This post is authored by Berk Veral, Senior Marketing Communication Manager, Enterprise Cybersecurity Group.
Perhaps one of the best-kept secrets within Microsoft cybersecurity services is the Global Incident Response and Recovery team. We affectionately call them the “GIRR” team for short. Not many people know about the team but, for those whom they have helped to combat cyber criminals, they are indispensable – a trusted partner when the worst cybercrimes happen.
The GIRR team is comprised of elite cybersecurity professionals who are experts in handling critical incidents and helping our customers during a crisis when a compromise or a breach is suspected. On an ongoing basis, the team works around the clock and around the globe, demonstrating grit, fortitude and steadfast dedication to Microsoft customers in need.
The team is expanding and now offers two new services for our customers: Persistent Adversary Detection Services – Cloud Enabled (PADS-CE) and Compromise Recovery (CR). These are two very different standalone services designed to help customers under specific circumstances.
Cloud-Based Persistent Adversary Detection Service
PADS-CE is a cybersecurity service for customers who want to understand their exposure to the risks posed by today’s targeted attacks from determined human adversaries and sophisticated criminal organizations. However, unlike a traditional PADS engagement where all resources would be deployed onsite at the customer’s location, PADS-CE leverages a secure Azure workspace for collaboration, allowing remote team members to participate in the engagement. PADS-CE provides the ability to leverage the unique skill sets of seasoned Incident Responders worldwide, culminating in a richer engagement experience and output for our customers.
PADS-CE is ideal for enterprise customers primarily running Windows endpoints who would like to validate that they have not been victim to a target attack. It is a proactive, discrete service that is, in effect, an incident response prior to an actual emergency.
Microsoft will provide information regarding the customer’s exposure to targeted attacks via PADS-CE at a lower price point by leveraging Azure and a team of remote resources. PADS-CE leverages telemetry from Microsoft’s vast, global sensor network, and is able to correlate PADS-CE findings against threat intelligence worldwide. The team leverages proprietary scanners (that do not remain on the network), to detect the presence of implants, backdoors, and similar unauthorized malc0de. Through forensic analysis and reverse engineering of any implants found, the team can assess customers’ current exposure to the threats posed by targeted attacks.
Microsoft Compromise Recovery (CR) service is a cybersecurity offering designed to restore a customer’s secure business operations after a compromise. The service runs in parallel with any ongoing incident response investigation or soon after its completion, whether performed by Microsoft or a 3rd party.
It consists of four principal components:
- Scoping of the compromise
- Installing critical hardening policies
- Deploying and tuning tactical monitoring solutions
- Coordinating an attacker eviction event
CR is ideal for enterprise customers primarily running Windows endpoints who have confirmed malicious activity in their environment. Most likely, they have already engaged Microsoft or a 3rd party to complete an incident response investigation.
CR will help customers get their business operations back up and running by remediating their exposure to risks after an incident response investigation. CR will remove identified malicious activity from their network, harden against further compromise and monitor for indicators of compromise based on the current attack.
In addition to restoring a customer’s secure business operations and providing information regarding the customer’s remaining risk exposure, CR will offer suggestions for strategic initiatives to improve security posture. Microsoft leverages best in class monitoring solutions – Advanced Threat Analytics (ATA) and Operations Management Suite (OMS) – to monitor systems after a compromise. Compromise Recovery is based on years of industry expertise and best practices with incident response, based on the Microsoft GIRR team successfully leading countless recoveries around the globe.
Trusted Security Partner Every Step of the Way
These two offerings bring Microsoft customers expanded capabilities in cybersecurity, and provide the Microsoft Global Incident Response and Recovery team another tool to ensure Microsoft can be counted on by every enterprise CISO as their trusted security partner when it comes to detecting and responding to incidents, as well as getting business operations back up and running in the wake of an incident.
Please visit Sharing Microsoft learnings from major cybersecurity incidents to learn more about the Microsoft Global Incident Response and Recovery team and how they can help your organization.