Microsoft beefs up cyber initiative after hard-hitting US report

Six prioritised pillars

Added to this, Microsoft will now align a set of expanded goals and actions to six prioritised pillars, as follows:

• The protection of identities and secrets using best-in-class, quantum-ready standards;
• The protection and isolation of all Microsoft tenants and production systems;
• The protection of Microsoft production networks, and the isolation of Microsoft and customer resources;
• The protection of engineering systems, encompassing software assets, code security and governance of the software supply chain;
• The monitoring and detection of threats, providing comprehensive coverage and automatic detection of threats to Microsoft production infrastructure;
• The acceleration of response and remediation to vulnerabilities, reducing time to mitigate for high-severity bugs and improving public messaging and transparency.

“These goals directly align to our learnings from the Midnight Blizzard incident, as well as all four CSRB recommendations to Microsoft and all 12 recommendations to cloud service providers (CSPs), across the areas of security culture, cyber security best practices, auditing logging norms, digital identity standards and guidance, and transparency,” said Bell.

“We are delivering on these goals through a new level of coordination with a new operating model that aligns leaders and teams to the six SFI pillars, in order to drive security holistically and break down traditional silos.”

Internally, Microsoft is also taking steps to improve how its people respond as a collective, implementing new initiatives to help operationalise its learnings from incidents, and instituting a new governance framework overseen by its chief information security officer (CISO), Igor Tsyganskiy, which introduces a partnership between engineering teams and a newly created group of deputy CISOs, and will be backed by the full breadth of Microsoft’s existing nation state actor and threat-hunting capabilities.

It also plans to do more to instil a security-first culture, and will be starting broadscale weekly and monthly operational meetings to include all levels of management and senior individual contributors working on detailed execution and continuous improvement of security.

“Ultimately, Microsoft runs on trust, and this trust must be earned and maintained,” said Bell. “As a global provider of software, infrastructure and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cyber security. This is job number one for us.”

Jake Williams, a faculty member at cyber research firm IANS Research and former hacker for the NSA, said: “Microsoft has some really ambitious goals in their Secure Future Initiative. Most organisations have neither the will nor the technical ability to achieve these goals, but any organisation that does will be in a prime position to repel most intrusions.

“Microsoft certainly has the technical ability to implement these, but that’s always been the case. It appears they now have the political will to do so as well.

“There are plenty of details about significant technical security enhancements Microsoft is making,” he continued. “The hardest part of most of these is getting to 100%. Anything less than 100% leaves a residual attack surface that threat actors will exploit.

“These efforts follow the old 80/20 rule where most of the effort is expended getting the last holdouts onboarded into the new security regime. The thing that gives me the most confidence that Microsoft will get there is the emphasis that engineer SVPs are holding regular operational meetings with all levels of management and senior ICs. That’s how you reinforce cultural change and make sure that it sticks.”