12/15/2016
10:00 AM
Microsoft Execs: Identity, Threat Intelligence Driving Company's Security Strategy

One year after Microsoft announced its $1B investment into a holistic cybersecurity strategy, executives discuss how their plans unfolded and what's on the agenda for 2017.

In November 2015, Microsoft shared the details of its $1B investment in a new integrated security strategy across its portfolio of products and services including Windows, Office, and Azure. 

The funds were allocated toward initiatives such as doubling the number of security executives and launching the Microsoft Enterprise Cybersecurity Group (ECG) and Cyber Defense Operations Center (CDOC). Its broader goal was to better protect, detect, and respond to cyberthreats.

One year following the announcement, Dark Reading caught up with Microsoft executives to learn about how its holistic strategy unfolded in 2016 and where its priorities lie for the year ahead.  

Bret Arsenault, Microsoft CVP and CISO, explains how the past year has driven platform progress, particularly with threat intelligence. Leaders across Microsoft's Windows, Office, and Azure teams have begun collaborating to collect data across platforms so they can identify and address security problems.

"We see a large shift in moving away from the 'spray and pray' approach to security, and moving towards how to improve protection and response capabilities," Arsenault says. "In a mobile and cloud world, many approaches aren't as effective."

(Image: Bret Arsenault, courtesy of Microsoft)

Many people focus on speed of obtaining threat intelligence, says Arsenault, but data diversity is more important because it improves both precision and isolation. Microsoft analyzes events from billions of devices each month. Office 365 and Azure provide endpoint, cloud, and identity intelligence, which helps the company as identity becomes a bigger part of its security strategy.

"Identity is the number one thing people need to focus on," says Brad Anderson, CVP for Enterprise Client and Mobility at Microsoft.

Identity

Anderson, whose team builds management, security, and identity for mobile devices, says more than 75% of attacks trace back to someone having their user account compromised.

He says businesses need to build an identity-based perimeter in addition to the perimeter-based security model. In the cloud world, he says, the only constant factor across services and mobile devices is a user's identity.

"Attacks on organizations are more sophisticated; more targeted," he says. "The attackers are getting as mature as the organizations are. You have to assume you've been breached and you have to find ways to identify accounts that are being used against you."

Security has become a data-gathering exercise, Anderson explains. Last year, Microsoft promised to evolve endpoint security in the cloud and on-premises. In 2016, it aimed to better combine security data and threat intelligence with its Intelligent Security Graph (ISG).

The graph collects data from billions of sources including endpoints, consumer services, commercial services, and on-premises tech, and compiles them in one location to apply data analysis, find patterns, and generate insight to pinpoint security flaws.

Every identity in the security graph has a risk score, says Anderson, and scores can determine different actions. If an identity is performing suspicious activity, it can raise the score and take action or use this information to build policies. For example, medium risk may warrant multi-factor authentication.

(Image: Brad Anderson, courtesy of Microsoft)

Part of the security challenge, of course, is striking a balance between strong protection and a positive user experience.

"It's hard to do both," Anderson admits. "If you haven't engineered the solution to do both, you get something IT loves but users hate." Most people expect a flow of information and connectivity; as a result, they dislike multiple prompts for multi-factor authentication, he notes.

Anderson's Microsoft team will continue working on user experience into next year because users' expectations are so high. 

Windows

Microsoft made security a priority in Windows 10, and this year the company rolled out a series of new functions to strengthen OS protection for consumers and businesses.

Over the past year, the Windows team's objective was getting onto the forefront of security, says Rob Lefferts, Microsoft's director of program management.

"It's not about focusing on new ways we've been hacked, but about how we're going to step ahead of the attackers," he explains. Over this year, this has involved protecting identity, safeguarding device data, and ensuring devices aren't running unwanted or malicious code.

Windows is focusing less on hardening the platform and more on detection and defense. Lefferts cites the release of Windows Information Protection (WIP), which shipped with the Windows 10 Anniversary Update in July. WIP was built on the idea of identifying and separating corporate data from personal info, so that businesses can wipe corporate information from BYOD devices without touching the user's own data.

Next year will bring the Windows 10 Creators Update, which Lefferts explains will focus on detection, intelligence, and remediation in Windows Defender Advanced Threat Protection. For example, added sensors will find threats that reside only in memory or that rely on kernel-level exploits.

"They've added a lot of fundamental improvements to Windows to close security gaps," Gartner VP Peter Firstbrook says of Microsoft's progress in 2016.

Even so, there are shortcomings to the changes in Microsoft's strategy. The company has implemented a lot of security tools into Windows, but it almost never makes those tools backwards compatible, Firstbrook notes.

"It makes sense because they want people to upgrade, but it's not always practical -- especially for businesses," he says. Similarly, non-Windows 10 users can't rely on Windows Defender because it only works for the new OS.

(Image: Rob Lefferts, courtesy of Microsoft)

Firstbrook says Microsoft needs to provide users more granular control over Microsoft utilities. Many aggressive exploits target its tools; for example, PowerShell is often exploited with ransomware. After this year, attackers can also leverage Linux code to conduct attacks.

"Utilities are useful for enterprises, but there needs to be a way to manage the use of utilities and restrict access to certain individuals or certain types of code," he says. "Is there a way to create more restrictions around the use of utilities?"

Microsoft's Lefferts says while he has no regrets about progress this year, 2017 will be a "tipping point" as organizations move from being interested in Windows 10 to adopting it.

"In the last six months, we've had a three-times increase in Windows 10 enterprise deployments," he notes. "We expect that to continue."

Office

As part of Microsoft's new strategy, the Office team has begun to approach security with two broader goals: how to build security into the software as opposed to adding it separately; and how to leverage Office data to strengthen security across all platforms.

"We don't just think of security as 'What is Windows doing? What is Office doing?'" says Rudra Mitra, Microsoft's partner director for Office 365. "How can we use Microsoft's security perspective to ensure we're not just telling a security narrative, but advancing the productivity narrative?"

One of the security measures Office plans to launch in 2017 is Office 365 Threat Intelligence, which is powered by the Intelligent Security Graph and built into Office 365. It compiles data across Office 365 about good and bad content, and offers broader security insight. 

"Email is one of the primary vectors folks are concerned about," he says, noting that Microsoft scans 200 billion emails each month for viruses, malware, and phishing attacks. Those scans in turn inform the Intelligent Security Graph.

Microsoft also plans to launch new data protection and security features to unearth information on each Office 365 user within an organization. This will include signals like who's under attack, who's getting phished, and whether phishing emails contain a particular subject line. Armed with this information, they'll know whether some users need more protection.

Mitra explains how before the security graph, it would have been harder for Microsoft to pull together data and provide this type of information. Going forward, he cites the potential for combining capabilities across Microsoft and scaling so businesses have the full power of cloud-based data.

Firstbrook notes Microsoft has made progress with Office 365 in terms of anti-spam and phishing, but there is a challenge: businesses can access the platform anywhere, anytime, on any device.

"It's a business benefit, but from a security perspective, it's a bit of a nightmare," he notes, and there should be more control over who gets access to different types of information on different devices.

For example, on a corporate machine, someone can have full access to Microsoft information in the cloud, but from home they would be able to access personal information only, or configure different levels of access based on the desired information.

What's next?

"I would love to completely get rid of passwords within the environment within two years," says Microsoft's Arsenault. "I also would like to reduce the number of point-based solutions we have to use, which cost a lot in terms of skills and talent."

Also on Arsenault's agenda is to replace its user-based network with a database network, which has identity as a perimeter. In this case, anyone who wants to access corporate resources would have to enable multi-factor authentication from a device deemed healthy.
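The risk-scored identity policy Anderson describes (medium risk warrants multi-factor authentication) and Arsenault's healthy-device requirement can be expressed as one access decision. This is an added illustration, not Microsoft's code: the signal names, weights, thresholds and decision labels are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed per-signal weights (constructed for this example, not Microsoft's).
SIGNAL_WEIGHTS = {
    "unfamiliar_device": 20,
    "repeated_failures": 15,
    "anonymizing_proxy": 40,
    "impossible_travel": 50,
    "leaked_credentials": 70,
}

@dataclass
class SignIn:
    user: str
    signals: List[str] = field(default_factory=list)
    device_healthy: bool = True  # e.g. managed, patched, disk encrypted

@dataclass
class Policy:
    medium_threshold: int = 20
    high_threshold: int = 60
    require_healthy_device: bool = True
    mfa_for_all: bool = False  # Arsenault's stated goal: MFA on every access

def risk_score(signin: SignIn) -> int:
    """Sum the weights of the observed signals, capped at 100."""
    return min(100, sum(SIGNAL_WEIGHTS.get(s, 0) for s in signin.signals))

def risk_tier(score: int, policy: Policy) -> str:
    if score >= policy.high_threshold:
        return "high"
    if score >= policy.medium_threshold:
        return "medium"
    return "low"

def decide(signin: SignIn, policy: Optional[Policy] = None) -> str:
    """Map the identity's risk tier and device health to an access decision."""
    policy = policy or Policy()
    tier = risk_tier(risk_score(signin), policy)
    if tier == "high":
        return "block"  # hand off to investigation / credential reset
    if policy.require_healthy_device and not signin.device_healthy:
        return "deny_unhealthy_device"  # identity perimeter: device must be healthy
    if tier == "medium" or policy.mfa_for_all:
        return "require_mfa"
    return "allow"
```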

As Microsoft's security team closes out 2016, it's looking at the challenges businesses will face next year, namely the growth of data and expansion of the mobile workforce and BYOD policies, Mitra says.

Gartner's Firstbrook says ransomware is the most prevalent problem businesses will face, and he cautions against the exploitation of PowerShell and other Windows utilities. Microsoft has a strong focus on security now, he says, but they could push the state-of-the-art more.

Its execs agree.

"We've got a lot more work to do. There's a lot more innovation to happen," Microsoft's Mitra says.

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance & Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she's not catching up on the latest in tech, Kelly enjoys ...
