Learning how to change and configure Microsoft Edge Proxy Settings is quite important to users who would like to protect their online privacy. Many web browsers, including Microsoft Edge, have features that support proxy. However, some users don’t know to go about it, which is relatively simple. A proxy server intercepts your computer network traffic before it gets to you; it’s just another remote computer. The are many reasons why users switch to a proxy, but the main one is to get an extra measure of online security.
The Edge proxy server is a server that is located on the intranet and connects to the main server via the Internet. It is not bound to other proxy servers. It resolves a request for content from a local cache and proxying from the original server. Edge proxy server cannot request to any other proxy server.
The proxy works so that your IP address will not be revealed. You access the Internet using the proxy’s IP address. It is a great way to ensure you are safe online, especially for sites or malicious people tracking your activities online. It’s good to know that there are paid and free proxy server services.
There are two ways to configure a proxy server in MS Edge and it’s simple. You can use the manual way or simply use the automatic configuration. We will discuss this later in this article. This post will elaborate on changing and configuring Microsoft Edge Proxy settings. If you want to access geo-restricted content, protect your devices or conceal your IP address, you are in the right place. Continue reading.
Changing and configuring Edge proxy settings is a straightforward process, but you don’t need some specific browser proxy settings to surf on standard web pages. However, these settings can be changed to access geo-restricted pages or just for security purposes. To change and configure Microsoft Edge proxy settings, use any of the following methods:
To turn off proxy settings in Microsoft Edge, go to the menu (three dots) on the top right and scroll down to Settings. Choose System and, on the left side, click on Open your computer’s proxy settings. From there, toggle off the buttons next to Automatically detect settings, Use setup script, and Use a proxy server. To complete the process click Save.
To set up a proxy setting manually, you need to use Wi-Fi or Ethernet internet connections. If you are connected to any VPN, you need to disable it while setting up and using the proxy server. Here is how:
Read: Can’t connect to the proxy server says Microsoft Edge
If you feel setting up a proxy server manually is a lot of work, you can choose the automatic mode option. As in the manual setup, you need only to use Ethernet or Wi-Fi connections. Deactivate any VPN running on your computer. This setup automatically detects settings and uses a setup script. Here is how:
Let us know if these methods helped you change and configure Microsoft Edge proxy settings.
Read: Ethernet works but not WiFi in Windows.
Software developers and project managers can use infrastructure as code (IaC) software to automate the management and provisioning of infrastructure. By bypassing manual configuration, software development teams can enjoy lower costs, faster speed, and fewer errors. This guide will discuss the following infrastructure as code tools in terms of their features, pros, cons and pricing so you can pick the ideal solution for your needs:
Puppet is an IaC tool that uses its own declarative language to define desired infrastructure states. It has a solid interface and reporting capabilities and is ideal for teams and organizations in charge of managing large-scale infrastructures.
Some of Puppet’s features that have made it a popular DevOps tool include:
Puppet supports multiple platforms, including Windows, Linux, Microsoft Azure, AWS, GCP and more. The IaC software has real-time monitoring and reporting to help developers spot drift and compliance errors. It also leverages policy-as-code for streamlining and enforcing compliance. You can also extend Puppet’s functionality by integrating it with third-party cloud, infrastructure, secret management, policy-as-code and other services.
SEE: What is DevOps?
Puppet’s pros include:
Since Puppet has been around since 2005, it has a large, well-established community that can offer support and resources for new users and those who stumble upon obstacles. Puppet highlights lines containing coding errors so they can be fixed quickly.
While Puppet’s use of its own declarative scripting language (DSL) can be a con for some newer users, the language is at least easy to learn and eventually write. Puppet’s user interface is also clean and easy to follow.
Puppet’s cons include:
Setting up Puppet can take some time and patience and requires users to be more hands-on than some simpler competing tools since it was designed more for system administrators than less technical users.
Puppet has a steep learning curve, and unless you have a programming background and knowledge of the Puppet DSL, you may have a hard time adapting to it. Additionally, since Puppet only has two versions, some teams may find the custom Enterprise pricing prohibitive if they want more advanced features.
Project managers and developers can choose between Open-Source Puppet and Puppet Enterprise. The open-source version is free.
Puppet offers the Enterprise version via custom-priced plans. It comes with automation features, extensions and more. Get a custom Puppet Enterprise pricing quote.
Progress Chef (formerly Chef) is a flexible configuration management tool with a large following that uses infrastructure as code. It is used by software developers, DevOps teams, system administrators and more to automate their infrastructure and applications’ configuration management.
Chef has several features that make it a popular DevOps tool, including:
Chef is a platform-agnostic programmer tool due to its system resource abstraction, allowing it to support different cloud platforms and operating systems. Due to its reliance on infrastructure as code, Chef keeps configuration consistent and repeatable and promotes version control via a host of version control tools.
Staying in line with the “Chef” name, the IaC tool relies on recipes and cookbooks. Recipes are specific actions/configurations, while cookbooks are recipe collections. Chef’s recipes and cookbooks keep configuration management simple for developers by letting them reuse code and embrace the power of modularity.
The Chef Supermarket is loaded with pre-built cookbooks to speed up configuration management. There is also a large community ecosystem that supplies users with best practices, cookbooks, modules and more. Chef is highly extensible, too, thanks to third-party integrations with Jenkins, CircleCI and other popular tools.
Some of Chef’s biggest advantages as an IaC tool include:
Some of Chef’s competition is best served for handling basic tasks. Chef, on the other hand, has advanced configuration management features to handle complex tasks, such as test driven development infrastructure deployment on-demand. Progress Chef also excels in extensibility as the programmer tool integrates with top DevOps tools like CircleCI, Jenkins, Bitbucket, GitHub and more.
If you are looking for an infrastructure as code tool with a large community that offers added support and resources, you will find just that with Chef. And if you are looking for an IaC tool that is flexible so you have more configuration control, Chef offers that, too, since it follows a code-driven approach.
Chef could Excellerate in some areas as a developer tool, such as:
Yes, Chef was built to handle even the most complex tasks. But to unlock that functionality, you will face a steep learning curve. Remember that Chef was created with experienced programmers in mind, so it will take some time to learn. One thing that could help is taking a Ruby course prior to tackling Chef. Beyond the complexity obstacle, you may find Chef pricey, especially if you are part of a smaller development team with a limited budget.
Developers can buy Chef directly through Progress or via a marketplace. Buy the IaC tool from Progress, and you can get a custom quote for the SaaS or on-premise option. Buy Chef from the Azure Marketplace, and you get three options:
Buy Chef from the AWS Marketplace, and you have two options:
You can learn more about Chef in our Chef Configuration Management Tool Review.
HashiCorp Terraform is an open-source IaC tool ideal for developers and teams comfortable working with the Go language who need strong infrastructure management for cloud-based environments.
Some of Terraform’s top features as a DevOps tool include:
Terraform supports multiple operating systems, including Windows, macOS, Linus, FreeBSD, OpenBSD and more. You can use Terraform for multi-cloud deployment, and it also has features for managing network infrastructure, such as firewall policies and load balancer member pools. Terraform offers extensibility, too, through integrations with CI/CD pipelines, version control systems and other programmer tools.
Terraform’s strengths include:
Terraform is easy to set up and is flexible, with support for Azure, AWS and other cloud providers. The infrastructure as code software’s use of modules promotes repeatability, and its use of the Go language makes it fast and efficient.
Terraform’s weaknesses include:
Terraform is ideal for developers familiar with the Go or Golang language. If you are not, you may find the language unusual and difficult to learn at the start, which can slow onboarding.
Some users have found Terraform’s documentation complex and hard to understand. And while it works well with clouds, Terraform may suffer some issues when working with on-premises services. Managing the state file in Terraform to avoid conflicts can also be tricky and result in unexpected behaviors.
Terraform has a self-managed open-source option that is always free. It also has paid cloud and self-managed plans:
SEE: Building your Platform Engineering practice on AWS with Terraform
With various IaC tools on the market, choosing the right one for your software development team may seem like a daunting task. How can you ensure you pick the proper infrastructure as code software? First, if your budget is limited, consider the cost as the pricing of IaC tools can vary greatly. Luckily, many have free trials you can sign up for to supply the features a test drive, while others may have free plans with limited features.
If the cost of certain IaC software acts as a deterrent, remember that these developer tools can save your team plenty of money by eliminating the need for manual infrastructure setup and maintenance.
After considering cost, look for an infrastructure as code tool that is user-friendly with an intuitive interface. And lastly, look at its features. Standard features that the ideal IaC tool should have include automation that saves time and money while minimizing human error, built-in security (encryption, identity access management, data loss prevention, etc.), solid customer service and support and scalability (autoscaling, dynamic orchestration, rolling updates, etc.). The ideal IaC software should also have plenty of integrations with third-party developer tools and services, plus a library of plugins for added extensibility.
The IaC tools listed above can help your software development team cut costs, increase speed and eliminate errors linked to manual configuration. Before picking an IaC tool from our list, review its features, pros, cons and pricing to ensure it is the right pick for you.
SEE: Top DevOps career paths
Microsoft announced that its Microsoft Edge for Business dedicated work experience will arrive as part of Edge version 116 later this month. The feature has been available in preview since it was announced at Build 2023 in May.
“Microsoft Edge was designed with the specific needs of businesses and organizations in mind, with enterprise-grade security, productivity, management, and now AI, built-in,” Microsoft’s Rick Turner writes in the announcement post. “Microsoft Edge for Business is the next step in the journey to deliver the best browser for business across all platforms, with enhanced separation of work and personal browsing, unmanaged device support, and more coming soon.”
Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!
"*" indicates required fields
Edge for Business is centrally managed by your organization’s IT staff so that it can be configured for optimal productivity and security. It offers minor visual differences from the traditional Edge interface, like a briefcase overlay on the Edge icon and some custom branding around your user profile, and you can access your personal browser settings and content via a separate Edge window. When you browse to work-related sites, they will open in Edge for Business (not regular Edge), and you (as the user) can configure which sites should do so (in Edge settings or via a toggle in the address bar).
Existing policies, settings, and configurations that were created by your organization will automatically transition to Edge for Business, Microsoft notes.
Microsoft Edge for Business will be enabled automatically with the release of Edge 116 for all customers who sign in using Microsoft Entra ID (formerly Azure Active Directory, or AAD). Edge for Business is coming to the mobile versions of Edge “in the future,” Microsoft says.
You can learn more about Microsoft Edge for Business on the Microsoft Learn website.
Welcome to the second part of the tutorial on Hosting a Website with Microsoft IIS. In this part, we will learn about configuring and creating the MySQL server and configuring WordPress. Now that you have followed all the steps of Part-1 let’s proceed to Part-2.
mysql> CREATE DATABASE databasename;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON databasename.* TO "username"@"hostname"
IDENTIFIED BY "password";
Query OK, 0 rows affected (0.00 sec)
Your website is now live on your IP address. You can convert your IP into text or some website name, using many services out there like www.no-ip.org.
You have successfully hosted your website. If you face any problems or find that you are getting some error messages, don’t panic just go through all the steps again and try to solve your problem.
Microsoft is rolling out Windows 11 22621.2213 (KB5029351) to Insiders in the Release Preview Channel on Windows 11 version 22H2.
The update ships with several new features as well as improvements.
Admins can now configure the monthly, optional cumulative updates for commercial devices.
Microsoft recently released a new build to the Release Preview channel on Windows 11, version 22H2. The Windows 11 Build 22621.2213 (KB5029351) ships with several new features as well as improvements, including a new policy that allows admins to configure the monthly, optional cumulative updates for commercial devices and a feature that makes search flyout box pop-up whenever you hover over the search box gleam.
The company rolls out these updates in waves. To expedite the process, you can toggle the Get the latest updates as soon as they’re available option in Windows Settings.
In related news, Microsoft's latest update to the Dev Channel makes switching between a local desktop and a Windows 365 PC a breeze.
New! This update adds new functionality that affects app defaults. To learn more, see A principled approach to app pinning and app defaults in Windows.
New! This update adds a new hover behavior to the search box gleam. When you hover over it, the search flyout box appears. You can adjust this behavior by right clicking the taskbar. Then choose Taskbar settings to change your search box experience.
New! This release adds a new policy called “Enable optional updates.” Administrators can use it to configure the monthly, optional cumulative updates for commercial devices. You can also use this policy for the gradual Controlled Feature Rollouts (CFR).
This update makes daylight saving time (DST) changes for Israel.
This update addresses an issue that affects the Group Policy Service. It will not wait for 30 seconds, which is the default wait time, for the network to be available. Because of this, policies are not correctly processed.
This update adds a new API for D3D12 Independent Devices. You can use it to create multiple D3D12 devices on the same adapter. To learn more, see D3D12 Independent Devices.
This update addresses an issue that affects a WS_EX_LAYERED window. The window might render with the wrong dimensions or at the wrong position. This occurs when you scale the display screen.
This update addresses an issue that affects print jobs that are sent to a virtual print queue. They fail without an error.
This update addresses an issue that causes high CPU use. This occurs when you enable the “fBlockNonDomain” policy.
This update addresses an issue that affects disk partitions. The system might stop working. This occurs after you delete a disk partition and add the space from the deleted partition to an existing BitLocker partition.
This update addresses an issue that causes Windows to fail. This occurs when you use BitLocker on a storage medium that has a large sector size.
This update addresses an issue that affects Remote Desktop sessions. Sometimes you receive a wrong error message when you try to sign in to a session.
This update addresses an issue that affects the search icon. When you select it, the Search app does not open. This occurs after a machine has been asleep.
This update improves the reliability of the Search app.
This update addresses an issue that affects the TAB key. Using it to browse search results requires additional actions.
This update addresses an issue that affects Narrator. It does not supply distinct context between the search box on the taskbar and search highlights within the search box.
This update addresses an issue that affects Start menu icons. They are missing after you sign in for the first time.
This update addresses an issue that affects settings. They do not sync even if you turn on the toggle on the Windows backup page in the Settings app.
This update addresses an issue that affects the Resultant Set of Policy (RSOP). The Windows LAPS “BackupDirectory” policy setting was not being reported. This occurs when the setting is set to 1, which is “Back up to AAD.”
New research also shows old CVEs are still exploited en masse with HTTP anomalies the most common API attack vector.
Customer-configured rules are now the biggest contributor to mitigated traffic as organizations adopt web application firewalls (WAFs) and Excellerate at configuring/locking down their applications. That's according to Cloudflare's Application Security Report: Q2 2023, based on HTTP traffic observed by the firm between April and June. The research also found that CVEs dating back almost a decade are still being widely exploited to compromise machines that may be unpatched and running vulnerable software, while HTTP anomalies are the most common attack vector on API endpoints.
Over the course of the last two quarters, Cloudflare has observed WAF-mitigated traffic surpassing DDoS mitigation, with the former now accounting for approximately 57% of all mitigations. Most of this increase has been driven by WAF custom rule blocks rather than WAF managed rules, indicating that these mitigations are generated by customer-configured rules for business logic or related purposes, according to the firm. Organizations are also adopting positive security models by allowing known good traffic as opposed to blocking only known bad traffic, according to Cloudflare.
Upon reviewing rule field usage across WAF custom rules, Cloudflare found that application owners are increasingly relying on geolocation blocks. In fact, 40% of all deployed WAF custom rules use geolocation-related fields to make decisions on how to treat traffic. While geolocation controls are unlikely to stop a sophisticated attacker, they are efficient at reducing the attack surface, Cloudflare noted. Another notable observation is the usage of bot management-related fields in 11% of WAF custom rules, a trend steadily increasing over time as more customers adopt machine learning-based classification strategies to protect their applications, the firm said.
HTTP anomaly is the most common attack category blocked by WAF managed rules, contributing 32% of WAF managed rules mitigated traffic overall, according to the research. SQLi moved up to second position (13%), surpassing directory traversal (10%). Furthermore, old CVEs are still being exploited en masse, with Log4J and Atlassian Confluence code injection responsible for the vast majority of attack traffic seen, Cloudflare said.
Filtering on denial of service (DoS) blocking, the firm found that most mitigated traffic is attributable to one rule: 100031/ce02fd. This rule has a description of Microsoft IIS - DoS, Anomaly:Header:Range - CVE:CVE-2015-1635 and pertains to a CVE dating back to 2015 that affected a number of Microsoft Windows components resulting in remote code execution.
Cloudflare observed a continued growth in API traffic, with 58% of total dynamic traffic classified as API related, a 3% increase compared to Q1. What's more, 65% of global API traffic is generated by browsers, the report said. Meanwhile, HTTP anomalies remain the most common attack vector on API endpoints (64%), followed by SQLi injection attacks (11%) and XSS attacks (9%).
US-based IT software company Ivanti warned customers today that a critical Sentry API authentication bypass vulnerability is being exploited in the wild.
Ivanti Sentry (formerly MobileIron Sentry) functions as a gatekeeper for enterprise ActiveSync servers like Microsoft Exchange Server or backend resources such as Sharepoint servers in MobileIron deployments, and it can also operate as a Kerberos Key Distribution Center Proxy (KKDCP) server.
Discovered and reported by researchers at cybersecurity company mnemonic, the critical vulnerability (CVE-2023-38035) enables unauthenticated attackers to gain access to sensitive admin portal configuration APIs exposed over port 8443, used by MobileIron Configuration Service (MICS).
This is possible after they bypass authentication controls by taking advantage of an insufficiently restrictive Apache HTTPD configuration.
Successful exploitation allows them to change configuration, run system commands, or write files onto systems running Ivanti Sentry versions 9.18 and prior.
Ivanti advised admins not to expose MICS to the Internet and restrict access to internal management networks.
"As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM," Ivanti said.
"Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have RPM scripts available now for all supported versions. We recommend customers first upgrade to a supported version and then apply the RPM script specifically designed for their version," the company added.
Ivanti provides detailed information on applying the Sentry security updates onto systems running supported versions in this knowledgebase article.
Since April, state-sponsored hackers have exploited two additional security vulnerabilities within Ivanti's Endpoint Manager Mobile (EPMM), previously known as MobileIron Core.
One of them (tracked as CVE-2023-35078) is a significant authentication bypass that was abused as a zero-day to breach the networks of various governmental entities in Norway.
The vulnerability can also be chained with a directory traversal flaw (CVE-2023-35081), granting threat actors with administrative privileges the ability to deploy web shells onto compromised systems.
"Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency's network," CISA said in an advisory published in early August.
The CISA joint advisory with Norway's National Cyber Security Centre (NCSC-NO) followed orders issued earlier this month asking U.S. federal agencies to patch the two actively exploited flaws by August 15 and August 21.
One week ago, Ivant also fixed two critical stack-based buffer overflows tracked as CVE-2023-32560 in its Avalanche software, an enterprise mobility management (EMM) solution, that could lead to crashes and arbitrary code execution following exploitation.
Head over to our on-demand library to view sessions from VB Transform 2023. Register Here
Exploiting gaps in cloud infrastructure that are leaving endpoints, identities and microservices exposed is a quick way for an attacker to steal credentials and infect an enterprise’s DevOps process. Attacks to exploit such gaps are skyrocketing.
The latest 2023 Thales Cloud Security Study provides hard numbers: 39% of enterprises have been hit with a data breach starting in their cloud infrastructure this year alone. A total of 75% of enterprises say that more than 40% of the data they store in the cloud is sensitive. Less than half of that data is encrypted.
CrowdStrike’s 2023 Global Threat Report explains why cloud-first attacks are growing: Attackers are moving away from deactivating antivirus, firewall technologies and log-tampering efforts and toward modifying core authentication processes, along with quickly gaining credentials and identity-based privileges.
The attackers’ goal is to steal as many identities and privileged access credentials as possible so they can become access brokers — selling stolen identity information in bulk at high prices on the dark web. Access brokers and the brokerages they’re creating often turn into lucrative, fast-growing illegal businesses. CrowdStrike’s report found more than 2,500 advertisements for access brokers offering stolen credentials and identities for sale.
VB Transform 2023 On-Demand
Did you miss a session from VB Transform 2023? Register to access the on-demand library for all of our featured sessions.
Consolidating tech stacks continues to dominate CISOs’ plans, driven by the need to Excellerate efficacy, manage a more diverse multicloud security posture, close gaps between cloud apps and shift security left in DevOps pipelines. All these factors are contributing to the growing adoption of cloud-native application protection platforms (CNAPP).
“CNAPPs are formed from the convergence of cloud security posture management (CSPM) and cloud workload protection platform (CWPP) capabilities as well as other security tooling like entitlement management, API controls and Kubernetes posture control,” reads Gartner’s 2023 Planning Guide for Security.
Leading CNAPP vendors are competing in various areas, the most important of which include the efficacy of their cloud infrastructure entitlement management (CIEM), Kubernetes security, API controls and cloud detection and response (CDR), according to CISOs VentureBeat spoke with. Demand for CNAPP is greatest in larger enterprises from highly regulated industries that rely on extensive multicloud configurations. Finance, government and healthcare providers are among the most dominant industries.
CISOs tell VentureBeat that one of the most practical benefits of CNAPPs is the opportunity to consolidate legacy tools with limited visibility across all threat surfaces and endpoints. The takeaway? Reducing tool sprawl is a quick win.
Full-platform CNAPP vendors provide integrated cloud-native security platforms ranging from DevOps to production environments. Here are the top 20 platforms of 2023:
Aqua Security: Highly regarded for its approach of scanning container registries and images, CSPM and runtime protection for container and cloud-native security. Also has full life cycle protection and advanced runtime techniques, including support for the extended Berkeley Packet Filter (eBPF).
Check Point: Provides a broad set of capabilities through its CloudGuard platform, including CSPM, CIEM and advanced runtime protection. Known for securing cloud workloads across environments with identity-centric access controls, as well as threat intelligence integration to provide real-time contextual prioritization of risks.
Cisco: Recently acquired Lightspin for its Kubernetes security capabilities and CSPM. Its Tetration platform focuses on runtime protection, leveraging eBPF and third-party insights for advanced container monitoring and granular controls. Cisco emphasizes behavioral analytics to detect anomalies and threats in container environments and provides strong controls to limit lateral movement between workloads.
CrowdStrike: Offers a leading CNAPP suite emphasizing identity-centric visibility, least-privilege enforcement and continuous monitoring. Its runtime protection leverages agents and eBPF for workload security. CrowdStrike’s key design goals included enforcing least-privileged access to clouds and providing continuous detection and remediation of identity threats.
Cybereason: Platform focuses heavily on malicious behavior detection. A core strength is its ability to detect threats using behavior-based techniques. The company is also known for API integrations, AI and machine learning (ML) expertise. Cybereason specializes in detecting compromised accounts and insider threats via detailed user activity monitoring.
Juniper Networks: Collects extensive data on device posture and traffic patterns to provide networking context for security insights. Also enables segmentation controls between Juniper devices.
Lacework: Focused on workload behavior analysis for containers and runtime techniques such as eBPF to gain a comprehensive insight into container activity and performance. Its emphasis on detecting anomalies using advanced ML algorithms that are custom-tuned for containerized environments is a key differentiator.
Microsoft: Integrates security across Azure services with zero-trust controls, enforces least-privileged access and provides workload protections such as antivirus and firewalls. Uses Microsoft Graph to correlate security analytics and events across Azure.
Orca Security: Performs continuous authorization checks on identities and entitlements across cloud environments. A key differentiator is the ability to generate detailed interactive maps that visualize relationships between cloud assets, users, roles and permissions.
Palo Alto Networks Prisma Cloud: Provides a broad suite of capabilities, including identity-based microsegmentation and robust runtime protection with eBPF. Prisma Cloud is an industry leader known for advanced protections such as deception technique and includes extensive compliance automation and DevSecOps integrations.
Qualys: Focuses on compliance and vulnerability management through continuous scanning and least-privilege controls. Identifies vulnerabilities throughout the life cycle and enables automated patching and remediation workflows. Another key differentiator is compliance mapping and reporting.
Rapid7: Enforces least privilege access and enables automated response and remediation triggered by events. Offers pre configured policies and streamlined workflows designed for small security teams. An intuitive user interface and rapid implementation aim to simplify deployment and usability for organizations with limited security resources.
Sonrai Security: Focuses on entitlement management and identity-based security using graph database technology to discover and map user identities across cloud environments. User identity, geolocation and other contextual factors can define custom access controls.
Sophos: Focuses on data security, compliance and threat monitoring capabilities and offers advanced data loss prevention such as file fingerprinting and optical character recognition. Cloud environments also have anti-ransomware protections.
Sysdig: Centered on runtime security and advanced behavioral monitoring. For container-level visibility and anomaly detection, the platform uses embedded agents. Sysdig Secure Advisor includes an integrated security assistant to help SecOps and IT teams create policies faster.
Tenable: Focused on compliance, entitlement management and identity governance. Offers comprehensive compliance automation mapped to PCI, HIPAA and ISO regulations. Also provides differentiated identity and compliance management through advanced capabilities to enforce least privilege and certify access.
Trend Micro: Includes runtime security, compliance and threat monitoring, enforces policies and protects cloud environments from file- and email-based threats. Custom sandboxing for suspicious file analysis is also included.
Uptycs: Differentiates itself by combining CNAPP capabilities with extended detection and response (EDR) capabilities. Employs data lake techniques to store and correlate security telemetry across cloud and container workloads. Threats are identified using behavioral analytics, and automated response workflows allow for rapid remediation.
Wiz: Centered on continuous access controls, micro segmentation and identity-based adaptive security. Automatically discovers and visualizes relationships between cloud assets, users and permissions. Wiz also conducts risk analysis to identify potential attack paths and stands out with its specialized visualization, identity management and micro-segmentation.
Zscaler: Posture Control prioritizes risks caused by misconfigurations, threats and vulnerabilities. Completely agentless and correlates data from multiple security engines.
CNAPPs are gaining popularity as CISOs look to consolidate and strengthen their security technology stacks. Platforms can provide integrated security across the development lifecycle and cloud environments by combining capabilities including cloud workload protection, container security and CIEM.
CNAPP adoption will continue accelerating in highly regulated industries including finance, government and healthcare. CISOs in these industries are under pressure to consolidate tech stacks, Excellerate compliance and secure complex cloud infrastructure simultaneously. Because they provide a unified platform that meets multiple security and compliance requirements, CNAPPs are proving to be an effective consolidation catalyst.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.
Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. The attacker group Nobelium, linked with the SolarWinds attacks, has been documented using native functionality like the creation of Federated Trusts  to enable persistent access to a Microsoft tenant.
This article demonstrates an additional native functionality that when leveraged by an attacker enables persistent access to a Microsoft cloud tenant and lateral movement capabilities to another tenant. This attack vector enables an attacker operating in a compromised tenant to abuse a misconfigured Cross-Tenant Synchronization (CTS) configuration and gain access to other connected tenants or deploy a rogue CTS configuration to maintain persistence within the tenant. Vectra AI has not observed the use of this technique in the wild but given the historical abuse of similar functionality — Vectra AI presents details for defenders to understand how the attack would present and how to monitor for its execution. In addition, the article will review how Vectra AI customers currently have coverage — and have had coverage from day one of the functionality being released for this technique through their AI-driven detections and Vectra Attack Signal IntelligenceTM.
CTS is a new feature from Microsoft that enables organizations to synchronize users and groups from other source tenants and grant them access to resources (both Microsoft and non-Microsoft applications) in the target tenant. CTS features build on previous B2B trust configurations enabling automated and seamless collaboration between different tenants and is a feature that many organizations will look to adopt.  
CTS is a powerful and useful feature for organizations like business conglomerates with multiple tenants across affiliated companies, but also opens potential reconnaissance, lateral movement and persistence attacks by bad actors if not configured and managed correctly. Read on for the potential risks and attack paths that adversaries can leverage to exploit CTS to abuse trust relationships from a potentially compromised tenant to any other tenant configured with a CTS trust relationship.
The exploitation techniques follow Assumed Compromise philosophy. The techniques used in these exploits assume that an identity has been compromised in a Microsoft cloud environment. In a real-world setting, this could originate from a browser compromise on an Intune-managed endpoint with a Microsoft-managed identity.
|Source tenant||Tenant from where users & groups are getting synced|
|Target tenant||Tenant with resources where users & groups are getting synced|
|Resources||Microsoft applications (Teams, SharePoint, etc.) and non-Microsoft applications (ServiceNow, Adobe, etc.)|
|CTS||Abbreviation to reference 'Cross Tenant Synchronization' in this document|
|CTA||Abbreviation to reference 'Cross Tenant Access' in this document|
|Compromised Account||Adversaries initial point of access|
Important things to know about CTS configuration:
The attack techniques described in this article require certain licenses and a privileged account compromise or privilege escalation to certain roles in the compromised tenant. A Global Admin role can perform all these actions in a tenant. 
|Action||Source Tenant||Target Tenant|
|Tenant License||Azure AD Premium P1 or P2||Azure AD Premium P1 or P2|
|Configure CTA||Security Administrator||Security Administrator|
|Configure CTS||Hybrid Identity Administrator||N/A|
|Assign users to CTS configuration||Cloud Admin or Application Admin||N/A|
An attacker operating in a compromised environment can exploit an existing CTS configuration tenant to move laterally from one tenant to another connected tenant.
An attacker operating in a compromised tenant can deploy a rogue Cross Tenant Access configuration to maintain persistent access.
Vectra's existing portfolio of alerts are capable of detecting this activity even prior to understanding this operation's implication as well as the expected actions that would occur prior to this event.
The fact that there is no genuine vulnerability exploited in this technique makes it harder to prevent once an adversary is in the environment with sufficient privileges. However, Vectra's AI-driven detections have been designed to detect these types of privilege abuse scenarios without having to rely on signatures or lists of known operations.
Vectra's Azure AD Privilege Operation Anomaly monitors for the underlying value of every operation in the environment and every user. The AI continuously creates a baseline of the types of actions that should be occurring in the environment and identifies cases of cloud-based privilege abuse. By focusing on the behavior of privilege abuse, Vectra is able to identify emerging techniques like the one documented here.
Attacker actions that would occur prior to the attack such as the account access following a token theft or other forms of account compromise, would be alerted on by Vectra detections like Azure AD Unusual Scripting Engine Usage, Azure AD Suspicious Sign-on or Azure AD Suspicious OAuth Application.
Testing environments regularly and effectively is the best way to be confident in the ability to defend against cyberattacks. MAAD-Attack Framework is an open-source attack emulation tool that combines the most commonly used attacker techniques and allows security teams to quickly and effectively emulate them in their environments via a simple interactive terminal. Check out MAAD-AF on GitHub or learn more about it here.
Security teams can use MAAD-AF module "Exploit Cross Tenant Synchronization" to emulate and test against the CTS exploitation techniques in their environment.
Want to learn more?
Vectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. The Vectra AI Platform delivers the integrated signal powering XDR, SIEM, SOAR — whatever your pane of glass. This powerful platform equips SOC teams with hybrid attack surface coverage and real-time Attack Signal Intelligence, along with integrated, automated and co-managed response. Companies can choose the modules they need to achieve full coverage across identity, public cloud, SaaS and data center networks.
Contact Vectra AI today.