How CISOs are preparing to tackle 2022

By Pooja Parab

Looking back over the last year, the security landscape has continued to experience significant change and escalation. Every day, we see the toll this is taking on organizations of all sizes as they navigate the enduring challenges of the pandemic, the expansion of the digital estate, and the evolution of threats. As defenders ourselves, we understand the relentless commitment required to safeguard people and organizations in this environment. It is our mission to ensure security leaders have the tools and resources they need to succeed in this important work. To continually understand the priorities and concerns of our community, we run research with security leaders every six months. I wanted to share some of those insights with you, as you may find the information valuable in your work.

To begin, the top five challenges shown below, as reported by survey takers, are very consistent with what I’m hearing in my regular interactions with customers and partners. 

Addressing ransomware is number one, followed closely by cloud security

The security leaders we talk to are feeling the pressure—managing the risk of ransomware and cyber extortion was reported as their number one challenge this past year. According to the 2021 Ransomware Survey Report, ransomware grew by 1,070 percent between July 2020 and June 2021.[1] Data from Microsoft’s Detection and Response Team (DART) in the latest Microsoft Digital Defense Report shows that cybercrime supply chains are consolidating and maturing.[2] No longer do individual cybercriminals have to develop their own tools. Today, they can simply buy proven cybercrime kits and services to incorporate into their campaigns. This gives the average cybercriminal access to better tools and automation to enable scale and drive down costs. As a result, attacks of all types are on the rise, with the economics behind successful ransomware attacks fueling a rapid trajectory.

Cloud security has also been pushed into the forefront as security leaders adapt to the realities of the pandemic and the shift to hybrid work.[3] The cloud represents significant opportunities for scale and agility. At the same time, cloud security technologies are evolving, and customers are looking for ways to simplify security across their entire portfolio.

Investment priorities for 2022

Aligned to the top cybersecurity challenges, cloud security lands as the top area of security investment over the next 12 months. For most security leaders, this means prioritizing investments that help them close gaps, protect workloads, and secure access to cloud resources. Security leaders tell us this is an area in which they’re looking for solutions that can help them tackle these challenges comprehensively—with so many organizations having a multi-cloud environment, the integration will be key. Microsoft is committed to delivering end-to-end cloud security that works across all clouds.

Protecting data is fundamental to positive business outcomes, so it’s not a surprise that data security continues to rank high on the list of priorities among respondents. Hybrid work and the acceleration of digital transformation are massively expanding the amount of data that needs to be protected, amplifying the need for comprehensive data security. We predict that organizations of all sizes will need to continue to evolve their data security strategy to keep up with changes in the digital environment.  

Following cloud and data security, we’re also hearing that decision-makers have increased interest in investing in vulnerability management and vulnerability assessment as they prioritize prevention initiatives. We are also seeing growing interest in emerging technologies like extended detection and response (XDR), IoT and operational technology (OT) security, and Secure Access Service Edge (SASE) solutions. With XDR, organizations can better detect and respond to threats across their complex ecosystems. Many organizations also use IoT and OT technologies and are looking for ways to close gaps in protection and address potential vulnerabilities. A SASE solution can help with providing secure access to resources at the edge, enabling more flexibility, visibility, and control.

Reading list for 2022

As security leaders look to mitigate threats now and in the near future, we’re seeing an increased focus on improving the prevention capabilities of the highest growth threat vectors, such as cloud security, access management, cloud workloads, hybrid work, and ransomware. An overarching component of that transformation includes increased attention on implementing Zero Trust—currently the top reported topic of interest from our research. Because Zero Trust architecture is essentially designed to prevent an attacker’s ability to move laterally, a Zero Trust strategy is extremely helpful in prioritizing and addressing prevention-focused investments. These include things like shutting down legacy authentication methods, providing secure access to resources using multifactor authentication (MFA), implementing risk-based access controls, and utilizing posture management tools to identify and remediate risks in cloud resources. By implementing a Zero Trust strategy, organizations can more safely embrace a hybrid workplace, and protect people, devices, apps, and data wherever they are located.

Read our Evolving Zero Trust whitepaper to learn how real-world deployments and attacks are shaping the future of Zero Trust strategies.

As part of the shift to the cloud, security leaders tell us they are also interested in learning more about how posture management, access management, and workload protection tools fit into their cloud security strategy. And given the concerns around the rise of ransomware and securing remote or hybrid work, it’s not surprising to see them as a priority topic of interest.

Check out our ransomware blog posts to keep up to date on the latest ransomware insights from Microsoft Security researchers and product updates.

Read our recommendations on securing a new world of hybrid work.

Perception of Microsoft

Serving our customers is our primary job and so it’s probably not surprising that we measure the perception of security leadership for various vendors, including ourselves, in a blind survey. We asked security decision-makers which companies they saw as leading the way in the security industry. Despite so many established vendors, we were honored that Microsoft was ranked in the top three by survey takers with a substantial increase in overall perception in the last year, following several years of steady growth. We hear from customers that our end-to-end solution with broad multi-cloud and multi-platform coverage and deep, industry-recognized protection has been an approach that resonates. We always have more work to do, and I’m sharing this because we want you to know that the success and protection of our customers is at the heart of everything we do. It drives our priorities and is fundamental to our mission. We’re thrilled to know we’re on the right track and we don’t take your trust or your partnership for granted.

Learn more

As the last couple of years have shown us, cybersecurity is a mission of great importance. It not only underpins the business resilience that enables your organization to thrive in times of uncertainty, but it’s also critical to the fight for digital safety for all. This isn’t something we can do alone. We must work together as a community, sharing insights and supporting each other, to defend against not only today’s attacks, but also be prepared for the threats of tomorrow. As part of our commitment to sharing insights and fostering cooperation among defenders, my colleague Rob Lefferts will be releasing a new quarterly report next month called CISO Insider, where we invite Chief Information Security Officers (CISOs) from around the globe to share their best practices and expertise.

For more information that can help you navigate the current challenges in the security landscape, check out the following resources:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] Fortinet Ransomware Survey Shows Many Organizations Unprepared, Fortinet. 29 September 2021.

[2] How cyberattacks are changing according to new Microsoft Digital Defense Report, Amy Hogan-Burney, Microsoft. 11 October 2021.

[3] New data from Microsoft shows how the pandemic is accelerating the digital transformation of cyber-security, Andrew Conway, Microsoft. 19 August 2020.

Build a stronger cybersecurity team through diversity and training

By Pooja Parab

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post of our Voice of the Community blog series, Microsoft Security Product Marketing Manager Natalia Godyla talks with Heath Adams, Chief Executive Officer (CEO) at TCM Security about being a mentor, hiring new security talent, certifications, upskilling, the future of cybersecurity training, and lots more.

Natalia: What do you recommend to security leaders concerned with the talent shortfall?

Heath: There needs to be more openness and getting away from gatekeeping. In this industry, there’s a lot of, “I went through this path, so you need to go through this path.” Or “I did these certifications, so you need to do these certifications.” Everybody wants this perfect candidate—somebody who has 10 years of experience—even when they don’t necessarily need it. We need to be able to take somebody that’s more junior, who we can help train. Or take someone with a clean slate.

As a manager, be open to more than just what’s on the Human Resources job description. And be open to new people with different backgrounds. People are coming from all walks of life and age groups. So, if you put those biases aside and just consider the person that’s in front of you, that will help with the job shortage and help close the talent gap.

Natalia: And how has the pandemic and the shift to hybrid work changed cybersecurity skilling?

Heath: I think it’s been a positive. In our field, the ability to work remotely was always there. But the pandemic shifted things, so more companies are starting to realize that fact. I’ve worked jobs as a penetration tester where I had to relocate, even though I was working out of my home 95 percent of the time. Now, more companies are opening their eyes to talent that isn’t local. You no longer have to look in big markets; you can look at somebody on the other side of the country who’s studying cybersecurity, and they can be an asset to your team.

I was doing a lot of Twitch streaming during the shutdown, and I noticed our streams were way bigger than before. We had more people watching, more people interested. There’s a lot of people who took advantage of the shutdown to say, “Hey, this is my time to get focused. I want a new career.” There are high-paying jobs and there’s remote work. And as I mentioned, you don’t need a specific background or degree to get into this field. People can come from all walks of life. I think the pandemic helped shine a light on that.

Natalia: You’re well known as The Cyber Mentor™. How has mentoring impacted your career?

Heath: It keeps me on top of my game. I have to be able to give people direction and I don’t want to give out bad information, so, I’m making sure that I stay on top of what the industry changes are, where the jobs are heading, and how to interview properly—all of which seem to change from year to year. It helps me stay in touch with the next generation that’s coming into the security field as well.

Natalia: Do you have your own mentors that help you progress in your career?

Heath: I came up with what I call “community mentorship.” I have a Discord community, and we use that to encourage other people to give back. You want to be able to help people when they need it or get help when you need it while learning from each other. When it’s time for networking or needing a job, that goes a long way. For me, it’s more about being where there are groups of like-minded people. I’ve got a lot of friends that own penetration test companies, and we’ll get together, have lunch, talk strategies. What are you doing? What am I doing? That’s the kind of mentorship that we have with each other; just making sure we’re keeping each other in check, thinking about new things.

Natalia: What are the biggest struggles for early career mentees who are trying to grow their skills? And how can leaders address those challenges?

Heath: For a person looking to get a role, there are a few things to remember. One is to make sure you’re crawling before you walk, walking before you run. I’ll use hacking as an example. A lot of people get excited about hacking and think it sounds awesome. “You can get paid money to hack something? I want to do that!” And they try to jump right into it without building foundational skill sets, learning the parts of a computer, or learning how to do computer networking or basic troubleshooting. What I tell people is to break and fix computers. Understand basic hardware, basic computer networking, what IP addresses are, what a subnet is. Understand some coding, like Python. You don’t need a computer science background but having those foundational skills will go a long way.

If you don’t put a foundation under a house, it’s going to collapse. So, you need to think about your career in the same way. You must make sure you’re building a foundation. People don’t realize the amount of effort that goes into getting into the field. Do your due diligence beforehand.

There’s also a lot of imposter syndrome in cybersecurity. I tell people not to concern themselves with others, especially on social media. They say comparison is the thief of joy, and I truly believe that. You have to make sure you’re running your own race. Even if you run the same mile as somebody else, and they finish it in 5 minutes, and you finish it in 10; you still finish the same mile. What matters is that you got there. As long as you’re trying to be better than you were yesterday, you’re going to make it a lot farther than you think.

Finally, cybersecurity is a field that’s constantly changing. For somebody who is complacent—who wants to get a degree, get a job, and then is set—cybersecurity is not the right fit. Cybersecurity is for somebody who’s interested in constantly learning because there are always new vulnerabilities. There was just the Log4J vulnerability that caused everyone concern. I had a meeting today with a client, and if I’m not prepared, I’m letting them down. I’m letting their security down as well. I spent the weekend studying because I had to. That’s the business we’re in.

You must stay on top of this from an employer side as well—being able to train people and keep them up to date. TCM Security has a base foundation where we want our employees to be, and then we encourage them to gain knowledge where they’re most interested. I’ve been sent to a training that I had no interest in whatsoever and wanted to pull my hair out. As a manager, I ask, “What do you want to learn?” When I send an employee to a cybersecurity training that they’re interested in, they’re going to retain that information a lot better. They can then bring that information back to us, and we can use that in real-world scenarios.

Natalia: How can security leaders recruit security professionals to their teams better? What should they look out for? For example, how important are certifications?

Heath: For an entry-level role, certifications are important. Their importance diminishes once you get into the field. But I’m an advocate for them; they help prove some knowledge—so does having a blog, attending a conference, building a home lab, speaking at a conference, speaking at a local community group—anything that says, “I’m passionate about security.”

I have seen some entry-level roles where the interviewers have you code something, or have you fix broken code, just to make sure you logically understand what’s going on. You don’t have to be a developer or be able to code, but you must be able to understand what’s in front of you. Having some coding challenges during the hiring process can be beneficial—but it should be open book. For a security professional, using search is 90 percent of our job, honestly. If you’re limiting somebody from searching online, you’re setting false expectations.

I go back and re-watch videos and re-read blogs all the time, because there are so many different commands, and there’s no way of memorizing all of them. But you need to understand the concepts. If you understand the tool they might need to run or the concept of it, then you can search that, find the tool, and run it. That’s more important.

Natalia: We’ve all read the statistics about burnout in the security industry. What do you recommend for leaders who want to better retain their talent?

Heath: You must be pro-mental health. Make sure there’s ample paid time off (PTO) and encourage employees to use it. Also, make sure that your employees can take time off beyond PTO. If they’re sick, they shouldn’t feel like they’re letting people down. That’s why we have flexible schedules; we run on a 32-hour workweek. We try to give people as much time back and have a work-life balance. We also pay for training, so people can go and focus on topics they’re interested in. We make sure that we’re investing in our employees. It’s so much more expensive to rehire and retrain. I’d rather invest in an employee and keep their mental health at a high level, and make sure I’m giving them all the tools and training they need to perform successfully.

Natalia: What trends have you seen in cybersecurity skilling? What do you think is coming next in terms of how security professionals are trained up, recruited, and retained?

Heath: There are more people interested in the field, and that’s great. We’re starting to see a lot more training providers and training options. Back when I started, a lot of it was just reading blog posts, and there were maybe one or two training providers. Now, there are 10 or 15.

Misinformation can be out there, or outdated information. If you search online for certification companies—or even look at an online post from a year ago—that information could be outdated. So again, this comes back to due diligence and making sure that you’re doing your research, not just relying on one source. If I was going to look for certifications to get into this field, I’d look at 20 or 30 different resources, get a consensus of what polls the highest, then do my own research on those organizations. It’s great job skills practice to research and make sure you understand where you need to go.

Disclaimer: The views expressed here are solely those of the author and do not represent the views of Microsoft Corporation.

Microsoft Zero Trust solutions deliver 92 percent return on investment, says new Forrester study

By Pooja Parab

In the last two years, we’ve seen a staggering increase in the adoption of cloud-based services, remote work solutions, bring your own device (BYOD), and IoT devices as organizations digitally transform themselves to enable a hybrid workforce.[1] Zero Trust has become the essential security strategy for successfully preventing data breaches and mitigating risk in today’s complex cybersecurity landscape.

Implementing a Zero Trust security strategy, however, is a significant undertaking that requires in-depth planning, cross-company collaboration, and resources. Organizations need solutions that simplify and accelerate the adoption of Zero Trust by offering flexibility, integration, and a meaningful return on investment.

In the commissioned study The Total Economic Impact™ of Zero Trust solutions from Microsoft, Forrester Consulting reports that adoption of Microsoft solutions to implement a Zero Trust security strategy delivers:

- A three-year 92 percent return on investment (ROI) with a payback period of fewer than six months.
- A 50 percent lower chance of a data breach.
- Numerous efficiency gains of 50 percent or higher across security processes.

To better understand the benefits, costs, and risks associated with this investment, Forrester Consulting interviewed eight decision-makers with experience using Microsoft Security solutions to implement a Zero Trust security strategy. These customers were able to improve their security posture, reduce costs, achieve greater business agility, and increase efficiency in managing security. 

Improved security posture 

Data breaches can be incredibly costly as organizations work to recover their environment and brand reputation. Forrester found that by adopting Microsoft security solutions for their Zero Trust strategy, organizations were able to reduce not only the risk of a breach but also the potential for regulatory violations. Customers also reported significant improvements in their security postures since beginning their journeys, a reduction of shadow IT, and increased compliance by meeting various regulatory requirements. 

Enhanced security reduced the risk of a data breach by 50 percent. Improved authentication, network, and endpoint security protocols coupled with increased visibility into the network allowed organizations to better protect themselves from data breaches. And with network segmentation, financial losses were contained in the event of a breach.

“[Implementing strong authentication strategies has] allowed us to provide our employees with a better, more secure environment.”—Principal Architect, Logistics

Reduced cost 

A comprehensive adoption of Zero Trust involves a significant transformation of the entire security strategy—and with it, a restructuring of costs. By eliminating legacy systems and improving processes, organizations uncover significant cost savings opportunities across the entire cybersecurity organization.  

With Microsoft Security solutions, customers were able to simplify their security strategy and retire unnecessary legacy software and infrastructure, resulting in cost savings of over USD7 million. Eliminating redundant security solutions delivered, on average, USD20 per employee per month in savings.

Process efficiencies also led to cost savings. Calls placed to IT and help desk analysts decreased by 50 percent over a three-year period. The mean time to resolve (MTTR) per inquiry also decreased by 15 percent, leading to a total net present value (NPV) of USD1,773,095 over the three years. In addition, advanced audit and discovery capabilities in the Microsoft solution stack reduced the resources required for audit and compliance management by 25 percent, saving USD2 million NPV.

Greater business agility  

A simplified security architecture through Zero Trust improves business agility. Through efficient system management and user access, organizations can move quickly to pursue business opportunities, and support remote work while managing risk.

Microsoft Security solutions reduced the effort required to provision and secure new infrastructure by 80 percent through automated provisioning of new systems, from SQL servers to virtual machines for new applications. The time required to provision new infrastructure went from several months to days. Meanwhile, workers improved their productivity through better access. Frontline workers gained efficient access to business-critical applications and systems of record, saving them an average of 30 minutes per week.  

With many of the Microsoft solutions that support Zero Trust available on a software as a service (SaaS) basis, organizations can quickly expand or contract their environment without needing to purchase additional hardware or dedicate resources to implement changes. 

“[Using Microsoft security solutions] has allowed us to focus more on our future as opposed to worrying about infrastructure.”—Identity Engineer, Manufacturing 

Efficient security management  

Most organizations dedicate too much time to triaging, investigating, and remediating alerts. A simplified Zero Trust security framework can reduce management time, both by cutting down the number of security incidents and by improving security response. 

Customers that had implemented Microsoft’s Zero Trust security framework reported a 50 percent reduction in management time due to improved security processes. Security teams were able to provision and secure new infrastructure 80 percent more quickly and accelerate the process to set up users on new devices. They were able to more quickly remediate security issues using built-in automation in Microsoft solutions such as Microsoft Sentinel, Microsoft Azure Active Directory (Azure AD), and Microsoft 365 Defender.

“Azure AD has definitely allowed us to become more agile. We can make changes on a dime. Whereas, with our legacy system, product changes were far more cumbersome and painful. With our previous identity and access management (IAM) solution, we often had to write custom code and update our IAM solution across multiple data centers [and] then troubleshoot any problems. With Azure AD, everything is handled by Microsoft. This has allowed us to free up some of our resources and dedicate them to migrating our remaining applications to Azure AD.”—Principal Architect of Technical Services, Logistics Firm

Embrace proactive security with the Microsoft Zero Trust framework 

Zero Trust is the essential security strategy in today’s hybrid work environment. A complicated IT landscape of remote and group office users introduces more digital attack surfaces and risk, as perimeters are increasingly fluid. With security products and services that verify explicitly, grant least privileged access, and assume breaches, the Microsoft Zero Trust framework supports a proactive, integrated approach to security across all layers of the digital estate. We look forward to continuing to serve and protect our customers with a comprehensive Zero Trust strategy and solutions.

Learn more

Read our Zero Trust position paper for key insights, an example of a comprehensive security architecture, and a maturity model to help accelerate your adoption. 

[1] New insights on cybersecurity in the age of hybrid work, Bret Arsenault, Microsoft Security, Microsoft. 27 October 2021.

Align your security and network teams to Zero Trust security demands

By Pooja Parab

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Security Product Marketing Manager Natalia Godyla talks with Jennifer Minella, Founder and Principal Advisor on Network Security at Viszen Security about strategies for aligning the security operations center (SOC) and network operations center (NOC) to meet the demands of Zero Trust and protect your enterprise.

Natalia: In your experience, why are there challenges bringing together networking and security teams?

Jennifer: Ultimately, it’s about trust. As someone who’s worked on complex network-based security projects, I’ve had plenty of experience sitting between those two teams. Often the security teams have an objective, which gets translated into specific technical mandates, or even a specific product. As in, we need to achieve X, Y, and Z level security; therefore, the networking team should just go make this product work. That causes friction because sometimes the networking team didn’t get a voice in that.

Sometimes it’s not even the right product or technology for what the actual goal was, but it’s too late at that point because the money is spent. Then it’s the networking team that looks bad when they don’t get it working right. It’s much better to bring people together to collaborate, instead of one team picking a solution.

Natalia: How does misalignment between the SOC and NOC impact the business?

Jennifer: When there’s an erosion of trust and greater friction, it makes everything harder. Projects take longer. Decisions take longer. That lack of collaboration can also introduce security gaps. I have several examples, but I’m going to pick healthcare here. Say the Chief Information Security Officer’s (CISO) team believes that their bio-medical devices are secured a certain way from a network perspective, but that’s not how they’re secured. Meaning, they’re secured at a lower level that would not be sufficient based on how the CISO and the compliance teams were tracking it. So, there’s this misalignment, miscommunication. Not that it’s malicious; nobody is doing it on purpose, but requirements aren’t communicated well. Sometimes there’s a lack of clarity about whose responsibility it is, and what those requirements are. Even within larger organizations, it might not be clear what the actual standards and processes are that support that policy from the perspective of governance, risk, and compliance (GRC).

Natalia: So, what are a few effective ways to align the SOC and NOC?

Jennifer: If you can find somebody that can be a third party—somebody that’s going to come in and help the teams collaborate and build trust—it’s invaluable. It can be someone who specializes in organizational health or a technical third party; somebody like me sitting in the middle who says, “I understand what the networking team is saying. I hear you. And I understand what the security requirements are. I get it.” Then you can figure out how to bridge that gap and get both teams collaborating with bi-directional communication, instead of security just mandating that this thing gets done.

It’s also about the culture—the interpersonal relationships involved. It can be a problem if one team is picked (to be in charge) instead of another. Maybe it’s the SOC team versus the NOC team, and the SOC team is put in charge; therefore, the NOC team just gives up. It might be better to go with a neutral internal person instead, like a program manager or a digital-transformation leader—somebody who owns a program or a project but isn’t tied to the specifics of security or network architecture. Building that kind of cross-functional team between departments is a good way to solve problems.

There isn’t a wrong way to do it if everybody is being heard. Emails are not a great way to accomplish communication among teams. But getting people together, outlining what the goal is, and working towards it, that’s preferable to just having discrete decision points and mandates. Here’s the big goal—what are some ideas to get from point A to point B? That’s something we must do moving into Zero Trust strategies.

Natalia: Speaking of Zero Trust, how does Zero Trust figure into an overarching strategy for a business?

Jennifer: I describe Zero Trust as a concept. It’s more of a mindset, like “defense in depth,” “layered defense,” or “concepts of least privilege.” Trying to put it into a fixed model or framework is what’s leading to a lot of the misconceptions around the Zero Trust strategy. For me, getting from point A to point B with organizations means taking baby steps—identifying gaps, use cases, and then finding the right solutions.

A lot of people assume Zero Trust is this granular one-to-one relationship of every element on the network. Meaning, every user, every endpoint, every service, and application data set is going to have a granular “allow or deny” policy. That’s not what we’re doing right now. Zero Trust is just a mindset of removing inherent trust. That could mean different things. For example, it could be remote access for employees on a virtual private network (VPN), or it could be dealing with employees with bring your own device (BYOD). It could mean giving contractors or people with elevated privileges access to certain data sets or applications, or we could apply Zero Trust principles to secure workloads from each other.

Natalia: And how does Secure Access Service Edge (SASE) differ from Zero Trust?

Jennifer: Zero Trust is not a product. SASE, on the other hand, is a suite of products and services put together to help meet Zero Trust architecture objectives. SASE is a service-based product offering that has a feature set. It varies depending on the manufacturer, meaning, some will give you these three features and some will give you another five or eight. Some are based on endpoint technology, some are based on software-defined wide area network (SD-WAN) solutions, while some are cloud routed.

Natalia: How does the Zero Trust approach fit with the network access control (NAC) strategy?

Jennifer: I jokingly refer to Zero Trust as “NAC 4.0.” I’ve worked in the NAC space for over 15 years, and it’s just a few new variables. But they’re significant variables. Working with cloud-hosted resources in cloud-routed data paths is fundamentally different from what we’ve been doing in local area network (LAN) based systems. But if you abstract that—the concepts of privilege, authentication, authorization, and data paths—it’s all the same. I lump the vendors and types of solutions into two different categories: cloud-routed versus traditional on-premises (for a campus environment). The technologies are drastically different between those two use cases. For that reason, the enforcement models are different and will vary with the products.

Natalia: How do you approach securing remote access with a Zero Trust mindset? Do you have any guidelines or best practices?

Jennifer: It’s alarming how many organizations set up VPN remote access so that users are added onto the network as if they were sitting in their office. For a long time that was accepted because, before the pandemic, there was a limited number of remote users. Now, remote access, in addition to the cloud, is more prevalent. There are many people with personal devices or some type of blended, corporate-managed device. It’s a recipe for disaster.

The threat surface has increased exponentially, so you need to be able to go back in and use a Zero Trust product in a kind of enclave model, which works a lot like a VPN. You set up access at a point (wherever the VPN is) and the users come into that. That’s a great way to start and you can tweak it from there. Your users access an agent or a platform that will stay with them through that process of tweaking and tuning. It’s impactful because users are switching from a VPN client to a kind of a Zero Trust agent. But they don’t know the difference because, on the back end, the access is going to be restricted. They’re not going to miss anything. And there’s lots of modeling engines and discovery that products do to map out who’s accessing what, and what’s anomalous. So, that’s a good starting point for organizations.

Natalia: How should businesses think about telemetry? How can security and networking teams best use it to continue to keep the network secure?

Jennifer: You need to consider the capabilities of visibility, telemetry, and discovery on endpoints. You’re not just looking at what’s on the endpoint—we’ve been doing that—but what is the endpoint talking to on the internet when it’s not behind the traditional perimeter. Things like secure web gateways, or solutions like a cloud access security broker (CASB), which further extends that from an authentication standpoint, data pathing with SD-WAN routing—all of that plays in.

Natalia: What is a common misconception about Zero Trust?

Jennifer: You don’t have to boil the ocean with this. We know from industry reports, analysts, and the National Institute of Standards and Technology (NIST) that there’s not one product that’s going to meet all the Zero Trust requirements. So, it makes sense to chunk things into discrete programs and projects that have boundaries, then find a solution that works for each. Zero Trust is not about rip and replace.

The first step is overcoming that mental hurdle of feeling like you must pick one product that will do everything. If you can aggregate that a bit and find a product that works for two or three, that’s awesome, but it’s not a requirement. A lot of organizations are trying to research everything ad nauseam before they commit to anything. But this is a volatile industry, and it’s likely that with any product’s features, the implementation is going to change drastically over the next 18 months. So, if you’re spending nine months researching something, you’re not going to get the full benefit in longevity. Just start with something small that’s palatable from a resource and cost standpoint.

Natalia: What types of products work best in helping companies take a Zero Trust approach?

Jennifer: A lot of requirements stem from the organization’s technological culture. Meaning, is it on-premises or a cloud environment? I have a friend that was a CISO at a large hospital system, which required having everything on-premises. He’s now a CISO at an organization that has zero on-premises infrastructure; they’re completely in the cloud. It’s a night-and-day change for security. So, you’ve got that, combined with trying to integrate with what’s in the environment currently. Because typically these systems are not greenfield, they’re brownfield—we’ve got users and a little bit of infrastructure and applications, and it’s a matter of upfitting those things. So, it just depends on the organization. One may have a set of requirements and applications that are newer and based on microservices. Another organization might have more on-premises legacy infrastructure architectures, and those aren’t supported in a lot of cloud-native and cloud-routed platforms.

Natalia: So, what do you see as the future for the SOC and NOC?

Jennifer: I think the message moving forward is—we must come together. And it’s not just networking and security; there are application teams to consider as well. It’s the same with IoT. These are transformative technologies. Whether it’s the combination of operational technology (OT) and IT, or the prevalence of IoT in the environment, or Zero Trust initiatives, all of these demand cross-functional teams for trust building and collaboration. That’s the big message.

Learn more

Get key resources from Microsoft Zero Trust strategy decision makers and deployment teams. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

What you need to know about how cryptography impacts your security strategy

By Pooja Parab

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post of our Voice of the Community blog series, Microsoft Security Product Marketing Manager Natalia Godyla talks with Taurus SA Co-founder and Chief Security Officer Jean-Philippe “JP” Aumasson, author of “Serious Cryptography.” In this blog post, JP shares insights on learning and applying cryptography knowledge to strengthen your cybersecurity strategy.

Natalia: What drew you to the discipline of cryptography?

JP: People often associate cryptography with mathematics. In my case, I was not good at math when I was a student, but I was fascinated by the applications of cryptography and everything that has to do with secrecy. Cryptography is sometimes called the science of secrets. I was also interested in hacking techniques. At the beginning of the internet, I liked reading online documentation magazines and playing with hacking tools, and cryptography was part of this world.

Natalia: In an organization, who should be knowledgeable about the fundamentals of cryptography?

JP: If you had asked me 10 to 15 years ago, I might have said all you need is to have an in-house cryptographer who specializes in crypto and other people can ask them questions. Today, however, cryptography has become substantially more integrated into several components that we work with and those engineers must develop.

The good news is that crypto is far more approachable than it used to be, and is better documented. The software libraries and APIs are much easier to work with for non-specialists. So, I believe that all the engineers who work with software—from a development perspective, a development operations (DevOps) perspective, or even quality testing—need to know some basics of what crypto can and cannot do and the main crypto concepts and tools.

Natalia: Who is responsible for educating engineering on cryptography concepts?

JP: It typically falls on the security team—for example, through security awareness training. Before starting development, you create the functional requirements driven by business needs. You also define the security goals and security requirements, such as personal data, that must be encrypted at rest and in transit with a given level of security. It’s truly a part of security engineering and security architecture. I advocate for teaching people fundamentals, such as confidentiality, integrity, authentication, and authenticated encryption.

As a second step, you can think of how to achieve security goals thanks to cryptography. Concretely, you have to protect some data, and you might think, “What does it mean to encrypt the data?” It means choosing a cipher with the right parameters, like the right key size. You may be restricted by the capability of the underlying hardware and software libraries, and in some contexts, you may have to use Federal Information Processing Standard (FIPS) certified algorithms.

Also, encryption may not be enough. Most of the time, you also need to protect the integrity of the data, which means using an authentication mechanism. The modern way to realize this is by using an algorithm called an authenticated cipher, which protects confidentiality and authenticity at the same time, whereas the traditional way to achieve this is to combine a cipher and a message authentication code (MAC).

Natalia: What are common mistakes practitioners tend to make?

JP: People often get password protection wrong. First, you need to hash passwords, not encrypt them—except in some niche cases. Second, to hash passwords you should not use a general-purpose hash function such as SHA-256 or BLAKE2. Instead, you should use a password hashing function, which is a specific kind of hashing algorithm designed to be slow and sometimes use a lot of memory, to make password cracking harder.

A second thing people tend to get wrong is authenticating data using a MAC algorithm. A common MAC construction is the hash-based message authentication code (HMAC) standard. However, people tend to believe that HMAC means the same thing as MAC. It’s only one possible way to create a MAC, among several others. Anyway, as previously discussed, today you often won’t need a MAC because you’ll be using an authenticated cipher, such as AES-GCM.

Natalia: How does knowledge of cryptography impact security strategy?

JP: Knowledge of cryptography can help you protect the information more cost-effectively. People can be tempted to put encryption layers everywhere but throwing crypto at a problem does not necessarily solve it. Even worse, once you choose to encrypt something, you have a second problem—key management, which is always the hardest part of any cryptographic architecture. So, knowing when and how to use cryptography will help you achieve sound risk management and minimize the complexity of your systems. In the long run, it pays off to do the right thing.

For example, if you generate random data or bytes, you must use a random generator. Auditors and clients might be impressed if you tell them that you use a “true” hardware generator or even a quantum generator. These might sound impressive, but from a risk management perspective, you’re often better off using an established open-source generator, such as that of the OpenSSL toolkit.

Natalia: What are the biggest trends in cryptography?

JP: One trend is post-quantum cryptography, which is about designing cryptographic algorithms that would not be compromised by a quantum computer. We don’t have quantum computers yet, and the big question is when, if ever, will they arrive? Post-quantum cryptography, consequently, can be seen as insurance.

Two other major trends are zero-knowledge proofs and multi-party computation. These are advanced techniques that have a lot of potential to scale decentralized applications. For example, zero-knowledge proofs can allow you to verify that the output of a program is correct without re-computing the program by verifying a short cryptographic proof, which takes less memory and computation. Multi-party computation, on the other hand, allows a set of parties to compute the output of a function without knowing the input values. It can be loosely described as executing programs on encrypted data. Multi-party computation is proposed as a key technology in managed services and cloud applications to protect sensitive data and avoid single points of failure.

One big driver of innovation is the blockchain space, where zero-knowledge proofs and multi-party computation are being deployed to solve very real problems. For example, the Ethereum blockchain uses zero-knowledge proofs to improve the scalability of the network, while multi-party computation can be used to distribute the control of cryptocurrency wallets. I believe we will see a lot of evolution in zero-knowledge proofs and multi-party computation in the next 10 to 20 years, be it in the core technology or the type of application.

It would be difficult to train all engineers in these complex cryptographic concepts. So, we must design systems that are easy to use but can securely do complex and sophisticated operations. This might be an even bigger challenge than developing the underlying cryptographic algorithms.

Natalia: What’s your advice when evaluating new cryptographic solutions?

JP: As in any decision-making process, you need reliable information. Sources can be online magazines, blogs, or scientific journals. I recommend involving cryptography specialists to:

Gain a clear understanding of the problem and the solution needed.
Perform an in-depth evaluation of the third-party solutions offered.

For example, if a vendor tells you that they use a secret algorithm, it’s usually a major red flag. What you want to hear is something like, “We use the advanced encryption standard with a key of 256 bits and an implementation protected against side-channel attacks.” Indeed, your evaluation should not be about the algorithms, but how they are implemented. You can use the safest algorithm on paper, but if your implementation is not secure, then you have a problem.
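As an added example (not code from the interview, from Taurus, or from Microsoft) of two points JP makes above, hashing passwords with a password-hashing function rather than SHA-256 and treating HMAC as only one way to build a MAC: it uses scrypt from Python's standard library with demo work factors chosen here as an assumption, and the function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work-factor parameters are an assumption for this demo (about 16 MiB of
# memory per hash); tune them to the hardware budget you actually have.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_LEN = 16
DKLEN = 32


def _scrypt(password: str, salt: bytes) -> bytes:
    # Deliberately slow and memory-hard, which is what makes guessing expensive.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=SCRYPT_MAXMEM, dklen=DKLEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as 'scrypt$<salt hex>$<hash hex>' with a fresh per-user salt."""
    if salt is None:
        salt = os.urandom(SALT_LEN)   # OS CSPRNG, not a hand-rolled generator
    return "scrypt$%s$%s" % (salt.hex(), _scrypt(password, salt).hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = _scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def naive_sha256(password: str) -> str:
    """The anti-pattern: a fast, unsalted general-purpose hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def shared_password_collides(password: str) -> Tuple[bool, bool]:
    """Two accounts with the same password. Unsalted SHA-256 yields one
    identical digest for both (a single precomputed table cracks every
    account); salted scrypt yields different records.
    Returns (sha256_same, scrypt_same)."""
    sha_same = naive_sha256(password) == naive_sha256(password)
    scrypt_same = hash_password(password) == hash_password(password)
    return sha_same, scrypt_same


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: one concrete MAC construction, not a synonym for 'MAC'."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(mac_tag(key, message), tag)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(shared_password_collides("hunter2"))                       # (True, False)
```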


The final report on NOBELIUM’s unprecedented nation-state attack

By Pooja Parab

This is the final post in a four-part series on the NOBELIUM nation-state cyberattack. In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. Microsoft’s four-part video series “Decoding NOBELIUM” pulls the curtain back on the NOBELIUM incident and how world-class threat hunters from Microsoft and around the industry came together to take on the most sophisticated nation-state attack in history. In this last post, we’ll reflect on lessons learned as covered in the fourth episode of the docuseries. 

Nation-state attacks are a serious and growing threat that organizations of all sizes face. Their primary objective is to gain strategic advantage for their country, such as by stealing secrets, gathering cyber intelligence, conducting reconnaissance, or disrupting operations. These efforts are typically conducted by state-sponsored actors with significant expertise and funding, making them a particularly challenging adversary to defend against.

NOBELIUM, a Russian-linked group, is perhaps best known for the widespread SolarWinds supply chain breach. The incident was part of an even larger and more advanced campaign that had been quietly underway for more than a year. As details of this attack were uncovered, it became clear that it was the most sophisticated nation-state cyberattack in history.

In the final episode of our “Decoding NOBELIUM” series, we provide an after-action report that explores Microsoft’s findings and discusses lessons learned.

NOBELIUM deployed extensive tactics

Let’s start by reviewing the key stages of the attack.

The intrusion

It’s critical to understand how NOBELIUM gained entry into environments. Going beyond the supply chain compromise, this actor also deployed many commonplace tactics like password spraying or exploiting the vulnerabilities of unpatched devices to steal credentials and gain access to systems. Ultimately, NOBELIUM leveraged a wide range of techniques to gain entry and adapted their toolset to each victim’s unique environment in order to achieve their goals.

The exploitation

Once NOBELIUM had gained entry, they followed the typical pattern for internal reconnaissance: discover the elevated accounts, find out which machines were there, and create a sophisticated map to understand how to reach their targets. They demonstrated extensive knowledge of enterprise environments and cybersecurity systems by evading defenses, masking activities in regular system processes, and hiding malware under many layers of code.

The exfiltration

Armed with an understanding of their target’s environment, NOBELIUM executed their plan—gaining access to source code, harvesting emails, or stealing production secrets.

NOBELIUM demonstrated patience and stealth

The NOBELIUM group moved methodically to avoid getting caught. “They were so deliberate and careful about what they did. It wasn’t like a smash and grab, where they came in and just vacuumed up everything and fled,” said Security Analyst Joanne of the Microsoft Digital Security and Resilience (DSR) Security Operations Center (SOC) Hunt Team.

They took time to move undetected through networks, gathering information and gaining access to privileged networks. For example, they prevented organizations’ endpoint detection and response (EDR) solutions from launching at system startup. NOBELIUM then waited up to a month for computers to be rebooted on a patch day and took advantage of vulnerable machines that hadn’t been patched.

“The adversary showed discipline in siloing all of the technical indicators that would give up their presence,” said John Lambert, General Manager of the Microsoft Threat Intelligence Center. “Malware was named different things. It was compiled in different ways. The command and control domains they would use differed per victim. As they moved laterally within a network from machine to machine, NOBELIUM took great pains to clean up after each step.”

Preparing for future nation-state attacks

When adversaries take this much care in hiding their activities, it can take the detection of many seemingly benign activities across different vectors pulled together to highlight one overall technique.

“In order to respond to an attack like NOBELIUM, with its scope and breadth and sophistication, you need to have visibility into various entities across your entire digital estate,” explains Sarah Fender, Partner Group Program Manager for Microsoft Sentinel. “You need to have visibility into security data and events relating to users and endpoints, infrastructure, on-premises and in the cloud, and the ability to quickly analyze that data.”

NOBELIUM leveraged users and credentials as a critical vector for intrusion and escalation. Identity-based attacks are on the rise. “Once I can authenticate into your environment, I don’t need malware anymore, so that means monitoring behaviors,” says Roberto, Principal Consultant and Lead Investigator for Microsoft’s Detection and Response Team. “Building a profile for when Roberto’s using his machine, he accesses these 25 resources, and he does these kinds of things and he’s never been in these four countries. If I ever see something that doesn’t fit that pattern, I need to alert on it.” 

Bottom line: ensure you are protecting your identities.
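The two detection ideas in this post, a per-user behaviour baseline of the kind Roberto describes (countries and resources a user normally touches) and the password-spraying pattern noted under “The intrusion”, as an added Python example that is not Microsoft’s code or Microsoft Sentinel logic; the sign-in records and their field layout are constructed for the demo.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sign-in records for this demo (not real telemetry). Assumed
# layout per line: timestamp user source_ip country resource outcome
BASELINE_LOG = """\
2021-11-01T08:02:11Z roberto 198.51.100.7 US mail success
2021-11-01T09:15:40Z roberto 198.51.100.7 US sharepoint success
2021-11-02T08:01:05Z roberto 198.51.100.9 US mail success
2021-11-03T18:30:00Z roberto 203.0.113.4 CA vpn success
2021-11-01T08:10:00Z alice 198.51.100.20 US mail success
2021-11-02T08:12:00Z alice 198.51.100.20 US hr-portal success
2021-11-02T08:13:00Z alice 198.51.100.20 US hr-portal failure
"""

NEW_LOG = """\
2021-12-01T08:05:00Z roberto 198.51.100.7 US mail success
2021-12-01T03:12:00Z roberto 192.0.2.55 NL source-repo success
2021-12-01T08:20:00Z alice 198.51.100.20 US sharepoint success
2021-12-01T08:21:00Z mallory 192.0.2.77 US mail success
2021-12-01T10:00:00Z bob 192.0.2.99 US vpn failure
2021-12-01T10:00:01Z carol 192.0.2.99 US vpn failure
2021-12-01T10:00:02Z dave 192.0.2.99 US vpn failure
2021-12-01T10:00:03Z erin 192.0.2.99 US vpn failure
2021-12-01T10:00:04Z frank 192.0.2.99 US vpn failure
"""

Event = Dict[str, str]
Profile = Dict[str, Set[str]]


def parse(log: str) -> List[Event]:
    fields = ("ts", "user", "ip", "country", "resource", "outcome")
    return [dict(zip(fields, line.split()))
            for line in log.splitlines() if line.strip()]


def build_profiles(events: List[Event]) -> Dict[str, Profile]:
    """Per-user baseline: countries and resources seen in successful
    sign-ins during the learning window. Failures do not define 'normal'."""
    profiles: Dict[str, Profile] = defaultdict(
        lambda: {"countries": set(), "resources": set()})
    for e in events:
        if e["outcome"] != "success":
            continue
        profiles[e["user"]]["countries"].add(e["country"])
        profiles[e["user"]]["resources"].add(e["resource"])
    return dict(profiles)


def deviations(event: Event, profiles: Dict[str, Profile]) -> List[str]:
    """Reasons a successful sign-in does not fit the user's profile."""
    profile = profiles.get(event["user"])
    if profile is None:
        return ["user-without-baseline"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append("new-country:" + event["country"])
    if event["resource"] not in profile["resources"]:
        reasons.append("new-resource:" + event["resource"])
    return reasons


def behaviour_alerts(events: List[Event], profiles: Dict[str, Profile]
                     ) -> List[Tuple[str, str, List[str]]]:
    """(user, timestamp, reasons) for every successful sign-in that deviates."""
    alerts = []
    for e in events:
        if e["outcome"] != "success":
            continue
        reasons = deviations(e, profiles)
        if reasons:
            alerts.append((e["user"], e["ts"], reasons))
    return alerts


def spray_sources(events: List[Event], min_users: int = 5) -> Dict[str, int]:
    """Password-spray signal: one source IP failing against many distinct
    accounts. Returns {ip: distinct_users} for sources at or over the threshold."""
    failed_users: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["outcome"] == "failure":
            failed_users[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in failed_users.items() if len(u) >= min_users}
```

Run `build_profiles(parse(BASELINE_LOG))` once over a learning window, then feed new events to `behaviour_alerts` and `spray_sources`; a real deployment would also age the baseline and add fields such as device and time of day.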

Finally, if we’ve learned anything, it’s that we need to take care of our security teams, especially during a cybersecurity incident. 

“Defender fatigue is a real thing,” says Lambert. “You have to be able to invest in those defenders so that they can surge when they need to. Security, like other professions, is not just a job, it’s also a calling. But it also leads to fatigue and exhaustion if the incident drumbeat is too strong. You have to have reserves and plan for that so that you can support your defenders and rest them in between incidents.”

As we prepare for future attacks, it comes down to joining forces. 

“When I think about what this incident means going forward, it certainly reinforces the need for the world to work together on these threats,” explains Lambert. “No one company sees it all and it is very important, especially with sophisticated threats, to be able to work very quickly with lines of trust established. This is not just about companies working together, it’s also about individuals trusting each other, impacted companies, fellow security industry companies, and government institutions.”

How can you protect your organization and defenders?

Learn more in the final episode of our four-part video series “Decoding NOBELIUM,” where security professionals give insights from the after-action report on NOBELIUM. Thanks for joining us for this series and check out the other posts in the series:

Microsoft is committed to helping organizations stay protected from cyberattacks, whether cybercriminal or nation-state. Consistent with our mission to provide security for all, Microsoft will use our leading threat intelligence and a global team of dedicated cybersecurity defenders to partner across the security industry and help protect our customers and the world. Just some recent examples of Microsoft’s efforts to combat nation-state attacks include:

The investigation of ongoing targeted activity by NOBELIUM against privileged accounts of service providers to gain access to downstream customers.
The September 2021 discovery and investigation of a NOBELIUM malware referred to as FoggyWeb.
The May 2021 profiling of NOBELIUM’s early-stage toolset of EnvyScout, BoomBox, NativeZone, and VaporRage.
Issuing more than 1,600 notifications to more than 40 IT companies alerting them to targeting by several Iranian threat groups (from May through October, those threats were 10 to 13 percent of the total notifications).
The seizure of websites operated by NICKEL, a China-based threat actor, and the disruption of ongoing attacks targeting organizations in 29 countries.
The investigation of Iran-linked DEV-0343, conducting password spraying focused on United States and Israeli defense technology companies, Persian Gulf ports of entry, and global maritime transportation companies with a business presence in the Middle East.

For immediate support, visit the Microsoft Security Response Center (MSRC) where you can report an issue and get guidance from the latest security reports and Microsoft Security Response Center blog posts.
