12/15/2016
10:00 AM

Microsoft Execs: Identity, Threat Intelligence Driving Company's Security Strategy

One year after Microsoft announced its $1B investment into a holistic cybersecurity strategy, executives discuss how their plans unfolded and what's on the agenda for 2017.

In November 2015, Microsoft shared the details of its $1B investment in a new integrated security strategy across its portfolio of products and services including Windows, Office, and Azure. 

The funds were allocated toward initiatives such as doubling the number of security executives and launching the Microsoft Enterprise Cybersecurity Group (ECG) and Cyber Defense Operations Center (CDOC). Its broader goal was to better protect, detect, and respond to cyberthreats.

One year following the announcement, Dark Reading caught up with Microsoft executives to learn about how its holistic strategy unfolded in 2016 and where its priorities lie for the year ahead.  

Bret Arsenault, Microsoft CVP and CISO, explains how the past year has driven platform progress, particularly with threat intelligence. Leaders across Microsoft's Windows, Office, and Azure teams have begun collaborating to collect data across platforms so they can identify and address security problems.

"We see a large shift in moving away from the 'spray and pray' approach to security, and moving towards how to improve protection and response capabilities," Arsenault says. "In a mobile and cloud world, many approaches aren't as effective."

(Image: Bret Arsenault, courtesy of Microsoft)

Many people focus on speed of obtaining threat intelligence, says Arsenault, but data diversity is more important because it improves both precision and isolation. Microsoft analyzes events from billions of devices each month. Office 365 and Azure provide endpoint, cloud, and identity intelligence, which helps the company as identity becomes a bigger part of its security strategy.

"Identity is the number one thing people need to focus on," says Brad Anderson, CVP for Enterprise Client and Mobility at Microsoft.

Identity

Anderson, whose team builds management, security, and identity for mobile devices, says more than 75% of attacks trace back to someone having their user account compromised.

He says businesses need to build an identity-based perimeter in addition to the perimeter-based security model. In the cloud world, he says, the only constant factor across services and mobile devices is a user's identity.

"Attacks on organizations are more sophisticated; more targeted," he says. "The attackers are getting as mature as the organizations are. You have to assume you've been breached and you have to find ways to identify accounts that are being used against you."

Security has become a data-gathering exercise, Anderson explains. Last year, Microsoft promised to evolve endpoint security in the cloud and on-premises. In 2016, it aimed to better combine security data and threat intelligence with its Intelligent Security Graph (ISG).

The graph collects data from billions of sources including endpoints, consumer services, commercial services, and on-premises tech, and compiles them in one location to apply data analysis, find patterns, and generate insight to pinpoint security flaws.

Every identity in the security graph carries a risk score, says Anderson, and different scores can drive different actions. Suspicious activity raises an identity's score; the score can then trigger an action directly or feed the policies an organization builds. For example, medium risk may warrant multi-factor authentication.

(Image: Brad Anderson, courtesy of Microsoft)

Part of the security challenge, of course, is striking a balance between strong protection and a positive user experience.

"It's hard to do both," Anderson admits. "If you haven't engineered the solution to do both, you get something IT loves but users hate." Most people expect a flow of information and connectivity; as a result, they dislike multiple prompts for multi-factor authentication, he notes.

Anderson's Microsoft team will continue working on user experience into next year because users' expectations are so high. 

Windows

Microsoft made security a priority in Windows 10, and this year the company rolled out a series of new functions to strengthen OS protection for consumers and businesses.

Over the past year, the Windows team's objective was getting onto the forefront of security, says Rob Lefferts, Microsoft's director of program management.

"It's not about focusing on new ways we've been hacked, but about how we're going to step ahead of the attackers," he explains. Over this year, this has involved protecting identity, safeguarding device data, and ensuring devices aren't running unwanted or malicious code.

Windows is focusing less on hardening the platform and more on detection and defense. Lefferts cites the release of Windows Information Protection (WIP), which shipped with the Windows 10 Anniversary Update in July. WIP was built on the idea of identifying and separating corporate data from personal information, so businesses can wipe classified information from BYOD devices.

Next year will bring the Windows 10 Creators Update, which Lefferts explains will focus on detection, intelligence, and remediation in Windows Defender Advanced Threat Protection. For example, added sensors will detect threats resident in memory and kernel-level exploits.

"They've added a lot of fundamental improvements to Windows to close security gaps," Gartner VP Peter Firstbrook says of Microsoft's progress in 2016.

Even so, there are shortcomings to the changes in Microsoft's strategy. The company has implemented a lot of security tools into Windows, but it almost never makes those tools backwards compatible, Firstbrook notes.

"It makes sense because they want people to upgrade, but it's not always practical -- especially for businesses," he says. Similarly, non-Windows 10 users can't rely on Windows Defender because it only works for the new OS.

(Image: Rob Lefferts, courtesy of Microsoft)

Firstbrook says Microsoft needs to give users more granular control over Microsoft utilities. Many aggressive exploits target its tools; PowerShell, for example, is often abused by ransomware. After this year, attackers can also leverage Linux code to conduct attacks.

"Utilities are useful for enterprises, but there needs to be a way to manage the use of utilities and restrict access to certain individuals or certain types of code," he says. "Is there a way to create more restrictions around the use of utilities?"

Microsoft's Lefferts says while he has no regrets about progress this year, 2017 will be a "tipping point" as organizations move from being interested in Windows 10 to adopting it.

"In the last six months, we've had a three-times increase in Windows 10 enterprise deployments," he notes. "We expect that to continue."

Office

As part of Microsoft's new strategy, the Office team has begun to approach security with two broader goals: how to build security into the software as opposed to adding it separately; and how to leverage Office data to strengthen security across all platforms.

"We don't just think of security as 'What is Windows doing? What is Office doing?'" says Rudra Mitra, Microsoft's partner director for Office 365. "How can we use Microsoft's security perspective to ensure we're not just telling a security narrative, but advancing the productivity narrative?"

One of the security measures Office plans to launch in 2017 is Office 365 Threat Intelligence, which is powered by the Intelligent Security Graph and built into Office 365. It compiles data across Office 365 about good and bad content, and offers broader security insight. 

"Email is one of the primary vectors folks are concerned about," he says, noting that Microsoft scans 200 billion emails each month for viruses, malware, and phishing attacks. Those scans in turn inform the Intelligent Security Graph.

Microsoft also plans to launch new data protection and security features that surface information on each Office 365 user within an organization. This will include signals such as who is under attack, who is getting phished, and whether phishing emails share a particular subject line. Armed with this information, organizations will know whether some users need more protection.

Mitra explains how before the security graph, it would have been harder for Microsoft to pull together data and provide this type of information. Going forward, he cites the potential for combining capabilities across Microsoft and scaling so businesses have the full power of cloud-based data.

Firstbrook notes Microsoft has made progress with Office 365 in terms of anti-spam and phishing, but there is a challenge: businesses can access the platform anywhere, anytime, on any device.

"It's a business benefit, but from a security perspective, it's a bit of a nightmare," he notes, and there should be more control over who gets access to different types of information on different devices.

For example, on a corporate machine someone could have full access to Microsoft information in the cloud, while from home they could access personal information only, with further levels of access configured according to the information being requested.

What's next?

"I would love to completely get rid of passwords within the environment within two years," says Microsoft's Arsenault. "I also would like to reduce the number of point-based solutions we have to use, which cost a lot in terms of skills and talent."

Also on Arsenault's agenda is to replace its user-based network with a database network, which has identity as a perimeter. In this case, anyone who wants to access corporate resources would have to enable multi-factor authentication from a device deemed healthy.
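A toy policy evaluator for the risk-based approach described in the Identity section (suspicious activity raises an identity's risk score; medium risk warrants MFA) combined with the requirement above that corporate resources be reached only with MFA from a healthy device. This is an added example, not Microsoft's code; the signal names, weights, thresholds and the choice to block high-risk sign-ins are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    BLOCK = "block"


# Hypothetical suspicious-activity signals and weights (constructed, not from the article).
SIGNAL_WEIGHTS = {
    "unfamiliar_device": 30,
    "anonymous_ip": 40,
    "impossible_travel": 50,
    "leaked_credential": 70,
}


@dataclass
class SignIn:
    user: str
    device_healthy: bool      # device attested as compliant/healthy by management
    signals: tuple = ()       # suspicious-activity signals observed for this identity


def risk_score(signin: SignIn) -> int:
    """Accumulate observed signals into a 0-100 identity risk score."""
    return min(100, sum(SIGNAL_WEIGHTS.get(s, 0) for s in signin.signals))


def risk_level(score: int) -> str:
    """Bucket the score; thresholds are assumed, not Microsoft's."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def decide(signin: SignIn, corporate_resource: bool) -> Action:
    """Map risk level and device health to an access decision."""
    level = risk_level(risk_score(signin))
    if level == "high":
        return Action.BLOCK                  # assumption: high risk is denied outright
    if corporate_resource and not signin.device_healthy:
        return Action.BLOCK                  # corporate access requires a healthy device
    if level == "medium" or corporate_resource:
        return Action.REQUIRE_MFA            # medium risk, or any corporate access, needs MFA
    return Action.ALLOW
```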

As Microsoft's security team closes out 2016, it's looking at the challenges businesses will face next year, namely the growth of data and expansion of the mobile workforce and BYOD policies, Mitra says.

Gartner's Firstbrook says ransomware is the most prevalent problem businesses will face, and he cautions against the exploitation of PowerShell and other Windows utilities. Microsoft has a strong focus on security now, he says, but they could push the state-of-the-art more.

Its execs agree.

"We've got a lot more work to do. There's a lot more innovation to happen," Microsoft's Mitra says.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.