Microsoft has had a rough few years of cybersecurity incidents. It found itself at the center of the SolarWinds attack nearly three years ago, one of the most sophisticated cybersecurity attacks we’ve ever seen. Then, 30,000 organizations’ email servers were hacked in 2021 thanks to a Microsoft Exchange Server flaw. If that weren’t enough already, Chinese hackers breached US government emails via a Microsoft cloud exploit earlier this year.
Something had to give.
Microsoft is now announcing a huge cybersecurity effort, dubbed the Secure Future Initiative (SFI). This new approach is designed to change the way Microsoft designs, builds, tests, and operates its software and services. It’s the biggest change to security efforts inside Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004 after Windows XP fell victim to a huge Blaster worm attack that knocked PCs offline in 2003. That push came just two years after co-founder Bill Gates had called on a trustworthy computing initiative in an internal memo.
Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, enable better security settings out of the box, and harden its infrastructure to protect against encryption keys falling into the wrong hands.
In an internal memo to Microsoft’s engineering teams today, the company’s leadership has outlined its new cybersecurity approach. It comes just months after Microsoft was accused of “blatantly negligent” cybersecurity practices related to a major breach that targeted its Azure platform. Microsoft has faced mounting criticism of its handling of a variety of cybersecurity issues in recent years.
“Satya Nadella, Rajesh Jha, Scott Guthrie, and I have put significant thought into how we should respond to the increasingly more sophisticated threats,” explains Charlie Bell, head of Microsoft security, in an internal memo distributed today. “To this end, we have committed to three specific engineering advances we are taking on our journey of continually improving the built-in security of our products and platforms. These advances comprise what we’re calling the Secure Future Initiative. Collectively, they improve security for customers both in the near term and against threats we know will increase over the horizon.”
The first big change is how Microsoft develops its software. The company will rely on more automation and AI to catch security risks and vulnerabilities. This includes leveraging CodeQL, GitHub’s code analysis engine, to automate security checks during development. “Our goal is to accelerate the deployment of CodeQL integrated with GitHub Copilot learnings,” says Bell. “We will use CodeQL to perform static and dynamic code analysis, helping our teams find and fix bugs in our code at AI speed and scale.”
This AI push for security won’t be limited to software development at Microsoft, either. “As a company, we are committed to building an AI-based cyber shield that will protect customers and countries around the world,” explains Brad Smith, Microsoft vice chair and president, in a blog post today. “AI is a game changer. While threat actors seek to hide their threats like a needle in a vast haystack of data, AI increasingly makes it possible to find the right needle even in a sea of needles. And coupled with a global network of datacenters, we are determined to use AI to detect threats at a speed that is as fast as the interest itself.”
Part of the criticism leveled at Microsoft in recent months has been focused on the amount of time it takes the company to respond to major security vulnerabilities. Cybersecurity company Tenable originally discovered an Azure flaw in March, but it says it took Microsoft “more than 90 days to implement a partial fix” that only applied to new Azure applications.
“We plan to cut the time it takes to mitigate cloud vulnerabilities by 50 percent,” says Bell in his memo. “We are in a position to achieve this because of our investment and learnings in automation, orchestration, and intelligence-driven tools and processes.” Ninety days is the typical industry window for security fixes, so if Microsoft can reliably cut that to 45 days, then that’s a great start to this new security initiative.
Microsoft is also looking at hardening the platforms that protect its encryption keys. Chinese hackers breached US government emails after stealing signing keys that allowed them to break into dozens of email inboxes earlier this year.
“To stay ahead of bad actors, we are moving identity platforms to confidential computing infrastructure that we helped pioneer,” says Bell. “In this architecture, data governing identities is encrypted not only at rest and transit but during computational processes as well. This means that even if an attacker gets through our layered defenses in the course of targeting encryption keys, the key data is designed to be inaccessible within automated systems that do not require human touch.”
Microsoft is also focusing on improving security defaults. “Over the next year we will enable customers with more secure default settings for Multi-Factor Authentication (MFA) out-of-the-box,” says Smith. “This will expand our current default policies to a wider band of customer services, with a focus on where customers need this protection the most.”
In September, cybersecurity research firm Wiz disclosed that 38TB of data had accidentally been exposed by Microsoft AI researchers thanks to an Azure feature called SAS tokens. “Account SAS tokens are extremely hard to manage and revoke,” said Wiz researchers at the time. Microsoft doesn’t specifically mention SAS tokens in its new security initiative, but hopefully it’s something the company is looking at, too.
While this is Microsoft’s biggest commitment to cybersecurity in more than a decade, I can also sense that the company is increasingly angered by the attacks it has found itself at the center of. “We should all abhor determined nation state efforts that seek to install malware or create or exploit other cybersecurity weaknesses in the networks of critical infrastructure providers,” says Smith in his blog post today. “These bear no connection to the espionage efforts that governments have pursued for centuries and instead appear designed to threaten the lives of innocent civilians in a future crisis or conflict.”
Smith calls on states to “recognize cloud services as critical infrastructure, with protection against attack under international law” and for greater accountability for nation-states involved in undermining cloud security. “All states should commit publicly that they will not plant software vulnerabilities in the networks of critical infrastructure providers such as energy, water, food, medical care, or other providers,” says Smith. “They should also commit that they will not permit any persons within their territory or jurisdiction to engage in cybercriminal operations that target critical infrastructure.”
It’s chock full of useful advice, exclusive events and interesting articles. Don’t miss out!