In November 2015, Microsoft shared the details of its $1B investment in a new integrated security strategy across its portfolio of products and services including Windows, Office, and Azure.
The funds were allocated toward initiatives such as doubling the number of security executives and launching the Microsoft Enterprise Cybersecurity Group (ECG) and Cyber Defense Operations Center (CDOC). Its broader goal was to better protect, detect, and respond to cyberthreats.
One year following the announcement, Dark Reading caught up with Microsoft executives to learn about how its holistic strategy unfolded in 2016 and where its priorities lie for the year ahead.
Bret Arsenault, Microsoft CVP and CISO, explains how the past year has driven platform progress, particularly with threat intelligence. Leaders across Microsoft's Windows, Office, and Azure teams have begun collaborating to collect data across platforms so they can identify and address security problems.
"We see a large shift in moving away from the 'spray and pray' approach to security, and moving towards how to improve protection and response capabilities," Arsenault says. "In a mobile and cloud world, many approaches aren't as effective."
Many people focus on speed of obtaining threat intelligence, says Arsenault, but data diversity is more important because it improves both precision and isolation. Microsoft analyzes events from billions of devices each month. Office 365 and Azure provide endpoint, cloud, and identity intelligence, which helps the company as identity becomes a bigger part of its security strategy.
"Identity is the number one thing people need to focus on," says Brad Anderson, CVP for Enterprise Client and Mobility at Microsoft.
Anderson, whose team builds management, security, and identity for mobile devices, says more than 75% of attacks trace back to someone having their user account compromised.
He says businesses need to build an identity-based perimeter in addition to the perimeter-based security model. In the cloud world, he says, the only constant factor across services and mobile devices is a user's identity.
"Attacks on organizations are more sophisticated; more targeted," he says. "The attackers are getting as mature as the organizations are. You have to assume you've been breached and you have to find ways to identify accounts that are being used against you."
Security has become a data-gathering exercise, Anderson explains. Last year, Microsoft promised to evolve endpoint security in the cloud and on-premises. In 2016, it aimed to better combine security data and threat intelligence with its Intelligent Security Graph (ISG).
The graph collects data from billions of sources including endpoints, consumer services, commercial services, and on-premises tech, and compiles them in one location to apply data analysis, find patterns, and generate insight to pinpoint security flaws.
Every identity in the security graph has a risk score, says Anderson, and different scores can trigger different actions. If an identity is performing suspicious activity, its score rises; administrators can act on that directly or use the score to build policies. For example, medium risk may warrant multi-factor authentication.
Part of the security challenge, of course, is striking a balance between strong protection and a positive user experience.
"It's hard to do both," Anderson admits. "If you haven't engineered the solution to do both, you get something IT loves but users hate." Most people expect a flow of information and connectivity; as a result, they dislike multiple prompts for multi-factor authentication, he notes.
Anderson's Microsoft team will continue working on user experience into next year because users' expectations are so high.
Microsoft made security a priority in Windows 10, and this year the company rolled out a series of new functions to strengthen OS protection for consumers and businesses.
Over the past year, the Windows team's objective was getting onto the forefront of security, says Rob Lefferts, Microsoft's director of program management.
"It's not about focusing on new ways we've been hacked, but about how we're going to step ahead of the attackers," he explains. Over this year, this has involved protecting identity, safeguarding device data, and ensuring devices aren't running unwanted or malicious code.
Windows is focusing less on hardening the platform and more on detection and defense. Lefferts cites the release of Windows Information Protection (WIP), which shipped with the Windows 10 Anniversary Update in July. WIP was built on the idea of identifying and separating corporate data from personal info. Businesses can wipe classified information from BYOD devices.
Next year will bring the Windows 10 Creators Update, which Lefferts explains will focus on detection, intelligence, and remediation in Windows Defender Advanced Threat Protection. For example, added sensors will find threats located in memory or kernel-level exploits.
"They've added a lot of fundamental improvements to Windows to close security gaps," Gartner VP Peter Firstbrook says of Microsoft's progress in 2016.
Even so, there are shortcomings to the changes in Microsoft's strategy. The company has implemented a lot of security tools into Windows, but it almost never makes those tools backwards compatible, Firstbrook notes.
"It makes sense because they want people to upgrade, but it's not always practical -- especially for businesses," he says. Similarly, non-Windows 10 users can't rely on Windows Defender because it only works for the new OS.
Firstbrook says Microsoft needs to provide users more granular control over Microsoft utilities. Many aggressive exploits target its tools; for example, PowerShell is often exploited with ransomware. After this year, attackers can also leverage Linux code to conduct attacks.
"Utilities are useful for enterprises, but there needs to be a way to manage the use of utilities and restrict access to certain individuals or certain types of code," he says. "Is there a way to create more restrictions around the use of utilities?"
Microsoft's Lefferts says while he has no regrets about progress this year, 2017 will be a "tipping point" as organizations move from being interested in Windows 10 to adopting it.
"In the last six months, we've had a three-times increase in Windows 10 enterprise deployments," he notes. "We expect that to continue."
As part of Microsoft's new strategy, the Office team has begun to approach security with two broader goals: how to build security into the software as opposed to adding it separately; and how to leverage Office data to strengthen security across all platforms.
"We don't just think of security as 'What is Windows doing? What is Office doing?'" says Rudra Mitra, Microsoft's partner director for Office 365. "How can we use Microsoft's security perspective to ensure we're not just telling a security narrative, but advancing the productivity narrative?"
One of the security measures Office plans to launch in 2017 is Office 365 Threat Intelligence, which is powered by the Intelligent Security Graph and built into Office 365. It compiles data across Office 365 about good and bad content, and offers broader security insight.
"Email is one of the primary vectors folks are concerned about," he says, noting that Microsoft scans 200 billion emails each month for viruses, malware, and phishing attacks. Those scans in turn inform the Intelligent Security Graph.
Microsoft also plans to launch new data protection and security features to unearth information on each Office 365 user within an organization. This will include signals like who's under attack, who's getting phished, and whether phishing emails contain a particular subject line. Armed with this information, administrators will know whether some users need more protection.
Mitra explains how before the security graph, it would have been harder for Microsoft to pull together data and provide this type of information. Going forward, he cites the potential for combining capabilities across Microsoft and scaling so businesses have the full power of cloud-based data.
Firstbrook notes Microsoft has made progress with Office 365 in terms of anti-spam and phishing, but there is a challenge: businesses can access the platform anywhere, anytime, on any device.
"It's a business benefit, but from a security perspective, it's a bit of a nightmare," he notes, and there should be more control over who gets access to different types of information on different devices.
For example, on a corporate machine someone could have full access to Microsoft information in the cloud, while from home they would be able to access personal information only; alternatively, different levels of access could be configured based on the information requested.
"I would love to completely get rid of passwords within the environment within two years," says Microsoft's Arsenault. "I also would like to reduce the number of point-based solutions we have to use, which cost a lot in terms of skills and talent."
Also on Arsenault's agenda is to replace its user-based network with a database network, which has identity as a perimeter. In this case, anyone who wants to access corporate resources would have to enable multi-factor authentication from a device deemed healthy.
As Microsoft's security team closes out 2016, it's looking at the challenges businesses will face next year, namely the growth of data and expansion of the mobile workforce and BYOD policies, Mitra says.
Gartner's Firstbrook says ransomware is the most prevalent problem businesses will face, and he cautions against the exploitation of PowerShell and other Windows utilities. Microsoft has a strong focus on security now, he says, but they could push the state-of-the-art more.
Its execs agree.
"We've got a lot more work to do. There's a lot more innovation to happen," Microsoft's Mitra says.