Security, Compliance, and Identity Blog

Critical Cloud Assets: Identifying and Protecting the Crown Jewels of your Cloud

Cloud computing has revolutionized the way businesses operate, with many organizations shifting their business-critical services and workloads to the cloud. This transition, and the massive growth of cloud environments, has led to a surge in security issues that need to be addressed. Consequently, contextual and differentiated security strategies are becoming a necessity. Organizations need solutions that allow them to detect, prioritize, and address security issues based on their business-criticality and overall importance to the organization. Identifying an organization’s business-critical assets is the foundation of these solutions.


Microsoft is pleased to announce the release of a new set of critical cloud asset classifications in the critical asset management and protection experience, as part of the Microsoft Security Exposure Management solution and Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud (MDC). This capability enables organizations to identify additional business-critical assets in the cloud, allowing security administrators and security operations center (SOC) teams to efficiently, accurately, and proactively prioritize the security issues affecting critical assets that may arise within their cloud environments.

 

Learn more about how to get started with Critical Asset Management and Protection in Exposure Management and Microsoft Defender for Cloud: Critical Asset Protection with Microsoft Security Exposure Management, Critical assets protection (Preview) - Microsoft Defender for Cloud

 

Critical Asset Management experience in Microsoft Defender XDR

 

Criticality classification methodology

Over the past few months, we, at Microsoft, have conducted extensive research with several key objectives:

  • Understand and identify the factors that signify a cloud asset’s importance relative to others.
  • Analyze how the structure and design of a cloud environment can aid in detecting its most critical assets.
  • Accurately and comprehensively identify a broad spectrum of critical assets, including cloud identities and resources.

As a result, we are announcing the release of a new set of pre-defined classifications for critical cloud assets, encompassing a wide range of asset types, from cloud resources, to identities with privileged permissions on cloud resources. With this release, the total number of business-critical classifications has expanded to 49 for cloud identities and 8 for cloud resources, further empowering users to focus on what matters most in their cloud environments.

 

In the following sections, we will briefly discuss some of these new classifications, both for cloud-based identities and cloud-based resources, their integration into our products, their objectives, and unique features.

 

Identities

In cloud environments, it is essential to distinguish between the various role-based access control (RBAC) services, such as Microsoft Entra ID and Azure RBAC. Each service has unique permissions and scopes, necessitating a tailored approach to business-criticality classification.
We will go through examples of new business-critical rules classifying identities with assigned roles both in Microsoft Entra and Azure RBAC:

 

Microsoft Entra

The Microsoft Entra service is an identity and access management solution in which administrators or non-administrators can be assigned a wide range of built-in or custom roles to allow management of Microsoft Entra resources.

 

Examples of new business-criticality rules classifying identities assigned with a specific Microsoft Entra built-in role:

  • Classification: Exchange Administrator
    Default Criticality Level: High

‘Exchange Administrator’ classification in Critical Asset Management in Microsoft Defender XDR

This rule applies to identities assigned with the Microsoft Entra Exchange Administrator built-in role.

Identities assigned this role have strong capabilities and control over the Exchange product, with access to sensitive information through the Exchange Admin Center, and more.

 

  • Classification: Conditional Access Administrator
    Default Criticality Level: High

‘Conditional Access Administrator’ classification in Critical Asset Management in Microsoft Defender XDR

This rule applies to identities assigned with the Microsoft Entra Conditional Access Administrator built-in role.
Identities assigned this role are deemed to be of high importance, as it grants the ability to manage Microsoft Entra Conditional Access settings.

 

Azure RBAC

Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources that helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. The way you control access to resources using Azure RBAC is to assign Azure roles.

 

Example of a new criticality rule classifying identities assigned with specific Azure RBAC roles:

  • Classification: Identities with Privileged Azure Role
    Default Criticality Level: High

‘Identities with Privileged Azure Role’ classification in Critical Asset Management in Microsoft Defender XDR

This rule applies to identities assigned with an Azure privileged built-in or custom role.
Asset criticality classification within the Azure RBAC system requires consideration of several parameters, such as the role assigned to the identity, the scope in which the role takes effect, and the contextual business-criticality of the assets that lie within this scope.


Thus, this rule classifies identities that have a privileged action permission assigned over an Azure subscription scope in which a critical asset resides, thereby applying contextual and differentiated security measures. This provides the customer with a criticality classification technique that covers both Azure built-in roles and custom roles, and that adapts to dynamic changes inside the customer environment, ensuring a more accurate reflection of criticality.
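To make the rule concrete, the following is an added example (not Microsoft's implementation) of the three checks it combines: the role must grant a privileged action (with Azure's `Actions`/`NotActions` wildcard semantics, so custom roles are covered), the assignment must be at subscription scope, and a critical asset must reside under that scope. The role definitions, resource IDs, principals and the list of actions treated as privileged are all constructed for illustration; the page does not publish which actions Microsoft considers privileged.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample data: ARM-style resource IDs with invented names.
CRITICAL_ASSETS = {
    "/subscriptions/sub-prod/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-prod",
    "/subscriptions/sub-prod/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-01",
}

# Role definitions in the shape Azure RBAC uses (Actions / NotActions with '*' wildcards).
# Owner, Reader and Contributor mirror the built-in roles; the last one is a custom role.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    },
    "Custom-AppDeployer": {
        "actions": ["Microsoft.Compute/*", "Microsoft.Authorization/roleAssignments/write"],
        "notActions": [],
    },
}

# Assumption for this example: the set of actions treated as "privileged".
PRIVILEGED_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.KeyVault/vaults/accessPolicies/write",
    "Microsoft.Compute/virtualMachines/runCommand/action",
]

# Constructed role assignments: (principal, role, scope).
ROLE_ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "role": "Owner", "scope": "/subscriptions/sub-prod"},
    {"principal": "bob@contoso.example", "role": "Reader", "scope": "/subscriptions/sub-prod"},
    {"principal": "deploy-sp", "role": "Custom-AppDeployer", "scope": "/subscriptions/sub-prod"},
    {"principal": "carol@contoso.example", "role": "Owner", "scope": "/subscriptions/sub-dev"},
    {"principal": "dave@contoso.example", "role": "Contributor", "scope": "/subscriptions/sub-prod"},
    {"principal": "erin@contoso.example", "role": "Owner",
     "scope": "/subscriptions/sub-prod/resourceGroups/rg-other"},
]

SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+$")


def role_grants(role_name, action):
    """True if the role's Actions match `action` and its NotActions do not exclude it.
    Azure action strings are case-insensitive and '*' matches across '/' segments."""
    role = ROLE_DEFINITIONS[role_name]
    wanted = action.lower()
    allowed = any(fnmatchcase(wanted, p.lower()) for p in role["actions"])
    denied = any(fnmatchcase(wanted, p.lower()) for p in role["notActions"])
    return allowed and not denied


def is_privileged_role(role_name):
    """A role is privileged if it effectively grants any privileged action."""
    return any(role_grants(role_name, a) for a in PRIVILEGED_ACTIONS)


def scope_contains_critical_asset(scope, critical_assets=CRITICAL_ASSETS):
    """Resource IDs are hierarchical, so containment is a prefix test on the scope."""
    prefix = scope.rstrip("/").lower() + "/"
    return any(asset.lower().startswith(prefix) for asset in critical_assets)


def classify_privileged_identities(assignments=ROLE_ASSIGNMENTS):
    """Return {principal: 'High'} for identities matching the page's rule:
    privileged role, assigned at subscription scope, with a critical asset in that scope."""
    classified = {}
    for a in assignments:
        if not SUBSCRIPTION_SCOPE.match(a["scope"]):
            continue  # resource-group or resource scope: outside this rule
        if not is_privileged_role(a["role"]):
            continue
        if not scope_contains_critical_asset(a["scope"]):
            continue
        classified[a["principal"]] = "High"
    return classified


if __name__ == "__main__":
    for principal, level in classify_privileged_identities().items():
        print(f"{principal}: {level}")
```

Note that `Contributor` is flagged even though its `NotActions` strip the role-assignment permissions: it still grants the Key Vault access-policy write action in the constructed privileged list, which is exactly why the check must be evaluated against effective permissions rather than role names. The Owner assignment on `sub-dev` is not flagged because no critical asset lives there, and the Owner assignment on a resource group is skipped because the rule is scoped to subscriptions.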

 

List of pre-defined criticality classifications for identities in Microsoft Security Exposure Management

 

Cloud resources

A cloud environment is a complex network of interconnected and isolated assets, allowing a remarkable variety of environment structures, asset configurations, and resource-identity interconnections. This flexibility provides users with significant value, particularly when designing environments around business-critical assets and configuring them to meet specific requirements.


We will present three examples of the new predefined criticality classifications in this release that illustrate innovative approaches to identifying business-critical assets.

 

Azure Virtual Machines

Examples of new criticality rules classifying Azure Virtual Machines:

  • Classification: Azure Virtual Machine with High Availability and Performance
    Default Criticality Level: Low

‘Azure Virtual Machine with High Availability and Performance’ classification in Critical Asset Management in Microsoft Defender XDR

Compute resources are the cornerstone of cloud environments, supporting production services, business-critical workloads, and more. These assets are created for a specific purpose, and upon creation the user is presented with several configuration options that allow the asset to meet its requirements and performance thresholds.


As a result, an Azure Virtual Machine configured with an availability set indicates that the machine is designed to withstand faults and outages, while a machine equipped with premium Azure storage indicates that it is expected to withstand heavy workloads requiring low latency and high performance. Machines equipped with both are often deemed to be business-critical.

 

  • Classification: Azure Virtual Machine with a Critical User Signed In
    Default Criticality Level: High

‘Azure Virtual Machine with a Critical User Signed In’ classification in Critical Asset Management in Microsoft Defender XDR

Resource-user interconnections within a cloud environment enable the creation of efficient, well-maintained, and least privilege-based systems. These connections can be established to facilitate interaction between resources, enabling single sign-on (SSO) for associated identities and workstations, and more.


When a user with a high or very high criticality level has an active session in the resource, the resource can perform tasks within the user's scoped permissions. However, if an attacker compromises the machine, they could assume the identity of the signed-in user and execute malicious operations.

 

Azure Key Vault

Example of a new criticality rule classifying Azure Key Vaults:

  • Classification: Azure Key Vaults with Many Connected Identities
    Default Criticality Level: High

‘Azure Key Vaults with Many Connected Identities’ classification in Critical Asset Management in Microsoft Defender XDR

Through the complex environments of cloud computing, where different kinds of assets interact and perform different tasks, lies authentication and authorization, supported by the invaluable currency of secrets. Therefore, studying the structure of the environment and how the key management solutions inside it are built is essential to detect business-critical assets.


Azure Key Vault is an indispensable solution when it comes to key, secrets, and certificate management. It is widely used by both business-critical and non-critical processes inside environments, where it plays an integral role in the smoothness and robustness of these processes.


An Azure Key Vault that plays a critical role within a business-critical workload, such as a production service, is likely to be used by a high number of different identities compared to other key vaults in the organization; in case of disruption or compromise, it could therefore have adverse effects on the integrity of the service.
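The three resource classifications above (the high-availability-and-performance VM, the VM with a critical user signed in, and the Key Vault with many connected identities) can be expressed as rules over an asset inventory. The following is an added example written for this page, not Microsoft's classification engine: the VM properties, the identity criticality table, the Key Vault access records, the premium disk SKU list and the "many identities" threshold (a multiple of the median across vaults) are all constructed assumptions.

```python
from statistics import median

# Constructed VM inventory: availability set, OS disk SKU and currently signed-in users.
VMS = [
    {"id": "vm-web-01", "availability_set": "as-web", "os_disk_sku": "Premium_LRS",
     "signed_in_users": ["svc-web"]},
    {"id": "vm-batch-02", "availability_set": None, "os_disk_sku": "Premium_LRS",
     "signed_in_users": []},
    {"id": "vm-jump-03", "availability_set": None, "os_disk_sku": "Standard_LRS",
     "signed_in_users": ["alice@contoso.example"]},
]

# Constructed identity criticality levels (output of the identity rules).
IDENTITY_CRITICALITY = {"alice@contoso.example": "Very High", "svc-web": "Low"}

# Constructed Key Vault access records as (vault, identity) pairs, e.g. distilled
# from vault diagnostic logs. Repeated pairs count once.
KEY_VAULT_ACCESS = [
    ("kv-prod", "svc-web"), ("kv-prod", "svc-api"), ("kv-prod", "svc-worker"),
    ("kv-prod", "deploy-sp"), ("kv-prod", "alice@contoso.example"), ("kv-prod", "svc-web"),
    ("kv-dev", "bob@contoso.example"),
    ("kv-test", "bob@contoso.example"), ("kv-test", "carol@contoso.example"),
]

PREMIUM_SKUS = {"Premium_LRS", "Premium_ZRS", "PremiumV2_LRS"}  # assumption
LEVEL_ORDER = ["Low", "Medium", "High", "Very High"]
HIGH_LEVELS = {"High", "Very High"}

VM_HA_PERF = "Azure Virtual Machine with High Availability and Performance"
VM_CRITICAL_USER = "Azure Virtual Machine with a Critical User Signed In"
KV_MANY_IDENTITIES = "Azure Key Vaults with Many Connected Identities"


def classify_vm(vm):
    """Return the list of (classification, default level) matching one VM."""
    labels = []
    # Availability set signals fault tolerance; premium disk signals performance need.
    if vm["availability_set"] and vm["os_disk_sku"] in PREMIUM_SKUS:
        labels.append((VM_HA_PERF, "Low"))
    # A High / Very High identity with an active session makes the host critical.
    if any(IDENTITY_CRITICALITY.get(u) in HIGH_LEVELS for u in vm["signed_in_users"]):
        labels.append((VM_CRITICAL_USER, "High"))
    return labels


def connected_identities(access_records):
    """Count distinct identities per vault."""
    by_vault = {}
    for vault, identity in access_records:
        by_vault.setdefault(vault, set()).add(identity)
    return {vault: len(ids) for vault, ids in by_vault.items()}


def classify_key_vaults(access_records, factor=2.0):
    """Flag vaults whose distinct-identity count is at least `factor` times the
    median across all vaults (assumed definition of 'many', relative to peers)."""
    counts = connected_identities(access_records)
    if not counts:
        return {}
    threshold = factor * median(counts.values())
    return {vault: "High" for vault, n in counts.items() if n > 1 and n >= threshold}


def effective_criticality(labels):
    """An asset takes the highest default level among its matching classifications."""
    if not labels:
        return None
    return max((level for _, level in labels), key=LEVEL_ORDER.index)


def classify_resources(vms=VMS, access_records=KEY_VAULT_ACCESS):
    """Inventory-wide result: {asset id: (classifications, effective level)}."""
    result = {}
    for vm in vms:
        labels = classify_vm(vm)
        if labels:
            result[vm["id"]] = (labels, effective_criticality(labels))
    for vault, level in classify_key_vaults(access_records).items():
        result[vault] = ([(KV_MANY_IDENTITIES, level)], level)
    return result


if __name__ == "__main__":
    for asset, (labels, level) in classify_resources().items():
        print(asset, level, [name for name, _ in labels])
```

The Key Vault rule is deliberately relative rather than absolute: a vault with five consumers is unremarkable in one tenant and an outlier in another, which is why the page describes the signal as "compared to other key vaults in the organization". In the constructed data `kv-prod` (5 identities) clears the threshold while `kv-test` (2) does not.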

 

List of pre-defined criticality classifications for cloud resources in Exposure Management

Protecting the crown jewels of your cloud environment

Critical asset identification, management, and protection lie at the heart of the Exposure Management and Defender Cloud Security Posture Management (CSPM) products, enriching the experience by allowing customers to create their own custom business-criticality classifications alongside Microsoft’s predefined ones.

 

Protecting your cloud crown jewels is of utmost importance, so staying on top of best practices is crucial. Some of our best practice recommendations:

  • Thoroughly enabling protections in business-critical cloud environments.
  • Detecting, monitoring, and auditing critical assets inside the environments, by utilizing both pre-defined and custom classifications.
  • Prioritizing and executing the remediation and mitigation of active attack paths, security issues, and security incidents relating to existing critical assets.
  • Following the principle of least privilege by removing unnecessary permissions from overprivileged identities; such identities can be identified inside the critical asset management experience in Microsoft Security Exposure Management.

 

Conclusion

In the rapidly growing and evolving world of cloud computing, the increasing volume of security issues underscores the need for contextual and differentiated security solutions that allow customers to effectively identify, prioritize, and address security issues. The capability to identify an organization’s critical assets is therefore of utmost importance.

 

Not all assets are created equal. Assets of importance could take the form of a highly privileged user, an Azure Key Vault that facilitates authentication for many identities, or a virtual machine created with high availability and performance requirements for production services.

 

Protecting customers’ most valuable assets is one of Microsoft’s top priorities. We are pleased to announce a new set of business-critical cloud asset classifications, as part of Microsoft Defender for Cloud and Microsoft Security Exposure Management solutions.

 

Learn more

Microsoft Security Exposure Management

Microsoft Defender for Cloud

  • Microsoft Defender for Cloud (MDC) plans
  • Microsoft’s Cloud Security Posture Management (CSPM) documentation
  • Critical Asset Protection in Microsoft Defender for Cloud (MDC) documentation

 

eDiscovery launches a modern, intuitive user experience

This month, we are launching a redesigned Microsoft Purview eDiscovery product experience in public preview. This improved user experience revolutionizes your data search, review, and export tasks within eDiscovery. Our new user-friendly and feature-rich eDiscovery experience is not just about finding and preserving data, it's about doing it with unprecedented efficiency and ease. The modern user experience of eDiscovery addresses some long-standing customer requests, such as enhanced search capabilities with MessageID, Sensitive Information Types (SITs), and sensitivity labels. It also introduces innovative features like draft query with Copilot and search using the audit log. These changes, driven by customer feedback and our commitment to innovation, offer tangible value by saving time and reducing costs in the eDiscovery process.

 

The new eDiscovery experience is exclusively available in the Microsoft Purview portal. The new Microsoft Purview portal is a unified platform that streamlines data governance, data security, and data compliance across your entire data estate. It offers a more intuitive experience, allowing users to easily navigate and manage their compliance needs.  

 

Unified experience 

One of the benefits of the new, improved eDiscovery is a unified, consistent, and intuitive experience across different licensing tiers. Whether your license includes eDiscovery standard or premium, you can use the same workflow to create cases, conduct searches, apply holds, and export data. This simplifies the training and education process for organizations that upgrade their license and want to access premium eDiscovery features. Unlike the previous experience, where Content Search, eDiscovery (Standard), and eDiscovery (Premium) had different workflows and behaviors, the new experience lets you access eDiscovery capabilities seamlessly regardless of your license level. E5 license holders have the option to use premium features such as exporting cloud attachments and Teams conversation threading at the appropriate steps in the workflow. Moreover, users still have access to all existing Content Searches and both Standard and Premium eDiscovery cases on the unified eDiscovery case list page in the Microsoft Purview portal.

 

The new experience also strengthens the security controls for Content Search by placing them in an eDiscovery case. This allows eDiscovery administrators to control who can access and use existing Content Searches and generated exports. Administrators can add or remove users from the Content Search case as needed. This way, they can prevent unauthorized access to sensitive search data and stop Content Search when it is no longer required. Moreover, this helps maintain the integrity and confidentiality of the investigation process. The new security controls ensure that only authorized personnel can access sensitive data, reducing the risk of data breaches and complying with legal and regulatory standards.

 

Enhanced data source management 

Efficient litigation and investigation workflows hinge on the ability to precisely select data sources and locations in the eDiscovery process. This enables legal teams to swiftly preserve relevant information and minimize the risk of missing critical evidence. The improved data source picking capability allows for a more targeted and effective search, which is essential in responding to legal matters or internal investigations. It enables users to apply holds and conduct searches with greater accuracy, ensuring that all pertinent information is captured without unnecessary data proliferation. This improvement not only enhances the quality of the review, but also reduces the overall costs associated with data storage and management. 

 

The new eDiscovery experience makes data source location mapping and management better as well. You can now perform a user or group search with different identifiers and see their data hierarchy tree, including their mailbox and OneDrive. For example, eDiscovery users can use any of the following identifiers: Name, user principal name (UPN), SMTP address, or OneDrive URL. The data source picker streamlines the eDiscovery workflow by displaying all potential matches and their locations, along with related sources such as frequent collaborators, group memberships, and direct reports. This allows for the addition of these sources to search or hold scope without relying on external teams for information on collaboration patterns, Teams/Group memberships, or organizational hierarchies. 

 

Figure 1: New data source view with ability to associate person’s mailbox and OneDrive, exploring to a person’s frequent collaborator and ability to query data source updates.

The "sync" capability in the new data source management flow is a significant addition that ensures eDiscovery users are always informed about the latest changes in data locations. With this feature, users can now query whether a specific data source has newly provisioned data locations or if any have been removed. For example, if a private channel is created for a Teams group, this feature alerts eDiscovery users to the new site's existence, allowing them to quickly and easily include it in their search scope, ensuring no new data slips through the cracks. This real-time update capability empowers users to make informed decisions about including or excluding additional data locations in their investigations. This capability ensures that their eDiscovery process remains accurate and up-to-date with the latest data landscape changes. It is a proactive approach to data management that enhances the efficiency and effectiveness of eDiscovery operations, providing users with the agility to adapt to changes swiftly. 

 

Improved integration with Microsoft Information Protection 

The new eDiscovery experience now supports querying by Sensitive Information Types (SITs) and sensitivity labels. Labeling, classifying, and encrypting your organization's data is a best practice that serves multiple essential purposes. It helps to ensure that sensitive information is handled appropriately, reducing the risk of unauthorized access and data breaches. By classifying data, organizations can apply the right level of protection to different types of information, which is crucial for compliance with various regulations and standards. Moreover, encryption adds a layer of security that keeps data safe even if it falls into the wrong hands. It ensures that only authorized users can access and read the information, protecting it from external threats and internal leaks.  

 

The new eDiscovery search functionality supports searches for emails and documents classified by SITs or specific sensitivity labels, facilitating the collection and review of data aligned with its classification for thorough investigations. This capability compresses the volume of evidence required for review, significantly reducing both the time and cost of the process. The support of efficient document location and management by targeting specific sensitivity labels unlocks the ability for organizations to validate and understand how sensitivity labels are utilized. This is exemplified by the ability to conduct collections across locations or the entire tenant for a particular label, using the review set to assess label application. Additionally, combining this with SIT searches helps verify correct data classification. For example, it ensures that all credit card data is appropriately labeled as highly confidential by reviewing items containing credit card data that are not marked as such, thereby streamlining compliance and adherence to security policies. 

Figure 2: Better integration with Microsoft Information Protection means the ability to search labeled and protected data by SIT.

Figure 3: Better integration with Microsoft Information Protection means the ability to search labeled and protected data by sensitivity label.

Enhanced investigation capabilities 

The new eDiscovery experience introduces a powerful capability to expedite security investigations, particularly in scenarios involving a potentially compromised account. By leveraging the ability to search by audit log, investigators can swiftly assess the account's activities, pinpointing impacted files. As part of the investigative feature, eDiscovery search can also use an evidence file as search input, enabling a rapid analysis of file content patterns or signatures. This feature is crucial for identifying similar or related content, providing a streamlined approach to discover whether sensitive files have been copied or moved, thereby enhancing the efficiency and effectiveness of the security response.

 

The enhanced search capability by identifier in the new eDiscovery UX is a game-changer for customers, offering a direct route to the exact message or file needed. With the ability to search using a messageID for mailbox items or a path for SharePoint items, users can quickly locate and retrieve the specific item they require. This precision not only streamlines evidence collection but also accelerates the process of purging leaked data for spillage cleanup. It's a significant time-saver that simplifies the workflow, allowing customers to focus on what matters most – securing and managing their digital environment efficiently, while targeting relevant data. 

 

Building on the data spillage scenario, our search and purge tool for mailbox items, including Teams messages, also received a significant 10x enhancement. Where previously administrators could only purge 10 items per mailbox location, they can now purge up to 100 items per mailbox location. This enhancement is a benefit for administrators tasked with responding to data spills or needing to remediate data within Teams or Exchange, allowing for a more comprehensive and efficient purge process. With all these investigative capability updates, now the security operations team is ready to embrace the expanded functionality and take their eDiscovery operations to the next level. 

 

Microsoft Security Copilot capabilities 

The recently released Microsoft Security Copilot's capabilities in eDiscovery are transformative, particularly in generating KeyQL from natural language and providing contextual summarization and answering abilities in review sets. These features significantly lower the learning curve for KeyQL, enabling users to construct complex queries with ease. Instead of mastering the intricacies of KeyQL, users can simply describe what they are looking for using natural language, and Copilot translates that into a precise KeyQL statement. This not only saves time but also makes the power of eDiscovery accessible to a broader range of users, regardless of their technical expertise. 

Figure 4: Draft query faster with Copilot’s N2KeyQL capability.

Moreover, Copilot's summarization skills streamline the review process by distilling key insights from extensive datasets. Users can quickly grasp the essence of large volumes of data, which accelerates the review process and aids in identifying the most pertinent information. This is particularly beneficial in legal and compliance contexts, where time is often of the essence, and the ability to rapidly process and understand information can have significant implications. 

Figure 5: Copilot summarization skill in Review Set helps the reviewer assess content through a summary of the item, even when the conversation is not in English.

Additional export options 

The new eDiscovery experience introduces a highly anticipated suite of export setting enhancements. The contextual conversation setting is now distinct from the conversation transcript setting, offering greater flexibility in how Teams conversations are exported. The ability to export into a single PST allows for the consolidation of files/items from multiple locations, simplifying the post-export workflow. Export can now give friendly names to each item, eliminating the need for users to decipher item GUIDs, and making identification straightforward. Truncation in export addresses the challenges of zip file path character limits. Additionally, the expanded versioning options empower users to include all versions or select the latest 10 or 100, providing tailored control over the data. These improvements not only meet user expectations but also significantly benefit customers by streamlining the eDiscovery process and enhancing overall efficiency. 

 

Additional enhancements 

As part of the new experience, we are introducing the review set query report, which generates a hit-by-term report based on a KQL query. This query report allows users to quickly see the count and volume of items hit on a particular keyword or a list of compound queries, and can be optionally downloaded.  By providing a detailed breakdown of where and how often each term appears, it streamlines the review by focusing on the most relevant documents, reducing the volume of data that needs to be manually reviewed, and offers a better understanding of which terms may be too broad or too narrow. 

 

As part of the improved user experience, all long-running processes now show a transparent and informative progress bar. This progress bar provides users with real-time visibility into the status of their searches and exports, allowing eDiscovery practitioners to better plan their workflow and manage their time effectively. This feature is particularly beneficial in the context of legal investigations, where timing is often critical, and users need to anticipate when they can proceed to the next steps. This level of process transparency allows users to stay informed and make decisions accordingly. 

Figure 6: Transparent progress bar for all long-running processes detailing scope of the process and estimated time to complete.

In addition to progress transparency, all processes in the new eDiscovery experience will include a full report detailing the information related to completed processes. The defensibility of eDiscovery cases and investigations is paramount. The full reporting capabilities for processes such as exports, searches, and holds provide critical transparency. For example, it allows for a comprehensive audit of what was searched or exported, the specific timing, and the settings used. For customers, this means a significant increase in trust and defensibility of the eDiscovery process. This enhancement not only bolsters the integrity of the eDiscovery process but also reinforces the commitment to delivering customer-centric solutions that meet the rigorous demands of legal compliance and data management. 

 

Hold policy detail view also received an upgrade as part of this new eDiscovery release. Customers now can access the hold policy view with detailed information on all locations and their respective hold status. This detailed view is instrumental in providing a transparent audit of what location is on hold, ensuring that all relevant data is preserved, and that no inadvertent destruction of evidence occurs during the process. Customers can download and analyze the full detailed hold location report, ensuring that all necessary content is accounted for and that legal obligations are met.  

 

As we conclude this exploration of the modernized Microsoft Purview eDiscovery (preview) experience, it's clear that the transformative enhancements are set to redefine the landscape of legal compliance and security investigations. The new experience, with its intuitive design and comprehensive set of new capabilities, streamlines the eDiscovery process, making it more efficient and accessible than ever before. The new eDiscovery experience is currently in public preview and is expected to be Generally Available by the end of 2024.  

 

Thank you for joining us on this journey through the latest advancements in eDiscovery. We are excited to see how these changes will empower legal and compliance teams to achieve new levels of efficiency and effectiveness in their important work. To learn more about the changes in eDiscovery, visit our product documentation. As always, we are eager to hear your feedback and continue innovating to improve your experience. We welcome your thoughts via the Microsoft Purview portal’s feedback button.  

 

We hope these enhancements improve your day-to-day experience and ultimately streamline the eDiscovery process, making it more efficient and accessible than ever before. The new eDiscovery experience is currently in public preview and is expected to be Generally Available by the end of 2024.  

 

Learn more

Rollout has begun and is expected to reach all worldwide tenants by mid September. We are excited to see how these changes will empower legal and compliance teams to achieve new levels of efficiency and effectiveness in their important work. Check out our interactive guide at https://aka.ms/eDiscoverynewUX to better understand the changes in eDiscovery. As always, we are eager to hear your feedback and continue innovating to improve your experience. We welcome your thoughts via the Microsoft Purview portal’s feedback button.  

 

To learn more about the new eDiscovery user experience, visit our Microsoft documentation at https://aka.ms/ediscoverydocsnew. If you have yet to try eDiscovery, visit the new Purview portal today to start a trial. For more updates on the future of eDiscovery, check out our product roadmap.

Bridging the On-premises to Cloud Security Gap: Cloud Credentials Detection

Identities lie at the heart of cloud security. One of the most common tactics used to breach cloud environments is Credential Access. User credentials may be obtained using various techniques. Credentials may be cracked through brute force attempts, obtained in social engineering campaigns, or stolen from compromised resources, where they are stored and used.  

 

In this blog, we demonstrate that properly securing cloud environments requires securing credentials in the organization’s non-cloud environments. To this end, we dive into our innovative capability to detect cloud credentials in on-premises environments and user devices. By integrating it with Microsoft Security Exposure Management, customers are able to identify attack paths starting in non-cloud environments and reaching critical cloud assets using cloud credentials. Customers are then able to effectively prioritize and mitigate those attack paths, thereby improving their enterprise and cloud security posture. 

 

Credentials in On-premises Environments and User Devices: the Achilles Heel of Cloud Security 

Awareness of the risk of credential theft in cloud environments is increasing, with security vendors offering secret scanning in various cloud-based resources, such as virtual machines and code repositories. However, cloud-credential theft from on-premises environments and user devices is a substantial blind spot in cloud protection solutions. 

 

Consider the following attack scenario: To work with cloud infrastructures, employees must constantly use credentials on their personal computers. Most predominantly, users access cloud provider services either using the web portal or a CLI tool. Both methods can leave long-term credentials on the employee’s computer, such as authentication cookies and access tokens. A malicious actor who gains access to the user’s computer can easily steal those credentials and breach the customer’s cloud environment. The attacker immediately gains all the current permissions of the compromised user. 


This scenario is a reality that we witness over and over with our customers. Our security research team has recently uncovered a crypto mining campaign targeting a large financial organization. The attack began by executing malware on an endpoint machine used by one of the organization’s administrators. The attacker then extracted a browser cookie from the compromised machine, which allowed them to bypass MFA and gain an initial foothold in the cloud environment with global administrator permissions. 


The Technical Challenge: Identifying and Mapping Browser Cookies 

The most widespread credential type used to access the cloud from user devices is the authentication cookie. When a user logs in to a cloud provider's website, authentication cookies are saved in the browser to enable easy, password-free access in future sessions.


While the exact format varies, these cookies appear as long, randomized strings and do not contain any identifier of the user they can be used to authenticate as. This poses a significant challenge to the security vendor, who needs to infer this exact connection.


The trivial way to solve this challenge would be to collect the authentication cookie from the user's machine and actively send it to the relevant website. This solution has several disadvantages that make it complex and unattractive:

  • Authentication cookies are highly sensitive secrets. Collecting and saving those cookies adds an unwanted risk to the customer.
  • Actively sending the cookies on a mass scale may look suspicious and cause false alarms on the website’s side. 
  • High operational and engineering costs on the vendor’s side. 


The Solution: Smart Analysis of Browser Artifacts 

To overcome this challenge, we have come up with an innovative solution that is based on analysis of browser artifacts. The artifacts, saved by the website upon successful user authentication, contain the identifier of the authenticated user. This solution also provides information on the cookie’s validity, as the artifacts also indicate when a user logs out, or when a cookie is expired due to lack of usage. 


The analysis runs periodically through Microsoft Defender for Endpoint and supports detection of both Azure Portal and AWS Console authentication cookies. In the first release, all Chromium-based browsers are supported.
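The passive approach described above, as an added Python example that is not Microsoft's implementation and not Defender for Endpoint code: it reads only cookie metadata (host, name, expiry, last access) from a Chromium-style profile, never the cookie value, and decides who the cookie authenticates as and whether it is still live by replaying the login/logout artifacts the console itself wrote. The console host names, the artifact shape and the 24-hour idle window are assumptions made for this example, and every record below is a constructed sample.

```python
"""Map cloud-console authentication cookies to the user they belong to.

Added example, not Microsoft's implementation. Cookie *metadata* from the
browser profile is combined with the login/logout artifacts the site wrote,
instead of replaying the cookie against the provider. Cookie values are
never read. Host names, artifact layout and the idle window are assumptions;
all records are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed console hosts whose session cookies this example cares about.
CONSOLE_HOSTS: Dict[str, str] = {
    "portal.azure.com": "Azure Portal",
    "console.aws.amazon.com": "AWS Console",
}
# Assumed inactivity window after which a session cookie is treated as dead.
IDLE_EXPIRY = timedelta(hours=24)


@dataclass
class CookieMeta:
    """Cookie metadata only: deliberately no 'value' field."""
    host: str
    name: str
    expires: datetime
    last_access: datetime


@dataclass
class Artifact:
    """A record the site wrote on login/logout (e.g. in local storage)."""
    host: str
    event: str            # "login" or "logout"
    user: Optional[str]   # identifier of the authenticated user
    when: datetime


def classify_cookie(cookie: CookieMeta, artifacts: List[Artifact],
                    now: datetime) -> Optional[Tuple[Optional[str], str]]:
    """Return (user, state) for a console cookie, or None for other hosts.

    state is one of: expired, stale, valid, logged-out, unknown-user.
    """
    if cookie.host not in CONSOLE_HOSTS:
        return None
    if cookie.expires <= now:
        return (None, "expired")
    if now - cookie.last_access > IDLE_EXPIRY:
        return (None, "stale")
    # Replay the site's own login/logout history for this host in time order;
    # the last event decides who the cookie belongs to and whether it is live.
    history = sorted((a for a in artifacts if a.host == cookie.host and a.when <= now),
                     key=lambda a: a.when)
    user, state = None, "unknown-user"
    for a in history:
        if a.event == "login":
            user, state = a.user, "valid"
        elif a.event == "logout":
            user, state = a.user or user, "logged-out"
    return (user, state)


def find_exposures(cookies: List[CookieMeta], artifacts: List[Artifact],
                   now: datetime) -> List[dict]:
    """Report every console cookie with the user it maps to and its state."""
    report = []
    for c in cookies:
        result = classify_cookie(c, artifacts, now)
        if result is None:
            continue
        user, state = result
        report.append({"console": CONSOLE_HOSTS[c.host], "cookie": c.name,
                       "user": user, "state": state})
    return report


NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample cookie store (metadata only, no values).
SAMPLE_COOKIES = [
    CookieMeta("portal.azure.com", "session_a", NOW + timedelta(days=7), NOW - timedelta(hours=1)),
    CookieMeta("console.aws.amazon.com", "session_b", NOW + timedelta(days=7), NOW - timedelta(minutes=30)),
    CookieMeta("console.aws.amazon.com", "session_old", NOW - timedelta(days=1), NOW - timedelta(days=2)),
    CookieMeta("portal.azure.com", "session_idle", NOW + timedelta(days=7), NOW - timedelta(days=3)),
    CookieMeta("intranet.example.com", "sso", NOW + timedelta(days=7), NOW),
]

# Constructed sample artifacts the consoles wrote on login/logout.
SAMPLE_ARTIFACTS = [
    Artifact("portal.azure.com", "login", "alice@contoso.com", NOW - timedelta(hours=2)),
    Artifact("console.aws.amazon.com", "login", "bob", NOW - timedelta(hours=3)),
    Artifact("console.aws.amazon.com", "logout", "bob", NOW - timedelta(minutes=30)),
]

if __name__ == "__main__":
    for row in find_exposures(SAMPLE_COOKIES, SAMPLE_ARTIFACTS, NOW):
        print(row)
```

On the sample data the Azure cookie is reported as a live session for alice@contoso.com, the AWS cookie is attributed to bob but marked logged-out, and the other two console cookies are flagged expired and stale, so an analyst sees which cookie is worth acting on without the cookie value ever leaving the device.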


In addition, we’re introducing an ability to detect cloud secrets used by the CLI tools of Azure, AWS and GCP. These secrets are stored locally and include refresh tokens, certificates, and access keys. Here, too, we’re able to correlate them to the relevant user that they can be used to authenticate as. 
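A companion inventory for the CLI secrets just described, added here as example code rather than anything from the product: it parses constructed copies of the files the AWS, Azure and gcloud CLIs keep in the user's home directory, reports which identity each secret belongs to, and masks rather than prints the secret material. The paths are the CLIs' well-known locations; the internal layout of the Azure CLI token cache and of the gcloud configuration file used here are assumptions, and all file contents are constructed (the AWS access key ID is the placeholder AWS uses in its own documentation).

```python
"""Inventory cloud CLI credential material on a device and tie it to an identity.

Added example, not Microsoft's scanner. It parses constructed copies of the
files the AWS, Azure and gcloud CLIs keep under the home directory and reports
the secret kind and the identity it belongs to, never the secret itself.
Paths are the CLIs' well-known locations; the Azure token cache layout and the
gcloud config layout used here are assumptions.
"""
import configparser
import json
from typing import Dict, List


def mask(value: str, keep: int = 4) -> str:
    """Show only the tail of an identifier so reports do not leak it."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def scan_aws_credentials(text: str) -> List[dict]:
    """~/.aws/credentials: INI profiles holding long-term access keys."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    out = []
    for profile in cfg.sections():
        if cfg.has_option(profile, "aws_access_key_id"):
            key_id = cfg.get(profile, "aws_access_key_id")
            out.append({"provider": "AWS", "kind": "access key",
                        "identity": f"profile {profile} / key {mask(key_id)}",
                        "has_secret": cfg.has_option(profile, "aws_secret_access_key")})
    return out


def scan_gcloud_config(text: str, has_credential_db: bool) -> List[dict]:
    """gcloud active configuration names the account; the refresh token lives
    separately in credentials.db, so its presence is passed in (assumed layout)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    account = cfg.get("core", "account", fallback=None)
    if not account:
        return []
    return [{"provider": "GCP", "kind": "refresh token",
             "identity": account, "has_secret": has_credential_db}]


def scan_azure_token_cache(text: str) -> List[dict]:
    """Azure CLI MSAL cache: account entries plus refresh tokens (layout assumed)."""
    cache = json.loads(text)
    usernames = [a.get("username") for a in cache.get("Account", {}).values()]
    has_rt = bool(cache.get("RefreshToken"))
    return [{"provider": "Azure", "kind": "refresh token",
             "identity": u, "has_secret": has_rt} for u in usernames if u]


def inventory(files: Dict[str, str]) -> List[dict]:
    """Dispatch each known path to its parser and tag findings with the path."""
    findings: List[dict] = []
    for path, text in files.items():
        if path.endswith("/.aws/credentials"):
            new = scan_aws_credentials(text)
        elif path.endswith("/gcloud/configurations/config_default"):
            new = scan_gcloud_config(text, "~/.config/gcloud/credentials.db" in files)
        elif path.endswith("/.azure/msal_token_cache.json"):
            new = scan_azure_token_cache(text)
        else:
            continue
        for f in new:
            f["path"] = path
        findings.extend(new)
    return findings


# Constructed sample files keyed by their well-known path (not read from disk).
SAMPLE_FILES: Dict[str, str] = {
    "~/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"      # AWS docs placeholder
        "aws_secret_access_key = constructed-secret-value\n"
    ),
    "~/.config/gcloud/configurations/config_default": (
        "[core]\naccount = carol@example.com\nproject = demo-project\n"
    ),
    "~/.config/gcloud/credentials.db": "<constructed placeholder, never parsed>",
    "~/.azure/msal_token_cache.json": json.dumps({
        "Account": {"uid.utid-login.microsoftonline.com-tid": {
            "username": "dave@contoso.com", "home_account_id": "uid.utid"}},
        "RefreshToken": {"rt-key": {"secret": "constructed-refresh-token"}},
    }),
}

if __name__ == "__main__":
    for finding in inventory(SAMPLE_FILES):
        print(finding)
```

The identity fields (profile name, gcloud account, Azure username) are what let the finding be joined to the user in a device-to-cloud view; the secret values are neither stored nor printed, which is the same property the cookie analysis relies on.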


Reducing the Attack Surface and Enhancing Threat Detection 

This new ability to detect cloud credentials in on-premises environments and user devices is fully integrated into Microsoft Security Exposure Management. This comes in addition to our existing abilities to detect credentials in cloud and hybrid environments. By ingesting the data to the exposure graph, customers are now able to: 


  • Gain Visibility to the Attack Surface created by Cloud Credentials: Effectively prioritize protection of the critical areas of the network that need it most. 
  • Reduce the Attack Surface: Identify and mitigate attack paths involving cloud credentials.  
  • Enhance Threat Detection of Hybrid Attacks: Having knowledge of the connection between on-premises and cloud environments provides important context in threat detection, enhancing detection and response of hybrid attack incidents. 

Below is a screenshot from the Exposure Management user interface showing an on-premises to cloud attack scenario involving cloud credentials. The scenario begins with a vulnerable on-premises machine, which contains a browser cookie of an Azure user with the global administrator role. The cookie may be used to access a sensitive Azure storage account, which contains customer credit card details. This scenario and many more will soon be available in Microsoft Security Exposure Management. 
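The scenario above, rendered as an added graph-traversal example that is not the Exposure Management engine: credential findings such as those produced by the cookie and CLI analyses become edges in a small directed graph, and an attack path is any route from an exposed device to an asset tagged critical. Node names, edge labels and the exposed/critical flags are constructed for the example.

```python
"""Enumerate attack paths from exposed devices to critical cloud assets.

Added example, not the Exposure Management graph engine. It models the
post's scenario as a small directed graph: a vulnerable on-premises device
holds a browser cookie that authenticates as an Azure Global Administrator,
who can reach a storage account tagged critical. All names and flags are
constructed assumptions.
"""
from typing import Callable, Dict, List, Set, Tuple

Edge = Tuple[str, str, str]  # (source, relation, target)

# Constructed node attributes: which devices are exposed, which assets are critical.
NODES: Dict[str, dict] = {
    "device:ws-finance-07": {"type": "device", "exposed": True},
    "device:ws-hr-02": {"type": "device", "exposed": False},
    "cookie:azure-portal#1": {"type": "credential"},
    "cookie:azure-portal#2": {"type": "credential"},
    "user:alice@contoso.com": {"type": "identity"},
    "user:bob@contoso.com": {"type": "identity"},
    "role:Global Administrator": {"type": "role"},
    "role:Reader": {"type": "role"},
    "storage:stcustomerdata": {"type": "asset", "critical": True},
    "storage:stdevlogs": {"type": "asset", "critical": False},
}

# Constructed findings, one relation per edge.
EDGES: List[Edge] = [
    ("device:ws-finance-07", "contains", "cookie:azure-portal#1"),
    ("cookie:azure-portal#1", "authenticates as", "user:alice@contoso.com"),
    ("user:alice@contoso.com", "has role", "role:Global Administrator"),
    ("role:Global Administrator", "can access", "storage:stcustomerdata"),
    ("role:Global Administrator", "can access", "storage:stdevlogs"),
    ("device:ws-hr-02", "contains", "cookie:azure-portal#2"),
    ("cookie:azure-portal#2", "authenticates as", "user:bob@contoso.com"),
    ("user:bob@contoso.com", "has role", "role:Reader"),
    ("role:Reader", "can access", "storage:stdevlogs"),
]


def _adjacency(edges: List[Edge]) -> Dict[str, List[str]]:
    adj: Dict[str, List[str]] = {}
    for src, _rel, dst in edges:
        adj.setdefault(src, []).append(dst)
    return adj


def _paths_from(start: str, adj: Dict[str, List[str]],
                is_target: Callable[[str], bool]) -> List[List[str]]:
    """Simple-path DFS from start to every node satisfying is_target."""
    found, stack = [], [[start]]
    while stack:
        path = stack.pop()
        node = path[-1]
        if node != start and is_target(node):
            found.append(path)
            continue
        for nxt in adj.get(node, []):
            if nxt not in path:          # no cycles
                stack.append(path + [nxt])
    return found


def attack_paths(nodes: Dict[str, dict], edges: List[Edge]) -> List[List[str]]:
    """Paths from every exposed device to every critical asset, shortest first."""
    adj = _adjacency(edges)
    critical = lambda n: bool(nodes.get(n, {}).get("critical"))
    paths: List[List[str]] = []
    for name, attrs in nodes.items():
        if attrs.get("type") == "device" and attrs.get("exposed"):
            paths.extend(_paths_from(name, adj, critical))
    return sorted(paths, key=len)


def credential_reach(nodes: Dict[str, dict], edges: List[Edge]) -> Dict[str, Set[str]]:
    """For each credential node, the critical assets it can ultimately reach.

    Unlike attack_paths this ignores whether the holding device is exposed,
    which is the 'visibility' view: where would this credential lead if stolen?
    """
    adj = _adjacency(edges)
    critical = lambda n: bool(nodes.get(n, {}).get("critical"))
    return {name: {p[-1] for p in _paths_from(name, adj, critical)}
            for name, attrs in nodes.items() if attrs.get("type") == "credential"}


def describe(path: List[str], edges: List[Edge]) -> str:
    """Render a path with its relation labels for a report."""
    labels = {(s, d): r for s, r, d in edges}
    parts = [path[0]]
    for s, d in zip(path, path[1:]):
        parts.append(f" --{labels[(s, d)]}--> {d}")
    return "".join(parts)


if __name__ == "__main__":
    for p in attack_paths(NODES, EDGES):
        print(describe(p, EDGES))
    print(credential_reach(NODES, EDGES))
```

Only one path is produced on the constructed data: the exposed finance workstation, through the Global Administrator's cookie, to the storage account tagged critical. The HR workstation's cookie appears in the reach view with no critical assets behind it, which is the distinction that lets the first path be mitigated ahead of the second.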


Learn More
