Microsoft Ignite: Accepting User Behavior As Part of Doing Business

A Q&A with Windows Devices group program manager Dave Bossio shows a pragmatic approach for security: Accept that users are going to do what they do, and work hard to offset the risk by anticipating and containing it. Here, we talk about what Microsoft's doing to reduce risk in a workplace where so much productivity takes place across multiple types of devices.
 

Q. What is the top security priority for your group?

A.  As for Microsoft overall: protect, defend, respond. My team focuses on the protection aspect. Browsers are the primary vector for attacks in the enterprise systems. We're running the browser session in a virtualized container, so if that session gets contaminated, then that session can’t cross the boundary and contaminate the system.

Q. Let's talk about some of the tools you’re using to configure Windows Defender.

A. We've got policy controls around the ability to move data — so the enterprise can decide, "Do I want my user to be able to copy and paste, do i want my user to be able to print, to move to PDF?" and so on. We do notify the user at the soonest point in the process for this.

The only time a user gets put in the container is if Windows Defense Application Guard decides the site is a threat.

Q. Do admins have the ability to block sites in the first place?

A. Yes, but what we find is that attacks are so targeted these days, these attack-launching sites don’t get into a reputation system as quickly as we’d like.

Q. So how do you determine these sites?

A. We have machine learning that takes information from a variety of sources and give the URLs a reputation score. Based on that, we’ll identify it as a potentially malicious site and ask the user if they want to continue.

Q. Do admins also get to decide which sites are okay to open on a container level?

A. The IT administration decides basically through a network which sites open and don’t open at the container level. Anything that’s not on a trusted site list does open in a container. The site list generally comes through a third party, a service that assesses websites for threat levels.

Q. Is there a way to track the behavior of users and see how often they’re opening sites in a container - -you know, if they're predisposed to surf to risky sites?

A. All that information will be available in backend tools to admins.

Q. Can you use that data to help a user to learn better security practices?

A. For the most part, what we find is we train users, the users — even after training — have challenges exhibiting the right behavior, so we understand it’s not something you can train your way out of. 

Q. It seems to be a race between human behavior and tools to offset it.

A. These attacks are so targeted now. They look at social media, they pull information that’s relevant to your personal life or day job, and once you click on the link, the attacker determines whether you’re a source of information or if you're worth attacking, and then they release the zero-day on your device. Where we see the most aggressive attacks is the ones that are the most targeted.

Not every person is an IT professional. They don’t understand the consequences of their behavior and the truth is, they shouldn’t have to.

As much as you want to lock down a device, it still has to be productive for someone to use it. The user will find a way to work around whatever restrictions you put in front of them, so we’re just trying to make it part of a normal course of business — a combination of platform protections, threat analytics and then responding to those threats as quickly as possible.