Microsoft overhauls cyber strategy to finally embrace security by … – Cybersecurity Dive

The plan follows major backlash Microsoft experienced earlier this year for charging customers for additional security features.
Microsoft is overhauling its cybersecurity strategy, called the Secure Future Initiative, to incorporate key security features into its core set of technology platforms and cloud services. 
The plan follows a massive government and industry backlash against Microsoft after the state-linked email theft from the U.S. State Department. Microsoft came under fierce criticism from key members of Congress and federal officials who were concerned that the company was forcing federal agencies to rely on software products that lacked the necessary security features to protect against sophisticated attackers. 
The pushback related to the State Department case was that Microsoft was upcharging customers for additional, important security features. 
Microsoft plans to enable secure default settings out of the box, so customers will not have to engage with multiple configurations to make sure a product is protected against hackers. 
For example, Microsoft will implement Azure baseline controls, which include 99 controls across nine security domains, by default. 
“What is different now, is there has been a step change in the scale, speed and sophistication of the threat landscape, and we must meet that challenge,” Microsoft told Cybersecurity Dive in a statement. “Microsoft has been anticipating these steps and working toward them thoughtfully, given their scale and complexity.”
The Secure Future Initiative will include three major changes in its security development and response practices, according to a blog post by Charlie Bell, EVP at Microsoft Security: 
The company will evolve its security development lifecycle (SDL) into something it calls dynamic SDL. Microsoft will incorporate continuous integration and continuous delivery (CI/CD) into its product development process so capabilities evolve along with emerging threats. 
Microsoft will develop software using memory-safe languages, including C#, Java, Rust and Python. The company will expand the use of threat modeling and deploy CodeQL for code analysis for all of its commercial products. 
The changes span the full technology stack, from identity through cloud. Microsoft will enforce the use of standard identity libraries across all products, and signing keys will move to a hardened Azure hardware security module and confidential computing infrastructure. 
The company said it will reduce the time to mitigate cloud vulnerabilities by 50% and take a more forceful public stance on third-party researchers not being forced to operate under non-disclosure agreements. 
Given the company’s considerable market strength, such a change in development policies may encourage other software and security companies to accelerate their embrace of secure development practices, too, according to analysts. 
“One advantage of being Microsoft: Announcements have an enormous ripple effect based on the sheer number of customers and partners it has,” Jeff Pollard, VP and principal analyst at Forrester, said via email. “That said, there’s a clear marketing element to this considering recent vulnerabilities.”
As part of its security strategy overhaul, Microsoft said it is taking steps to better protect identities across all of its products. This will prevent adversary-in-the-middle attacks, token theft and other malicious hacking methods, the company said.
Microsoft plans to boost its use of AI in threat analysis, research and detection, according to Brad Smith, vice chair and president of the company. 
The company is calling for international reforms, including national commitments against planting vulnerabilities into key critical infrastructure providers, such as energy providers, hospitals, water facilities and food producers.