Ten years ago, I walked onto Microsoft’s Redmond campus to take a role on a team that partnered with governments and CERTs on cybersecurity. I’d just left a meaningful career in US federal government service because I thought it would be fascinating to experience first-hand the security challenges and innovation from the perspective of the IT industry, especially within Microsoft, given its presence around the US federal government. I fully expected to spend a year or two in Microsoft and then resume my federal career with useful IT industry perspectives on security. Two days after I started, Popular Science’s annual “Ten worst jobs in science” survey came out, and I was surprised to see “Microsoft Security Grunt” in sixth place. Though the article was tongue-in-cheek, saluting those who take on tough challenges, the fact that we made this ignominious list certainly made me wonder if I’d made a huge mistake.
I spent much of my first few years hearing from government and enterprise executives that Microsoft was part of the security problem. Working with so many hard-working engineers, researchers, security architects, threat hunters, and developers trying to tackle these increasingly complex challenges, I disagreed. But, we all recognized that we needed to do more to defend the ecosystem, and to better articulate our efforts. We’d been investing in security well before 2007, notably with the Trustworthy Computing Initiative and Security Development Lifecycle, and we continue to invest heavily in technologies and people – we now employ over 3,500 people in security across the company. I rarely hear anymore that we are perceived as a security liability, but our work isn’t done. Ten years later, I’m still here, busier than ever, delaying my long-expected return to federal service, helping enterprise CISOs secure their environments, their users, and their data.
Complexity vs. security
Is it possible, however, that our industry’s investments in security have created another problem – that of complexity? Have we innovated our way into a more challenging situation? My fellow security advisors at Microsoft have shared customer frustrations over the growing security vendor presence in their environments. While these different technologies may solve specific requirements, in doing so, they create a management headache. Twice this week in Redmond, CISOs from large manufacturers challenged me to help them better understand security capabilities they already owned from Microsoft, but weren’t aware of. They sought to use this discovery process to identify opportunities to rationalize their security vendor presence. As one CISO said, “Just help me simplify all of this.”
There is a large ecosystem of very capable and innovative professionals delivering solutions into a vibrant and crowded security marketplace. With all of this IP, how can we best help CISOs use important innovation while reducing complexity in their environments? And, can we help them maximize value from their investments without sacrificing security and performance?
Large enterprises may employ up to 100 vendors’ technologies to handle different security functions. Different vendors may handle identity and access management, data loss prevention, key management, service management, cloud application security, and so on. Many companies are now turning to machine learning and user behavior technologies. Many claim “best of breed” or “best in class,” capabilities and there is impressive innovation in the marketplace. Recognizing this, we have made acquisition a part of Microsoft’s security strategy – since 2013 we’ve acquired companies like Aorato, Secure Islands, Adallom, and most recently Hexadite.
Microsoft’s experience as a large global enterprise is similar to our enterprise customers. We’ve been working to rationalize the 100+ different security providers in our infrastructure to help us better manage our external dependencies and more efficiently manage budgets. We’ve been moving toward a default policy of “Microsoft first” security technology where possible in our environment. Doing so helps us standardize on newer and familiar technologies that complement each other.
That said, whether we build or buy, our focus is to deliver an overall “best in suite” approach to help customers deploy, maintain, monitor, and protect our enterprise products and services as securely as possible. We are investing heavily in the Intelligent Security Graph. It leverages our vast security intelligence, connects and correlates information, and uses advanced analytics to help detect and respond to threats faster. If you are already working with Microsoft to advance your productivity and collaboration needs by deploying Windows 10, Office 365, Azure, or other core enterprise services, you should make better use of these investments and reduce dependency on third-party solutions by taking advantage of built-in monitoring and detection capabilities in these solutions. A best-of-suite approach also lowers the costs and complexity of administering a security program, e.g. making vendor assessments and procurement easier, reducing training and learning curves, and standardizing on common dashboards.
Reducing complexity also requires that we make our security technologies easy to acquire and use. Here are some interesting examples of how our various offerings connect to each other and have built-in capabilities:
- The Windows Defender Advanced Threat Protection (ATP) offer seamlessly integrates with O365 ATP to provide more visibility into adversary activity against devices and mailboxes, and to give your security teams more control over these resources. Watch this great video to learn more about the services integration. Windows Defender ATP monitors behaviors on a device and sends alerts on suspicious activities. The console provides your security team with the ability to perform one-click actions such as isolating a machine, collecting a forensics package, and stopping and quarantining files. You can then track the “kill chain” into your O365 environment if a suspicious file on the device arrived via email. Once in O365 ATP, you can quarantine the email, detonate a potentially malicious payload, block the traffic from your environment, and identify other users who may have been targeted.
- Azure Information Protection provides built-in capabilities to classify and label data, apply rights-management protections (that follows the data object) and gives data owners and admins visibility into, and control over, where that data goes and whether recipients attempt to violate policy.
Thousands of companies around the world are innovating, competing, and partnering to defeat adversaries and to secure the computing ecosystem. No single company can do it all. But by making it as convenient as possible for you to acquire and deploy technologies that integrate, communicate and complement each other, we believe we can offer a best-of-suite benefit to help secure users, devices, apps, data, and infrastructure. Visit https://www.microsoft.com/secure to learn about our solutions and reach out to your local Microsoft representative to learn more about compelling security technologies that you may already own. For additional information, and to stay on top of our investments in security, bookmark this Microsoft Secure blog.
Mark McIntyre, CISSP, is an Executive Security Advisor (ESA) in the Microsoft Enterprise and Cybersecurity Group. Mark works with global public sector and commercial enterprises, helping them transform their businesses while protecting data and assets by moving securely to the Cloud. As an ESA, Mark supports CISOs and their teams with cybersecurity reviews and planning. He also helps them understand Microsoft’s perspectives on the evolving cyber threat landscape and how Microsoft defends its enterprise, employees and users around the world.