Microsoft Reforms ‘Weak’ Cyber Security Strategy

Uploaded on 2024-05-08 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Following harsh criticism for failing to contain several major cyber attacks, Microsoft’s CEO, Satya Nadella, has sent has sent a clear message to employees, urging them to make cyber security a top priority.

“If you’re faced with the trade-off between security and another priority, your answer is clear: Do security,” Nadella wrote in a company memo. “In some cases, this will mean prioritising security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”

Microsoft's security and privacy is suffering in the wake of a highly critical US government report that condemned the company’s weak cyber security practices and lax corporate culture, Microsoft’s Security Chief Charlie Bell has pledged significant reforms and a strategic shift to prioritise security above all other product features.

“This is job number one for us,” Bell said in his first public comments since the Cyber Safety Review Board (CSRB) called public attention to “a cascade of avoidable Microsoft  errors” that led to one of the most daring APT attacks in history.

“We must and will do more. We are making security our top priority at Microsoft, above all else, over all other features,” said Bell  as he  announced plans to add Deputy CISOs into each product team and link a senior managers’ pay to making progress on meeting security goals.

Engineering teams across Microsoft Azure, Windows, Microsoft 365, and Security have begun what Bell described as 'engineering waves' to prioritise security enhancements and remediation within the compnany's Secure Future Initiative (SFI).

The SFI was announced in November 2023 ahead of the CSRB investigation, and promises faster cloud patches, better management of identity signing keys and products with a higher default security bar.

Bell, who was previously responsible for security at AWS, said that Microsoft will expand the scope of the security-themed initiative to adopt recommendations from the CSRB report and will add technical controls to reduce unauthorised access and lock down its corporate infrastructure. 

Microsoft will implement state-of-the-art standards for identity and secrets management, including hardware-protected key rotations and phishing-resistant multi-factor authentication for all user accounts.

Microsoft also committed to beefing up the protection of its network and tenant environments; removing all entity lateral movement pivots between tenants, environments, and clouds; and ensuring only secure, managed, healthy devices are granted access to Microsoft tenants.

The new strategy will also place an emphasis on protecting Microsoft’s production networks and systems by improving isolation, monitoring, inventory, and secure operations.

Furthermore, Microsoft plans to build and maintain inventory of software assets used to deploy and operate Microsoft products and services and ensure access to source code and engineering systems infrastructure is secured through Zero Trust and least-privilege access policies.

CISA     |     Security Week     |     ARS Technica     |    ARS Technica     |     Double Pulsar    |   Bloomberg     |    

The Information    |    FastCompany 

Image: Pixabay

You Might Also Read: 

The Evolving Cybersecurity Vulnerability Landscape:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Cyber Tensions & Capabilities In Asia
Neutralizing Cyber Threats In SaaS Applications »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Voyager Networks

Voyager Networks

Voyager Networks is an IT solutions business with a focus on Enterprise Networks, Security and Collaborative Communications.

Synopsys

Synopsys

Synopsys delivers trusted and comprehensive silicon to systems design solutions, from electronic design automation to silicon IP and system verification and validation.

XBOSoft

XBOSoft

XBOSoft is a software QA and testing company. We cover the entire QA and testing life cycle including software and application security.

RiskLens

RiskLens

RiskLens is a software company that specializes in the quantification of cybersecurity risk.

Owl Cyber Defense

Owl Cyber Defense

Owl patented DualDiode Technology enables hardware-enforced network segmentation and deterministic, one-way transfer of all data types and file sizes.

Labris Networks

Labris Networks

Labris Networks specializes in DDoS mitigation, NG Firewall, Unified Threat Management, Centralized Management, Regulatory Compliances and SOC/CERT Services.

Cask Government Services

Cask Government Services

Cask Government Services focuses on program management, cybersecurity, logistics, business analysis and engineering services for Federal, State and Local Government.

Blackpoint Cyber

Blackpoint Cyber

Blackpoint’s mission is to provide effective, affordable real-time threat detection and response to organizations of all sizes around the world.

ERI

ERI

ERI is the largest fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the United States.

Codean

Codean

The Codean Review Environment automates mundane software analysis tasks, so security experts can focus on finding vulnerabilities.

Lab 1

Lab 1

Lab 1 turns criminal data breaches and attacks into insights. Get alerts of data breaches or ransomware attack incidents as they happen.

Leostream

Leostream

Leostream's Remote Desktop Access Platform enables seamless work-from-anywhere flexibility while maintaining security and constant visibility of users.

Nukke

Nukke

Nukke offers advanced cybersecurity software and tailored solutions for your business.

3DOT Solutions

3DOT Solutions

3DOT Solutions is an established UK cybersecurity consultancy focused on delivering end-to-end cyber security solutions for private and public sector customers.

Simpson Associates

Simpson Associates

Simpson Associates is a Data Transformation and managed services provider that helps organisations gain valuable insights from their data and make better-informed decisions.

aiComply

aiComply

aiComply's AI-driven platform offers automated intelligence for an efficient cybersecurity compliance workflow, eliminating onerous manual and time-consuming paperwork.