Are you worrying more about ransomware and SMB1 today, or the BlueKeep vulnerability in RDP on those Windows 7 and Server 2008 boxes you haven’t migrated yet? Or are you cleaning up after a phishing attack, running a FIDO2 pilot to go passwordless or checking whether any of your Outlook clients still use basic authentication? The majority of attacks come through vulnerabilities that have already been found and fixed, but organizations haven’t been able to apply patches or workarounds in time.
With so many threats and vulnerabilities to deal with, just knowing which actions you should prioritize from an almost infinite list of urgent tasks can be hard.
Microsoft’s new Threat & Vulnerability Management service (TVM for short) tries to make it easier to curate that list and, just as importantly, makes it easier to roll out fixes to address the highest-priority vulnerabilities.
Office 365 and Microsoft 365 already give you a Secure Score for your organization, based on the controls and configuration you have set (Are all your admin accounts protected by MFA? Are all your PCs and Macs being scanned by Microsoft Defender regularly?). TVM takes some of the same signals from Defender that the Microsoft Defender Advanced Threat Protection service already uses to look for issues on your network and uses them to calculate a dynamic Exposure score to tell you what you’re exposed to right now.
Malware scans tend to run periodically, but Defender sends real-time signals covering the configuration and behaviour of the OS as well as looking at the files on the system and the behaviour of running applications. Those arrive, says corporate vice-president for Microsoft 365 security Rob Lefferts, “even if the laptop gets turned off or goes on a plane or gets put in the closet; so we still have that data, and we can still help the security team understand what’s going on”.
TVM automatically creates a list of vulnerable software across your organisation, getting past the problem that most IT teams don’t know what software is actually being used, who’s using it and how often (and doing a complete audit is rarely a high priority). “Figuring out what is an application and what do all the installations of it look like is a complex machine-learning problem, because apps have so many different files and the footprints vary by geo, they vary by language and by update.”
TVM works with Desktop Analytics to build a map of which apps, and which versions of those apps, are deployed on which desktop and how often they’re being used, and then prioritises them by vulnerabilities. “We show you the apps that are experiencing the most active threats, we have a little bug icon that means there’s an active vulnerability and a little target icon that means ‘you’ve got an active alert actually running on this thing’,” Lefferts explains.
It also shows issues with permissions and configurations on devices. “We flag where authentication is configured poorly, or you have extra admin accounts, or local accounts without passwords set,” Lefferts says.
Devices now, servers later
When you click through to see the details, TVM shows you the prevalence of the software on the endpoints you’re managing. If you have a thousand installations of an app with a known vulnerability but it’s only actually being used on 150 devices, that makes a difference to the risk. It also tracks the libraries used by applications, because a vulnerability in a library can affect many different pieces of software. Says Lefferts: “If you have an app that’s loading up an Electron library, then we have the data to show you ‘these are all the apps that are impacted by vulnerabilities in that library’ based on actual runtime execution.”
Initially, TVM is for information-worker devices, not servers, but vulnerabilities and privileged accounts on domain controllers, SQL Server and Exchange servers are a big part of a company’s security exposure. Lefferts says that Microsoft will extend TVM to cover servers in future, in conjunction with Azure Security Center, since Defender ATP already covers Windows Server. Microsoft has also dropped hints about Defender for Linux.
It also creates a prioritised list of tasks to address the vulnerabilities. “Here’s all the things that you could be doing to improve the configuration of your endpoint estate, sorted by which ones are actually going to make the most difference on your exposure score,” Lefferts says.
That’s going to be different, not just for different organisations but for the same organisation on a different day, even if they didn’t make any changes to their IT systems, because new vulnerabilities are discovered, and because many applications now update themselves automatically. The idea is to clarify which of the many potential problems are actually urgent. “If you’ve got an unpatched piece of software, well, that’s bad, you should get around to it,” says Lefferts. “But if somebody releases a zero-day vulnerability on that, then, suddenly, it’s super bad. And then, if somebody actually releases an exploit taking advantage of that, it’s even worse. If an exploit lands one morning, my exposure score goes up pretty dramatically. And then the worst of all: you have active attacks in your environment, using that exploit taking advantage of that zero-day. And all of these shift to the priority of your to-do list.”
When you pick a task, you see more details of the problem, including any machines where the risk is greater. “You can see how many other vulnerabilities are on that device. You can see who’s logged into it,” Lefferts says. If a machine has confidential information like customer PII or credit card information that’s been classified with Microsoft Information Protection, that will be flagged. It shows the patches that are available, and mitigations that will help if you’re not ready to patch, like blocking extensions.
You can also choose those and package them up for deployment through Intune or System Center Configuration Manager. That fits into existing IT workflows, and the deployment package includes information to explain why the update is important. “In many organisations, this isn’t about just one team: it’s about multiple teams working together,” says Lefferts. “The security team can package it up and say ‘this is the thing that we need to fix, this is what we need to do and here are all the devices that are impacted’, and they can hand that over to the desktop admin team so they can go ahead and take care of it.”
“Bugs without context don’t actually help people,” Lefferts notes. “It’s different when you say ‘we really need to deploy this update to this app, because people are actually getting ransomware demands with it’.”
Again, TVM uses Desktop Analytics to see if the update is already deployed elsewhere in your organization and to tell you whether it’s going to be compatible with your other systems, to give you more confidence about rolling out patches. TVM also tracks the rollout of patches and mitigations. “The security team can watch the patch get deployed, they can see the configuration update change. And then both teams can sign off knowing that everything is in a good state,” Lefferts says.
Microsoft credits the design of that kind of workflow to its collaboration with IoT vendor Telit, a customer that was involved not just in testing TVM but in helping to specify what it needed to do. Telit had worked with Hexadite, which Microsoft acquired, on previous tools, and Lefferts says that having the customer perspective was helpful in understanding the most useful way to present information like the exposure score.
Telit’s IT team comes under a lot of pressure, Itzik Menashe, vice-president for IT and information security, told us, because like many organizations the business has grown by acquisition. “In IT you always have a lack of resources, while security needs and security risks are increasing dramatically every day. An acquisition usually includes hardware and developers and finance staff, but not IT people and we don’t have a clear view and transparency of what we have in the network. That makes security hard.”
Rather than ‘best of breed’ products that aren’t integrated, Menashe argues that IT teams need full stack solutions with integration. “Previously, everything was manual; we had different third-party applications and none of them were connected or sharing information. Even if we took a decision to deploy a remediation for a specific vulnerability, it was hard to see in real time, or even at a point in time, what the situation was, because with people travelling you don’t have all the devices connected to the network at the same time – and when you run a remediation manually, you run it at a specific time. Collecting the configuration from 1,000 PCs or 10,000 PCs only takes five to ten minutes with TVM. With other solutions, you need to tell them about the application you use to deploy patches, you have to juggle between all these tools and you don’t have a real-time view. Now we get prioritisation of what we have to remediate first. And when we start to remediate vulnerabilities, we can see the security graph changing in real time as we reduce the risk because we started deploying the software patches.”
TVM will get more automation in future but, says Menashe, “it’s already more powerful than any other tool that we’ve come across.”
One big advantage of TVM is that because it’s a feature in Defender Advanced Threat Protection it’s included in existing Microsoft 365 E5 or Windows E5 subscriptions: if you’re already paying for that, you get the new service without needing to pay any extra. For cash-strapped IT security teams, Menashe notes, not having to request more budget for new security tools means not having to convince managers who see security as nothing but a cost centre (at least until they have a data breach). “Every time you go and ask for more budget for security, they’re always asking ‘What did you have in the budget I gave you last year? What can I cut? We didn’t have any security problems last year so obviously you didn’t actually need that budget’.”