Microsoft Reforms ‘Weak’ Cyber Security Strategy

Uploaded on 2024-05-08 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Following harsh criticism for failing to contain several major cyber attacks, Microsoft’s CEO, Satya Nadella, has sent has sent a clear message to employees, urging them to make cyber security a top priority.

“If you’re faced with the trade-off between security and another priority, your answer is clear: Do security,” Nadella wrote in a company memo. “In some cases, this will mean prioritising security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”

Microsoft's security and privacy is suffering in the wake of a highly critical US government report that condemned the company’s weak cyber security practices and lax corporate culture, Microsoft’s Security Chief Charlie Bell has pledged significant reforms and a strategic shift to prioritise security above all other product features.

“This is job number one for us,” Bell said in his first public comments since the Cyber Safety Review Board (CSRB) called public attention to “a cascade of avoidable Microsoft  errors” that led to one of the most daring APT attacks in history.

“We must and will do more. We are making security our top priority at Microsoft, above all else, over all other features,” said Bell  as he  announced plans to add Deputy CISOs into each product team and link a senior managers’ pay to making progress on meeting security goals.

Engineering teams across Microsoft Azure, Windows, Microsoft 365, and Security have begun what Bell described as 'engineering waves' to prioritise security enhancements and remediation within the compnany's Secure Future Initiative (SFI).

The SFI was announced in November 2023 ahead of the CSRB investigation, and promises faster cloud patches, better management of identity signing keys and products with a higher default security bar.

Bell, who was previously responsible for security at AWS, said that Microsoft will expand the scope of the security-themed initiative to adopt recommendations from the CSRB report and will add technical controls to reduce unauthorised access and lock down its corporate infrastructure. 

Microsoft will implement state-of-the-art standards for identity and secrets management, including hardware-protected key rotations and phishing-resistant multi-factor authentication for all user accounts.

Microsoft also committed to beefing up the protection of its network and tenant environments; removing all entity lateral movement pivots between tenants, environments, and clouds; and ensuring only secure, managed, healthy devices are granted access to Microsoft tenants.

The new strategy will also place an emphasis on protecting Microsoft’s production networks and systems by improving isolation, monitoring, inventory, and secure operations.

Furthermore, Microsoft plans to build and maintain inventory of software assets used to deploy and operate Microsoft products and services and ensure access to source code and engineering systems infrastructure is secured through Zero Trust and least-privilege access policies.

CISA     |     Security Week     |     ARS Technica     |    ARS Technica     |     Double Pulsar    |   Bloomberg     |    

The Information    |    FastCompany 

Image: Pixabay

You Might Also Read: 

The Evolving Cybersecurity Vulnerability Landscape:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Cyber Tensions & Capabilities In Asia
Neutralizing Cyber Threats In SaaS Applications »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Aeriandi

Aeriandi

Aeriandi is a leading provider of hosted PCI security compliance solutions for call centres, trusted by high street banks and major Telcos.

DCIT

DCIT

DCIT is a specialist in providing comprehensive consulting and auditing services in the field of information technology, PROVYS development software and security system AuditSquare.

Sliced Tech

Sliced Tech

Sliced Tech provides enterprise grade managed Cloud services, including Security-as-a-Services, aimed at meeting the needs of commercial and government clients from within Australia.

Data Terminator

Data Terminator

Data Terminator provide a comprehensive range of secure data destruction equipment and services are in compliance to US Department of Defense (DoD) and National Security Agency (NSA) standards.

Hassans International Law Firm

Hassans International Law Firm

Hassans is the largest law firm in Gibraltar, providing a full range of legal services across corporate and commercial law including Data Protection and GDPR compliance.

HighPoint

HighPoint

HighPoint is a leading technology infrastructure solutions provider offering consultancy, solutions and managed services for network infrastructure and cybersecurity.

Noetic Cyber

Noetic Cyber

Noetic provides a proactive approach to cyber asset and controls management, empowering security teams to see, understand, and optimize their cybersecurity posture.

Shorebreak Security

Shorebreak Security

Shorebreak Securioty specialize in conducting highly accurate, safe, and reliable Information Security tests to determine the risks posed to your business.

GeoEdge

GeoEdge

GeoEdge is the premier provider of ad security and quality solutions for the online and mobile advertising ecosystem.

Xalient

Xalient

Xalient is an IT consulting and managed services business, specialising in modern, software-defined networking, security and communications technologies.

Seemplicity

Seemplicity

Seemplicity revolutionizes the way security teams work by automating, optimizing and scaling all risk reduction workflows in one workspace.

Softwerx

Softwerx

Softwerx is the UK’s leading Microsoft cloud security practice. We’ve been helping forward-thinking companies better secure their businesses for nearly twenty years.

Crypto Legal

Crypto Legal

Crypto Legal is a leading UK-based law firm specialising in blockchain forensics and legal services.

DIGISOC

DIGISOC

DIGISOC, a leader in Latin America in Cybersecurity solutions, combines machine learning with human intelligence to be effective in detecting cyber threats.

Stratascale

Stratascale

Stratascale is a consultant, systems integrator, and technology advisor with expertise in Automation, Cloud Ascension, Cybersecurity, Data Intelligence, and Digital Experience solutions.

MIS Solutions

MIS Solutions

MIS Solutions is a managed cloud and IT security partner making technology work for you.