Microsoft Reforms ‘Weak’ Cyber Security Strategy

Uploaded on 2024-05-08 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Following harsh criticism for failing to contain several major cyber attacks, Microsoft’s CEO, Satya Nadella, has sent has sent a clear message to employees, urging them to make cyber security a top priority.

“If you’re faced with the trade-off between security and another priority, your answer is clear: Do security,” Nadella wrote in a company memo. “In some cases, this will mean prioritising security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”

Microsoft's security and privacy is suffering in the wake of a highly critical US government report that condemned the company’s weak cyber security practices and lax corporate culture, Microsoft’s Security Chief Charlie Bell has pledged significant reforms and a strategic shift to prioritise security above all other product features.

“This is job number one for us,” Bell said in his first public comments since the Cyber Safety Review Board (CSRB) called public attention to “a cascade of avoidable Microsoft  errors” that led to one of the most daring APT attacks in history.

“We must and will do more. We are making security our top priority at Microsoft, above all else, over all other features,” said Bell  as he  announced plans to add Deputy CISOs into each product team and link a senior managers’ pay to making progress on meeting security goals.

Engineering teams across Microsoft Azure, Windows, Microsoft 365, and Security have begun what Bell described as 'engineering waves' to prioritise security enhancements and remediation within the compnany's Secure Future Initiative (SFI).

The SFI was announced in November 2023 ahead of the CSRB investigation, and promises faster cloud patches, better management of identity signing keys and products with a higher default security bar.

Bell, who was previously responsible for security at AWS, said that Microsoft will expand the scope of the security-themed initiative to adopt recommendations from the CSRB report and will add technical controls to reduce unauthorised access and lock down its corporate infrastructure. 

Microsoft will implement state-of-the-art standards for identity and secrets management, including hardware-protected key rotations and phishing-resistant multi-factor authentication for all user accounts.

Microsoft also committed to beefing up the protection of its network and tenant environments; removing all entity lateral movement pivots between tenants, environments, and clouds; and ensuring only secure, managed, healthy devices are granted access to Microsoft tenants.

The new strategy will also place an emphasis on protecting Microsoft’s production networks and systems by improving isolation, monitoring, inventory, and secure operations.

Furthermore, Microsoft plans to build and maintain inventory of software assets used to deploy and operate Microsoft products and services and ensure access to source code and engineering systems infrastructure is secured through Zero Trust and least-privilege access policies.

CISA     |     Security Week     |     ARS Technica     |    ARS Technica     |     Double Pulsar    |   Bloomberg     |    

The Information    |    FastCompany 

Image: Pixabay

You Might Also Read: 

The Evolving Cybersecurity Vulnerability Landscape:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Cyber Tensions & Capabilities In Asia
Neutralizing Cyber Threats In SaaS Applications »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CANVAS Consortium

CANVAS Consortium

The CANVAS Consortium aims to unify technology developers with legal and ethical scholar and social scientists to approach the challenges of cybersecurity.

Early Warning Services

Early Warning Services

Early Warning is committed to providing awareness, education, and enablement around fraud prevention.

STM

STM

STM provides system engineering, technical support, project management, technology transfer and logistics support services for the Turkish Armed Forces.

Shieldfy

Shieldfy

Shieldfy is a cloud-based security shield for your website to protect it from cyber attacks and malwares.

Trinity Cyber

Trinity Cyber

Trinity Cyber’s patent-pending technology stops attacks before they reach internal networks,reducing risk and increasing cost to adversaries.

Ensighten

Ensighten

Ensighten is a leader in Website Security & Privacy Compliance. Protect your website from malicious attacks, monitor & detect vulnerabilities, protect consumer data.

Sygnia

Sygnia

Sygnia is a cyber technology and services company, providing high-end consulting and incident response support for organizations worldwide.

Arcturus Security

Arcturus Security

Arcturus is a CREST-approved cyber security consultancy created by experts in the field.

Firmus

Firmus

As the leading penetration testing services provider in Malaysia, Firmus evaluates the ability of your internal or external information assets to withstand attacks.

CFTS

CFTS

CFTS 'Computer Facilities Technical Services' is a Ugandan ICT Support Company that specialises in infrastructure and support services including network security.

SHI International

SHI International

SHI International deliver against your IT and business needs, helping you build strategies and solutions that will drive innovation, collaboration and security.

OSC Edge

OSC Edge

OSC was founded with the vision of providing expert solutions in IT to government and businesses. OSC Edge empowers organizations with solutions that prepare them for today and tomorrow.

DIGISOC

DIGISOC

DIGISOC, a leader in Latin America in Cybersecurity solutions, combines machine learning with human intelligence to be effective in detecting cyber threats.

OxCyber

OxCyber

OxCyber's mission is to ignite and encourage cybersecurity and technology growth in the Thames Valley through meetings, webinars, in person events, workshops and mentorship programs.

Digital.ai

Digital.ai

Digital.ai empowers organizations to scale software development teams, continuously deliver software with greater quality and security.

Synersoft BLACKbox

Synersoft BLACKbox

Synersoft, the maker of path-breaking and disruptive technology for SMEs, now branded as BLACKbox, is an incubated and invested portfolio company of CIIE - IIM-Ahmedabad.