Microsoft Invests $1 Billion In 'Holistic' Security Strategy

Executives detail strategic and cultural shift at Microsoft to an integrated security approach across its software and services, and announce new managed services group and cyber defense operation center.

Bret Arsenault, CISO, Microsoft. Source: Microsoft

Microsoft over the past year invested some $1 billion in security and doubled its number of security executives, and today announced the launch of a new managed security services group and a new cyber defense operations center -- all part of its new strategy of holistic and integrated security across its products and services.

In exclusive interviews with Dark Reading, Microsoft executives -- including Microsoft's chief information security officer Bret Arsenault -- explained how Microsoft's new security strategy is manifested in the company's internal network and across its Windows, Office, and cloud offerings to customers.

Microsoft CEO Satya Nadella today in a keynote address in Washington, D.C., for the first time detailed publicly Microsoft's holistic security strategy and how it aims to better protect, detect, and respond to threats, as well as the announcement of its new managed services group and a new security defense operations center. Nadella and his executive team point to the billions of endpoints, services, and systems from which Microsoft draws threat intelligence and then uses that intel for detection, protection, and responding to security events.

The strategy places security at the heart of the software giant's products and services, and Microsoft execs described a more integrated protection and intelligence approach that uses the threat intelligence information it gathers worldwide from its sensors and customers. Integrating security across platforms is a big theme lately with security giants such as Intel/McAfee and Symantec, which both announced similar strategies last month. Symantec's Advanced Threat Protection platform, for instance, basically integrates and unifies its traditionally separate enterprise security products, and is one of the results of the company's $1 billion investment in R&D under new CEO Michael Brown.

Microsoft's $1 billion in security spending this year includes Microsoft's "organic" investments, Microsoft's Arsenault says, as well as recent acquisitions. To date, Microsoft has purchased three security firms over the past year including behavioral learning and Active Directory security firm Aorato, cloud security firm Adallom, and most recently, data and file protection firm Secure Islands.

"We've always done a good job in caring about writing secure code and making secure services. We needed to do more to protect endpoints and get intelligence from the cloud … so we're making investments in a number of areas," Microsoft's Arsenault says of the company's strategy.

Nadella in his keynote today said the company has been investing $1 billion in security yearly in security research and development.

Microsoft wouldn't disclose just how many new security executives it has added to the company in the past year, but the execs span its product and operations areas, according to Aresnault. The new managed services arm, Microsoft Enterprise Cybersecurity Group (ECG), focuses on sales and services in "nothing but cyber defense," he says. This group will work with Microsoft's security partners and the Office 365 and Azure teams, too, for example, he says.

ECG will provide security assessments, monitoring, threat detection, and incident response to Microsoft customers.

The newly unveiled state-of-the-art Cyber Defense Operations Center (CDOC) co-locates members of the company's internal security team, Microsoft Security Response Center, security experts in Azure, Windows, Office 365, security analysts, as well as its Digital Crimes Unit and other groups, for detecting and responding to threats in real-time.

"My internal operations team can swivel with … the DCU [Digital Crimes Unit]" there, for example, Arsenault says.

Microsoft is incorporating security across the board as part of its products and services as well as its corporate culture.  "We are making [security] part of everything we do, and will continue to invest in it," he says. That includes security training for every employee, he says.

"We made the decision that we should get security as close to the workload as possible, versus its own separate product. We think that goes back to the idea of evolving from one perimeter to perimeterizing everything we do: protect data, devices, and people," he says.

The evolution of Microsoft's security posture has been in progress for some time, starting with Windows, so the culmination of the strategy really isn't surprising. But Microsoft's very public announcement by its CEO today, as well as word of its new managed services arm, signal a new chapter in Microsoft's security story.

That doesn't mean Microsoft is looking to compete with traditional security firms, like it tried with the doomed Forefront family of enterprise security products, however.

"We're not a security company like Symantec or McAfee. We are providing end-to-end services for consumers through the enterprise in endpoint, hardware, software, and cloud services. We have a unique position to protect all of those--everything from the endpoint to the way we partner with the ecosystem," he says. "We think of ourselves as a security company, but not in the traditional sense."

Windows: Where It All Began

The evolution of Windows security -- via Microsoft's Security Development Lifecycle and the roster of new security features Microsoft continues to weave into the OS -- represents a case study in how Microsoft's security strategy has emerged.

Dustin Ingalls, general manager of identity and security operations, says the hardware-based security added starting in Windows 8 was the result of a goal to kick the rootkit and bootkit problem. "It became clear we couldn't solve that problem in software," Ingalls says.

Windows 10 security centers around three main features, including Device Guard, which vets applications that try to access the machine and its network, and can use hardware and virtualization to handle that process of determination. Windows Hello, touted as a password-killer by Microsoft, relies on a user's face, iris, or fingerprint to launch the Windows 10 device.  Passport, meanwhile, lets users authenticate to applications, websites, and networks without passwords at all:  it verifies that the user has physical access to his or her device and then authenticates them via a PIN or Windows Hello.

"My personal mission was to get rid of passwords. There's nothing we can do today to [truly] secure passwords," Ingalls says. "So you have to have something else … we have Passport," which is akin to a smart card, he says, and not susceptible to phishing or key theft since the key is asymmetric. It then uses the Hello biometrics for the second level of strong authentication, he says.

Microsoft also is emphasizing a next-generation endpoint security approach that goes beyond traditional signature-based defenses. "We are a lot more focused on using the cloud as an intelligence engine and as a way of being very rapid about how we respond to" a threat, Ingalls says. "A lot of innovation using machine learning and cloud telemetry to look for unusual behaviors instead of static behavioral" detection, he says.

Ingalls says Microsoft will focus more on "detonation" of threats in the cloud as well, before it hits a user's inbox, for example.

Microsoft's Rudra Mitra, a partner director who has worked on the security side of Office at Microsoft the past few years and now focuses mainly on Office 365, says having different pieces of Microsoft's offerings working in tandem improves security.  He says Microsoft's work with the security community and partnering with "best of breed" security partners "helps security in a dramatic way."

"We are way more now focused on the end-to-end security story, with Windows combined with cloud, Azure, Active Directory, Office 365, and enhanced security services for enterprises like advanced threat analytics," Ingalls says.

Security expert Marc Maiffret says the security of Microsoft software has come a long way since the early 2000s, when Microsoft software was the "gateway" for attackers to compromise a business.

"These days, there are still some Microsoft vulnerabilities clearly that are used to compromise companies but the severity and grade of exploitable ones and the hoops [attackers] have to go through to exploit them has changed things," Maiffret says. "Microsoft is no longer that initial front door. Usually, where companies are failing is in how they are architecting and managing their environments: are they doing the proper security design engineering?"

"It's not just the one-off vuln that ruins your day" now, he says. "Companies need help managing their environment [security-wise]," he says.


Identity is one of the key elements of Microsoft's security strategy. "Identity is much more important than ever before at  Microsoft," says Bharat Shah, CVP of cloud and enterprise security engineering at Microsoft. The waning perimeter adds another element of complexity to strong authentication for organizations.

"You will see us making really good progress on the endpoint" in cloud security, he says. "And we do a lot of on-prem stuff, too."

The Adallom buy gives Microsoft software-as-a-service application log analytics, for example, he says.

Will there be more security-related acquisitions by Microsoft?

"We will continue to evaluate what customers demand … and what their needs are," Arsenault says. "Our goal is make sure the network, devices, applications, identity" are secure, he says.

Maiffret says the string of security acquisitions by Microsoft and how its security strategy has evolved demonstrate that the company is "taking to heart securing the whole ecosystem."

Meanwhile, Nadella in his keynote offered a few examples of how security features in Windows 10, Office 365, Azure, and Enterprise Mobility Suite work together to prevent password-related attacks, data loss, and malware. He gave a shoutout to Windows 10's Hello, Passport and Credential Guard security features, for example.

Microsoft also called for companies to take steps to improve their "security hygeine."

"While there will always be new threats, new attacks, and new technologies, companies can take action today to address security concerns and improve their security postures.  It is critical for companies to strengthen their core security hygiene (across things like monitoring, antivirus, patch and operating systems) by adopting modern platforms and comprehensive identity, security and management solutions, and by leveraging features offered within cloud services; and it is just as important to create education and awareness across employee populations in order to build and sustain a pervasive security culture," Microsoft said in a blog post today.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights