“Intelligent data cloud analysis of signals from the past 30 days”
Microsoft is extending its inbuilt vulnerability assessment capabilities to cover Windows Servers 2008 R2, 2012 R2, 2016, and 2019, in a public preview launching this month, building out a Threat and Vulnerability Management (TVM) offering already available for system admins overseeing desktops running Windows 10
The release will mean customers can find and fix Windows server vulnerabilities across the entire stack, including OS components, Microsoft apps, and even third-party software, Microsoft said; one of a series of well-received security enhancements revealed at its Ignite conference in Florida this week.
Microsoft describes it as “the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).”
Among the other previews: Microsoft App Guard in Office, which opens attachments in a micro-virtual machine (VM). Rob Lefferts, Corporate VP, Microsoft Security, said: “You will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container. View, print, edit, and save changes to untrusted Office documents—
The image really doesn't show how bloody EPIC this actually is. Embedded macros are still what damn near everyone uses still to pwn. This would change the dynamics in favour of the defender for once. https://t.co/QuCkMpxb2n
— Daniel Cuthbert (@dcuthbert) November 6, 2019
He added in a blogpost Monday: “If the untrusted file is malicious, the attack is contained and the host machine untouched. A new container is created every time you log in, providing a clean start as well as peace of mind.”
The technology is similar to what cybersecurity vendor Bromium (recently acquired by partner HP) has been promoting for many years. With potentially malicious attachments opened in a VM, the malware is effectively trapped in a sandbox from within which it can, in theory, do no damage.
In its threat hunting offering, Microsoft has added four new data schemata, Vulnerability, Software, Recommendation and Score to help customers initiate advanced hunting queries that focus on misconfigurations and vulnerabilities, for example unpatched CVEs.
The move comes as software providers increasingly look to ramp up the breadth of their threat hunting and CVE patching capabilities, with Red Hat earlier this year also broadening the scope of its patching service.
Tomer Teller principal security Lead of threat & vulnerability management at Microsoft wrote in a blog that: “Rich vulnerability data can now be queried through advanced hunting capabilities, providing customers extensive flexibility in slicing and dicing vulnerability and misconfiguration data.”
Initiate Remediation With One-Click
The Redmond firm’s TVM defence component lets users to open tickets and initiate remediation with one-click that works through the Microsoft Intune management tool.
This new integration has also been expanded so it has functionality with ServiceNow, an IT services management tool. Teams using ServiceNow can mitigate risks directly from Microsoft Defender Security Center.
Teller comments that: “Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and Vulnerability Management already does this for Windows 10 endpoints today, but when it comes to vulnerability detection and remediation, servers are just as important.”
Microsoft Defender ATP Automation
Also rolled out with the new features is the ability for administrators to set role-based access controls for teams that are involved with vulnerability management. As Teller notes: “With Microsoft Defender ATP we provide all security teams across the organization with a single console for better correlation and insights. This comes with the need to allow individual teams to only see certain data or perform certain tasks.”
“This new addition provides you maximum flexibility to create SecOps-oriented roles, TVM-oriented roles, or hybrid roles so only authorized users are accessing specific data to perform their task.”