Events
Nov 19, 11 PM - Nov 21, 11 PM
Protect your org with AI-powered solutions built across platforms and cloud environments at Microsoft Ignite online.
Register nowThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Microsoft works continuously to provide highly secure, enterprise-grade services for Microsoft customers, but security incidents are an inevitable reality that must be thoroughly and swiftly managed. This document provides an overview on how Microsoft handles security incidents using tried and true methods and technologies to minimize their potential impact. A security incident refers to any unlawful access to customer data stored on Microsoft's equipment or in Microsoft's facilities, or unauthorized access to such equipment or facilities that have the potential to result in the loss, disclosure, or alteration of customer data. Microsoft's goals when responding to security incidents are to protect customer data and Microsoft's online services.
Microsoft online services security teams and the various service teams work jointly and take the same approach to security incidents:
Microsoft's approach to managing a security incident conforms to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61. Microsoft has several dedicated teams that work together to prevent, monitor, detect, and respond to security incidents.
Team/Area | Description |
---|---|
Microsoft Security Response Center | Identifies, monitors, resolves, and responds to security incidents and Microsoft software security vulnerabilities. |
Cyber Defense Operations Center | The Cyber Defense Operations Center is the physical location that brings together security response teams and experts from across the company to help protect, detect, and respond to threats in real time. |
Corporate, External, and Legal Affairs | Provides legal and regulatory advice for a suspected security incident. |
Microsoft Datacenter Security Team | Team that focuses across the various services on common security engineering investments to protect, detect, and respond to service architecture risks and threats. |
Microsoft security response teams | Independent Azure, Dynamics 365, and Microsoft 365 security teams that partner with service teams to build the appropriate security incident management process and to drive any security incident response. |
Microsoft Governance, Risk, and Compliance (GRC) teams | Provide guidance on regulatory requirements, compliance, and privacy. |
Service teams | Engineering teams for Azure, Dynamics 365, Microsoft 365 that are responsible for security-related policies and decisions for each service. |
Azure operations managers | Oversees the investigation and resolution of Azure-related security and privacy incidents. |
Microsoft Threat Intelligence Center (MSTIC) | Provides the current state of art in digital security threats against Microsoft infrastructure and assets, helps partner teams inside Microsoft prioritize mitigation and prevention effort action plans, and increases protection by adopting near real-time incident monitoring/detection. |
Customer experience communication teams | Engineering teams responsible for all customer communications about security and service incidents. Separate teams are dedicated to Azure, Dynamics 365, and Microsoft 365. |
Microsoft online services security teams and service teams work together on and take the same approach to security incidents, which is based on the NIST 800-61 response management phases:
Microsoft online services consist of core Microsoft products, including Azure, Dynamics 365, and Microsoft 365. Each of these services are operated by separate teams with their own security operational processes. Other teams at Microsoft, such as MSTIC, are also engaged in various security aspects of Microsoft online services. Because of the multitude of teams working on security operations management across all the various services that make up Microsoft online services, Microsoft has implemented a federated security response model.
This table presents the operational boundaries between the various Microsoft online service security operations teams and the Microsoft service teams:
Activity | Microsoft Security Team Operations | Microsoft Service Team Operations |
---|---|---|
Detection and analysis | - Detection requirements - Security monitoring and analysis - Indicator of compromise (IOC) sweeps - Breach hunt - 24x7 security on-call and incident response lead |
- Detection requirements - Monitoring infrastructure deployment - Service analysis and insight - Event and alert triage - 24x7 service engineering on-call |
Containment, eradication, recovery | - Incident response lead - Forensics investigation - Security expertise and consulting - Recovery guidance |
- Security incident owner - Service insight and expertise - Execute containment, eradication, and recovery |
Post-incident activity | - Post-incident analysis lead - Data collection and archival - Lessons learned and bug requests - Incident reporting |
- Service-side incident analysis - Prioritize follow-up activities - Implementation security investments - Service security readiness |
Events
Nov 19, 11 PM - Nov 21, 11 PM
Protect your org with AI-powered solutions built across platforms and cloud environments at Microsoft Ignite online.
Register now