Users No Longer Have to Choose Between Security and Productivity

By David Weston, Director of OS Security, Microsoft

At Microsoft, we spend more than $1 billion annually on security and have more than 3,500 dedicated security professionals. Among them is a dedicated Offensive Security Research team: think of them as penetration testers specifically targeting our own products so we can design them more securely from the start. Every day, that team emulates and builds on known and evolving attacker techniques, trying to break into our own products. Findings are reinvested in the development of our always-up-to-date Windows 10 and Office 365 ProPlus products and shared with the IT and security communities.

Among the most common and powerful attack vectors we have seen are those that exploit the daily tradeoff users make between productivity and security. Often, this is as simple as a document hiding an exploit or a malicious link. Basic phishing techniques or the simple pressures of a busy day can be enough for a user to open a file, dismiss security defenses like Protected View, and expose themselves and the rest of the network to attack. Many long-established security tools and practices consider this tradeoff inevitable.

We have machine learning and AI built into Office today that quarantine malware in email and file attachments, and there are policies we recommend as part of Microsoft Secure Score that will stop a lot of attacks, but nothing is perfect for all files, especially as attackers are constantly changing their techniques. Security always has to evolve, proactively defending against exploits and getting ahead of bad actors.

To do this, we’ve built more proactive protections into Office 365 and eliminated the need for users to choose between security and productivity. Microsoft Defender Application Guard first introduced this hardware-level containerization with Edge, and we continue to build on the concepts of isolation and minimizing trust by extending these capabilities to Office 365 applications. With Application Guard for Edge, if a user visited an untrusted website, Application Guard enabled Edge to deliver that site in a container, with a new instance of Windows and an entirely separate copy of the kernel. Application Guard’s enforcement completely blocked access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker. Now, these capabilities will be available to Office documents.

Microsoft Defender Application Guard for Office 365 enables users to stay safe, secure and productive when working with untrusted documents. It’s built directly into the Windows platform so users get a native, seamless experience where they can continue to work as they normally would.

Because it is built directly into the Windows 10 platform, this hardware-backed security isolates untrusted Office documents without compromising the experience Office users are accustomed to. With Application Guard, an untrusted document opened inside the Application Guard container has the same look and feel as an Office document opened on the desktop.

Now, users can open an untrusted Word, Excel, or PowerPoint file in a virtualized container and view, print, edit, and save changes to it – all while benefiting from that same hardware-level security. If the untrusted file is malicious, the attack is contained and the host machine remains untouched. A new container is created every time a user logs in, providing a clean start and peace of mind for both users and cybersecurity teams.

If users do need to “trust” a file to open it with more privileges, the file is automatically checked against the Microsoft Defender Advanced Threat Protection (ATP) threat cloud before it is released. This integration with ATP gives admins advanced visibility and response capabilities – including alerts, logs, confirmation that the attack was contained, and visibility into similar threats across the enterprise.

About the Author

David Weston is the Partner Director of OS Security at Microsoft, where he is responsible for the security engineering of Windows, Windows Server, and the Azure OS, as well as the Offensive Security Research Team (also known as the Windows Red Team). Before leading security engineering in Windows, David led the security research team for Microsoft Defender Advanced Threat Protection (ATP), the team responsible for detecting and responding to global adversaries. David has been with Microsoft since Windows 7, holding many different security roles in mitigation design, penetration testing, malware analysis, and threat intelligence. In addition to his engineering work, David is also an accomplished security researcher, presenting his work at numerous security conferences including Blackhat and Defcon.