Category: XP

Featured Microsoft Build Book of News, 2023 > The Book of News is your guide to key news and announcements at the conference. Use the interactive Table of Contents to browse the topics. Click the Translate button below the Table of Contents to enable translations.

What’s New Next generation AI for developers with the Microsoft Cloud > Scott Guthrie and Tomas Domke discuss the GitHub Copilot and Visual Studio (including Visual Studio Code) developer experience.   Developer career tools: Saying NO to improve mental health, Q&A > Debbie O’Brien, Scott Hanselman and Justin Yoo talk about finding the right life-work balance, challenging yourself and finding motivation as a developer.   Techniques to get the most out of GitHub Copilot > A look at how Copilot works, some best practices and what AI can realistically do for developers in the real world.

Events See local events > Key moments from Microsoft Build 2023 > Check out sessions you may have missed. Now available on demand.   Get started: Generative AI with Azure OpenAI Service > Watch practical code demos and preview plugins for Microsoft Azure services.   Microsoft Build 2023 Community-led Parties > Join an After Party hosted by your local Community, covering your favorite topics in your time zone and language today through July 7.   Data + AI Summit 2023 by Databricks / June 26-29 > Join this event in person or online for technical deep dives, hands-on training, lightning talks and more.   Microsoft Ignite / November 15-16 > Attend Microsoft Ignite to catch up on the latest industry innovations. Sign up to be one of the first to know when registration launches.

Learning Cloud Skills Challenge: Azure AI Fundamentals > Get a solid foundation in machine learning and AI concepts including computer vision, natural language processing, and conversational AI.   Microsoft Learning Room Directory > Join Learning Rooms, a space designed for in-depth conversations with experts and peers, for skilling and training hosted on Microsoft Teams.   Build and scale cloud-native, intelligent apps on Azure > Learn how to run cloud-native serverless and container applications in Azure using Azure Kubernetes Service and Azure Container Apps.

This month’s episode of Uncovering Hidden Risks discusses strategies and best practices to mitigate security and compliance risks by using in-place eDiscovery to support investigations and litigation.  As data volumes continue to balloon, it’s becoming clear that the quickest path to victory does not involve the fewest steps. Let’s explore ways to defensibly move data minimization decisions upstream, to collaboratively expedite the eDiscovery process and reduce risk within the safety of your own tenant.

Joining our host Erica Toelle is our guest, EJ Bastien. EJ is Microsoft’s Director of Discovery Programs, leading the eDiscovery and Litigation Support function for its Litigation Department where he manages a multidisciplinary team of Program Managers, Engineers, Paralegals, and Records Managers.  During his 18-year tenure, he has been an integral part of the small team responsible for re-envisioning Microsoft’s internal approach to eDiscovery from the ground up, architecting the processes for the identification, preservation, and collection of ESI (Electronically Stored Information), and shepherding it through the stages of processing, analytics, and review. 

Caitlin Fitzgerald joins us as our guest host. Caitlin is a Sr. Product Marketing Manager focused on eDiscovery and Audit solutions for Microsoft Purview. She’s been at Microsoft for 10 years. She enjoys helping every organization, small or large, regulated, or unregulated encounter scenarios in which they need to find that needle in the haystack, or evidence to determine what happened in a security breach, or support an internal investigation, including what steps they need to take to reduce that risk in the future.

Together, we’ll explore how eDiscovery can help you reduce data and risks.

In this episode, we’ll cover the following:   

• What trends are affecting the eDiscovery space? 
• What advice would we give to other organizations that are looking to get a handle on the growing amount of data?
• How is Microsoft approaching some of the new technology innovations? 
• How can you implement an effective eDiscovery strategy?
• What benefits has Microsoft seen by using Purview eDiscovery Premium internally?
• What is exciting about the future of eDiscovery?   

Listen to this episode on your favorite podcast platform: 

• Main show page 
• Apple Podcasts 
• Spotify 
• Google Podcasts 
• Amazon 
• RSS Feed 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development (SSDF) practices, highlighted by the NIST IR 8259 series—such as the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented their “secure software development and supply chain practices used.” The NIST SSDF (NIST SP 800-218) describes software development practices that can aid manufacturers in developing IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide assurance to customers regarding how those products were developed and how the manufacturer will support them. When used together, NIST’s SSDF and IoT cybersecurity guidance help manufacturers design and deliver more secure IoT products to customers.Read the Blog

Many different types of mobile apps—including those related to productivity, education, lifestyle, social media, entertainment, and gaming—exist to provide users with ease of use, convenience, and functionality. These apps collect a vast amount of data for marketing purposes and data sharing with third parties. For example, location data, IP addresses, saved home or work addresses, and saved activity on websites and services can be collected on your device. Many apps allow advertising firms to track a user’s location, sell that information to others, and target advertisements based on a user’s location history. Users may have the option to adjust their security and privacy settings to reduce what and how information is collected and shared. However, these permissions may make it more difficult to determine what an app is doing with the accessibility of users’ data and location. The data may not be private or anonymized as expected and, therefore, may be vulnerable to malicious actors.     Image Source: anupamdas.org   The popular fitness app Strava tracks a user’s heart rate, activity details, GPS location, and more. Strava’s heatmap feature anonymously aggregates user activity to assist users with finding trails or exercise hotspots, meeting like-minded people, and conducting their workout sessions in more crowded and safer locations. However, in the above example, researchers discovered potential privacy concerns with Strava’s heatmap feature that could identify a user’s home address by tracking and de-anonymizing users utilizing the heatmap data and specific user metadata. They collected data through the Strava heatmap and used OpenStreetMap overlays and image analysis to detect start/stop routes next to streets, signifying that a specific home is associated with a user’s tracked activity. They also used Strava’s search feature to identify users who registered a specific city as their location, correlating high activity points on the heatmap and the user’s home address. The researchers noted that Strava users typically registered with real names and profile pictures, correlating identities with home addresses and voter registration data, if available online. Also, Strava accounts marked as “private” still display when searching for a list of all users in a specified municipality. Strava’s mitigations include starting the tracking after the user has left their home or creating an exclusion for the heatmap feature for a distance around home locations, which would provide an option for users to set privacy zones around their home locations, and/or opt out of the heatmap feature.     Image Source: arxiv.org   The Short Message Service Center (SMSC) of a mobile network handles SMS delivery reports and provides notifications when a message has been delivered, accepted, failed, is undeliverable, has expired, or has been rejected. Despite delays in this process, mobile networks’ fixed nature and specific physical characteristics can be predictable when standard signal pathways are followed. In the above example, researchers developed a machine learning algorithm to analyze timing data in the SMS responses to identify and extract the recipient’s location. First, measurement data was collected to correlate SMS delivery reports and the targets’ known locations. For every hour for three days, multiple SMS messages were sent to the target in the experiment as marketing messages to ignore or disregard, or as silent SMS messages displaying no content and producing no notification on the target’s screen. The timing of the SMS delivery reports was then measured and aggregated with matching location signatures to create a machine learning (ML) evaluation dataset. The ML model and training data included receiving location, connectivity conditions, network type, receiver distances, and more.    Despite some limitations and extensive efforts, detecting information—such as a physical address, job location, phone number, email address, or other personal information—is still feasible, and users can easily become a target for cyberattacks, harassment, identity theft, and violence. Additionally, threat actors may engage in doxing, which is a tactic that involves the malicious targeting, compiling, and public release of personally identifiable information (PII) without permission. This information is posted on hosting websites and further disseminated on social media platforms. Doxing can also refer to revealing the real person behind an anonymous username and exposing their identity online.    It is important to know how to stay secure and limit privacy concerns while using apps. Even if a user is careful with what information is voluntarily shared and what settings are adjusted, the app may be able to track activity without the user’s knowledge, and their data could still be at risk through other covert means. Beyond personal risk for individuals, businesses and organizations are advised to weigh the risks that apps introduce and consider restricting their usage in sensitive environments. It is vital to stay informed on the abilities, accesses, and permissions of apps, what data they collect, and what they do with that data.

The NJCCIC received an uptick in reports of cyberattacks targeting law firms and small businesses. Threat actors may claim to be a construction company, supplier, or other specialty contractor seeking legal services. In one example, the threat actor included several red flags and conflicting information, such as an incorrect mailing address, email information, and website. At first glance, however, these red flags are inconspicuous and may go unnoticed. Further analysis revealed additional red flags, such as a .org top-level domain (TLD) typically used for nonprofit organizations, and the newly established website included multiple redirects and missing characters – a tactic often used by threat actors to impersonate a legitimate website. This website was able to bypass basic antivirus software, likely due to its recent creation.

Small businesses such as law firms are increasingly targeted by threat actors with the intent to gain access to the vast amounts of sensitive information they manage. A successful cyberattack may allow threat actors to gain access to internal networks and databases in attempts to commit further nefarious activity, such as ransomware , attacks, fraud, and theft. As a reminder, common red flags include misspelled email domains and websites, missing characters, and newly created website URLs. Users can quickly check website validity using trusted open-source tools such as VirusTotal, URLScan.io, MXToolBox, IPQualityScore, and the Any.Run sandbox; though, scans are publicly available and, therefore, users should avoid uploading internal files unless the user has a private account.

The National Artificial Intelligence Advisory Committee (NAIAC) has delivered its first report to the president, established a Law Enforcement Subcommittee to address the use of AI technologies in the criminal justice system, and completed plans to realign its working groups to allow it to explore the impacts of AI on workforce, equity, society and more.

The report recommends steps the U.S. government can take to maximize the benefits of AI technology, while reducing its harms. This includes new steps to bolster U.S. leadership in trustworthy AI, new R&D initiatives, increased international cooperation, and efforts to support the U.S. workforce in the era of AI. The report also identifies areas of focus for NAIAC for the next two years, including in rapidly developing areas of AI, such as generative AI.Read More

Today, U.S. Secretary of Commerce Gina Raimondo announced that the National Institute of Standards and Technology (NIST) is launching a new public working group on artificial intelligence (AI) that will build on the success of the NIST AI Risk Management Framework to address this rapidly advancing technology. The Public Working Group on Generative AI will help address the opportunities and challenges associated with AI that can generate content, such as code, text, images, videos and music. The public working group will also help NIST develop key guidance to help organizations address the special risks associated with generative AI technologies. The announcement comes on the heels of a meeting President Biden convened earlier this week with leading AI experts and researchers in San Francisco, as part of the Biden-Harris administration’s commitment to seizing the opportunities and managing the risks posed by AI.Read More

Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity—including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals. You will have the opportunity to: Learn the fundamentals of security, compliance, and identity. Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities. Gain the skills and knowledge to jumpstart your preparation for the certification exam. Join us at an upcoming two-part event: Monday, July 24, 2023 | 2:00 PM – 4:45 PM | (GMT-05:00) Eastern Time (US & Canada) Tuesday, July 25, 2023 | 2:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada) Delivery Language: English Closed Captioning Language(s): English

REGISTER TODAY >

Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.

Webinar date: Tuesday, June 27, 2023 9:00 AM Pacific Time / 12:00 PM Eastern Time Concerned about safeguarding your organization’s data? The changing demands of employees and customers have created the need for cloud transformation, which requires a modern security architecture. Businesses that meet and exceed the baseline security requirements for employees and customers can optimize the digital experience for all users while protecting data. Learn how you can securely access critical business data and software services without compromising speed or reliability. Join this upcoming webinar with Zscaler and Microsoft experts to discover how your organization can embrace zero trust security. During this interactive Q&A session, you will have the opportunity to: Gain insights on how zero trust can strengthen your organization’s security Optimize access to organizational workloads, data, and assets Attract and retain the next generation of employees

Improving your competitive edge with Zero Trust Framework

Register now >

Modernize your ability to detect, respond, and recover from threats

Take the self-assessment

In today’s evolving threat landscape, security teams must continually modernize their security operations to stay prepared and keep up with adversaries. We’ve developed two resources to help you succeed. Answer the questions in the modern security operations self-assessment questionnaire to evaluate the maturity stage of your security operations. Based on your answers you’ll get recommendations to help you modernize your approach to: Triage InvestigationThreat hunting Incident management Automation Download the modern security operations guide to see best practices and lessons learned from the Microsoft Cyber Defense Operations Center. We’ve created this guide to help you develop strategies to:  Modernize your technology stack to ensure you have protection and visibility across all attack vectors Improve the processes of your security operations team and help them separate true threats from false positives Reduce your vulnerabilities and increase speed and efficiency for security teams defending against attacks.