New SECCON framework gives five levels of DEFCON-like advice for securing endpoints
Microsoft this week rolled out a new security framework to help administrators lock down Windows 10 endpoints based on five typical device scenarios in a business setting. The five levels in the new SECCON framework are designed to mimic the well-known DEFCON levels and provide specific guidance for endpoint configurations along with primary and compensating controls, policies, and behaviors.
The Lowdown: The recommendations in the SECCON framework were developed, in part, through analysis of the top Security Core recommendations generated by Microsoft Defender ATP, which are context-aware and driven by current configurations and threat models, the company said. Feedback from a select group of pilot customers, experts from Microsoft’s engineering team, and the Microsoft sales field also informed the SECCON guidance.
The Details: Microsoft’s five SECCON levels are:
Level 5 (lowest priority) – Enterprise security: This configuration includes the minimum-security configuration for an enterprise device. Recommendations for this security configuration level are generally straightforward and are designed to be deployable within 30 days.
Level 4 – Enterprise high security: Recommended for devices where users access sensitive or confidential information. Some of the controls may have an impact on app compatibility, and must go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
Level 3 – Enterprise VIP security: For devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk. An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this security configuration level can be complex such as removing local admin rights, and can often go beyond 90 days.
Level 2 – DevOps workstation: Recommended configuration for developers and testers, both attractive targets for supply-chain attacks and credential theft attacks that attempt to gain access to servers and systems containing high-value data or where critical business functions could be disrupted. This guidance is still under development, Microsoft officials said.
Level 1 (highest priority) – Administrator workstation: For machines at the highest level of risk of data theft, data alteration, or service disruption. This guidance is also still under development.
The Buzz: “In the past, we left defining the security configuration for Windows 10 as a task for every customer to sort out. As a result, we saw as many different configurations as we saw customers,” wrote Microsoft Principal Program Manager Chris Jackson in a blog post unveiling the new SECCON framework. “Standardization has many advantages, so we developed a security configuration framework to help simplify security configuration while still allowing enough flexibility to allow you to balance security, productivity, and user experience.”