Learning how to change and configure Microsoft Edge Proxy Settings is quite important to users who would like to protect their online privacy. Many web browsers, including Microsoft Edge, have features that support proxy. However, some users don’t know to go about it, which is relatively simple. A proxy server intercepts your computer network traffic before it gets to you; it’s just another remote computer. The are many reasons why users switch to a proxy, but the main one is to get an extra measure of online security.

What is Edge Proxy Server?

The Edge proxy server is a server that is located on the intranet and connects to the main server via the Internet. It is not bound to other proxy servers. It resolves a request for content from a local cache and proxying from the original server. Edge proxy server cannot request to any other proxy server.

The proxy works so that your IP address will not be revealed. You access the Internet using the proxy’s IP address. It is a great way to ensure you are safe online, especially for sites or malicious people tracking your activities online. It’s good to know that there are paid and free proxy server services.

There are two ways to configure a proxy server in MS Edge and it’s simple. You can use the manual way or simply use the automatic configuration. We will discuss this later in this article. This post will elaborate on changing and configuring Microsoft Edge Proxy settings. If you want to access geo-restricted content, protect your devices or conceal your IP address, you are in the right place. Continue reading.

Changing and configuring Edge proxy settings is a straightforward process, but you don’t need some specific browser proxy settings to surf on standard web pages. However, these settings can be changed to access geo-restricted pages or just for security purposes. To change and configure Microsoft Edge proxy settings, use any of the following methods:

1. Manual proxy setup
2. Automatic proxy setup

To turn off proxy settings in Microsoft Edge, go to the menu (three dots) on the top right and scroll down to Settings. Choose System and, on the left side, click on Open your computer’s proxy settings. From there, toggle off the buttons next to Automatically detect settings, Use setup script, and Use a proxy server. To complete the process click Save.

1] Manual proxy setup

To set up a proxy setting manually, you need to use Wi-Fi or Ethernet internet connections. If you are connected to any VPN, you need to disable it while setting up and using the proxy server. Here is how:

• Open Edge by clicking the icon on the taskbar or by typing Edge on the search box.
• On the top right, click on the three dots for more options. From the list, go down to see Settings and click on it.
• Scroll down the Settings menu. You will Advanced settings, go ahead and select View advanced settings option.
• Select Open proxy settings and head to the Manual proxy setup option and toggle the Use a proxy server button on.
• Enter the required details and select the Save button.
• Now, you will get a prompt asking you to put in a Proxy username and password. Enter these details correctly and your proxy server on Microsoft edge will be configured and ready to run.

Read: Can’t connect to the proxy server says Microsoft Edge

2] Automatic proxy setup

If you feel setting up a proxy server manually is a lot of work, you can choose the automatic mode option. As in the manual setup, you need only to use Ethernet or Wi-Fi connections. Deactivate any VPN running on your computer. This setup automatically detects settings and uses a setup script. Here is how:

• Open Windows Settings by pressings the Windows key + I.
• Head to the Network & Internet and go to the Proxy tab.
• Here, toggle the Automatically detect settings button on, as well as the Use setup script options.
• Insert the script URL and hit the Save button to complete the process.

Let us know if these methods helped you change and configure Microsoft Edge proxy settings.

Read: Ethernet works but not WiFi in Windows.

Software developers and project managers can use infrastructure as code (IaC) software to automate the management and provisioning of infrastructure. By bypassing manual configuration, software development teams can enjoy lower costs, faster speed, and fewer errors. This guide will discuss the following infrastructure as code tools in terms of their features, pros, cons and pricing so you can pick the ideal solution for your needs:

• Puppet: A great option for teams seeking IaC software that can handle large-scale infrastructure and also has an established and supportive community.
• Chef: An excellent pick for developers seeking a flexible and advanced configuration management tool that relies on infrastructure as code to automate complex tasks.
• Terraform: An ideal solution for development teams seeking an open-source IaC tool for cloud-based environments.

Jump to:

Puppet

Puppet is an IaC tool that uses its own declarative language to define desired infrastructure states. It has a solid interface and reporting capabilities and is ideal for teams and organizations in charge of managing large-scale infrastructures.

Features of Puppet

Some of Puppet’s features that have made it a popular DevOps tool include:

• Multi-platform support.
• Real-time monitoring.
• Policy-as-code.
• Third-party integrations.

Puppet supports multiple platforms, including Windows, Linux, Microsoft Azure, AWS, GCP and more. The IaC software has real-time monitoring and reporting to help developers spot drift and compliance errors. It also leverages policy-as-code for streamlining and enforcing compliance. You can also extend Puppet’s functionality by integrating it with third-party cloud, infrastructure, secret management, policy-as-code and other services.

SEE: What is DevOps?

Pros of Puppet

Puppet’s pros include:

• Well-established community.
• Fast error fixes.
• Learnable language.
• Intuitive interface.

Since Puppet has been around since 2005, it has a large, well-established community that can offer support and resources for new users and those who stumble upon obstacles. Puppet highlights lines containing coding errors so they can be fixed quickly.

While Puppet’s use of its own declarative scripting language (DSL) can be a con for some newer users, the language is at least easy to learn and eventually write. Puppet’s user interface is also clean and easy to follow.

Cons of Puppet

Puppet’s cons include:

• Can be complicated to configure.
• Complexity – known for its steep learning curve.
• Requires some programming knowledge.
• Pricing.

Setting up Puppet can take some time and patience and requires users to be more hands-on than some simpler competing tools since it was designed more for system administrators than less technical users.

Puppet has a steep learning curve, and unless you have a programming background and knowledge of the Puppet DSL, you may have a hard time adapting to it. Additionally, since Puppet only has two versions, some teams may find the custom Enterprise pricing prohibitive if they want more advanced features.

Puppet Pricing

Project managers and developers can choose between Open-Source Puppet and Puppet Enterprise. The open-source version is free.

Puppet offers the Enterprise version via custom-priced plans. It comes with automation features, extensions and more. Get a custom Puppet Enterprise pricing quote.

Progress Chef

Progress Chef (formerly Chef) is a flexible configuration management tool with a large following that uses infrastructure as code. It is used by software developers, DevOps teams, system administrators and more to automate their infrastructure and applications’ configuration management.

Features of Chef

Chef has several features that make it a popular DevOps tool, including:

• Platform-agnostic.
• IaC features and adherence.
• Recipes and cookbooks.
• Chef Supermarket.
• Integrations with third-party DevOps tools.

Chef is a platform-agnostic programmer tool due to its system resource abstraction, allowing it to support different cloud platforms and operating systems. Due to its reliance on infrastructure as code, Chef keeps configuration consistent and repeatable and promotes version control via a host of version control tools.

Staying in line with the “Chef” name, the IaC tool relies on recipes and cookbooks. Recipes are specific actions/configurations, while cookbooks are recipe collections. Chef’s recipes and cookbooks keep configuration management simple for developers by letting them reuse code and embrace the power of modularity.

The Chef Supermarket is loaded with pre-built cookbooks to speed up configuration management. There is also a large community ecosystem that supplies users with best practices, cookbooks, modules and more. Chef is highly extensible, too, thanks to third-party integrations with Jenkins, CircleCI and other popular tools.

Pros of Chef

Some of Chef’s biggest advantages as an IaC tool include:

• Advanced configuration management capabilities.
• Extensibility.
• Community support.
• Versatile, offering greater control of configurations.

Some of Chef’s competition is best served for handling basic tasks. Chef, on the other hand, has advanced configuration management features to handle complex tasks, such as test driven development infrastructure deployment on-demand. Progress Chef also excels in extensibility as the programmer tool integrates with top DevOps tools like CircleCI, Jenkins, Bitbucket, GitHub and more.

If you are looking for an infrastructure as code tool with a large community that offers added support and resources, you will find just that with Chef. And if you are looking for an IaC tool that is flexible so you have more configuration control, Chef offers that, too, since it follows a code-driven approach.

Cons of Chef

Chef could Excellerate in some areas as a developer tool, such as:

• Required experience level.
• Time investment.
• Expensive for small teams.

Yes, Chef was built to handle even the most complex tasks. But to unlock that functionality, you will face a steep learning curve. Remember that Chef was created with experienced programmers in mind, so it will take some time to learn. One thing that could help is taking a Ruby course prior to tackling Chef. Beyond the complexity obstacle, you may find Chef pricey, especially if you are part of a smaller development team with a limited budget.

Pricing of Chef

Developers can buy Chef directly through Progress or via a marketplace. Buy the IaC tool from Progress, and you can get a custom quote for the SaaS or on-premise option. Buy Chef from the Azure Marketplace, and you get three options:

• Two-Hour Test Drive: Try Chef for two hours for free.
• BYOL: Pay for Azure compute time and bring your own license.
• Custom Private Offer: Get a custom quote on Chef from Azure.

Buy Chef from the AWS Marketplace, and you have two options:

• BYOL: Pay for AWS compute time and bring your own license.
• Chef on AWS Marketplace: Get a Chef subscription on your AWS account. Software and usage fees start at $0.20 per hour or $189 yearly.

You can learn more about Chef in our Chef Configuration Management Tool Review.

Terraform

HashiCorp Terraform is an open-source IaC tool ideal for developers and teams comfortable working with the Go language who need strong infrastructure management for cloud-based environments.

Features of Terraform

Some of Terraform’s top features as a DevOps tool include:

• Support for multiple operating systems.
• Multi-cloud deployment.
• Network infrastructure management tools.
• Plenty of integrations for developer tools.

Terraform supports multiple operating systems, including Windows, macOS, Linus, FreeBSD, OpenBSD and more. You can use Terraform for multi-cloud deployment, and it also has features for managing network infrastructure, such as firewall policies and load balancer member pools. Terraform offers extensibility, too, through integrations with CI/CD pipelines, version control systems and other programmer tools.

Pros of Terraform

Terraform’s strengths include:

• Easy setup.
• Flexibile hosting and platform support.
• Repeatability and built-in modularity.
• Highly performant.

Terraform is easy to set up and is flexible, with support for Azure, AWS and other cloud providers. The infrastructure as code software’s use of modules promotes repeatability, and its use of the Go language makes it fast and efficient.

Cons of Terraform

Terraform’s weaknesses include:

• Onboarding can be difficult.
• Documentation could use improvement.
• On-premises performance not as good as cloud.
• State management is not optimal.

Terraform is ideal for developers familiar with the Go or Golang language. If you are not, you may find the language unusual and difficult to learn at the start, which can slow onboarding.

Some users have found Terraform’s documentation complex and hard to understand. And while it works well with clouds, Terraform may suffer some issues when working with on-premises services. Managing the state file in Terraform to avoid conflicts can also be tricky and result in unexpected behaviors.

Terraform pricing

Terraform has a self-managed open-source option that is always free. It also has paid cloud and self-managed plans:

• Free (cloud): Up to 500 resources per month. Has the essential features for getting started with IaC provisioning.
• Standard (cloud): Starts at $0.00014 per hour per resource. For developers or teams adopting IaC provisioning.
• Plus (cloud): Custom pricing. For enterprises needing scalability.
• Enterprise (self-managed): Custom pricing. For enterprises with added compliance and security needs.

SEE: Building your Platform Engineering practice on AWS with Terraform

What to look for in infrastructure as code software

With various IaC tools on the market, choosing the right one for your software development team may seem like a daunting task. How can you ensure you pick the proper infrastructure as code software? First, if your budget is limited, consider the cost as the pricing of IaC tools can vary greatly. Luckily, many have free trials you can sign up for to supply the features a test drive, while others may have free plans with limited features.

If the cost of certain IaC software acts as a deterrent, remember that these developer tools can save your team plenty of money by eliminating the need for manual infrastructure setup and maintenance.

After considering cost, look for an infrastructure as code tool that is user-friendly with an intuitive interface. And lastly, look at its features. Standard features that the ideal IaC tool should have include automation that saves time and money while minimizing human error, built-in security (encryption, identity access management, data loss prevention, etc.), solid customer service and support and scalability (autoscaling, dynamic orchestration, rolling updates, etc.). The ideal IaC software should also have plenty of integrations with third-party developer tools and services, plus a library of plugins for added extensibility.

Final thoughts on the best infrastructure as code tools

The IaC tools listed above can help your software development team cut costs, increase speed and eliminate errors linked to manual configuration. Before picking an IaC tool from our list, review its features, pros, cons and pricing to ensure it is the right pick for you.

SEE: Top DevOps career paths

Microsoft announced that its Microsoft Edge for Business dedicated work experience will arrive as part of Edge version 116 later this month. The feature has been available in preview since it was announced at Build 2023 in May.

“Microsoft Edge was designed with the specific needs of businesses and organizations in mind, with enterprise-grade security, productivity, management, and now AI, built-in,” Microsoft’s Rick Turner writes in the announcement post. “Microsoft Edge for Business is the next step in the journey to deliver the best browser for business across all platforms, with enhanced separation of work and personal browsing, unmanaged device support, and more coming soon.”

Edge for Business is centrally managed by your organization’s IT staff so that it can be configured for optimal productivity and security. It offers minor visual differences from the traditional Edge interface, like a briefcase overlay on the Edge icon and some custom branding around your user profile, and you can access your personal browser settings and content via a separate Edge window. When you browse to work-related sites, they will open in Edge for Business (not regular Edge), and you (as the user) can configure which sites should do so (in Edge settings or via a toggle in the address bar).

Existing policies, settings, and configurations that were created by your organization will automatically transition to Edge for Business, Microsoft notes.

Microsoft Edge for Business will be enabled automatically with the release of Edge 116 for all customers who sign in using Microsoft Entra ID (formerly Azure Active Directory, or AAD). Edge for Business is coming to the mobile versions of Edge “in the future,” Microsoft says.

You can learn more about Microsoft Edge for Business on the Microsoft Learn website.

Welcome to the second part of the tutorial on Hosting a Website with Microsoft IIS. In this part, we will learn about configuring and creating the MySQL server and configuring WordPress. Now that you have followed all the steps of Part-1 let’s proceed to Part-2.

Creating a database in MySQL

1. Run MySQL command-line client.
2. Enter your root password that you set in subpart 2 of part 1, in the 12^th step.
3. Enter the following:

mysql> CREATE DATABASE databasename;

Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON databasename.* TO "username"@"hostname"

IDENTIFIED BY "password";

Query OK, 0 rows affected (0.00 sec)

mysql> EXIT

Configuring WordPress

1. Now go to your browser and type in your LAN IP that generally starts from “192.168”.
2. Click on “Create a configuration file.”
3. Click on “Let’s go.”
4. Enter the details that you entered during creating the new Database and click submit.
5. In the next step click on “Run the install.”
6. Enter your details like Site Title, Username, Password, etc. in this step.
7. Now click on Log in.
   
8. Enter with your username and password that you created in this part to login.
9. You will now be able to see your dashboard and operate your blog from this dashboard.

Your website is now live on your IP address. You can convert your IP into text or some website name, using many services out there like  www.no-ip.org.

You have successfully hosted your website. If you face any problems or find that you are getting some error messages, don’t panic just go through all the steps again and try to solve your problem.

What you need to know

• Microsoft is rolling out Windows 11 22621.2213 (KB5029351) to Insiders in the Release Preview Channel on Windows 11 version 22H2.

• The update ships with several new features as well as improvements.

• Admins can now configure the monthly, optional cumulative updates for commercial devices.

Microsoft recently released a new build to the Release Preview channel on Windows 11, version 22H2. The Windows 11 Build 22621.2213 (KB5029351) ships with several new features as well as improvements, including a new policy that allows admins to configure the monthly, optional cumulative updates for commercial devices and a feature that makes search flyout box pop-up whenever you hover over the search box gleam.

The company rolls out these updates in waves. To expedite the process, you can toggle the Get the latest updates as soon as they’re available option in Windows Settings.

In related news, Microsoft's latest update to the Dev Channel makes switching between a local desktop and a Windows 365 PC a breeze.

Windows 11 Build 22621.2213: Changelog

• New! This update adds new functionality that affects app defaults. To learn more, see A principled approach to app pinning and app defaults in Windows.

• New! This update adds a new hover behavior to the search box gleam. When you hover over it, the search flyout box appears. You can adjust this behavior by right clicking the taskbar. Then choose Taskbar settings to change your search box experience.

• New! This release adds a new policy called “Enable optional updates.” Administrators can use it to configure the monthly, optional cumulative updates for commercial devices. You can also use this policy for the gradual Controlled Feature Rollouts (CFR).

• This update makes daylight saving time (DST) changes for Israel.

• This update addresses an issue that affects the Group Policy Service. It will not wait for 30 seconds, which is the default wait time, for the network to be available. Because of this, policies are not correctly processed.

• This update adds a new API for D3D12 Independent Devices. You can use it to create multiple D3D12 devices on the same adapter. To learn more, see D3D12 Independent Devices.

• This update addresses an issue that affects a WS_EX_LAYERED window. The window might render with the wrong dimensions or at the wrong position. This occurs when you scale the display screen.

• This update addresses an issue that affects print jobs that are sent to a virtual print queue. They fail without an error.

• This update addresses an issue that causes high CPU use. This occurs when you enable the “fBlockNonDomain” policy.

• This update addresses an issue that affects disk partitions. The system might stop working. This occurs after you delete a disk partition and add the space from the deleted partition to an existing BitLocker partition.

• This update addresses an issue that causes Windows to fail. This occurs when you use BitLocker on a storage medium that has a large sector size.

• This update addresses an issue that affects Remote Desktop sessions. Sometimes you receive a wrong error message when you try to sign in to a session.

• This update addresses an issue that affects the search icon. When you select it, the Search app does not open. This occurs after a machine has been asleep.

• This update improves the reliability of the Search app.

• This update addresses an issue that affects the TAB key. Using it to browse search results requires additional actions.

• This update addresses an issue that affects Narrator. It does not supply distinct context between the search box on the taskbar and search highlights within the search box.

• This update addresses an issue that affects Start menu icons. They are missing after you sign in for the first time.

• This update addresses an issue that affects settings. They do not sync even if you turn on the toggle on the Windows backup page in the Settings app.

• This update addresses an issue that affects the Resultant Set of Policy (RSOP). The Windows LAPS “BackupDirectory” policy setting was not being reported. This occurs when the setting is set to 1, which is “Back up to AAD.”

US-based IT software company Ivanti warned customers today that a critical Sentry API authentication bypass vulnerability is being exploited in the wild.

Ivanti Sentry (formerly MobileIron Sentry) functions as a gatekeeper for enterprise ActiveSync servers like Microsoft Exchange Server or backend resources such as Sharepoint servers in MobileIron deployments, and it can also operate as a Kerberos Key Distribution Center Proxy (KKDCP) server.

Discovered and reported by researchers at cybersecurity company mnemonic, the critical vulnerability (CVE-2023-38035) enables unauthenticated attackers to gain access to sensitive admin portal configuration APIs exposed over port 8443, used by MobileIron Configuration Service (MICS).

This is possible after they bypass authentication controls by taking advantage of an insufficiently restrictive Apache HTTPD configuration.

Successful exploitation allows them to change configuration, run system commands, or write files onto systems running Ivanti Sentry versions 9.18 and prior.

Ivanti advised admins not to expose MICS to the Internet and restrict access to internal management networks.

"As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM," Ivanti said.

"Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have RPM scripts available now for all supported versions. We recommend customers first upgrade to a supported version and then apply the RPM script specifically designed for their version," the company added.

Ivanti provides detailed information on applying the Sentry security updates onto systems running supported versions in this knowledgebase article.

Since April, state-sponsored hackers have exploited two additional security vulnerabilities within Ivanti's Endpoint Manager Mobile (EPMM), previously known as MobileIron Core.

One of them (tracked as CVE-2023-35078) is a significant authentication bypass that was abused as a zero-day to breach the networks of various governmental entities in Norway.

The vulnerability can also be chained with a directory traversal flaw (CVE-2023-35081), granting threat actors with administrative privileges the ability to deploy web shells onto compromised systems.

"Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency's network," CISA said in an advisory published in early August.

The CISA joint advisory with Norway's National Cyber Security Centre (NCSC-NO) followed orders issued earlier this month asking U.S. federal agencies to patch the two actively exploited flaws by August 15 and August 21.

One week ago, Ivant also fixed two critical stack-based buffer overflows tracked as CVE-2023-32560 in its Avalanche software, an enterprise mobility management (EMM) solution, that could lead to crashes and arbitrary code execution following exploitation.

Exploiting gaps in cloud infrastructure that are leaving endpoints, identities and microservices exposed is a quick way for an attacker to steal credentials and infect an enterprise’s DevOps process. Attacks to exploit such gaps are skyrocketing. 

The latest 2023 Thales Cloud Security Study provides hard numbers: 39% of enterprises have been hit with a data breach starting in their cloud infrastructure this year alone. A total of 75% of enterprises say that more than 40% of the data they store in the cloud is sensitive. Less than half of that data is encrypted. 

CrowdStrike’s 2023 Global Threat Report explains why cloud-first attacks are growing: Attackers are moving away from deactivating antivirus, firewall technologies and log-tampering efforts and toward modifying core authentication processes, along with quickly gaining credentials and identity-based privileges. 

The attackers’ goal is to steal as many identities and privileged access credentials as possible so they can become access brokers — selling stolen identity information in bulk at high prices on the dark web. Access brokers and the brokerages they’re creating often turn into lucrative, fast-growing illegal businesses. CrowdStrike’s report found more than 2,500 advertisements for access brokers offering stolen credentials and identities for sale. 

What’s driving CNAPP adoption  

Consolidating tech stacks continues to dominate CISOs’ plans, driven by the need to Excellerate efficacy, manage a more diverse multicloud security posture, close gaps between cloud apps and shift security left in DevOps pipelines. All these factors are contributing to the growing adoption of cloud-native application protection platforms (CNAPP). 

“CNAPPs are formed from the convergence of cloud security posture management (CSPM) and cloud workload protection platform (CWPP) capabilities as well as other security tooling like entitlement management, API controls and Kubernetes posture control,” reads Gartner’s 2023 Planning Guide for Security. 

Leading CNAPP vendors are competing in various areas, the most important of which include the efficacy of their cloud infrastructure entitlement management (CIEM), Kubernetes security, API controls and cloud detection and response (CDR), according to CISOs VentureBeat spoke with. Demand for CNAPP is greatest in larger enterprises from highly regulated industries that rely on extensive multicloud configurations. Finance, government and healthcare providers are among the most dominant industries.  

CISOs tell VentureBeat that one of the most practical benefits of CNAPPs is the opportunity to consolidate legacy tools with limited visibility across all threat surfaces and endpoints. The takeaway? Reducing tool sprawl is a quick win. 

Benchmarking the top 20 CNAPP platforms for 2023 

Full-platform CNAPP vendors provide integrated cloud-native security platforms ranging from DevOps to production environments. Here are the top 20 platforms of 2023: 

Aqua Security: Highly regarded for its approach of scanning container registries and images, CSPM and runtime protection for container and cloud-native security. Also has full life cycle protection and advanced runtime techniques, including support for the extended Berkeley Packet Filter (eBPF).

Check Point: Provides a broad set of capabilities through its CloudGuard platform, including CSPM, CIEM and advanced runtime protection. Known for securing cloud workloads across environments with identity-centric access controls, as well as threat intelligence integration to provide real-time contextual prioritization of risks.  

Cisco: Recently acquired Lightspin for its Kubernetes security capabilities and CSPM. Its Tetration platform focuses on runtime protection, leveraging eBPF and third-party insights for advanced container monitoring and granular controls. Cisco emphasizes behavioral analytics to detect anomalies and threats in container environments and provides strong controls to limit lateral movement between workloads.

CrowdStrike: Offers a leading CNAPP suite emphasizing identity-centric visibility, least-privilege enforcement and continuous monitoring. Its runtime protection leverages agents and eBPF for workload security. CrowdStrike’s key design goals included enforcing least-privileged access to clouds and providing continuous detection and remediation of identity threats. 

Cybereason: Platform focuses heavily on malicious behavior detection. A core strength is its ability to detect threats using behavior-based techniques. The company is also known for API integrations, AI and machine learning (ML) expertise. Cybereason specializes in detecting compromised accounts and insider threats via detailed user activity monitoring. 

Juniper Networks: Collects extensive data on device posture and traffic patterns to provide networking context for security insights. Also enables segmentation controls between Juniper devices.

Lacework: Focused on workload behavior analysis for containers and runtime techniques such as eBPF to gain a comprehensive insight into container activity and performance. Its emphasis on detecting anomalies using advanced ML algorithms that are custom-tuned for containerized environments is a key differentiator.

Microsoft: Integrates security across Azure services with zero-trust controls, enforces least-privileged access and provides workload protections such as antivirus and firewalls. Uses Microsoft Graph to correlate security analytics and events across Azure.

Orca Security: Performs continuous authorization checks on identities and entitlements across cloud environments. A key differentiator is the ability to generate detailed interactive maps that visualize relationships between cloud assets, users, roles and permissions. 

Palo Alto Networks Prisma Cloud: Provides a broad suite of capabilities, including identity-based microsegmentation and robust runtime protection with eBPF. Prisma Cloud is an industry leader known for advanced protections such as deception technique and includes extensive compliance automation and DevSecOps integrations. 

Qualys: Focuses on compliance and vulnerability management through continuous scanning and least-privilege controls. Identifies vulnerabilities throughout the life cycle and enables automated patching and remediation workflows. Another key differentiator is compliance mapping and reporting.

Rapid7: Enforces least privilege access and enables automated response and remediation triggered by events. Offers pre configured policies and streamlined workflows designed for small security teams. An intuitive user interface and rapid implementation aim to simplify deployment and usability for organizations with limited security resources.

Sonrai Security: Focuses on entitlement management and identity-based security using graph database technology to discover and map user identities across cloud environments. User identity, geolocation and other contextual factors can define custom access controls.

Sophos: Focuses on data security, compliance and threat monitoring capabilities and offers advanced data loss prevention such as file fingerprinting and optical character recognition. Cloud environments also have anti-ransomware protections. 

Sysdig: Centered on runtime security and advanced behavioral monitoring. For container-level visibility and anomaly detection, the platform uses embedded agents. Sysdig Secure Advisor includes an integrated security assistant to help SecOps and IT teams create policies faster.

Tenable: Focused on compliance, entitlement management and identity governance. Offers comprehensive compliance automation mapped to PCI, HIPAA and ISO regulations. Also provides differentiated identity and compliance management through advanced capabilities to enforce least privilege and certify access.

Trend Micro: Includes runtime security, compliance and threat monitoring, enforces policies and protects cloud environments from file- and email-based threats. Custom sandboxing for suspicious file analysis is also included.

Uptycs: Differentiates itself by combining CNAPP capabilities with extended detection and response (EDR) capabilities. Employs data lake techniques to store and correlate security telemetry across cloud and container workloads. Threats are identified using behavioral analytics, and automated response workflows allow for rapid remediation. 

Wiz: Centered on continuous access controls, micro segmentation and identity-based adaptive security. Automatically discovers and visualizes relationships between cloud assets, users and permissions. Wiz also conducts risk analysis to identify potential attack paths and stands out with its specialized visualization, identity management and micro-segmentation.

Zscaler: Posture Control prioritizes risks caused by misconfigurations, threats and vulnerabilities. Completely agentless and correlates data from multiple security engines.

Why CNAPP will succeed as a consolidation catalyst 

CNAPPs are gaining popularity as CISOs look to consolidate and strengthen their security technology stacks. Platforms can provide integrated security across the development lifecycle and cloud environments by combining capabilities including cloud workload protection, container security and CIEM.

CNAPP adoption will continue accelerating in highly regulated industries including finance, government and healthcare. CISOs in these industries are under pressure to consolidate tech stacks, Excellerate compliance and secure complex cloud infrastructure simultaneously. Because they provide a unified platform that meets multiple security and compliance requirements, CNAPPs are proving to be an effective consolidation catalyst.

Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. The attacker group Nobelium, linked with the SolarWinds attacks, has been documented using native functionality like the creation of Federated Trusts [1] to enable persistent access to a Microsoft tenant.

This article demonstrates an additional native functionality that when leveraged by an attacker enables persistent access to a Microsoft cloud tenant and lateral movement capabilities to another tenant. This attack vector enables an attacker operating in a compromised tenant to abuse a misconfigured Cross-Tenant Synchronization (CTS) configuration and gain access to other connected tenants or deploy a rogue CTS configuration to maintain persistence within the tenant. Vectra AI has not observed the use of this technique in the wild but given the historical abuse of similar functionality — Vectra AI presents details for defenders to understand how the attack would present and how to monitor for its execution. In addition, the article will review how Vectra AI customers currently have coverage — and have had coverage from day one of the functionality being released for this technique through their AI-driven detections and Vectra Attack Signal IntelligenceTM.

Cross-Tenant Synchronization

CTS is a new feature from Microsoft that enables organizations to synchronize users and groups from other source tenants and grant them access to resources (both Microsoft and non-Microsoft applications) in the target tenant. CTS features build on previous B2B trust configurations enabling automated and seamless collaboration between different tenants and is a feature that many organizations will look to adopt. [2] [3]

CTS is a powerful and useful feature for organizations like business conglomerates with multiple tenants across affiliated companies, but also opens potential reconnaissance, lateral movement and persistence attacks by bad actors if not configured and managed correctly. Read on for the potential risks and attack paths that adversaries can leverage to exploit CTS to abuse trust relationships from a potentially compromised tenant to any other tenant configured with a CTS trust relationship.

• CTS allows users from another tenant to be synced (added) into a target tenant.
• A loosely configured CTS configuration can be exploited to move laterally from a compromised tenant to another tenant of the same or different organization.
• A rogue CTS configuration can be deployed and used as a backdoor technique to maintain access from an external adversary-controlled Microsoft tenant.

Assumed compromise!

The exploitation techniques follow Assumed Compromise philosophy. The techniques used in these exploits assume that an identity has been compromised in a Microsoft cloud environment. In a real-world setting, this could originate from a browser compromise on an Intune-managed endpoint with a Microsoft-managed identity.

Terminologies

The Facilitator

Important things to know about CTS configuration:

1. New users get synced into a tenant via push (not pull). [2]
• Source tenant pushes new users to sync into the target tenant.
2. Automatic Consent Redemption setup. [3]
• Enabling this eliminates the need to consent anytime new users are synced into a target tenant.
3. Users in scope for synchronization are configured in the source tenant. [2]

The Attack

The attack techniques described in this article require certain licenses and a privileged account compromise or privilege escalation to certain roles in the compromised tenant. A Global Admin role can perform all these actions in a tenant. [3]

Technique 1: Lateral Movement

An attacker operating in a compromised environment can exploit an existing CTS configuration tenant to move laterally from one tenant to another connected tenant.

1. The attacker accesses the compromised tenant.
2. Attacker recons the environment to identify target tenants connected via deployed Cross Tenant Access policies.
3. Attacker reviews Cross Tenant Access policy configuration for each connected tenant to identify one with 'Outbound Sync' enabled. CTA policy with Outbound Sync enabled allows users and groups from the current tenant to be synchronized into the target tenant.
4. From the CTA policy configuration analysis, the attacker finds a connected tenant with Outbound Sync enabled and sets the tenant as the target for lateral movement.
5. The attacker then recons the compromised tenant to find CTS sync application that runs the job of synchronizing users and groups to the target tenant.
• There is no straight forward way to find the CTS sync application linked to the target tenant. The attacker can enumerate through service principals in the tenant attempting to validate credentials with the target tenant to ultimately find the application that hosts the sync job to the target tenant. It can be done through a simple module like this.
6. After identifying the CTS sync application, the attacker can modify its configuration to add the currently compromised user account to the application sync scope. This will sync the compromised user account into the target tenant and grant attacker access to the target tenant using the same initially compromised credentials.
7. Alternatively, the attacker can also inspect the CTS sync application configuration to identify configured sync scope and act accordingly.
• For example, if the object in sync scope is a group, then the attacker can attempt to add the compromised user account directly or indirectly to the group which will automatically allow the compromised account to be synced into the target tenant.
8. If there are no explicit CTA inbound conditions blocking the sync in the target tenant, the compromised account will sync into the target tenant.
9. The attacker moves laterally into the target tenant using the same initially compromised account.

Scenario 2: Backdoor

An attacker operating in a compromised tenant can deploy a rogue Cross Tenant Access configuration to maintain persistent access.

1. The attacker accesses the compromised tenant.
2. The attacker attempts to deploy a new Cross Tenant Access Policy in the victim tenant with the following properties.
3. Simultaneously, the attacker also configures CTS on its external tenant.
• The external tenant CTS setup is out of scope for this article and hence not covered here. The process of setting CTS in a source tenant is well defined by Microsoft here.
4. The attacker can now sync new users from its tenant via push to the target victim tenant anytime in future. This grants the attacker future access to resources on the target tenant using the externally controlled account.

Defense

1. The attack techniques in this document follow assumed compromise. Businesses must continue to implement and enforce security best practices to reduce the risk of account compromise.
2. CTS Target tenants must:
1. Avoid implementing a default inbound CTA configuration which permits all users/groups/applications from the source tenant to sync inbound. [2]
2. Deploy less inclusive inbound CTA configuration such as explicitly defining accounts (if possible) or groups that can get access through CTS.
3. Combine CTA policy with additional Conditional Access Policies to prevent unauthorized access.
3. CTS Source tenants must:
1. Ensure groups allowed to access other tenants via CTS (and all privileged groups in general) are properly regulated and monitored.
4. Detect and respond at scale and speed.

Vectra Customers:

Vectra's existing portfolio of alerts are capable of detecting this activity even prior to understanding this operation's implication as well as the expected actions that would occur prior to this event.

The fact that there is no genuine vulnerability exploited in this technique makes it harder to prevent once an adversary is in the environment with sufficient privileges. However, Vectra's AI-driven detections have been designed to detect these types of privilege abuse scenarios without having to rely on signatures or lists of known operations.

Vectra's Azure AD Privilege Operation Anomaly monitors for the underlying value of every operation in the environment and every user. The AI continuously creates a baseline of the types of actions that should be occurring in the environment and identifies cases of cloud-based privilege abuse. By focusing on the behavior of privilege abuse, Vectra is able to identify emerging techniques like the one documented here.

Attacker actions that would occur prior to the attack such as the account access following a token theft or other forms of account compromise, would be alerted on by Vectra detections like Azure AD Unusual Scripting Engine Usage, Azure AD Suspicious Sign-on or Azure AD Suspicious OAuth Application.

Microsoft Cloud Security Testing

Testing environments regularly and effectively is the best way to be confident in the ability to defend against cyberattacks. MAAD-Attack Framework is an open-source attack emulation tool that combines the most commonly used attacker techniques and allows security teams to quickly and effectively emulate them in their environments via a simple interactive terminal. Check out MAAD-AF on GitHub or learn more about it here.

Security teams can use MAAD-AF module "Exploit Cross Tenant Synchronization" to emulate and test against the CTS exploitation techniques in their environment.

Want to learn more?

Vectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. The Vectra AI Platform delivers the integrated signal powering XDR, SIEM, SOAR — whatever your pane of glass. This powerful platform equips SOC teams with hybrid attack surface coverage and real-time Attack Signal Intelligence, along with integrated, automated and co-managed response. Companies can choose the modules they need to achieve full coverage across identity, public cloud, SaaS and data center networks.

Contact Vectra AI today.

References: