Microsoft pledges cybersecurity overhaul to protect products and services

Microsoft has announced the launch of the Secure Future Initiative (SFI) to improve the built-in security of its products and platforms to better protect customers against escalating cybersecurity threats. The new initiative will bring together “every part of Microsoft” to advance cybersecurity protection incorporating three pillars focused on AI-based cyber defenses, advances in fundamental software engineering, and advocacy for stronger application of international norms, stated Brad Smith, vice chair and president of Microsoft.

“In recent months, we’ve concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response,” Smith said. The announcement follows recent criticism levied against Microsoft over the security of its products and services in relation to a major breach that targeted its Azure platform.

Today’s cyber threats emanate from well-funded operations, skilled hackers

Today’s cyber threats emanate from well-funded operations and skilled hackers who employ the most advanced tools and techniques, Smith wrote. “Whether they work for geopolitical or financial motives, these nation-states and criminal groups are constantly evolving their practices and expanding their targets, leaving no country, organization, individual, network, or device out of their sights.” These threat actors don’t just compromise machines and networks, but they also pose serious risks to people and societies, he added. “They require a new response based on our ability to utilize our own resources and our most sophisticated technologies and practices.”

Microsoft commits to AI-enhanced intelligence, threat response, security principles

Microsoft is committed to building an AI-based cyber shield that will protect customers and countries around the world, Smith said. “Our global network of AI-based datacenters and use of advanced foundation AI models puts us in a strong position to put AI to work to advance cybersecurity protection. As part of our SFI, we will continue to accelerate this work on multiple fronts.”

First, Microsoft is taking new steps to use AI to advance its threat intelligence with the Microsoft Threat Analysis Center (MTAC) using advanced AI tools and techniques to detect and analyze cyber threats. “We are extending these capabilities directly to customers, including through our Microsoft security technologies, which collects and analyzes customer data from multiple sources,” according to Smith. “While threat actors seek to hide their threats like a needle in a vast haystack of data, AI increasingly makes it possible to find the right needle even in a sea of needles.” Coupled with a global network of datacenters, Microsoft intends to use AI to detect threats at a speed that is as fast as the internet itself, Smith added.

Second, Microsoft is using AI as a “gamechanger” for all organizations to help defeat cyberattacks at machine speed. “With a global shortage of more than three million people, organizations need all the productivity they can muster from their cybersecurity workforce. Additionally, the speed, scale, and sophistication of attacks creates an asymmetry where it’s hard for organizations to prevent and disrupt attacks at scale,” Smith said. Microsoft’s Security Copilot combines a large language model (LLM) with a security-specific model that has various skills and insights from Microsoft’s threat intelligence, generating natural language insights and recommendations from complex data to help make analysts more effective and responsive, he added.

Third, Microsoft is securing AI in its services based on its Responsible AI principles, Smith said. “We recognize that these new AI technologies must move forward with their own safety and security safeguards. That’s why we’re developing and deploying AI in our services based on our Responsible AI principles and practices. We are focused on evolving these practices to keep pace with the changes in the technology itself.” Microsoft is also committing to building stronger AI-based protection for governments and countries. “Just last week, we announced that we will spend $3.2 billion to extend our hyperscale cloud computing and AI infrastructure in Australia, including the development of the Microsoft-Australian Signals Directorate Cyber Shield (MACS),” Smith wrote. This will enhance Microsoft’s joint capability to identify, prevent, and respond to cyber threats, he added.

Microsoft to transform its software development lifecycle

In addition to new AI capabilities, a more secure future will require new advances in fundamental software engineering, Smith said. As part of its SFI, Microsoft is launching a new standard for security by advancing the way it designs, builds, tests, and operates its technology, he added.

First, Microsoft will “transform the way” it develops software with automation and AI. “The challenges of today’s cybersecurity threats and the opportunities created by generative AI have created an inflection point for secure software engineering. The new steps the firm is taking represent the next evolutionary stage of the Security Development Lifecycle (SDL), which “Microsoft invented” in 2004, Smith said. This will evolve to what Microsoft is calling “dynamic SDL” (dSDL). “This will apply systematic processes to continuously integrate cybersecurity protection against emerging threat patterns as our engineers code, test, deploy, and operate our systems and services,” Smith stated. This will be coupled with other additional engineering measures, including AI-powered secure code analysis and the use of GitHub Copilot to audit and test source code against advanced threat scenarios.

Over the next year, Microsoft will enable customers with more secure default settings for multifactor authentication (MFA) out-of-the-box, expanding its current default policies to a wider band of customer services.

Second, Microsoft will strengthen identity protection against highly sophisticated attacks, Smith said. “Identity-based threats like password attacks have increased ten-fold during the past year, with nation-states and cybercriminals developing more sophisticated techniques to steal and use login credentials.” Microsoft will protect against these threats by applying its most advanced identity protection through a unified and consistent process that will manage and verify the identities and access rights of its users, devices, and services across all of its products and platforms. “We will also make these advanced capabilities freely available to non-Microsoft application developers,” Smith wrote.

Third, Microsoft is “pushing the envelope” in vulnerability response and security updates for its cloud platforms. “We plan to cut the time it takes to mitigate cloud vulnerabilities by 50%. We also will encourage more transparent reporting in a more consistent manner across the tech sector,” Smith said.

Microsoft supports stronger application of international norms in cyberspace

Finally, stronger AI defenses and engineering advances need to be combined with a third critical component – the stronger application of international norms in cyberspace, according to Smith. “We will commit Microsoft’s teams around the world to help advocate for and support these efforts.”

First, there needs to be more endorsement and reinforcement of the key norms that provide the red lines no government should cross, Smith said. “We should all abhor determined nation-state efforts that seek to install malware or create or exploit other cybersecurity weaknesses in the networks of critical infrastructure providers. These bear no connection to the espionage efforts that governments have pursued for centuries and instead appear designed to threaten the lives of innocent civilians in a future crisis or conflict.”

All states should commit publicly that they will not plant software vulnerabilities in the networks of critical infrastructure providers such as energy, water, food, medical care, or other providers. “They should also commit that they will not permit any persons within their territory or jurisdiction to engage in cybercriminal operations that target critical infrastructure.”

Similarly, cloud services themselves have become a critical piece of support for every aspect of societies including reliable water, food, energy, medical care, information, and other essentials, Smith wrote. “For these reasons, states should recognize cloud services as critical infrastructure, with protection against attack under international law.”

Second, governments need to do more together to foster greater accountability for nation states that cross red lines. “What we need now is the type of strong, public, multilateral, and unified attributions from governments that will hold these states accountable and discourage them from repeating the misconduct,” Smith said. “Tech companies and the private sector play a major role in cybersecurity protection, and we are committed to new steps and stronger action.”

Microsoft’s SFI “couldn’t come at a better time” for the company

Microsoft’s security and brand have experienced challenges over the past several years – from legacy on-premises exchange server vulnerabilities (Hafnium) and unauthorized access to cross-tenant applications and sensitive data (Tenable disclosure) to the amount of time it takes to remediate vulnerabilities, Rick Holland, CISO at ReliaQuest, tells CSO. “This perception is even giving some customers with E5 licensing doubts when considering the expansion of the Microsoft security portfolio. Microsoft’s SFI couldn’t come at a better time for the company.”

Microsoft is making its customers (and prospects) aware of its strategy and how it plans to adapt to the rapidly evolving technology and threat landscapes, Holland adds. “Few companies worldwide have datasets of Microsoft’s scale to train on when using AI to advance Microsoft’s threat intelligence. In a world where every technology company will have its version of a ‘copilot’ Microsoft is well positioned to leverage its security telemetry for Security Copilot.”

The transition to dSDL is significant too, Holland says. “All vendors must improve the production of secure code; we must also reduce the time between vulnerability discovery and remediation. I’m pleased that Microsoft will ‘encourage more transparent reporting in a more consistent manner’ across the tech sector. As we have seen with 2023’s deluge of vendor breaches, how and when you communicate is critical to maintaining customer trust amid an intrusion.” Vendors don’t have to have all the answers during an investigation but will be judged harshly for poor communication, Holland adds.

“Expanded MFA and MFA out-of-the-box are welcome and desperately needed components of this initiative. Hopefully, all vendors are moving in this direction, particularly when it comes to not bundling MFA features in higher-level enterprise licensing tiers,” Holland says. MFA should be available to all, not just the Global 2000 organizations that can pay more than small and medium-sized businesses, he adds. “As with all strategies, execution is critical. Historically, as we saw with Trusted Computing, Microsoft has demonstrated the ability to shift the security landscape. Hopefully, this is the case again.”