Microsoft overhaul treats security as ‘top priority’ after a series of failures


Microsoft is making security its number one priority for every employee, following years of security issues and mounting criticisms. After a scathing report from the US Cyber Safety Review Board recently concluded that “Microsoft’s security culture was inadequate and requires an overhaul,” it’s doing just that by outlining a set of security principles and goals that are tied to compensation packages for Microsoft’s senior leadership team.
Last November, Microsoft announced a Secure Future Initiative (SFI) in response to mounting pressure on the company to respond to attacks that allowed Chinese hackers to breach US government email accounts. Just days after announcing this initiative, Russian hackers managed to breach Microsoft’s defenses and spy on the email accounts of some members of Microsoft’s senior leadership team. Microsoft only discovered the attack nearly two months later in January, and the same group even went on to steal source code.
These recent attacks have been damaging, and the Cyber Safety Review Board report added fuel to Microsoft’s security fire recently by concluding that the company could have prevented the 2023 breach of US government email accounts and that a “cascade of security failures” led to that incident.
“We are making security our top priority at Microsoft, above all else – over all other features,” explains Charlie Bell, executive vice president for Microsoft security, in a blog post today. “We will instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.”

Microsoft now has three security principles that form a big part of these goals: secure by design; secure by default; secure operations. These principles are designed to put security first during the design phases of products and services, place a greater focus on protections that are enabled by default, and improve controls and monitoring for current and future threats.
The broader goals are underpinned by “six prioritized security pillars,” which is corporate speak for the areas Microsoft needs to greatly improve:

Protect identities and secrets. Microsoft is promising to implement “best-in-class standards” across its identity and secrets infrastructure so that 100 percent of user accounts are protected with multifactor authentication and 100 percent of applications are protected by managed credentials such as certificates.

Protect tenants and isolate production systems. Microsoft’s approach here is to ensure that only healthy, managed, and secure devices get access to the company’s own services, alongside a least-privilege access model (granting only the minimum permissions each application needs) for 100 percent of applications.

Protect networks. Microsoft is promising to secure 100 percent of its production networks and the systems connected to them by applying isolation and microsegmentation (splitting production into small, separately access-controlled network zones) to all production environments. This should add layers of defense that limit how far an attacker can move after an initial foothold.

Protect engineering systems. Microsoft says it will secure access to its source code 100 percent of the time through Zero Trust and least-privilege access policies. Any source code that’s deployed to production environments will also be protected by security best practices, and test environments will also have standardized security and infrastructure isolation.

Monitor and detect threats. Microsoft is promising to retain 100 percent of security logs for two years and make six months of “appropriate logs” available to customers. It will also automatically detect and respond “rapidly” to suspicious access or configuration changes across 100 percent of Microsoft’s production infrastructure and services.

Accelerate response and remediation. The goal here is to prevent unpatched vulnerabilities from being exploited through more “timely remediation.” Microsoft is committing to reduce the time it takes to fix “high-severity” cloud security vulnerabilities and to increase transparency around these issues by adopting the Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) industry standards, which respectively classify the type of weakness behind a vulnerability and name the affected product and version in a machine-readable form.

All of these goals are tied to some of Microsoft’s leadership compensation and are a clear and direct response to the recent Russian hacker intrusions and the Cyber Safety Review Board recommendations.
Microsoft is now coordinating its engineering teams to complete this work in waves across the company. “These engineering waves involve teams across Azure Cloud, Windows, Microsoft 365 and Security, with additional product teams integrating into the process weekly,” says Bell.
Microsoft is already making progress toward its ambitious security goals. The company has enabled multifactor authentication by default across more than 1 million of its own internal tenants, including ones used for development, testing, demos, and production. It has also removed 730,000 apps so far that “were out-of-lifecycle or not meeting current SFI standards.”
The software maker is also trying to improve its security culture after it was branded “inadequate” by the Cyber Safety Review Board. The engineering leads at Microsoft are now holding weekly and monthly operational meetings that include a variety of management and senior individuals, with a goal to improve Microsoft’s security thinking across the company.
Microsoft is also adding deputy chief information security officers (CISOs) to each product team and is moving its threat intelligence team to report directly to the CISO. That should mean there’s a clear responsibility for security in engineering teams.
I reported last month that inside Microsoft there is concern that the recent security attacks could seriously undermine trust in the company. “Ultimately, Microsoft runs on trust and this trust must be earned and maintained,” says Bell. “As a global provider of software, infrastructure and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cybersecurity. This is job #1 for us.”