Introduction
Experts expect cybercrime to cost companies $9.5 trillion in 2024. This anti-economy is larger than the Gross Domestic Product of every country besides the United States and China.
Microsoft has always taken security seriously, but staying ahead of hackers is a significant challenge. Microsoft Corporate Vice President and Security Fellow John Lambert once said: "Defenders think in lists; attackers think in graphs," indicating that hackers tend to be more sophisticated than those they attack.
Microsoft faces constant attack threats as a large software, hardware, services, and cloud company. The United States Department of Defense is the only organization targeted more than Microsoft.
After some partially successful attacks, Microsoft leadership decided to re-engineer their approach to security. The result was the Secure Future Initiative (SFI), which was introduced in late 2023 and expanded in mid-2024. It focused on three broad categories: Culture, governance, and accountability; Highest urgency and expansion of scope; and New operating model and processes.
Culture, governance, and accountability
This category included hiring a new Chief Information Security Officer (CISO), Igor Tsyganskiy, and delivering regular reports on security threats, responses, and updates to the Senior Leadership Team and the Board of Directors. Microsoft's senior leadership team now has security plans and milestones tied to their compensation. Other employees are also affected, as the company has made security a core priority in every role at all levels.
Highest urgency and expansion of scope
This Fiscal Year, the Microsoft leadership team is emphasizing that security is the number one priority of every employee. Projects, applications, and services often involve trade-offs between priorities (e.g., new features and bug fixes or between speed and reliability). The message to employees is: If a trade-off exists between security and something else, security takes precedence. Every employee in every division of the company received this message.
New operating model and processes
Microsoft introduced six security priority categories, known as the SFI Pillars. A Lead for each pillar drives the execution of that pillar across departments.
Security Principles
Microsoft's approach emphasizes the following security principles: Secure by Design, Secure by Default, and Secure Operations. I describe these principles below:
Secure by Design
Microsoft builds security into every product and service they ship. The Common Weakness Enumeration (CWE) is a catalog of common software and hardware weakness types that Microsoft uses to identify and correct potential flaws.
Secure by Default
Many products and services have options to increase security. These options are now turned on by default. You may turn them off at your own risk.
Secure Operations
Microsoft provides monitoring tools to help users determine if their services and software are under attack or at risk of attack, allowing them to react quickly. Additionally, Microsoft has 34,000 engineers focused on security and has removed 730,000 applications that do not meet SFI standards.
SFI Pillars
The Secure Future Initiative consists of six major security priorities, as described below. Some pillars refer to commitments from Microsoft leadership; some are specific changes to processes and software.
Protect Identities and Secrets
This pillar ensures that all services and applications support protection tools, such as Multi-Factor Authentication, open identity standards, and system-managed credentials. It also involves encouraging the use of these tools and requiring internal employees to utilize them. System Managed Identities are more complex than passwords but are inherently more secure, and they remove the need for human intervention in rotating passwords.
Protect Tenants and Isolate Production Systems
Microsoft actively removed unused tenants and legacy systems, reducing the risk of exposing systems with insufficient protection. In addition, they have applied solid practices to existing systems, such as least-privilege access and denying access from unsecured devices.
Protect Networks
This pillar involves improved isolation of networks. Microsoft production environments are now each isolated from one another, and this isolation is implemented by default in networks created by customers. These defaults help prevent a threat actor from moving laterally within a system.
Protect Engineering Systems
The source code of all Microsoft products is secured, applying least-privilege access to all users. Microsoft uses automated scanning tools and the code analysis query language CodeQL to analyze source code and automatically detect potential vulnerabilities.
The testing and deployment of code to all environments is automated, making these processes repeatable and secure. The idea is to treat Testing, Development, and Demo environments with the same rigor as Production environments.
Monitor and Detect Threats
Monitoring and real-time threat analysis have been improved within Azure, making it easier to troubleshoot issues. Microsoft has implemented policies to keep security logs in a central data lake for at least two years, making it easier to detect threats more quickly.
Using the tools and practices described above, Microsoft has committed to reducing the response time when mitigating critical security issues and resolving vulnerabilities. Perhaps more importantly, they committed to increasing the transparency of the vulnerabilities when discovered.
Conclusion
Some of these recommendations came from a report issued by the Cyber Safety Review Board (CSRB) of the US Department of Homeland Security. Others are an evolution of what was already happening or a response to recent issues uncovered internally.
One goal is to drive a culture change, allowing every employee to prioritize security in everything they do. Security is a team sport involving everyone in the software development lifecycle. Turning on security features by default and adding multiple layers of defense make it easier to fall into the pit of success. Improved, more secure internal systems and better education are at the heart of these efforts.
Together, these activities will increase cybersecurity, decrease the risk of threats, and anticipate and respond to future cyberattacks.
Links