Microsoft Secure Future Initiative Aims To Address Cybersecurity Problems

Microsoft on Thursday announced a Secure Future Initiative (SFI) approach to dealing with cybersecurity threats.

The SFI was highlighted by top Microsoft officials and appears to be both an internal engineering effort utilizing artificial intelligence (AI) for defense, plus an overall statement about the current cybersecurity milieu. The SFI was described as a kind of update to Microsoft's Trustworthy Computing effort that was initiated back in 2002, which produced the Microsoft Security Development Lifecycle (SDL) software engineering approach.

Brad Smith, Microsoft's vice chair and president, offered a general overview of SFI in this announcement. Microsoft also published a memo to its employees on the SFI, which was authored by Charlie Bell, executive vice president for Microsoft security, and other Microsoft luminaries.

Bell's memo offered some specific goals for SFI on the engineering front, including "transforming software development," "implementing new identity protections" and "driving faster vulnerability response."

Dynamic SDL Software Development
Microsoft plans to move toward a so-called "dynamic SDL" software development approach, which Bell suggested would be a "continuous integration and continuous delivery" method that will "continuously integrate protections against emerging patterns as we code, test, deploy, and operate."

As part of its dynamic SDL effort, Microsoft will specifically use the CodeQL semantic code analysis engine to check code across "100 percent of commercial products." It also plans to use memory safe languages, "such as C#, Python, Java and Rust."

Microsoft additionally plans to lean more toward the proactive implementation of security measures vs. ensuring legacy software support. For instance, it is planning to implement its Azure tenant baseline across all tenants. Bell explained that Microsoft learned how to take such initiative with its earlier push to make multifactor authentication the default authentication approach for new customers.

"Multifactor authentication is just one area of defaults for us, but over the next year you will see us accelerate security defaults across the board, energized by our learnings and customer feedback," Bell indicated.

Smith offered some specifics, saying that "over the next year we will enable customers with more secure default settings for multifactor authentication (MFA) out-of-the-box."

New Identity Protections
One of the new identity protections proposed by Bell will be "moving identity signing keys to an integrated, hardened Azure HSM [hardware security module] and confidential computing infrastructure." The keys will be encrypted at rest, in transit and during computation. Also, "key rotation will also be automated allowing high-frequency key replacement with no potential for human access, whatsoever," Bell added.
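The two properties Bell describes, key material that never leaves a hardened boundary and automated high-frequency replacement, can be shown with a small model of a signing-key service. The following is an added example, not Microsoft's code or its Azure HSM design: it stands in HMAC-SHA256 for an HSM-backed asymmetric signature and an in-memory store for the HSM, and the class names, rotation periods, token layout and test clock are all constructed for illustration. What it shows beyond the paragraph is the operational detail a verifier needs when keys rotate often: every token carries a key ID, a retired key keeps verifying already-issued tokens for a short grace window, and after that window the key material is purged so nothing signed with it can validate again.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

ROTATION_PERIOD = 3600  # seconds an active key signs before replacement (constructed value)
GRACE_PERIOD = 600      # seconds a retired key still verifies tokens it issued (constructed)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class _KeyRecord:
    kid: str
    secret: bytes              # stays inside the store; there is no accessor for it
    created: float
    retired: Optional[float] = None


class SigningKeyStore:
    """Hypothetical stand-in for a hardened key service: only sign()/verify() cross the boundary."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._keys: dict = {}
        self._active_kid: Optional[str] = None
        self.rotate()

    def rotate(self) -> str:
        """Generate a fresh key inside the store, retire the old one, purge keys past grace."""
        now = self._clock()
        if self._active_kid is not None:
            self._keys[self._active_kid].retired = now
        kid = secrets.token_hex(8)
        self._keys[kid] = _KeyRecord(kid, secrets.token_bytes(32), now)
        self._active_kid = kid
        for old in [k for k, r in self._keys.items()
                    if r.retired is not None and now - r.retired > GRACE_PERIOD]:
            del self._keys[old]    # past grace: the key material is gone for good
        return kid

    def active_kid(self) -> Optional[str]:
        return self._active_kid

    def sign(self, claims: dict) -> str:
        """Issue a JWT-shaped token (header.payload.signature) with the active key."""
        now = self._clock()
        if now - self._keys[self._active_kid].created >= ROTATION_PERIOD:
            self.rotate()          # schedule-driven rotation, no operator involved
        record = self._keys[self._active_kid]
        header = _b64(json.dumps({"alg": "HS256", "kid": record.kid}).encode())
        payload = _b64(json.dumps({**claims, "iat": int(now)}).encode())
        sig = hmac.new(record.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64(sig)}"

    def verify(self, token: str) -> Optional[dict]:
        """Return the claims if a current or in-grace key signed the token, else None."""
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(_unb64(header_b64))
        except ValueError:         # malformed structure, base64 or JSON
            return None
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None            # refuse algorithm substitution outright
        kid = header.get("kid")
        if not isinstance(kid, str):
            return None
        record = self._keys.get(kid)
        if record is None:
            return None            # unknown kid: never issued here, or already purged
        if record.retired is not None and self._clock() - record.retired > GRACE_PERIOD:
            return None            # retired key past its grace window
        expected = hmac.new(record.secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        return json.loads(_unb64(payload_b64))


class FakeClock:
    """Constructed clock so rotation can be driven without waiting an hour."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = SigningKeyStore(clock)
    early = store.sign({"sub": "user-1"})
    clock.t = ROTATION_PERIOD      # the next sign() rotates automatically
    late = store.sign({"sub": "user-2"})
    print(store.verify(early) is not None, store.verify(late) is not None)  # True True
    clock.t = ROTATION_PERIOD + GRACE_PERIOD + 1
    print(store.verify(early) is not None, store.verify(late) is not None)  # False True
```

The grace window is the part that makes frequent rotation workable in practice: without it, every rotation would invalidate tokens issued seconds earlier, which pushes operators toward long key lifetimes. Keeping the window short and purging the record when it closes is what bounds the damage from a key that leaks, since the verifier itself stops honouring it.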

While Bell didn't mention it, possibly Microsoft is adding protection against stolen signing keys, which happened to Microsoft itself, as it reported back in July.

Although it's maybe not new, Bell indicated that Microsoft "will enforce the use of standard identity libraries (such as Microsoft Authentication Library) across all of Microsoft." This approach will add "advanced identity defenses like token binding, continuous access evaluation, advanced application attack detections, and additional identity logging support."

Faster Cloud Security Response
Microsoft also plans to respond "50 percent" quicker to vulnerabilities that affect its cloud platforms. The faster response will happen via automation and AI-enabled processes.

In that context, Microsoft also pledged to publicly oppose technology providers (including other cloud services providers) that may put third-party researchers under nondisclosure agreements with regard to vulnerabilities. Microsoft wants to obtain "full transparency on vulnerabilities" regarding cloud services.

International Efforts Needed
Smith described Microsoft's SFI in broader terms and within the political context in which nation states are implementing their own surveillance and destructive malware as weapons. Cloud service providers, such as Microsoft, are getting targeted by them, he noted.

About "40 percent" of nation-state attacks in the past two years have targeted public infrastructure, "such as power grids, water systems, and health care facilities," Smith indicated, citing Microsoft estimates.

Smith suggested governments could do more and establish red lines on security that they'd pledge not to cross. Specifically, they should pledge not to use software vulnerabilities to "attack the networks of critical infrastructure providers such as energy, water, food, medical care, or other providers." Nation states also should abstain from targeting cloud service providers to "gain access to sensitive data, disrupt critical systems, or spread misinformation and propaganda."

Microsoft is using AI in the Microsoft Threat Analysis Center to "detect and analyze cyber threats," which is getting extended to Microsoft's security software customers, Smith noted. He suggested that Microsoft would use its datacenters and AI technologies to detect threats at Internet speeds.

Smith also pointed to the coming Microsoft Security Copilot AI product as getting informed by Microsoft's threat intelligence to catch threats. He touted the use of Microsoft Defender for Endpoint to find threats on unmanaged devices, which is the source of "more than 80 percent of ransomware compromises."

Ransomware criminal groups are getting smaller but are still persistent. Microsoft currently tracks "123 sophisticated ransomware-as-a-service affiliates." Ransomware attacks have increased "by more than 200 percent" since Sept. 2022.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
