Microsoft says five of the 28 objectives it set for overhauling the way it designs, builds, tests, and operates products and services to improve security are nearing completion, although there are still years to go under what it calls the Secure Future Initiative (SFI).
In addition, Microsoft says there has been “significant progress” on 11 of the remaining objectives — meaning they are at least 66% done — and the company is making progress on the rest.
The latest accounting comes in today’s third report on progress being made under the SFI. The initiative was announced in November 2023, after Microsoft suffered major hacks, and after years of complaints about Windows and Office vulnerabilities.
Among other things, it notes that as of now:
more than 99% of employees have completed the Security Foundations and Trust Code courses, increasing awareness of cybersecurity best practices;
the Microsoft Security Academy has provided tailored learning to more than 50,000 employees to improve their security skills, and the company’s internal hub for security content has contributed to a 25% reduction in incidents. Early data from completed responses indicates that employees who completed the training were 50% less susceptible to phishing and 20% more likely to report phishing attempts;
since September, the company has added more than 200 detections of top tactics, techniques, and procedures (TTPs) across the Microsoft infrastructure, enhancing its ability to detect threat actor activities. Applicable detections will also be integrated into Microsoft Defender.
“I’m supersatisfied with the culture changes, I’m supersatisfied with the engineering improvements that we need to do,” Bret Arsenault, Microsoft’s corporate vice-president and chief security advisor, said in an interview.
He feels Microsoft has the mechanisms in place now to build capabilities faster than in the past as the threat landscape evolves, even if the changes have a business impact.
November 2024 progress report
Some of the achievements this latest progress report notes include:
Microsoft has filled the Deputy CISO for Business Applications post (which includes Windows, Microsoft 365 and Office);
all 14 Deputy CISOs have completed a comprehensive risk inventory of their platform and function, aligning risks to current threat intelligence and product domains;
recently, the company launched a Secure by Design UX Toolkit for Microsoft developers, to improve user experience (UX) and security integration in all products. There’s also a customer-facing version. The toolkit has been deployed to 22,000 employees, embedding security best practices in product development and ensuring product interfaces are designed to be intuitive, non-intrusive, and help protect customer data;
Azure launched a fraud prevention feature incorporating multi-factor authentication (MFA) for logging into the Azure Portal to prevent unauthorized party abuse. This adds to the October 2024 implementation of mandatory multifactor authentication for the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center;
MFA enforcement for all Microsoft 365 admin center users is being rolled out. Additionally, there’s a new AI administrator role for efficient administration of Microsoft 365 Copilot and enterprise AI services without the extensive permissions required for the global admin role;
90% of identity tokens from Microsoft Entra ID for Microsoft apps are validated using one standard identity SDK, which provides a consistent and hardened implementation, improving security;
phishing-resistant MFA now protects 100% of Microsoft production system accounts and 82% of employee productivity accounts. Additionally, more than 19 million resources in Microsoft Azure now adhere to Microsoft’s safe secrets standard;
on March 26, Microsoft launched a new sign-in experience for more than 1 billion users. By the end of this month, most Microsoft account users will see updated sign-in and sign-up flows for web and mobile apps. The new experience is optimized for passwordless, passkey-first sign-in, and Microsoft is also updating its account sign-in logic to make passkey the default sign-in choice whenever possible;
more than 97% of Microsoft’s production infrastructure assets have been inventoried and are being tracked. In addition, 99% of network devices and more than 95% of nodes/machines have central security log collection, with a two-year retention policy enforced.
The Microsoft Secure Future Initiative (SFI) is, the company said, a multiyear effort to “revolutionize the way we design, build, test, and operate our products and services, to achieve the highest security standards.” Some objectives will take several years to complete. Others, like work on post-quantum cryptography and the orderly sunsetting of cryptographic techniques as they age, will take much longer.
The company calls SFI “the largest cybersecurity engineering project in history.” Goals are aligned with the security principles of Secure by Design, Secure by Default, and Secure Operations.
Asked what CISOs at organizations will get out of SFI, Arsenault said “the improvements we’ve made here [mean] a rising tide lifts all boats. There’s nothing you have to do.”
CISOs can also learn about improving their culture and governance through shared practices outlined in this new report, he added, such as moving from two-step MFA to phishing-resistant MFA.