Transform your security operations with Microsoft Security Experts | Human-led services

Microsoft Security Experts is a new service category that combines expert-trained technology and product innovation with human-led services. In this show, Kelly Bissel, CVP of Microsoft Security Services, joins Jeremy Chapman to demonstrate how the Microsoft Security Services organization can now manage your security operations for you and with you, and the difference this can make in the timely mitigation of a real ransomware attack.


00:00 — How Microsoft Security Services can help

01:01 — What types of services are available?

05:07 — How is a real ransomware attack managed?

10:55 — Wrap-up

Link References:

To learn more, check out

Unfamiliar with Microsoft Mechanics?

We are Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Keep getting this insider knowledge, join us on social:

Video Transcript:

- Up next, with cybersecurity challenges at an all time high and cybersecurity skills in short supply, we’re going to look at Microsoft’s role in helping some of the largest organizations on the planet modernize their security operations and respond to attacks with human-led specialist services, including how the Microsoft security services organization can now manage your security operations for you and with you. And the difference this can make in the timely mitigation of a real ransomware attack. And to explore things further, I’m joined today by CVP Kelly Bissell, who leads our security services organization at Microsoft. Welcome to Mechanics.

- Thanks, Jeremy. Great to be on the show.

- It’s really great to have you on. Many organizations today seem to be in this constant state of hyper vigilance in anticipation of the next cyber security attack. So while Microsoft is really no different to other organizations in this respect, because we invest in the highest levels of detection response for our own cloud services, we’ve also become one of the largest cybersecurity organizations in the world.

- Yes, we have. And our goal here at Microsoft is to secure the world, every industry and every person.

- I know that’s not said lightly, because beyond what you see in the headlines, Microsoft constantly plays an active role behind the scenes in combating cyber crimes and cyber attacks.

- Yes, we do. And cyber threats are a fact of life now for all of us. So cybersecurity has to be a top priority, from the C-suite to your end users. And for our part, as a company, we invest billions of dollars every year in our security skillset and our technology stack. Our cybersecurity teams, for example, produce some of the best security research in the industry. We work hand-in-hand with government agencies and our partners in the industry overall.

- And I know we have more than 8,500 security professionals globally, and that number just continues to grow.

- Yes, we do. And that’s on top of the strategic relationships that we have. And on the technology side, what we learn in addressing these attacks also complements the more than 24 trillion security signals that we collect across the cloud services every day. These signals provide the real-time context into trending attacks, and are consumed by our XDR and SIM solutions. They use these signals to find security incidents across domains and automatically contain them.

- And this really highlights a multifaceted approach to addressing today’s threat landscape, which is interesting because there’s a lot of focus right now on the automation side of things, including for Microsoft. And that’s a good thing, but attackers are constantly getting better. They’re innovating. They’re also trying to avoid detections and all the preventative controls that we put in place. So you really do need that human expertise to craft your counter attack and your defense, and also restore compromised services.

- You absolutely do. It takes a level of expertise to understand the scenario, and if an automated response has gone far enough to contain or mitigate a threat. Last year alone, the industry saw 66 zero-days, more than any other year on record. So attacks are getting more targeted and more sophisticated. And at the same time, we know from our LinkedIn research that a third of all security jobs in the US, for example, are vacant, leaving organizations even more exposed.

- Okay, so then from a security practice perspective, how can your team help?

- As you adopt more cloud and more digital capabilities, we help in three main ways. First, our modernization experts provide an extensive set of consulting services that meet you where you are on your journey. And that’s so you can implement appropriate defenses. And this can include building you a long-term comprehensive roadmap that helps you build a layered zero trust approach to building your defenses across identity, endpoints, apps, networking, infrastructure, and ultimately, your data. Next, sometimes you just need a little help resolving a specific security incident. And this is where our incident response team will help you with a detailed investigation of the event. Now, if they discover a bad actor in your environment, we’ll bring in our recovery experts to quickly remove them and get you back to safe operations. Now, then post-breach we’ll help you deploy solutions to prevent similar attacks in the future. The same team can also work with you to test your defenses before a problem arises. So we can help you prevent attack, recover from attack, and transform as the threats change.

- Right. And to be clear here, these are all project-based, point-in-time engagements exactly when you need them.

- They are, but sometimes you may want to work with us on a more ongoing basis. So for our largest customers, the third way we help is with our new managed service called, Microsoft Security Services for Enterprise. This is where we work with you to manage your security operations. What we’ve seen here is the need for more automated threat-hunting, detection-response services, that we tailor specifically to your business. Importantly, we’ll assign a dedicated security expert or bring in other experts, including partners, for the continuous improvement of your security posture, so you can evolve as the threats evolve.

- Right, and I know that in addition to kind of our Microsoft tools and solutions that we have, like Defender, our experts are going to use other custom tools during the attack. So can we make this real for everyone who’s watching, and really see what Microsoft experts can do to help out here?

- Yeah, we can really make a big difference here. We’ve worked through hundreds of high-profile data breaches over the past couple of years alone. So I’ll describe a few of the common elements across them, and give you an idea of the type of work that we do to mitigate an attack. What often happens is the organization learns about an attack from a user, an alert, or even a third party. Now, of course, at this point, if it’s ransomware, many of the digital lines and communications might be closed, sometimes bringing the whole business to a halt, which in many cases will mean your customers can’t buy, your plants can’t produce or even ship product. It’s not a position you want to be in.

- Okay, so why don’t we focus in then on the ransomware type of attack? So what methods are you seeing getting used in the wild with these types of attacks?

- Well, it always depends. But let me describe two common tools that attackers use. One of them is called Cobalt Strike. This is actually a penetration testing framework, but in the wrong hands, it could be used as a toolkit to carry out these types of attacks. It helps them establish command and control, or C2 nodes, to perform reconnaissance against the resources on the network to exfil your data. And from there, they can use ransomware like Conti, which can encrypt databases, apps, files, and even backups to take down your critical IT infrastructure.

- And we all know the story here. So they’re actually using that ransomware to hold the encryption keys in return for the ransom they’re demanding. So what steps then do you take typically to resolve an attack like this?

- In all these cases, timing is critical, and we will work with you to quickly mobilize resources for remote or onsite support. Our incident response team will start with a full investigation of any compromised user accounts or rogue processes. And in parallel, they’ll work with our recovery experts to do what they can to remove the adversary from the environment and restore services. Now starting at the top, we’ll use hunting scripts that we’ve developed in cases like this that allows us to investigate terabytes of log data really quickly. This one is looking at encoded PowerShell script execution, which is common in these kinds of attacks because it can help hide the tracks of the commands that they’re executing. Now, once we decipher those commands, we can assess what the attacker was doing, so we know what to contain. For example, these can be processes that were run from the compromised nodes that we want to investigate further and block. And to get more forensics information after we’ve identified these rogue processes, we can put together a timeline of the attack. We also have a suite of custom forensics tools that are unique to us to collect data from things like Windows event logs and registry info across targeted systems at scale. So we can investigate individual systems and gauge the spread of the attack. From there, we analyze the data further using our analytics tools and Azure to find out these critical insights.

- Okay, so what are some of the clues, then, that you’re looking for in these event logs, and also the registry that you’re collecting?

- All right, we’re looking to identify rogue processes and anomalies that are executing out of place. For example, you can see here, there’s a massive payload of batch scripts placed in the public user account, which is likely an indicator of malicious intent, because the location’s rarely used to store scripts. And using the same heuristics, we can identify the reconnaissance tools used, like you see here with ADFind. It’s important because once we get visibility into the malware, we can deploy our own tools to contain the activity and prevent it from spreading to other systems, clean up what’s impacted, and help rebuild what we need to.

- And really, this level of timely containment is what can make a huge difference, because you might start out with just a handful of encrypted machines, but that can easily go to thousands. And really, this attack, I think like many attacks, is probably due to a compromise set of credentials. So then let’s move on to the directory service. What are the things that we can do there to help?

- Ah, so compromised credentials are very common in cases like this, and we built the expertise and tooling to help there as well. So you need to recover the directory and reset these compromised accounts at scale. We have the ACL X-Ray tool. This is a custom tool that scans Active Directory to look for privileged accounts. And it maps these privileges across the relationships for admin roles. Sometimes these accounts can be used for adversaries to regain the privileges, even if you reset other compromised accounts. And in cases like this, where several privileged accounts have been compromised, we develop sophisticated account disposition scripts to reset them at scale. This saves tons of time, and allows us to create a clean slate of privileges. It’s one of the things I love about what our recovery teams do.

- Okay, so to recap, you’ve discovered all the bad actors, you evicted them, but there are still some systems that are encrypted. So what do you do about those?

- Ah, so it goes without saying that the goal with any encrypted servers, storage, apps, or data is to restore them from a verified backup, because the adversaries will go after the backup files, even the processes that perform the backups. And in fact, one tip here would be to use multi-user auth. This solution requires multiple admins to approve the policy changes, which means an attacker can’t modify or disable the backup policies without consent. Of course, once we’ve verified the backups are healthy, we’ll restore those when possible. And along those lines, we’ll work with you to restore client and server infrastructure, using your automated templates to rebuild the apps and services. Now, even if we rebuild them manually, we usually can do that pretty fast.

- And it’s worth noting here that by the time you’ve gone through all of this, this point in time, your security teams will have a ton of insight on specific vulnerabilities in that environment to make further improvements.

- Right, and this is really where we make a difference for you. Now, once we got everything restored and running, we won’t stop there. We’ll work with you and your service providers to put in place a longer-term security improvement plan. This can include expert configuration and deployment of Microsoft Defender and Sentinel services to improve your protection/detection response, and we’ll use these tools all the time. And you can too. And again, if you want to partner with us, this is all part of our new Microsoft Security Services for Enterprise that we just announced today.

- Great, and that really wraps up a comprehensive and proactive approach to cybersecurity that we have across our human specialists, proven processes, and also security automation. So what’s the best way then to get engaged with your team of Microsoft security experts?

- Ah, look, you could learn more at And your Microsoft account manager can help you get the ball rolling. We’re here for you.

- Thanks so much for joining us, Kelly, on this very important topic. And of course, keep watching Microsoft Mechanics for the latest tech updates. And if you haven’t already, be sure to subscribe to our channel, and we’ll see you soon.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store