Microsoft review treats security as ‘top priority’ after series of flaws



Microsoft is making security its number one priority for all employees, after years of security issues and mounting criticism. After a scathing report from the US Cybersecurity Review Board recently concluded that “Microsoft’s security culture was inadequate and requires review,” it is doing just that, outlining a set of security principles and goals that are tied to compensation packages for Microsoft’s senior leadership team.

Last November, Microsoft announced a Secure Future Initiative (SFI) in response to growing pressure on the company to respond to attacks that allowed Chinese hackers to breach US government email accounts. Within days of announcing this initiative, Russian hackers managed to breach Microsoft’s defenses and spy on the email accounts of some members of Microsoft’s senior leadership team. Microsoft only discovered the attack almost two months later, in January, and the same group even stole the source code.

These recent attacks have been damaging, and the Cybersecurity Review Board’s report added fuel to Microsoft’s security fire recently by concluding that the company could have prevented the breach of US government email accounts in 2023 and that a “cascade of security breaches” led to this incident.

“We are making security our top priority at Microsoft, above all else – above all other features,” explains Charlie Bell, executive vice president of security at Microsoft, in a blog post today. “We will instill accountability by basing part of the company’s senior leadership team’s compensation on our progress in meeting our security plans and milestones.”

Microsoft now has three security principles that make up a large part of these goals: security by design; safe by default; safe operations. These principles are designed to put security first during the design phases of products and services, place a greater focus on protections that are enabled by default, and improve controls and monitoring for current and future threats.

The broader goals are underscored by “six prioritized security pillars,” which is a corporate term for things Microsoft needs to improve a lot:

  1. Protect identities and secrets. Microsoft promises to implement “best-in-class standards” in its identity and secrets infrastructure so that 100% of user accounts are protected through multi-factor authentication and 100% of applications are protected by managed credentials such as certificates.
  2. Protect tenants and isolate production systems. Microsoft is taking an approach here to ensure that only healthy, managed, and secure devices have access to the company’s own suite of services, along with a least privilege access model (the minimum access levels or permissions) for 100% of applications.
  3. Protect networks. Microsoft promises to protect 100% of its networks and network-connected production systems by applying isolation and microsegmentation to all production environments. This should help create additional layers of defense against attackers.
  4. Protect engineering systems. Microsoft says it will protect access to its source code 100% of the time through Zero Trust and least privilege access policies. Any source code deployed to production environments will also be protected by security best practices, and test environments will also have standardized security and infrastructure isolation.
  5. Monitor and detect threats. Microsoft promises to retain 100% of security logs for two years and make six months of “appropriate logs” available to customers. It will also automatically detect and respond “quickly” to suspicious access or configuration changes across 100% of Microsoft’s production infrastructure and services.
  6. Speed response and correction. The goal here is to prevent unpatched vulnerabilities from being exploited with a “more timely patch.” Microsoft is committing to reducing the time it takes to patch “high severity” cloud security vulnerabilities and increasing transparency around these issues by adopting the Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) industry standards.

All of these goals are tied to some of Microsoft’s leadership compensation and are a clear and direct response to recent Russian hacking and Cybersecurity Review Board recommendations.

Microsoft is now coordinating its engineering teams to complete this work in phases across the company. “These engineering waves involve teams from Azure Cloud, Windows, Microsoft 365, and Security, with additional product teams onboarded weekly into the process,” says Bell.

Microsoft is already making progress toward its ambitious security goals. The company has implemented multi-factor by default in more than 1 million of its own Microsoft tenants, including those used for development, testing, demos, and production. So far, it has also removed 730,000 apps that “were out of lifecycle or did not meet current SFI standards.”

The software maker is also trying to improve its security culture after it was deemed “inadequate” by the Cybersecurity Review Board. Microsoft engineering leaders are now holding weekly and monthly operational meetings that include a variety of managers and senior individuals, with the goal of improving Microsoft’s security thinking across the company.

Microsoft is also adding deputy chief information security officers (CISOs) to each product team and moving its threat intelligence team to report directly to the CISO. This should mean there is clear responsibility for security within engineering teams.

I reported last month that there is concern within Microsoft that recent security attacks could seriously undermine trust in the company. “Ultimately, Microsoft runs on trust, and that trust must be earned and maintained,” says Bell. “As a global provider of software, infrastructure and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to evolving cybersecurity needs. This is job No. 1 for us.”


