Friday, October 18, 2024

Microsoft Updates on Secure Future Initiative Progress

According to a recent progress report, Microsoft’s Secure Future Initiative (SFI) is reportedly thriving and making steady strides in tackling the fundamental issues that previously drew heavy criticism from American lawmakers.

Launched in November 2023, the SFI emerged in response to several high-profile security breaches that impacted Microsoft technologies, including the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server exploited by ransomware groups, as well as the intrusions by the Chinese threat actor Storm-0558, who compromised government customer access through forged tokens.

Following the incidents linked to Storm-0558, Microsoft faced allegations of negligence from Washington, particularly after additional breaches were uncovered, including a January 2024 incident in which Cozy Bear, the group associated with SolarWinds Sunburst, infiltrated Microsoft systems. These circumstances culminated in a critical report from the US Cyber Safety Review Board (CSRB), after which Microsoft expanded the scope of the SFI.

In the summary of the report, Charlie Bell, Microsoft’s Executive Vice President of Security, reaffirmed the company’s commitment to security, emphasizing that consistent progress is more crucial than achieving perfection. He highlighted the extensive resources dedicated to the SFI, described as one of the largest cybersecurity projects to date, equivalent to the efforts of 34,000 full-time engineers.

“The collective work we are undertaking to enhance protection, eliminate outdated or non-compliant assets, and identify systems requiring monitoring effectively measures our progress,” he stated. Bell further added, “Looking forward, we remain dedicated to continual improvement. The SFI will adapt and evolve in response to new threats, while our commitment to transparency and collaboration within the industry remains steadfast. The efforts we have made thus far represent merely the beginning.” He concluded that as cyber threats evolve, Microsoft must evolve alongside them, fostering a culture of continuous learning to ensure security is a core foundation rather than just an added feature.

### Six Pillars of SFI
At the heart of the Microsoft SFI are six foundational pillars:

1. Protecting identities and secrets using advanced quantum-ready standards.
2. Safeguarding and isolating all Microsoft tenants and production systems.
3. Securing Microsoft production networks and isolating resources for Microsoft and its customers.
4. Protecting engineering systems, covering software assets, code security, and governance of the software supply chain.
5. Monitoring and detecting threats to provide thorough coverage and automated detection for Microsoft’s production infrastructure.
6. Accelerating response and remediation efforts for vulnerabilities to decrease the time taken to address high-severity issues and enhance public communication and transparency.

In discussing the first pillar, Bell noted that Microsoft Entra ID and Microsoft Account have been upgraded, in both the public and government clouds, to generate, store, and rotate access token signing keys. He also pointed to wider adoption of standard identity software development kits, which now provide consistent token validation for over 73% of the tokens Entra ID issues to Microsoft applications.

Regarding the second pillar, Microsoft has completed an entire iteration of application lifecycle management in its production and productivity tenant estates, removing 730,000 unused software components and quietly decommissioning nearly six million inactive tenants to further mitigate security risks. A new streamlined system for setting up testing and experimentation tenants with secure defaults and strict management controls has also been introduced.

On the third pillar, more than 99% of physical assets on Microsoft’s production network are now documented in a central inventory, while virtual networks requiring backend connectivity have been isolated from the corporate network and are undergoing comprehensive security reviews to prevent unwanted lateral movement. For customers, Microsoft has enhanced platform capabilities, such as Admin Rules, to facilitate the isolation of platform-as-a-service resources.

Concerning the fourth pillar, over 85% of production build pipelines for Microsoft’s commercial cloud now utilize centrally governed pipeline templates, improving deployment efficiency and trustworthiness. The lifespan of Personal Access Tokens has been reduced to one week, SSH access to internal engineering repositories has been disabled, and the number of elevated access roles has been significantly decreased. Additionally, proof-of-presence checks have been established at critical stages in the development process.

For the fifth pillar, Microsoft reported notable advancements in enforcing standard libraries for security audit logs throughout its production infrastructure, with log retention now set to a minimum of two years. It also stated that over 99% of all network devices are equipped with centralized log collection and retention tools.

Finally, under the response and remediation pillar, Microsoft has updated its processes to enhance response times for critical cloud vulnerabilities and has begun publishing these vulnerabilities as CVEs, even when no action is required from customers. Furthermore, a Customer Security Management Office has been established to facilitate public communication and engagement.

### Fostering a Security Culture
Microsoft is not stopping there. The company announced new initiatives aimed at improving secure behavior among its workforce and ensuring appropriate responses to incidents. This includes establishing a Cybersecurity Governance Council and appointing deputy Chief Information Security Officers (CISOs) for crucial cyber functions and engineering divisions, overseen by CISO Igor Tsyganskiy, who will be responsible for managing overall risk, defense, and compliance.

In a further commitment, every employee will now be expected to agree to and be held accountable for core cyber requirements during performance evaluations, alongside the introduction of an internal security skills academy program. The senior leadership team is now required to review SFI progress weekly and provide updates to the board every three months, with their security performance directly affecting their compensation.