Microsoft publishes Security Intelligence Report, including cloud data for the first time


Batu69
Microsoft has published its latest biannual Security Intelligence Report (SIR), covering the second half of 2015. The SIR "analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide."
This report, its twentieth in the last ten years, includes security data from the Microsoft cloud for the first time, which the company says "reveals how we are leveraging an intelligent security graph to inform how we protect endpoints, better detect attacks and accelerate our response, to help protect our customers."
The security graph is compiled from "trillions of signals from billions of sources", with inputs from endpoints, consumer and commercial services, and on-premises technologies. This helps Microsoft to combine security and threat intelligence data, to inform its real-time analysis and insights, and predictive intelligence, in an effort to improve overall protection for all of its customers.
Microsoft highlighted some examples of the insights provided in its latest SIR:

  • From a sensor network made up of hundreds of millions of systems running Microsoft anti-malware software, the data shows us that:
    • The number of systems that encountered malware in 2015 increased in the second half of the year. The worldwide encounter rate increased to 20.5% by the end of 2015, an increase of 5.5% from six months earlier.
    • The locations with the highest encounter rates were Pakistan, Indonesia, the Palestinian territories, Bangladesh, and Nepal which all had encounter rates above 50%.
    • Exploit kits accounted for four of the 10 most commonly encountered exploits during the second half of 2015. The Angler exploit kit was the most commonly encountered exploit kit family.
    • Although ransomware had relatively low encounter rates (worldwide ER for ransomware in the first quarter of 2015 was 0.35 percent and 0.16 percent in the second quarter), its use in ransomware-as-a-service kits and targeted attacks is increasing.
  • SmartScreen Filter is a feature in Internet Explorer and Microsoft Edge that offers users protection against phishing sites and sites that host malware. Based on phishing data from the SmartScreen:
    • Phishing sites that targeted online services received the largest share of impressions during the period, and accounted for the largest number of active phishing URLs.
    • Sites that targeted financial institutions accounted for the largest number of active phishing attacks during the period.
As part of the new cloud security data published in the new SIR, it said that "the massive scale of Microsoft's cloud enables us to gather an enormous amount of intelligence on malicious behavior". It notes that:

  1. At the end of 2015, Azure Active Directory was being used by 8.24 million tenants with over 550 million users.
  2. Azure Active Directory averaged over 1.3 billion requests per day.
  3. Every day, Microsoft processed over 13 billion logins from hundreds of millions of Microsoft Account users.

The company uses machine learning systems to help prevent cyber-attacks, or to actively limit the potential damage caused by those that succeed. A key factor in doing so is understanding where these attacks come from:

  1. Compromised login attempts were blocked from unfamiliar locations nearly three quarters of the time.
  2. Attackers were located in different parts of the world:
     • 49% in Asia
     • 20% in South America
     • 14% in Europe
     • 13% in North America
     • 4% in Africa

With this knowledge, data collection and intelligent analysis, Microsoft says that every day, its account protection systems "automatically detect and prevent more than 10 million attacks, from tens of thousands of locations, including millions of attacks where the attacker has valid credentials." That adds up to more than four billion attacks prevented last year.
Microsoft's full Security Intelligence Report is 198 pages long, with far too much detail to consider here, including key sections on a major network of targeted attacks in south and southeast Asia, which Microsoft has codenamed 'PLATINUM'; and an in-depth focus entitled 'Protecting Identities in the Cloud: Mitigating Password Attacks'.
The full Security Intelligence Report is available to download free from Microsoft's site.
Article source

Microsoft has released the latest edition of its twice-annual Security Intelligence Report, its survey of the security landscape and threats around the world. The survey has a ton of data about what malware is infecting people, which parts of the world are seeing increased attacks, and more.
For the first time, this report includes data that Microsoft has collected from its cloud operations. Azure Active Directory, handling logins for corporate Office 365 customers, has some 550 million users across 8.24 million customers and handles 1.3 billion logins a day. The Microsoft Account system used for consumer products handles more than 13 billion logins per day.
This generates a ton of data, and Microsoft uses this data in machine learning systems to build models of what normal user behavior looks like and detect anomalies. Capabilities like this are used in the new Windows Defender Advanced Threat Protection, and today's SIR gives some quantification to them.
Many of the login attempts are fraudulent. Often the fraudulent login attempts won't have the right username or password, but that's not always the case; credentials are often phished or compromised when people re-use the same username and password on multiple systems. The heuristics can detect these anomalous logins by noticing, for example, an unusual time of day or country and trap these attempts to break into an account. Accounts that are believed to be compromised are forced into a two-factor authentication process, with Microsoft saying that more than 10 million login attacks are trapped each day, millions of which use the right password but fail the second factor test.
IP addresses that repeatedly attempt fraudulent logins to Microsoft Accounts are blocked. Forty-nine percent of all blocked addresses originate in Asia, with South America in second place at 20 percent.
The data Microsoft collects shows some striking differences between systems that are managed by an IT department (using membership of a Windows domain to indicate this) and those that aren't. Managed systems are much less likely to encounter malware, with about 11 percent of domain-joined PCs encountering malware in the fourth quarter, compared to about 22 percent of non-domain-joined systems. The report categorizes malware into different types such as adware, viruses, worms, trojans, and unwanted browser plugins; unmanaged PCs saw more of every single type of malware, except one. Ransomware was slightly more common on the managed PCs. Targeted ransomware attacks aiming at hospitals have wreaked havoc lately, and the financial rewards may make aiming at enterprise targets more attractive than victimizing home users.
There are some oddities within the data. The second most commonly found malware family was an exploit for Windows that's known as CplLnk. This attacks a flaw in the way that Windows handles shortcut files, permitting an attacker to automatically execute a program of their choosing whenever they attach an infected USB stick to their system. CplLnk became widely known as one of the zero-day flaws used by Stuxnet, the malware believed to have been written by US and Israeli intelligence services to attack the Iranian nuclear effort. The flaw was fixed by Microsoft way back in 2010, and Windows 8 and Windows 10 have never been susceptible to it. As such, there shouldn't be any systems that can be exploited with this flaw. Its continued detection in the wild indicates that for some reason, malware authors are continuing to find it a useful part of their toolkit.
Most systems that Microsoft has telemetry data for have permanent antimalware protection, either from Microsoft or third parties. About a quarter of PCs either lack protection entirely or have only sporadic protection. Among systems cleaned of malware, systems with permanent antimalware protection were half as common as those with no or intermittent protection. This isn't a perfect measure, as in some cases malware may disable antimalware software, but it's suggestive that having effective and up-to-date antimalware software provides a meaningful reduction in malware infections. Traditionally, many self-styled power users have argued that common sense computing practices and good sense can be ample protection from malware. This may not be true in practice, and it looks like the software does in fact make a difference.
The source
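The post above describes two account-protection heuristics in general terms: a login with the right password is still pushed into a second-factor check when it arrives from a country or at an hour the account has never used, and an IP address that keeps failing logins gets blocked. The script below is an added example of that logic, not code from the post, from Microsoft or from the SIR. Every input is constructed: the per-user baseline profiles, the login records, the IP addresses (RFC 5737 documentation ranges), the IP-to-region map, and the five-failure block threshold are all assumptions chosen for illustration.

```python
"""Toy model of login-risk scoring and repeat-offender IP blocking.

Added example; the thresholds, profiles and records are constructed and are
not Microsoft's. The design point: a correct password alone does not prove
the user is who they claim to be, so deviations from the account's own
history trigger a step-up (second factor) rather than an outright allow.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    ip: str
    country: str      # ISO-style country code of the source (constructed)
    hour: int         # hour of day 0-23 in the account's usual time zone
    password_ok: bool # whether the submitted password was correct


# Constructed baselines: where and when each account normally signs in.
BASELINE = {
    "alice": {"countries": {"US"}, "hours": set(range(8, 19))},
    "bob":   {"countries": {"DE", "FR"}, "hours": set(range(7, 22))},
}

# Constructed IP-to-region map used only for the summary statistic.
IP_REGION = {"203.0.113.9": "Asia", "192.0.2.44": "South America"}

BLOCK_THRESHOLD = 5  # failed attempts from one IP before it is blocked (assumed)


def assess(attempt, baseline):
    """Return 'allow', 'step_up' (require a second factor) or 'deny'."""
    if not attempt.password_ok:
        return "deny"
    profile = baseline.get(attempt.user)
    if profile is None:
        # No history to compare against, so the password alone is not enough.
        return "step_up"
    unusual_country = attempt.country not in profile["countries"]
    unusual_hour = attempt.hour not in profile["hours"]
    if unusual_country or unusual_hour:
        # Right password, wrong place or time: typical of phished or reused
        # credentials, so ask for the second factor instead of allowing.
        return "step_up"
    return "allow"


def process(attempts, baseline, block_threshold=BLOCK_THRESHOLD):
    """Run attempts in order, tracking failures per IP and blocking repeat offenders.

    Returns (decisions, blocked_ips); decisions are (user, ip, outcome) tuples.
    """
    failures = Counter()
    blocked = set()
    decisions = []
    for a in attempts:
        if a.ip in blocked:
            # Once blocked, the IP is refused even if it later guesses correctly.
            decisions.append((a.user, a.ip, "blocked_ip"))
            continue
        outcome = assess(a, baseline)
        if outcome == "deny":
            failures[a.ip] += 1
            if failures[a.ip] >= block_threshold:
                blocked.add(a.ip)
        decisions.append((a.user, a.ip, outcome))
    return decisions, blocked


def blocked_share_by_region(blocked, ip_region):
    """Percentage of blocked IPs per region, the kind of breakdown the post quotes."""
    counts = Counter(ip_region.get(ip, "Unknown") for ip in blocked)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {region: round(100.0 * n / total, 1) for region, n in counts.items()}


# Constructed sample traffic: one normal login, one phished-credential login
# from an unfamiliar country at 3 am, a brand-new account, then a guessing
# run that fails five times and only "succeeds" after its IP is blocked.
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "198.51.100.7", "US", 10, True),
    LoginAttempt("alice", "192.0.2.44", "BR", 3, True),
    LoginAttempt("carol", "198.51.100.8", "US", 12, True),
] + [LoginAttempt("alice", "203.0.113.9", "CN", 4, False) for _ in range(5)] + [
    LoginAttempt("alice", "203.0.113.9", "CN", 4, True),
]


if __name__ == "__main__":
    decisions, blocked = process(SAMPLE_ATTEMPTS, BASELINE)
    for user, ip, outcome in decisions:
        print(f"{user:6s} {ip:14s} {outcome}")
    print("blocked:", sorted(blocked))
    print("blocked share by region:", blocked_share_by_region(blocked, IP_REGION))
```

Running it shows the second attempt landing in `step_up` despite the correct password, which is the "millions of which use the right password but fail the second factor test" case from the post, and the guessing IP being refused on its sixth try even though that try carried the right password. A real system would learn the baseline from history and score many more signals than country and hour, but the shape of the decision is the same.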