Vulnerability management overview

How do Microsoft online services conduct vulnerability management?

No matter how well a system is designed, its security posture can degrade over time. Machines can go unpatched, inadvertent configuration changes can be introduced, and regressions to security code can accumulate. All these issues can make a system less secure than when it was initially deployed. Microsoft has built automation to continually assess our systems for this kind of degradation, enabling us to act immediately to correct issues in our security posture.

Microsoft online services use machine state scanning to make sure the machines comprising our infrastructure are up to date with the latest patches and that their base configurations correctly align with relevant frameworks. Machine state scanning uses patching, anti-malware, vulnerability scanning, and configuration scanning (PAVC). Microsoft online services apply effective PAVC by installing a custom security agent on each asset during deployment. This security agent enables machine state scanning and reports results to our service teams.

How do Microsoft online services ensure service infrastructure is up to date with the latest security patches?

Patch management mitigates vulnerabilities by ensuring Microsoft online services systems are updated quickly when new security patches are released. Microsoft prioritizes new security patches and other security updates according to risk. Microsoft online service security teams analyze available security patches to determine their risk level in the context of our production environments. Their analysis includes severity scores based on the Common Vulnerability Scoring System (CVSS) along with other risk factors.

Microsoft service teams review the analysis from the security team and update their service components and baseline images with applicable patches within the appropriate remediation timeframe. Security patches are subject to the change management process to ensure adequate testing and management approval before deployment to production environments. Deployment of security patches occurs in stages to enable rollback if a security patch causes unexpected issues.

Service teams use vulnerability scan results to validate security patch deployment on applicable system components. Any overdue vulnerabilities are reported daily and reviewed by management monthly to measure the breadth and depth of patch coverage across the environment and hold ourselves accountable for timely patching.

How does Microsoft conduct vulnerability and configuration scanning?

Microsoft's security agent is installed during asset deployment and enables fully automated vulnerability and configuration scanning. The security agent uses industry-standard tools to detect known vulnerabilities and security misconfigurations. Production assets are scheduled for daily, automatic scans with the most recent vulnerability signatures. The results of these scans are collected in a secure, central storage service, and automated reporting makes results available to service teams.

Service teams review scan results using dashboards that report aggregate scan results to provide comprehensive reporting and trend analysis. Vulnerabilities detected in scans are tracked in these reports until they are remediated. When vulnerability scans indicate missing patches, security misconfigurations, or other vulnerabilities in the environment, service teams use these reports to target the affected components for remediation. Vulnerabilities discovered through scanning are prioritized for remediation based on their Common Vulnerability Scoring System (CVSS) scores and other relevant risk factors.

How does Microsoft defend against malware?

Microsoft uses comprehensive anti-malware software to protect Microsoft online services against viruses and other malware. Baseline operating system images used by Microsoft online services include this software to maximize coverage throughout the environment.

Every endpoint in Microsoft online services performs a full anti-malware scan at least weekly. Additional real-time scans are performed on all files as they are downloaded, opened, or executed. These scans use known malware signatures to detect malware and prevent malware execution. Microsoft's anti-malware software is configured to download the most recent malware signatures daily to ensure scans are conducted with the most up-to-date information. In addition to signature-based scans, Microsoft anti-malware software uses pattern-based recognition to detect and prevent suspicious or anomalous program behavior.

When our anti-malware products detect viruses or other malware, they automatically generate an alert for Microsoft security response teams. In many cases, our anti-malware software can prevent the execution of viruses and other malware in real time without human intervention. When this prevention is not possible, Microsoft security response teams resolve malware incidents using the security incident response process.

How does Microsoft detect new or unreported vulnerabilities?

Microsoft supplements automated scanning with sophisticated machine learning to help detect suspicious activity that might indicate the presence of unknown vulnerabilities. Regular penetration testing by internal Microsoft teams and independent auditors provides an additional mechanism for discovering and remediating vulnerabilities before they can be exploited by real-world attackers. Microsoft conducts internal penetration testing using "Red Teams" of Microsoft ethical hackers. Customer systems and data are never the targets of penetration testing, but lessons learned from penetration tests help Microsoft validate its security controls and defend against new kinds of attacks. Microsoft also uses bug bounty programs to incentivize disclosure of new vulnerabilities, enabling them to be mitigated as soon as possible.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to vulnerability management.

Azure and Dynamics 365

External audits Section Latest report date
ISO 27001/27002

Statement of Applicability
Certification
A.12.6.1: Management of technical vulnerabilities December 2, 2020
ISO 27017

Statement of Applicability
Certification
A.12.6.1: Management of technical vulnerabilities December 2, 2020
ISO 27018

Statement of Applicability
Certification
A.12.6.1: Management of technical vulnerabilities December 2, 2020
SOC 1
SOC 2
SOC 3
VM-3: Anti-malware monitoring
VM-5: Patching
VM-6: Vulnerability Scanning
March 31, 2021
November 12, 2021
November 12, 2021

Office 365

External audits Section Latest report date
FedRAMP CA-7: Continuous monitoring
CA-8: Penetration testing
RA-3: Risk assessment
RA-5: Vulnerability scanning
SI-2: Flaw remediation
SI-5: Security alerts, advisories, and directives
September 24, 2020
ISO 27001/27002/27017

Statement of Applicability
Certification (27001/27002)
Certification (27017)
A.12.6.1: Management of technical vulnerabilities March, 2021
SOC 1 CA-27: Vulnerability scanning December 24, 2020
SOC 2 CA-24: Internal risk assessment
CA-27: Vulnerability scanning
December 24, 2020

Resources