Microsoft 365 vulnerability scanning and remediation

An organization’s security posture isn't achieved through a one-time effort; it requires consistent evaluation and maintenance. Systems deemed secure at the time of deployment soon become insecure as new vulnerabilities are identified in the ever-evolving threat landscape. For this reason, systems and baselines should be continuously evaluated and updated through standardized processes enforced across the enterprise. Microsoft 365 routinely scans all its systems and applicable network devices for known vulnerabilities and centrally tracks their remediation within a timeframe determined by their severity.

Scanning tools and approach

Microsoft 365 uses a third-party scanning tool that applies three different techniques to ensure full coverage of its assets: host-based scans, network-based scans, and container image configuration scans.

For all servers and network-accessible devices capable of running a host agent, a first-party agent is used to take a host-level snapshot, which is uploaded to a central location for assessment. This agent is deployed holistically as part of the Microsoft 365 service onboarding process, and authentication rates are calculated daily to ensure asset scanning coverage, with an authentication rate target of 95%. A snapshot of the host containing metadata is created and stored within a sandbox environment, where it’s assessed for vulnerabilities. By running the scan in a sandbox environment instead of on the host machines themselves, we mitigate the risk of an attacker using the scanning process to perform a supply chain attack.

Assets that can’t run the local agent, such as network devices and a small subset of bare metal servers, are captured by network scanning tools.

Lastly, container image configurations are listed in a central registry and scanned for any vulnerabilities. If any changes are made, the new image is deployed to all active instances.

Scans evaluate assets for missing patches, configuration issues, and application vulnerabilities using up-to-date vulnerability information from industry sources such as the Microsoft Security Response Center (MSRC), the NIST National Vulnerability Database, and the MITRE Common Vulnerabilities and Exposures (CVE) database.

Host-based scans are performed daily and network scans weekly; each is configured to search for all known vulnerabilities in the signature database. Scanning processes include a check to ensure that signature updates have occurred, and results are sent to Azure Data Explorer for central storage. From there, scan results are aggregated, prioritized for triage, and reported via internally developed dashboards.

Reporting

Microsoft 365 Security uses automated reporting to compare scan results over time, displaying new vulnerabilities when they're found. These reports are updated daily and are available to authorized personnel via the Threat and Vulnerability Reporting (TVR) dashboard. The TVR dashboard is the source of truth for tracking and reporting all Microsoft 365 vulnerability data.

The dashboard displays:

  • Live vulnerability metrics, including host counts
  • Recommended solutions for service teams
  • Metrics for scan quality and compliance with remediation requirements
  • A list of all active vulnerabilities

Remediation

Service teams that own the assets with detections are responsible for remediating identified vulnerabilities. They may track remediation however they choose, but a vulnerability isn't considered resolved until a clear scan is reflected in the TVR dashboard.

Vulnerability remediation varies and can include actions such as updating base image configurations, applying patches, and removing problematic components. High, moderate, and low vulnerabilities must be remediated within 30, 90, and 180 days, respectively.

Microsoft 365 engineering teams can also file exceptions for vulnerabilities if they're false positives, if Microsoft has mitigating controls in place that lower the severity of the vulnerability, or if patches resolving the issue haven’t been released yet. The Microsoft 365 TVR Exception Review Board then reviews these requests and either approves or rejects them based on security and compliance needs. If rejected, service teams continue with the remediation process. If accepted, the exception is processed so that it isn't flagged for that system during future scans.
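The reporting and remediation rules above (comparing successive scans, counting a finding as resolved only on a clear scan, the 30/90/180-day windows, approved exceptions, and the 95% authentication coverage target) can be modelled in a few functions. This is an added illustration, not Microsoft's TVR tooling; all host names, vulnerability ids and dates are constructed.

```python
from datetime import date, timedelta

# Remediation windows stated on the page: high/moderate/low within 30/90/180 days.
SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}
COVERAGE_TARGET = 0.95  # authenticated-scan coverage target stated on the page

def compare_scans(previous, current):
    """Diff two scan result sets of (host, vuln_id) pairs.
    Returns (new, resolved); a finding is resolved only when a later scan no longer reports it."""
    return sorted(current - previous), sorted(previous - current)

def remediation_status(finding, today, approved_exceptions):
    """Classify one open finding as 'excepted', 'within_sla' or 'overdue'."""
    if (finding["host"], finding["vuln_id"]) in approved_exceptions:
        return "excepted"  # approved by the exception review; not flagged again
    due = finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])
    return "within_sla" if today <= due else "overdue"

def coverage_rate(inventory, authenticated):
    """Share of inventoried hosts for which an agent snapshot was collected."""
    return len(inventory & authenticated) / len(inventory)

# Constructed sample data (hypothetical hosts and vulnerability ids).
PREVIOUS_SCAN = {("web-01", "VULN-A"), ("web-02", "VULN-B"), ("db-01", "VULN-C")}
CURRENT_SCAN = {("web-01", "VULN-A"), ("db-01", "VULN-C"), ("db-01", "VULN-D")}
OPEN_FINDINGS = [
    {"host": "web-01", "vuln_id": "VULN-A", "severity": "high", "first_seen": date(2024, 1, 1)},
    {"host": "db-01", "vuln_id": "VULN-C", "severity": "moderate", "first_seen": date(2024, 1, 1)},
    {"host": "db-01", "vuln_id": "VULN-D", "severity": "low", "first_seen": date(2024, 2, 15)},
]
APPROVED_EXCEPTIONS = {("db-01", "VULN-C")}  # e.g. a reviewed false positive
INVENTORY = {"web-01", "web-02", "db-01", "db-02"}
AUTHENTICATED = {"web-01", "web-02", "db-01"}  # db-02 produced no agent snapshot

def report(today=date(2024, 2, 20)):
    """Build the dashboard-style summary for one reporting day."""
    new, resolved = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    statuses = {(f["host"], f["vuln_id"]): remediation_status(f, today, APPROVED_EXCEPTIONS)
                for f in OPEN_FINDINGS}
    rate = coverage_rate(INVENTORY, AUTHENTICATED)
    return {"new": new, "resolved": resolved, "statuses": statuses,
            "coverage": rate, "coverage_ok": rate >= COVERAGE_TARGET}

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the constructed data, VULN-B disappears from the current scan and is reported as resolved, VULN-D is new, the 30-day high finding is overdue, and coverage of 3 out of 4 hosts falls short of the 95% target.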

Asset coverage

To ensure remediation across all systems in Microsoft 365, TVR compares its results to a complete inventory of all physical and virtual assets.

A list of virtual assets is maintained in an internal Azure tool that is automatically updated when new assets are created and deployed. Physical assets are inventoried by the individual service teams that own them.

TVR uses automated scripting and queries to centralize inventory data into TVR tooling and conducts a monthly review to ensure the scripts continue to capture a complete and accurate list. This allows the TVR team to track patching coverage and ensure that vulnerability remediation is comprehensive.