This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.
Protecting the modern workplace against Ransomware
Last week, we shared the roots of Microsoft 365 threat protection. This week, we want to share how Microsoft 365 threat protection services work together to help organizations protect themselves. Figure 1 is a graphical representation of the Microsoft advanced threat protection services which secure the attack surface.
Figure 1. Microsoft 365 advanced threat protection services work together to protect the modern workplace from attacks.
We continue with our ransomware scenario. Ransomware restricts data access by encrypting the user’s files or locking computers. Victims are required to pay a ransom to regain access to their machine and/or files. Microsoft closely monitors the threat landscape and our security intelligence provided in figure 2 shows ransomware remains a prevalent and lethal threat type. All forms of ransomware can be launched at an organization through email, the device ecosystem, or through the enterprise infrastructure.
Figure 2. Monthly ransomware and ransomware downloader encounters, July 2016 to June 2017.
With so many different attack vectors a point service will be unable to mitigate the variety of potential ransomware attacks. Having services that protect specific parts of the attack surface that can also share signals to alert services protecting other surfaces of the enterprise is the only way to help ensure full and near real-time security. In many ransomware scenarios, users receive an email suggesting a ‘necessary’ software update which can be done downloading an attachment. The attachment will contain a trojan downloader which can run a ransomware payload once opened. Figure 3 shows the Microsoft 365 threat protection services which can help protect the modern workplace from ransomware attacks.
| Ransomware Protection with Microsoft 365 |
| Windows Defender Advanced Threat Protection |
| Office 365 Advanced Threat Protection |
| Azure Security Center |
Figure 3. Ransomware protection services for M365 threat protection.
Protection begins with the user identity, and all Microsoft 365 user identities are protected by Azure Active Directory Identity Protection built right into Azure Active Directory (Azure AD). Azure AD Identity Protection leverages dynamic intelligence and machine learning to automatically protect against identity attacks, securing user credentials against various evolving risks. Next, Microsoft 365 threat protection protects email with Office 365 ATP which helps stop unknown advanced threats sent via email. Office ATP will detonate all email attachments, determine if the file is malicious, and remove the file before final delivery of the email to a user mailbox. Additionally, Office ATP will assess links at the time of click when in both the body of an email and detonate links embedded in attachments to determine if they point to a malicious website. Since the attack surface is broad often attacks are made directly at devices. As such, several new enhancements helping prevent ransomware are built into the latest version of Windows 10, leveraging machine learning and behavior based technologies which lead the evolution of malware prevention. To directly attack the device, imagine if our attacker creates a website hosting exploit kits containing ransomware. Users visiting the site mistakenly download ransomware directly from the website. In such an event, Microsoft’s Edge leverages Windows Defender ATP’s browser protection capability which determines if a site is malicious and can block access, helping secure the ransomware entry point. Ransomware attacks also target workloads running in the cloud. Azure Security Center helps provide visibility into your cloud infrastructure leveraging machine learning backed up by the Intelligent Security Graph to provide actionable alerts and recommendations on mitigating such threats as shown in figure 4. While none of these services alone can protect the entire modern workplace, together as Microsoft 365 threat protection, organizations can have confidence that Microsoft helps reduce threats from all vectors. Next week, we’ll demonstrate how Microsoft 365 threat protection services help detect ransomware attacks.
Figure 4. The Azure Security Center Dashboard.
More blog posts from this series:
