11/17/2015
08:15 AM

Microsoft Invests $1 Billion In 'Holistic' Security Strategy

Executives detail strategic and cultural shift at Microsoft to an integrated security approach across its software and services, and announce new managed services group and cyber defense operation center.

Microsoft over the past year invested some $1 billion in security and doubled its number of security executives, and today announced the launch of a new managed security services group and a new cyber defense operations center -- all part of its new strategy of holistic and integrated security across its products and services.

In exclusive interviews with Dark Reading, Microsoft executives -- including Microsoft's chief information security officer Bret Arsenault -- explained how Microsoft's new security strategy is manifested in the company's internal network and across its Windows, Office, and cloud offerings to customers.

Microsoft CEO Satya Nadella today, in a keynote address in Washington, D.C., publicly detailed for the first time Microsoft's holistic security strategy and how it aims to better protect against, detect, and respond to threats, and announced its new managed services group and a new security defense operations center. Nadella and his executive team point to the billions of endpoints, services, and systems from which Microsoft draws threat intelligence, which it then uses to detect, protect against, and respond to security events.

The strategy places security at the heart of the software giant's products and services, and Microsoft execs described a more integrated protection and intelligence approach that uses the threat intelligence information it gathers worldwide from its sensors and customers. Integrating security across platforms is a big theme lately with security giants such as Intel/McAfee and Symantec, which both announced similar strategies last month. Symantec's Advanced Threat Protection platform, for instance, basically integrates and unifies its traditionally separate enterprise security products, and is one of the results of the company's $1 billion investment in R&D under new CEO Michael Brown.

Microsoft's $1 billion in security spending this year includes Microsoft's "organic" investments, Microsoft's Arsenault says, as well as recent acquisitions. To date, Microsoft has purchased three security firms over the past year including behavioral learning and Active Directory security firm Aorato, cloud security firm Adallom, and most recently, data and file protection firm Secure Islands.

"We've always done a good job in caring about writing secure code and making secure services. We needed to do more to protect endpoints and get intelligence from the cloud … so we're making investments in a number of areas," Microsoft's Arsenault says of the company's strategy.

Nadella in his keynote today said the company has been investing $1 billion yearly in security research and development.

Microsoft wouldn't disclose just how many new security executives it has added to the company in the past year, but the execs span its product and operations areas, according to Arsenault. The new managed services arm, Microsoft Enterprise Cybersecurity Group (ECG), focuses on sales and services in "nothing but cyber defense," he says. This group will also work with Microsoft's security partners and the Office 365 and Azure teams, for example, he says.

ECG will provide security assessments, monitoring, threat detection, and incident response to Microsoft customers.

The newly unveiled state-of-the-art Cyber Defense Operations Center (CDOC) co-locates members of the company's internal security team, Microsoft Security Response Center, security experts in Azure, Windows, Office 365, security analysts, as well as its Digital Crimes Unit and other groups, for detecting and responding to threats in real-time.

"My internal operations team can swivel with … the DCU [Digital Crimes Unit]" there, for example, Arsenault says.

Microsoft is incorporating security across the board as part of its products and services as well as its corporate culture. "We are making [security] part of everything we do, and will continue to invest in it," he says. That includes security training for every employee, he says.

Bret Arsenault, CISO, Microsoft
Source: Microsoft


"We made the decision that we should get security as close to the workload as possible, versus its own separate product. We think that goes back to the idea of evolving from one perimeter to perimeterizing everything we do: protect data, devices, and people," he says.

The evolution of Microsoft's security posture has been in progress for some time, starting with Windows, so the culmination of the strategy really isn't surprising. But Microsoft's very public announcement by its CEO today, as well as word of its new managed services arm, signal a new chapter in Microsoft's security story.

That doesn't mean Microsoft is looking to compete with traditional security firms, like it tried with the doomed Forefront family of enterprise security products, however.

"We're not a security company like Symantec or McAfee. We are providing end-to-end services for consumers through the enterprise in endpoint, hardware, software, and cloud services. We have a unique position to protect all of those--everything from the endpoint to the way we partner with the ecosystem," he says. "We think of ourselves as a security company, but not in the traditional sense."

Windows: Where It All Began

The evolution of Windows security -- via Microsoft's Security Development Lifecycle and the roster of new security features Microsoft continues to weave into the OS -- represents a case study in how Microsoft's security strategy has emerged.

Dustin Ingalls, general manager of identity and security operations, says the hardware-based security added starting in Windows 8 was the result of a goal to kick the rootkit and bootkit problem. "It became clear we couldn't solve that problem in software," Ingalls says.

Windows 10 security centers around three main features, including Device Guard, which vets applications that try to access the machine and its network, and can use hardware and virtualization to handle that process of determination. Windows Hello, touted as a password-killer by Microsoft, relies on a user's face, iris, or fingerprint to launch the Windows 10 device. Passport, meanwhile, lets users authenticate to applications, websites, and networks without passwords at all: it verifies that the user has physical access to his or her device and then authenticates them via a PIN or Windows Hello.

"My personal mission was to get rid of passwords. There's nothing we can do today to [truly] secure passwords," Ingalls says. "So you have to have something else … we have Passport," which is akin to a smart card, he says, and not susceptible to phishing or key theft since the key is asymmetric. It then uses the Hello biometrics for the second level of strong authentication, he says.

Microsoft also is emphasizing a next-generation endpoint security approach that goes beyond traditional signature-based defenses. "We are a lot more focused on using the cloud as an intelligence engine and as a way of being very rapid about how we respond to" a threat, Ingalls says. "A lot of innovation using machine learning and cloud telemetry to look for unusual behaviors instead of static behavioral" detection, he says.

Ingalls says Microsoft will focus more on "detonation" of threats in the cloud as well, before they hit a user's inbox, for example.

Microsoft's Rudra Mitra, a partner director who has worked on the security side of Office at Microsoft the past few years and now focuses mainly on Office 365, says having different pieces of Microsoft's offerings working in tandem improves security. He says Microsoft's work with the security community and partnering with "best of breed" security partners "helps security in a dramatic way."

"We are way more now focused on the end-to-end security story, with Windows combined with cloud, Azure, Active Directory, Office 365, and enhanced security services for enterprises like advanced threat analytics," Ingalls says.

Security expert Marc Maiffret says the security of Microsoft software has come a long way since the early 2000s, when Microsoft software was the "gateway" for attackers to compromise a business.

"These days, there are still some Microsoft vulnerabilities clearly that are used to compromise companies but the severity and grade of exploitable ones and the hoops [attackers] have to go through to exploit them has changed things," Maiffret says. "Microsoft is no longer that initial front door. Usually, where companies are failing is in how they are architecting and managing their environments: are they doing the proper security design engineering?"

"It's not just the one-off vuln that ruins your day" now, he says. "Companies need help managing their environment [security-wise]," he says.

ID

Identity is one of the key elements of Microsoft's security strategy. "Identity is much more important than ever before at Microsoft," says Bharat Shah, CVP of cloud and enterprise security engineering at Microsoft. The waning perimeter adds another element of complexity to strong authentication for organizations.

"You will see us making really good progress on the endpoint" in cloud security, he says. "And we do a lot of on-prem stuff, too."

The Adallom buy gives Microsoft software-as-a-service application log analytics, for example, he says.

Will there be more security-related acquisitions by Microsoft?

"We will continue to evaluate what customers demand … and what their needs are," Arsenault says. "Our goal is make sure the network, devices, applications, identity" are secure, he says.

Maiffret says the string of security acquisitions by Microsoft and how its security strategy has evolved demonstrate that the company is "taking to heart securing the whole ecosystem."

Meanwhile, Nadella in his keynote offered a few examples of how security features in Windows 10, Office 365, Azure, and Enterprise Mobility Suite work together to prevent password-related attacks, data loss, and malware. He gave a shoutout to Windows 10's Hello, Passport and Credential Guard security features, for example.

Microsoft also called for companies to take steps to improve their "security hygiene."

"While there will always be new threats, new attacks, and new technologies, companies can take action today to address security concerns and improve their security postures.  It is critical for companies to strengthen their core security hygiene (across things like monitoring, antivirus, patch and operating systems) by adopting modern platforms and comprehensive identity, security and management solutions, and by leveraging features offered within cloud services; and it is just as important to create education and awareness across employee populations in order to build and sustain a pervasive security culture," Microsoft said in a blog post today.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
CharlineSau,
User Rank: Apprentice
11/27/2015 | 11:24:24 AM
re
Well... data security is really the future, isn't it?
Joe Stanganelli,
User Rank: Ninja
11/26/2015 | 12:22:10 AM
Re: Great start
Microsoft realized that if you want a job done, do it yourself -- especially when many of your users lack the savviness necessary to pick appropriate security packages.
RyanSepe,
User Rank: Ninja
11/19/2015 | 3:26:45 PM
Re: Great start
Ah ok that makes sense... Since they have cornered a large market share at the OS level they could potentially use some of their secure coding to make other security vendors irrelevant but I doubt it.


And perhaps that is a good thing for security. Having inconsistent vertical layers of security can be a benefit as circumvention is not as easily attained.
Kelly Jackson Higgins,
User Rank: Strategist
11/19/2015 | 3:17:36 PM
Re: Great start
They tried with Forefront a few years ago--and it failed miserably. So now Microsoft is all about building security into its products/services, secure coding, etc. The services announcement they made is aimed at their own customers. 
RyanSepe,
User Rank: Ninja
11/19/2015 | 3:13:25 PM
Re: Great start
Does Microsoft offer a security suite for other companies? I haven't heard too much about security services being available.
Kelly Jackson Higgins,
User Rank: Strategist
11/19/2015 | 3:04:56 PM
Re: Great start
I think it's really interesting to see how Microsoft has evolved its approach to security over the past few years.
RyanSepe,
User Rank: Ninja
11/19/2015 | 2:20:03 PM
Great start
This is a great start. I hope that other companies will gain something from this holistic approach. I'm glad to see that all their employees are entitled to security training as the end user could be the pitfall in security but could also be your saving grace if you provide them the tools.