Microsoft Reforms ‘Weak’ Cyber Security Strategy

Uploaded on 2024-05-08 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Following harsh criticism for failing to contain several major cyber attacks, Microsoft’s CEO, Satya Nadella, has sent has sent a clear message to employees, urging them to make cyber security a top priority.

“If you’re faced with the trade-off between security and another priority, your answer is clear: Do security,” Nadella wrote in a company memo. “In some cases, this will mean prioritising security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”

Microsoft's security and privacy is suffering in the wake of a highly critical US government report that condemned the company’s weak cyber security practices and lax corporate culture, Microsoft’s Security Chief Charlie Bell has pledged significant reforms and a strategic shift to prioritise security above all other product features.

“This is job number one for us,” Bell said in his first public comments since the Cyber Safety Review Board (CSRB) called public attention to “a cascade of avoidable Microsoft  errors” that led to one of the most daring APT attacks in history.

“We must and will do more. We are making security our top priority at Microsoft, above all else, over all other features,” said Bell  as he  announced plans to add Deputy CISOs into each product team and link a senior managers’ pay to making progress on meeting security goals.

Engineering teams across Microsoft Azure, Windows, Microsoft 365, and Security have begun what Bell described as 'engineering waves' to prioritise security enhancements and remediation within the compnany's Secure Future Initiative (SFI).

The SFI was announced in November 2023 ahead of the CSRB investigation, and promises faster cloud patches, better management of identity signing keys and products with a higher default security bar.

Bell, who was previously responsible for security at AWS, said that Microsoft will expand the scope of the security-themed initiative to adopt recommendations from the CSRB report and will add technical controls to reduce unauthorised access and lock down its corporate infrastructure. 

Microsoft will implement state-of-the-art standards for identity and secrets management, including hardware-protected key rotations and phishing-resistant multi-factor authentication for all user accounts.

Microsoft also committed to beefing up the protection of its network and tenant environments; removing all entity lateral movement pivots between tenants, environments, and clouds; and ensuring only secure, managed, healthy devices are granted access to Microsoft tenants.

The new strategy will also place an emphasis on protecting Microsoft’s production networks and systems by improving isolation, monitoring, inventory, and secure operations.

Furthermore, Microsoft plans to build and maintain inventory of software assets used to deploy and operate Microsoft products and services and ensure access to source code and engineering systems infrastructure is secured through Zero Trust and least-privilege access policies.

CISA     |     Security Week     |     ARS Technica     |    ARS Technica     |     Double Pulsar    |   Bloomberg     |    

The Information    |    FastCompany 

Image: Pixabay

You Might Also Read: 

The Evolving Cybersecurity Vulnerability Landscape:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« New AWS Webinar: Harnessing The Power Of SIEM
Neutralizing Cyber Threats In SaaS Applications »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

European Defence Agency (EDA)

European Defence Agency (EDA)

EDAs mission is to improve European defence capabilities. Programme areas include Cyber Defence.

DoD Cyber Crime Center (DC3)

DoD Cyber Crime Center (DC3)

DC3 is a US Department of Defense (DoD) center of excellence for Digital and Multimedia forensics.

CYBERPOL

CYBERPOL

CYBERPOL's mission is to facilitate the widest possible mutual assistance between all cyber crime law enforcement authorities to help mitigate global cyber threats.

Prim'X Technologies

Prim'X Technologies

Prim'X Technologies provides information protection solutions to prevent unauthorised access to sensitive data.

Gate 15

Gate 15

Gate 15 provide risk management services focusing primarily on information, intelligence and threat analysis, operational support and preparedness.

BigID

BigID

BigID is redefining personal data protection and privacy. BigID software helps companies secure their customer data & satisfy privacy regulations like GDPR.

Shape Security

Shape Security

Shape Security provide best-in-class defense against malicious automated cyberattacks on web and mobile applications.

Computer Forensic Services

Computer Forensic Services

Computer Forensic Services are digital evidence specialists. Practice areas include Information Security, e-Discovery, Law Enforcement Support and Litigation.

Aptiv

Aptiv

Aptiv is a global technology company that develops safer, greener and more connected solutions enabling the future of mobility.

Dellfer

Dellfer

Dellfer secures connected cars and other IOT devices through Intrinsic protection, enabling the most sophisticated cybersecurity attacks to be seen instantly and remediated with precision.

Cyber Physical Security Research Center (CPSEC)

Cyber Physical Security Research Center (CPSEC)

CPSEC aims to contribute to the security enhancement of industrial infrastructure that creates value across cyber space and physical space.

Ridge Global

Ridge Global

Ridge Global works with C-suite executives and corporate directors to build more resilient organizations through innovative preparedness, protection, response and education capabilities.

DNX Ventures

DNX Ventures

Based in Silicon Valley and Tokyo, DNX Ventures is an early stage VC for B2B startups in sectors including Cybersecurity.

World Cyber Security Summit

World Cyber Security Summit

World Cyber Security Summit, by Trescon, is a thought-leadership driven platform for CISOs who are looking to explore new-age threats and the technologies/strategies that can help mitigate them.

Crispmind

Crispmind

Crispmind creates innovative solutions to some of today’s most challenging technology problems.

Zluri

Zluri

Zluri is a cloud-native SaaSOps platform enabling modern enterprises with SaaS Management and Identity Governance.