Microsoft Reforms ‘Weak’ Cyber Security Strategy

Uploaded on 2024-05-08 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Following harsh criticism for failing to contain several major cyber attacks, Microsoft’s CEO, Satya Nadella, has sent has sent a clear message to employees, urging them to make cyber security a top priority.

“If you’re faced with the trade-off between security and another priority, your answer is clear: Do security,” Nadella wrote in a company memo. “In some cases, this will mean prioritising security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”

Microsoft's security and privacy is suffering in the wake of a highly critical US government report that condemned the company’s weak cyber security practices and lax corporate culture, Microsoft’s Security Chief Charlie Bell has pledged significant reforms and a strategic shift to prioritise security above all other product features.

“This is job number one for us,” Bell said in his first public comments since the Cyber Safety Review Board (CSRB) called public attention to “a cascade of avoidable Microsoft  errors” that led to one of the most daring APT attacks in history.

“We must and will do more. We are making security our top priority at Microsoft, above all else, over all other features,” said Bell  as he  announced plans to add Deputy CISOs into each product team and link a senior managers’ pay to making progress on meeting security goals.

Engineering teams across Microsoft Azure, Windows, Microsoft 365, and Security have begun what Bell described as 'engineering waves' to prioritise security enhancements and remediation within the compnany's Secure Future Initiative (SFI).

The SFI was announced in November 2023 ahead of the CSRB investigation, and promises faster cloud patches, better management of identity signing keys and products with a higher default security bar.

Bell, who was previously responsible for security at AWS, said that Microsoft will expand the scope of the security-themed initiative to adopt recommendations from the CSRB report and will add technical controls to reduce unauthorised access and lock down its corporate infrastructure. 

Microsoft will implement state-of-the-art standards for identity and secrets management, including hardware-protected key rotations and phishing-resistant multi-factor authentication for all user accounts.

Microsoft also committed to beefing up the protection of its network and tenant environments; removing all entity lateral movement pivots between tenants, environments, and clouds; and ensuring only secure, managed, healthy devices are granted access to Microsoft tenants.

The new strategy will also place an emphasis on protecting Microsoft’s production networks and systems by improving isolation, monitoring, inventory, and secure operations.

Furthermore, Microsoft plans to build and maintain inventory of software assets used to deploy and operate Microsoft products and services and ensure access to source code and engineering systems infrastructure is secured through Zero Trust and least-privilege access policies.

CISA     |     Security Week     |     ARS Technica     |    ARS Technica     |     Double Pulsar    |   Bloomberg     |    

The Information    |    FastCompany 

Image: Pixabay

You Might Also Read: 

The Evolving Cybersecurity Vulnerability Landscape:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Cyber Tensions & Capabilities In Asia
Neutralizing Cyber Threats In SaaS Applications »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Infosecurity Europe

Infosecurity Europe

Infosecurity Europe is Europe’s number one information security conference and exhibition.

Information Security Forum (ISF)

Information Security Forum (ISF)

The ISF is a leading authority on information security and risk management.

Green Hills Software

Green Hills Software

Green Hills Software is the largest independent vendor of embedded secure software solutions for applications including the Internet of Things.

Commissum

Commissum

Commissum specialise in information assurance and security testing services.

Basis Technology

Basis Technology

Basis Technology provides software solutions for text analytics, information retrieval, digital forensics, and identity resolution.

Nexus Group

Nexus Group

Nexus Group develops identity solutions for physical and digital access.

Global Cyber Alliance (GCA)

Global Cyber Alliance (GCA)

Global Cyber Alliance is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world.

ACM-CCAS

ACM-CCAS

ACM is a UKAS-accredited certification body helping businesses around the world perform to a higher standard. Our certifications include ISO 27001 and ISO 22301.

Carbonite

Carbonite

Carbonite offers all the tools necessary for protecting data from the most common forms of data loss, including ransomware, accidental deletions, hardware failures and natural disasters.

Granted Consultancy

Granted Consultancy

Granted Consultancy is a business consultancy that specialises in securing funding to support companies with the development and commercialisation of new and innovative products and technologies.

INVISUS

INVISUS

INVISUS protects businesses against the latest cyber risks – including business and employee identity theft, data breaches, and cybersecurity compliance.

Telsy

Telsy

Telsy is a security partner for ICT solutions and services. We help you implement effective security solutions that increase your risk mitigation ability and your responsiveness.

StickmanCyber

StickmanCyber

At StickmanCyber we are on a mission to create a digital world that is safe for everyone - we are your trusted cybersecurity partner.

PlexTrac

PlexTrac

PlexTrac is a cybersecurity reporting and workflow management platform that supercharges security programs, making them more effective, efficient, and proactive.

Entitle

Entitle

Entitle's SaaS-based platform automates how permissions are managed, enabling organizations to eliminate bottlenecks and implement robust cloud least privilege access.

Sage IT

Sage IT

Sage IT offer a wide range of professional and consulting services to help organizations overcome the challenges of today's ever-changing business environment.

National Cybersecurity Competence Center (NC3) - Luxembourg

National Cybersecurity Competence Center (NC3) - Luxembourg

The purpose of the is to strengthen the Country's ecosystem facing cyber Luxembourg National Cybersecurity Competence Centerthreats and risks.