Microsoft is doubling down on its recently-launched Secure Future Initiative (SFI), expanding the programme – which sets out to address the software and vulnerability issues frequently exploited by threat actors – in the wake of the US government’s Cyber Safety Review Board (CSRB) report on last year’s Storm-0558 intrusion and the January 2024 Midnight Blizzard (Cozy Bear) attack.
Redmond said that the rapid evolution of the threat landscape underscored the severity of the threats that face both its own operations and those of its customers, and acknowledged that given its central role in the world’s IT ecosystem, it had a “critical responsibility” to earn and maintain trust.
“We are making security our top priority at Microsoft, above all else – over all other features. We’re expanding the scope of SFI, integrating the recent recommendations from the CSRB as well as our learnings from Midnight Blizzard to ensure that our cyber security approach remains robust and adaptive to the evolving threat landscape,” said Charlie Bell, executive vice president of Microsoft Security.
“We will mobilise the expanded SFI pillars and goals across Microsoft and this will be a dimension in our hiring decisions. In addition, we will instil accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones,” he said.
The SFI, as initially outlined by Microsoft vice chair and president Brad Smith in November 2023, centres on three core pillars: developing and improving AI-based cyber defences, improving software engineering practice, and advocating for stronger application of international norms in cyber space.
In a blog post setting out the SFI expansion, Bell explained that this approach would now evolve, with the work guided by three new principles:
- Security by design, as a primary consideration in the design and development of any Microsoft product or service;
- Security by default, with protections enabled and enforced by default, requiring no extra effort from users, but equally with no opt-outs for them;
- Secure operations, with controls and monitoring continuously improving to meet changing threats head on.
Added to this, Microsoft will now align a set of expanded goals and actions to six prioritised pillars, as follows:
- The protection of identities and secrets using best-in-class, quantum-ready standards;
- The protection and isolation of all Microsoft tenants and production systems;
- The protection of Microsoft production networks, and the isolation of Microsoft and customer resources;
- The protection of engineering systems, encompassing software assets, code security, and governance of the software supply chain;
- The monitoring and detection of threats, providing comprehensive coverage and automatic detection of threats to Microsoft production infrastructure;
- The acceleration of response and remediation to vulnerabilities, reducing time to mitigate for high-severity bugs and improving public messaging and transparency.
“These goals directly align to our learnings from the Midnight Blizzard incident as well as all four CSRB recommendations to Microsoft and all 12 recommendations to cloud service providers (CSPs), across the areas of security culture, cyber security best practices, auditing logging norms, digital identity standards and guidance, and transparency,” said Bell.
“We are delivering on these goals through a new level of coordination with a new operating model that aligns leaders and teams to the six SFI pillars, in order to drive security holistically and break down traditional silos,” he added.
Internally, Microsoft is also taking steps to improve how its people respond as a collective, implementing new initiatives to help operationalise its learnings from incidents, and instituting a new governance framework overseen by its CISO, Igor Tsyganskiy. This framework introduces a partnership between engineering teams and a newly-created group of deputy CISOs, and will be backed by the full breadth of Microsoft’s existing nation-state actor and threat hunting capabilities.
It also plans to do more to instil a security-first culture, and will be starting broad-scale weekly and monthly operational meetings that include all levels of management and senior individual contributors working on detailed execution and continuous improvement of security.
“Ultimately, Microsoft runs on trust and this trust must be earned and maintained. As a global provider of software, infrastructure, and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cyber security. This is job number one for us,” said Bell.
“Microsoft has some really ambitious goals in their Secure Future Initiative. Most organisations have neither the will nor the technical ability to achieve these goals, but any organisation that does will be in a prime position to repel most intrusions,” said Jake Williams, a faculty member at cyber research firm IANS Research, and a former hacker for the NSA. “Microsoft certainly has the technical ability to implement these, but that’s always been the case. It appears they now have the political will to do so as well.
“There are plenty of details about significant technical security enhancements Microsoft is making. The hardest part of most of these is getting to 100%. Anything less than 100% leaves a residual attack surface that threat actors will exploit. These efforts follow the old 80/20 rule where most of the effort is expended getting the last holdouts onboarded into the new security regime. The thing that gives me the most confidence that Microsoft will get there is the emphasis that engineer SVPs are holding regular operational meetings with all levels of management and senior ICs. That’s how you reinforce cultural change and make sure that it sticks,” he said.