What is this Microsoft Intelligent Security Graph everybody is talking about?

Maarten Goet
8 min read · Jan 7, 2019


Ever since Microsoft announced the Intelligent Security Graph earlier this year, first as a preview at the //Build/ conference and later as generally available at #MSIgnite, there has been a lot of talk about it.

Microsoft describes it as a way to “build solutions that correlate alerts, get context for investigation, and automate security operations in a unified manner.”

But what is the Intelligent Security Graph exactly? And how do I use it for my own security operations? And didn’t Microsoft already have a Graph, for Office? Does it work with my other security solutions?

What is a Graph?

The dictionary defines a graph as: “a diagram representing a system of connections or interrelations among two or more things by a number of distinctive dots, lines, bars, etc.” In the context of security, John Lambert describes it in more detail as:

The graph in your network is the set of security dependencies that create equivalence classes among your assets.

“The design of your network, the management of your network, the software and services used on your network, and the behavior of users on your network all influence this graph. Take a domain controller for example. Bob admins the DC from a workstation. If that workstation is not protected as much as the domain controller, the DC can be compromised.

Any other account that is an admin on Bob’s workstation can compromise Bob and the DC. Every one of those admins logs on to one or more other machines in the natural course of business. If attackers compromise any of them, they have a path to compromise the DC.”

A great example of a graph that unveils the ‘shortest path to Domain Admins’ in Active Directory is project BloodHound, a free open-source project created by the specialists of SpecterOps.

Project Oslo

Almost a decade ago Microsoft started working on what was codenamed Project “Oslo”. The core focus was to deliver a social and collaborative working application for the Office products that would transform the way people work. To power “Oslo”, Microsoft was developing APIs for Office that would expose the required data programmatically. In early 2014, at its SharePoint conference, Microsoft announced “Oslo” as Office Delve, and the APIs as Office Graph.

The Office Graph has been used extensively by Office 365 and other Microsoft properties, and has also built a large developer community. Many companies nowadays use the APIs as the primary integration point for their app development.

Why does this matter to me?

John Lambert clearly describes the need for a graph-based defender mindset:

“A lot of network defense goes wrong before any contact with an adversary, starting with how defenders conceive of the battlefield. Most defenders focus on protecting their assets, prioritizing them, and sorting them by workload and business function. Defenders are awash in lists of assets — in system management services, in asset inventory databases, in BCDR spreadsheets.

There’s one problem with all of this. Defenders don’t have a list of assets — they have a graph. Assets are connected to each other by security relationships. Attackers breach a network by landing somewhere in the graph using a technique such as spear phishing and they hack, finding vulnerable systems by navigating the graph.”

In September of 2018 Microsoft organized its annual premium security conference called Bluehat. There was a full track of Graph talks and workshops. The slides can be found here: https://github.com/JohnLaTwC/Bluehat2018GraphWorkshop

“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”

Security Graph API

Early 2018, during Microsoft’s developer conference //Build/, program manager Sarah Fender announced a preview of what Microsoft would be calling the Intelligent Security Graph.

This is how Microsoft describes the Intelligent Security Graph: “the Graph Security API can be defined as an intermediary service (or broker) that provides a single programmatic interface to connect multiple security providers. Requests to the graph are federated to all applicable providers. The results are aggregated and returned to the requesting application in a common schema.”

This new security-focused API will live alongside the Office Graph.

Brad Anderson, corporate vice president at Microsoft, responsible for their enterprise mobility offerings, recorded a brief video about the Intelligent Security Graph, giving you an overview of the what and the why.

Later, during Microsoft’s IT Pro focused conference Ignite, the team announced that the Intelligent Security Graph was generally available, and that you could easily access alerts from the following security solutions:

  • Azure Active Directory Identity Protection
  • Azure Information Protection
  • Azure Security Center
  • Microsoft Cloud App Security
  • Microsoft Intune
  • Windows Defender ATP

The API now also allows you to update alerts: they can be tagged with additional context or threat intelligence to inform response and remediation, comments and feedback can be captured for visibility to other workflows, and alert status and assignments can be kept in sync.

Integration with Office 365 ATP and Azure ATP is coming soon.

In the June 2018 update of the Microsoft Cybersecurity Reference Architecture, the Intelligent Security Graph was also included.

Windows 10 & Security Graph work in tandem

With the Windows 10 1709 release, Microsoft introduced a new feature to the newly renamed Windows Defender Application Control (WDAC): the ability to allow any application to run that has obtained a positive reputation in Microsoft’s Intelligent Security Graph (MISG) cloud service. WDAC now comprises most, but not all, of the functionality that fell under the label “Device Guard” before 1709.

WDAC integrated with MISG has the potential to make adopting application whitelisting much less painful for organizations and individuals: commonly used Windows programs from reputable publishers can run without a specific per-application or per-publisher rule having to be set out for them in the whitelisting policy.

Here are the steps to configure the WDAC + MISG integration:

1. Download the SIPolicy.p7b file for the policy you want to test and copy it into your C:\Windows\System32\CodeIntegrity directory.
2. Open an elevated command or PowerShell prompt and run the following commands:

sc.exe start appidsvc
sc.exe config appidsvc start= auto
appidtel.exe start

3. Reboot.
4. If you’re in audit mode, use your device normally and, at some point, begin to look for issues with legitimate software getting flagged as “unauthorized” in your CodeIntegrity log, as well as .msi files and scripts flagged in the AppLocker log.
5. Determine how suitable WDAC + MISG is for your needs by testing the applications and drivers you need to have in your environment.
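As an added example (not code from the original post), this PowerShell script covers step 4: it checks that the service from step 2 took effect and then lists what the audit-mode policy would have blocked, so you can decide which legitimate software needs an explicit rule before enforcing. The event IDs (CodeIntegrity 3076/3077, AppLocker 8003/8004/8006/8007) and the XML field names it reads are assumptions from the standard Windows logs, not from the post.

```powershell
# Added example: review WDAC + MISG audit-mode results from the CodeIntegrity and AppLocker logs.
# Assumed event IDs: CodeIntegrity 3076 (audit, would block) / 3077 (blocked);
# AppLocker 8003/8004 (EXE and DLL) and 8006/8007 (MSI and Script). Run from an elevated prompt.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

# Step 2 relies on the Application Identity service; confirm it actually took effect.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
    Write-Warning "AppIDSvc is $($svc.Status)/$($svc.StartType); MISG reputation lookups will not work."
}

# Read one named field from an event's XML payload (field names used below are assumed).
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# CodeIntegrity log: executables and DLLs that neither the policy nor MISG reputation allowed.
$ci = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since
    } | ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated
            Mode = $(if ($_.Id -eq 3076) { 'audit' } else { 'blocked' })
            File = Get-EventField $_ 'FileNameBuffer'
            By   = Get-EventField $_ 'ProcessNameBuffer'
        }
    }

# AppLocker logs: .msi files and scripts are reported here, not in the CodeIntegrity log.
$al = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
        Id = 8003, 8004, 8006, 8007; StartTime = $since
    } | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time = $_.TimeCreated
            Mode = $(if ($_.Id -in 8003, 8006) { 'audit' } else { 'blocked' })
            File = $d.FilePath
            By   = $d.TargetUser
        }
    }

# Rank by file: the noisiest legitimate software is the first candidate for a publisher or path rule.
@($ci) + @($al) | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Modes'; e = { ($_.Group.Mode | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```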

There is a guide on GitHub that you can use to get further instructions, background on the process and some key pointers for troubleshooting.

Tanmay Ganachary, General Manager at Microsoft for Windows Defender Security Research, also points to an article on the Microsoft Docs website which has further information on the integration.

PowerShell

Because the Security Graph API allows for making HTTPS REST API requests, it’s easy to work with the API with PowerShell. Microsoft published a sample at this GitHub repository.

To enable Azure PowerShell to query Azure Resource Graph, the module must be added. This module can be used with locally installed Windows PowerShell and PowerShell Core, or with the Azure PowerShell Docker image.

First step, install the module and authenticate:

# Install the Intelligent Security Graph module from PowerShell Gallery
Install-Module -Name Az.Security

# Connect to your Azure subscription
Connect-AzAccount

Next step, query the API:

# Get all the high severity alerts
# Query: https://graph.microsoft.com/v1.0/security/alerts?$filter=Severity eq 'High'
Get-AzSecurityAlert | Where-Object { $_.ReportedSeverity -eq 'High' }

You can also work with the Graph API directly by using the graph.microsoft.com endpoint. Note, there is a Beta endpoint that surfaces even more information about your environment:

# Get the most recent SecureScore
# Query: https://graph.microsoft.com/beta/security/securescores?$top=1
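The two queries above run against the graph.microsoft.com endpoint directly, as an added example that is not code from the original post. It assumes an Azure AD app registration that has been granted the SecurityEvents.Read.All application permission with admin consent; the tenant id, client id and secret are placeholders, and the paging helper follows @odata.nextLink so a large alert backlog is not silently truncated.

```powershell
# Added example: call the Graph Security API with Invoke-RestMethod (placeholders below).
$TenantId     = '<tenant-id>'
$ClientId     = '<app-client-id>'
$ClientSecret = '<app-client-secret>'

# Client-credentials token for https://graph.microsoft.com (no interactive sign-in).
function Get-GraphToken {
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    return $resp.access_token
}

# Graph returns one page of results plus @odata.nextLink; follow the link until it is absent.
function Get-GraphCollection {
    param([string]$Uri, [string]$Token)
    $items = @()
    while ($Uri) {
        $page   = Invoke-RestMethod -Uri $Uri -Headers @{ Authorization = "Bearer $Token" }
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

$token = Get-GraphToken

# The same high-severity query the post shows. Single quotes stop PowerShell from
# expanding $filter as a variable; the doubled '' is how a quote is escaped inside them.
$alerts = Get-GraphCollection -Token $token `
    -Uri 'https://graph.microsoft.com/v1.0/security/alerts?$filter=Severity eq ''High'''
$alerts | Select-Object createdDateTime, title, status,
    @{ n = 'provider'; e = { $_.vendorInformation.provider } } | Format-Table -AutoSize

# Beta endpoint: the most recent Secure Score (a single item, so no paging is needed).
$score = Invoke-RestMethod -Headers @{ Authorization = "Bearer $token" } `
    -Uri 'https://graph.microsoft.com/beta/security/securescores?$top=1'
$score.value | Select-Object createdDateTime, currentScore, maxScore
```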

PRO TIP: Use the new Az module for Azure PowerShell. This new module is written from the ground up in .NET Standard. Using .NET Standard allows Azure PowerShell to run under PowerShell 5.x on Windows or PowerShell 6 on any platform, for instance Linux. The Az module is now the intended way to interact with Azure through PowerShell. AzureRM will continue to get bug fixes, but no longer receive new features.

PowerShell on Linux, querying the Intelligent Security Graph

READING TIP: My good friend Ronny de Jong, an Enterprise Mobility MVP from The Netherlands, has written a blog about another example: keeping your Microsoft Intune tenant clean and tidy using #Azure Automation and the Security Graph API.

Matt Graeber also posted a link to the documentation of the Schema, and how to use it for Bulk IOC updating.

Sample web UI

Now as an added bonus, Microsoft has open sourced a web UI which interacts with all the data from Security Graph API and shows it in a neat UI. You can find it on GitHub: https://github.com/microsoftgraph/aspnet-security-api-sample

Third Parties

Many security companies have begun integrating their solutions with the Microsoft Intelligent Security Graph:

  • Lookout adds mobile device security telemetry into the Microsoft Graph for unique threat detection, protection, visibility and control of iOS and Android devices
  • Illumio Adaptive Security Platform uses the Graph Security API to surface unauthorized network connection attempts, enabling customers to make better security decisions.
  • Demisto integrates with Security Graph API to enable alert ingestion across sources, rich and correlated threat context, and automated incident response at scale.
  • Symantec alerts are accessible from the Graph Security API, delivering insights from its Cloud Workload Protection solution to improve management of cloud security risks.
  • Contrast Security integrates with the Graph Security API to unlock highly relevant security intelligence from inside the application layer to manage overall cyber risk.
  • Softeng provides customers with alerts information delivered by Microsoft Graph Security, empowering its clients with a personalized and unified view of their security risks.
  • The Palo Alto Networks provider allows applications to access alerts and contextual information from the Application Framework using the Graph Security API. It is available from their marketplace.
  • Anomali integrates with the Graph Security API to correlate alerts from Microsoft Graph with threat intelligence, providing earlier detection and response to cyber threats.

Demisto integration with the Intelligent Security Graph

Hackathon

Last but not least, Microsoft is currently hosting a Security Graph API hackathon until March 1st 2019. Build something cool with the API and win prizes up to $15K and a chance to speak at //Build/ 2019! More info here: https://graphsecurityhack.devpost.com.

Summary

Microsoft’s Intelligent Security Graph is aggregating all their security properties for ‘signal sharing’ to build a bigger context around the events happening in your environment.

Together with their machine learning backend, Microsoft is upping their game over other threat detection vendors to detect and protect you against malicious intent.

— Maarten Goet, MVP & RD

