Keeping the bad guys out of Azure
9 May 2016
Microsoft has published its latest Security Intelligence Report (SIR), which it does twice a year, covering security issues for the prior six months. This latest edition covers the second half of 2015, analysing the threat landscape of exploits, vulnerabilities and malware using data from Internet services and over 600 million computers worldwide.
It is a massive effort, with dozens of Microsoft staff from different groups contributing. For the first time, the report covers not only PC malware but also threats to Microsoft’s Azure cloud service, which the company says “reveals how we are leveraging an intelligent security graph to inform how we protect endpoints, better detect attacks and accelerate our response, to help protect our customers.”
Every day, Microsoft’s machine learning systems process more than 10 terabytes of data, including information on over 13 billion logins from hundreds of millions of Microsoft Account users and Azure Active Directory accounts, according to the company.
“We’ve included new data in this report that provides insight into how the Microsoft cloud uses this massive data and machine learning to literally detect and prevent over a million attacks every day,” the report said.
A large chunk of the 198-page report, some 35 pages, is dedicated to a Southeast Asian hacker group Microsoft has dubbed “PLATINUM.” Microsoft said the group has been around since 2009, has engaged in targeted attacks around Southeast Asia and is very good at covering its tracks. Its primary targets have been governments and related organisations in South Asia and Southeast Asia, which it has attacked using zero-day exploits and spearphishing.
As for the cloud, Microsoft provided some impressive stats:
- 95% of all organisations and 90% of the world’s 2,000 largest organisations use Active Directory on premises.
- There were 8.24 million tenants in Azure Active Directory, comprising more than 550 million users.
- Most of these tenants were small businesses with fewer than 500 user accounts and were not synchronising from an on-premises instantiation of Active Directory.
- A minority of these 8.24 million tenants had more than 500 user accounts, but because they are comparatively large, they accounted for 91% of all the identities in Azure Active Directory.
- At the time these statistics were collected, Azure Active Directory was averaging more than 1.3 billion authentications per day.
The company uses machine learning systems to help prevent cyberattacks or to mitigate potential damage should they succeed. Each day, Microsoft’s account protection systems automatically detect and prevent more than 10 million attacks from tens of thousands of locations, even when the attacker has valid credentials.
One thing Microsoft detailed was where the attacks come from:
- 49% in Asia
- 20% in South America
- 14% in Europe
- 13% in North America
- 4% in Africa
Other data from the report includes:
- The worldwide encounter rate increased to 20.8% at the end of 2015. The encounter rate in the US was about 40% lower than the worldwide encounter rate in 2015, or approximately eight percentage points.
- The locations with the highest encounter rates were Pakistan, Indonesia, the Palestinian territories, Bangladesh and Nepal, which all had encounter rates above 50%.
- Exploit kits accounted for four of the 10 most commonly encountered exploits during the second half of 2015.
- Although ransomware had relatively low encounter rates, just 0.3% worldwide, its use in exploit kits is increasing.
- Sites that targeted financial institutions accounted for the largest number of active phishing attacks.
IDG News Service