As a dominant player in enterprise and personal computing, Microsoft owes it to its customers to keep its products and services secure, especially at a time when data breaches and cyber attacks are showing no signs of abating.
Beginning with its Trustworthy Computing framework spearheaded by Bill Gates in 2002, Microsoft’s efforts in security have come a long way, from changing the way it develops software across the product development cycle to the formation of the Enterprise Cybersecurity Group (ECG) in 2015.
In this interview, Computer Weekly APAC editor Aaron Tan speaks to Eric Lam, Microsoft’s Asia director for ECG, who discusses the pain points that chief information security officers (CISOs) are facing and what Microsoft is doing to address pressing cyber security challenges.
Tan: It has been around three years since the ECG was formed. How has the group helped enterprises in Asia-Pacific improve their security posture so far?
Lam: We have been helping customers understand how security is built into Microsoft’s products and services, and that’s important because there’s still an obsession around best-of-breed security products to mitigate security risks. This approach will be less effective over time, given the scale and volume of cyber security incidents we’re seeing today.
In Asia-Pacific, we are a team of cyber security specialists who serve as trusted advisors to our customers who want to get the most value out of their Microsoft products and services from a security perspective.
This may include areas such as threat protection, which covers endpoints, servers and right into the cloud. Putting in place a comprehensive threat protection strategy is a challenge for customers, and Microsoft has the ability to help them with that because we have security expertise across all those layers.
Take malware, for example. When it comes in through an e-mail attachment or link, it could infect one or two machines and start spreading. But today, we have built in detection and response capabilities into Windows 10, through Windows Defender AV for endpoint protection.
We also have Windows Defender Advanced Threat Protection (ATP) that can detect abnormal behaviour and unknown malware at an endpoint. Red flags are raised for those malware even though their signatures may not be available.
After some inspection and investigation, we’ll find out what’s going on and help customers protect other endpoints. This way, we can limit the impact of unknown malware to just a few devices.
Because Windows Defender ATP is a cloud service, we’re able to send information about the malware and infected emails to Microsoft Office, which can then quarantine the malware. This level of response, automation and integration is extremely difficult to execute if you have half a dozen security products across your IT stack.
Tan: You meet a lot of CISOs – what would you say are their biggest challenges?
Lam: With the risk of reputational damage and potential loss of jobs in the event of a cyber attack, CISOs face the challenge of navigating the complex cyber security landscape.
A large organisation may need more than 100 security technologies to protect its environment. If it can reduce that complexity, the CISO’s job will be a lot easier, because they won’t have to worry about having too many systems to manage. Getting multiple alerts won’t help either if their security systems are not integrated.
Tan: At Black Hat Asia last year, cyber security experts called for the software industry to do more to plug the vulnerabilities in their products. In the physical world, we don’t accept cars with defects but we seem to have accepted defective software. What are your thoughts?
Lam: I would say that a lot has been done to make sure software is as robust and resilient as it can be. For example, Windows 10 is vastly superior to earlier versions of the operating system. In fact, Windows 10 was built from the ground up.
That said, the software we have today is never going to be perfect, but it is very much improved. Anyone who is already using Windows 10 will attest to that.
In general, I agree we need to have better software with fewer bugs and vulnerabilities. We have also done a lot of work to protect Microsoft’s cloud infrastructure and services, products and devices, and our own corporate resources.
Tan: Can you provide examples of what that work entails, say, red teaming or penetration testing?
Lam: Microsoft runs a Cyber Defense Operations Center (CDOC) in the US, which is more than a security operations centre. At CDOC, we have in-house teams that do threat hunting and red-blue teaming exercises.
At Microsoft, we fundamentally believe that a breach has occurred and that we will get attacked sooner or later. With that mindset, we don’t rely just on protection. We’re also vigilant in detecting threats so we can reduce the window for attackers to get into our systems.
If they break our defences, we want to catch them in the act and immediately respond to attacks. Our global incident response teams also provide services for some of our key customers in the event of a breach or attack.
Tan: What are your thoughts on the state of cyber security in the APAC region?
Lam: With attacks intensifying, organisations need to do a lot more to become resilient. As they move to the cloud or plan to do so, they will also have to look at securing their infrastructure on the cloud.
The good news is that the level of security provided by the cloud can be higher than what an organisation can provide – a point that was also made by David Gledhill of DBS Bank, one of our customers in Singapore.
Tan: But a secure cloud infrastructure isn’t a panacea for data breaches and cyber attacks, as evident from the data leakages resulting from misconfigured S3 buckets.
Lam: When you move to the cloud, you’re not handing off everything to the cloud provider. Employees accessing cloud applications and services still need to adopt best practices. Security incidents often arise because of human error and behaviour, so there’s no substitute for good end-user education.
Tan: Do you think the growing complexity of managing hybrid IT environments – where staff may not be fully conversant with cloud technologies – contributes to the security problem?
Lam: You nailed it. It is complexity, and it gets more complex for IT operations and security teams to manage as organisations get larger. But with built-in security, they won’t have the burden of managing multiple complicated technologies. If they use Office 365, for example, we will identify malicious links and detonate them in a sandbox.
This will ensure employees won’t click on them out of curiosity. If their identities have been compromised, we can detect if someone is trying to log in using their accounts through threat analytics. We take that kind of complexity away from the IT operations folks, enabling organisations to become more secure.
Tan: Much of the security efforts you’ve shared apply to Windows-based workloads and customers who use Microsoft software. What about Linux which forms the majority of Azure Marketplace workloads?
Lam: A large proportion of the compute power in our datacentres is running Linux. That wasn’t the case in the past, but we have transformed. Customers using our cloud platform can leverage security technologies from our partners and third-parties to protect their cloud assets. And they can manage all of that using the Azure Security Center, a single platform that offers a central console to manage their cloud presence.