more. These features are fully customizable, and we are also adding new built-in features that can be used to replace these custom features. We will post updates as they become available.

The basis of this approach

How do you identify new security projects? How do you evaluate which security projects should be funded? Are you unsure whether the programs you fund are achieving the desired results? What are the costs associated with failed controls? What are the positive financial impacts of effective controls?

We believe the answer to these questions is: just focus on what your adversaries are after and what the consequences would be if they bypassed your controls. A lot can change, but the goal remains your crown jewels (across the dimensions of confidentiality, integrity and availability).

The benefit of this focus is that it aligns well with the focus of the entire organization. What you invest in can be clearly expressed in terms and values that are understood across the organization. From a technical perspective, it shifts the focus to the adversary’s goals (and how to prevent them), avoiding an overly introspective view and approach to security. It also helps focus on the consequences of such a breach, and awareness of the consequences helps implement the right type of mitigation based on the impact. Don’t let technology get in the way of decision-making. Use the value that technology enables to allow freer forms of communication throughout your organization.

What are attackers aiming for? Let’s ask Copilot for Security.

Go here to learn more about Copilot for Security.

Figure 1: Copilot prompts for cyber attacks

How far away from this type of data can a threat actor be in your system? Wouldn’t it be nice if you could verify proximity to sensitive information every time an incident occurs? Before we dive in, let’s zoom in.

Is there a way to visualize the impact of cybersecurity in a business context?

Yes, if your organization uses Microsoft 365 Purview configured to capture file access and has enabled Microsoft Defender for Cloud Apps integration with Advanced Hunting (detailed in the technical documentation). This example provides an overview of the data available. Cybersecurity incident types can be viewed at a high or detailed level, together with organizational context such as departments, data context such as the types of data accessed, and incident details. When combined with technology investments, this can provide a view into the benefits of prevented attacks and deeper-penetrating incidents. Using contextual data, you can associate the monetary cost of damage with effective protection.

Figure 2: Cyber attack data

For the types of non-Microsoft systems that can be visualized, see: Connect your apps for visibility and control – Microsoft Defender for Cloud Apps | Microsoft Learn. We haven’t built visualizations for all of these products, but following the established pattern, we can build visualizations for the main applications as well.

We added the ability to use Microsoft Defender for Endpoint data to output connections from compromised devices to critical systems. You can use Copilot for Security as part of this work, or you can bring in other contextual data from documents or other forms and make the connections in Copilot for Security.

Don’t limit yourself to just reporting this.

Start tagging incidents with organizational context in mind. When communicating cybersecurity incidents to stakeholders, use contextual data rather than technical details. Reporting on misses and real incidents should provide real financial impact and direction for new investments.

For example, if a phishing incident occurs, don’t just report the affected users and the type of phishing. Instead, tag the types of sensitive information that might have been exposed if the users were compromised in the incident, even if the attack was successfully prevented.

Phishing is one of the most common attacks. Realistically (and as expected), this type of data will support your investment. It also provides important data points: What if this control is bypassed? What type of control is between the attacker and the crown jewel? What departments are being targeted, and is it a specific threat actor?
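The tagging described above, sketched as an added example (not code from the original post or from Microsoft): each incident, including a prevented one, is tagged with the sensitive information types its users accessed within a lookback window. The records, field names and 14-day window are constructed assumptions, not a Purview or Defender schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical field names, not a Microsoft schema).
INCIDENTS = [
    {"id": "INC-1", "type": "phishing", "outcome": "prevented",
     "time": "2024-05-10T09:00", "users": ["alice", "bob"]},
    {"id": "INC-2", "type": "anonymous_ip", "outcome": "investigating",
     "time": "2024-05-11T14:00", "users": ["carol"]},
]
FILE_ACCESS = [  # (user, department, sensitive info type, access time)
    ("alice", "Finance", "Credit Card Number", "2024-05-02T10:00"),
    ("alice", "Finance", "Bank Account Number", "2024-04-01T10:00"),  # outside window
    ("bob", "HR", "Employee Health Record", "2024-05-09T16:30"),
    ("carol", "Engineering", "Storage Account Key", "2024-05-11T08:00"),
    ("dave", "Legal", "Contract", "2024-05-10T08:00"),  # not in any incident
]

def tag_incident(incident, access_log, lookback_days=14):
    """Return the incident plus the data types and departments within reach."""
    when = datetime.fromisoformat(incident["time"])
    start = when - timedelta(days=lookback_days)
    types, depts = set(), set()
    for user, dept, info_type, ts in access_log:
        if user in incident["users"] and start <= datetime.fromisoformat(ts) <= when:
            types.add(info_type)
            depts.add(dept)
    return {**incident, "data_at_risk": sorted(types), "departments": sorted(depts)}

def exposure_by_department(tagged):
    """Count incidents per department, prevented ones included."""
    counts = defaultdict(int)
    for inc in tagged:
        for dept in inc["departments"]:
            counts[dept] += 1
    return dict(counts)

# Tag every incident, whether or not the attack succeeded.
TAGGED = [tag_incident(i, FILE_ACCESS) for i in INCIDENTS]

if __name__ == "__main__":
    for inc in TAGGED:
        print(inc["id"], inc["outcome"], inc["data_at_risk"], inc["departments"])
    print(exposure_by_department(TAGGED))
```
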

Here’s another example using Copilot for Security.

Incidents like Anonymous IP are not particularly surprising to most organizations, and can be used as supporting data.

Figure 3: Anonymous IP containing one user

However, looking at this seemingly harmless incident in Copilot for Security, we can see that it would benefit from the right kind of tagging. The fact that an account key was found in an open location is enough to be concerning. This tagging can be suggested directly by Copilot for Security, or for the highest value, you can link Copilot for Security to your security policy and tag classification.

Figure 4: Copilot prompt for corrupted data type

Use it regularly. Use Copilot for Security to understand potential ways an attacker could have penetrated deeper, for example, using MITRE ATT&CK. With that in mind, what is your proximity to other sensitive content and systems? Use exposure management tools like Microsoft Secure Score to find areas for improvement. With this knowledge, you can identify additional controls you need to put in place to limit the impact if one of your controls fails. Back up your investment decisions with business-critical data.

When validating a CVE or supply chain attack potential for a software vendor, check the impact it could have on sensitive content. This will allow you to validate next steps and possibly find attacker types you weren’t aware of.

Figure 5: Copilot’s message regarding important information

But don’t stop there: define your network and ISPs with Microsoft Defender for Cloud Apps. For more information, please see here. This allows us to capture these types of details based on vulnerabilities or threat actors coming from a particular network segment and the amount of sensitive information being processed at that location. This allows us to extend that business context to the investments needed in that space.

Are there any other areas where this could be used?

What if you need to move a department to another location or sell part of your organization? What types of data are being processed in that department or location?

You can use Copilot for Security.

Figure 6: Message asking Copilot about the type of important information

Or, you can use views in Power BI to start conversations and filter for the types that are important to your operations.

Figure 7: Power BI information about data types

Conclusion

The approach of putting the most valuable things at the center helps you prepare for new and future threats. As your data environment changes, you can monitor and detect weaknesses that could lead to increased risk early. In some ways, you can think of this as a muscle building exercise around your data. Instead of seeing cyber incidents as problems, you see them as opportunities for growth.

What’s next

Check out our new blog posts and try this approach yourself. This is a starting point, and you’ll see us make a lot of progress to help you grow further.
