Microsoft beefs up cyber initiative after hard-hitting US report

Microsoft is expanding its recently launched Secure Future Initiative in the wake of a hard-hitting US government report on recent nation state intrusions into its systems

Microsoft is doubling down on its recently launched Secure Future Initiative (SFI), expanding the programme – which sets out to address the software and vulnerability issues frequently exploited by threat actors – in the wake of the US government Cyber Safety Review Board (CSRB) report on last year’s Storm-0558 intrusion and the January 2024 Midnight Blizzard (Cozy Bear) attack.

Redmond said the rapid evolution of the threat landscape underscored the severity of the threats that face both its own operations and those of its customers, and acknowledged that given its central role in the world’s IT ecosystem, it had a “critical responsibility” to earn and maintain trust.

“We are making security our top priority at Microsoft, above all else – over all other features,” said Charlie Bell, executive vice-president of Microsoft Security. “We’re expanding the scope of SFI, integrating the recent recommendations from the CSRB as well as our learnings from Midnight Blizzard to ensure that our cyber security approach remains robust and adaptive to the evolving threat landscape.

“We will mobilise the expanded SFI pillars and goals across Microsoft and this will be a dimension in our hiring decisions,” he said. “In addition, we will instil accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.”

The SFI, as initially outlined by Microsoft vice-chair and president Brad Smith in November 2023, centres on three core pillars – developing and improving AI-based cyber defences, improving software engineering practice, and advocating for stronger application of international norms in cyber space.

In a blog post setting out the SFI expansion, Bell explained that this approach would now evolve with the work to be guided by three new principles:

  • Security by design, as a primary consideration in the design and development of any Microsoft product or service;
  • Security by default, with protections enabled and enforced by default, requiring no extra effort from users, but equally with no opt-outs for them;
  • Secure operations, with controls and monitoring continuously improving to meet changing threats head on.

Six prioritised pillars

Added to this, Microsoft will now align a set of expanded goals and actions to six prioritised pillars, as follows:

  • The protection of identities and secrets using best-in-class, quantum-ready standards;
  • The protection and isolation of all Microsoft tenants and production systems;
  • The protection of Microsoft production networks, and the isolation of Microsoft and customer resources;
  • The protection of engineering systems, encompassing software assets, code security and governance of the software supply chain;
  • The monitoring and detection of threats, providing comprehensive coverage and automatic detection of threats to Microsoft production infrastructure;
  • The acceleration of response and remediation to vulnerabilities, reducing time to mitigate for high-severity bugs and improving public messaging and transparency.

“These goals directly align to our learnings from the Midnight Blizzard incident, as well as all four CSRB recommendations to Microsoft and all 12 recommendations to cloud service providers (CSPs), across the areas of security culture, cyber security best practices, auditing logging norms, digital identity standards and guidance, and transparency,” said Bell.

“We are delivering on these goals through a new level of coordination with a new operating model that aligns leaders and teams to the six SFI pillars, in order to drive security holistically and break down traditional silos.”

Internally, Microsoft is also taking steps to improve how its people respond as a collective, implementing new initiatives to help operationalise its learnings from incidents, and instituting a new governance framework overseen by its chief information security officer (CISO), Igor Tsyganskiy. That framework introduces a partnership between engineering teams and a newly created group of deputy CISOs, and will be backed by the full breadth of Microsoft’s existing nation state actor and threat-hunting capabilities.

It also plans to do more to instil a security-first culture, and will be starting broad-scale weekly and monthly operational meetings that include all levels of management and senior individual contributors working on detailed execution and continuous improvement of security.

“Ultimately, Microsoft runs on trust, and this trust must be earned and maintained,” said Bell. “As a global provider of software, infrastructure and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cyber security. This is job number one for us.”

Jake Williams, a faculty member at cyber research firm IANS Research and former hacker for the NSA, said: “Microsoft has some really ambitious goals in their Secure Future Initiative. Most organisations have neither the will nor the technical ability to achieve these goals, but any organisation that does will be in a prime position to repel most intrusions.

“Microsoft certainly has the technical ability to implement these, but that’s always been the case. It appears they now have the political will to do so as well.

“There are plenty of details about significant technical security enhancements Microsoft is making,” he continued. “The hardest part of most of these is getting to 100%. Anything less than 100% leaves a residual attack surface that threat actors will exploit.

“These efforts follow the old 80/20 rule where most of the effort is expended getting the last holdouts onboarded into the new security regime. The thing that gives me the most confidence that Microsoft will get there is the emphasis that engineer SVPs are holding regular operational meetings with all levels of management and senior ICs. That’s how you reinforce cultural change and make sure that it sticks.”
