How CISOs are preparing to tackle 2022

By Pooja Parab

Looking back over the last year, the security landscape has continued to experience significant change and escalation. Every day, we see the toll this is taking on organizations of all sizes as they navigate the enduring challenges of the pandemic, the expansion of the digital estate, and the evolution of threats. As defenders ourselves, we understand the relentless commitment required to safeguard people and organizations in this environment. It is our mission to ensure security leaders have the tools and resources they need to succeed in this important work. To continually understand the priorities and concerns of our community, we run research with security leaders every six months. I wanted to share some of those insights with you, as you may find the information valuable in your work.

To begin, the top five challenges shown below, as reported by survey takers, are very consistent with what I’m hearing in my regular interactions with customers and partners. 

Addressing ransomware is number one, followed closely by cloud security

The security leaders we talk to are feeling the pressure—managing the risk of ransomware and cyber extortion was reported as their number one challenge this past year. According to the 2021 Ransomware Survey Report, ransomware grew by 1,070 percent between July 2020 and June 2021.[1] Data from Microsoft’s Detection and Response Team (DART) in the latest Microsoft Digital Defense Report shows that cybercrime supply chains are consolidating and maturing.[2] No longer do individual cybercriminals have to develop their own tools. Today, they can simply buy proven cybercrime kits and services to incorporate into their campaigns. This gives the average cybercriminal access to better tools and automation to enable scale and drive down costs. As a result, attacks of all types are on the rise, with the economics behind successful ransomware attacks fueling a rapid trajectory.

Cloud security has also been pushed into the forefront as security leaders adapt to the realities of the pandemic and the shift to hybrid work.[3] The cloud represents significant opportunities for scale and agility. At the same time, cloud security technologies are evolving, and customers are looking for ways to simplify security across their entire portfolio.

Investment priorities for 2022

Aligned to the top cybersecurity challenges, cloud security lands as the top area of security investment over the next 12 months. For most security leaders, this means prioritizing investments that help them close gaps, protect workloads, and secure access to cloud resources. Security leaders tell us this is an area in which they’re looking for solutions that can help them tackle these challenges comprehensively—with so many organizations having a multi-cloud environment, the integration will be key. Microsoft is committed to delivering end-to-end cloud security that works across all clouds.

Protecting data is fundamental to positive business outcomes, so it’s not a surprise that data security continues to rank high on the list of priorities among respondents. Hybrid work and the acceleration of digital transformation are massively expanding the amount of data that needs to be protected, amplifying the need for comprehensive data security. We predict that organizations of all sizes will need to continue to evolve their data security strategy to keep up with changes in the digital environment.  

Following cloud and data security, we’re also hearing that decision-makers have increased interest in investing in vulnerability management and vulnerability assessment as they prioritize prevention initiatives. We are also seeing growing interest in emerging technologies like extended detection and response (XDR), IoT and operational technology (OT) security, and Secure Access Service Edge (SASE) solutions. With XDR, organizations can better detect and respond to threats across their complex ecosystems. Many organizations also use IoT and OT technologies and are looking for ways to close gaps in protection and address potential vulnerabilities. A SASE solution can help with providing secure access to resources at the edge, enabling more flexibility, visibility, and control.

Reading list for 2022

As security leaders look to mitigate threats now and in the near future, we’re seeing an increased focus on improving the prevention capabilities of the highest growth threat vectors, such as cloud security, access management, cloud workloads, hybrid work, and ransomware. An overarching component of that transformation includes increased attention on implementing Zero Trust—currently the top reported topic of interest from our research. Because Zero Trust architecture is essentially designed to prevent an attacker’s ability to move laterally, a Zero Trust strategy is extremely helpful in prioritizing and addressing prevention-focused investments. These include things like shutting down legacy authentication methods, providing secure access to resources using multifactor authentication (MFA), implementing risk-based access controls, and utilizing posture management tools to identify and remediate risks in cloud resources. By implementing a Zero Trust strategy, organizations can more safely embrace a hybrid workplace, and protect people, devices, apps, and data wherever they are located.

Read our Evolving Zero Trust whitepaper to learn how real-world deployments and attacks are shaping the future of Zero Trust strategies.

As part of the shift to the cloud, security leaders tell us they are also interested in learning more about how posture management, access management, and workload protection tools fit into their cloud security strategy. And given the concerns around the rise of ransomware and securing remote or hybrid work, it’s not surprising to see them as a priority topic of interest.

Check out our ransomware blog posts to keep up to date on the latest ransomware insights from Microsoft Security researchers and product updates.

Read our recommendations on securing a new world of hybrid work.

Perception of Microsoft

Serving our customers is our primary job and so it’s probably not surprising that we measure the perception of security leadership for various vendors, including ourselves, in a blind survey. We asked security decision-makers which companies they saw as leading the way in the security industry. Despite so many established vendors, we were honored that Microsoft was ranked in the top three by survey takers with a substantial increase in overall perception in the last year, following several years of steady growth. We hear from customers that our end-to-end solution with broad multi-cloud and multi-platform coverage and deep, industry-recognized protection has been an approach that resonates. We always have more work to do, and I’m sharing this because we want you to know that the success and protection of our customers is at the heart of everything we do. It drives our priorities and is fundamental to our mission. We’re thrilled to know we’re on the right track and we don’t take your trust or your partnership for granted.

Learn more

As the last couple of years have shown us, cybersecurity is a mission of great importance. It not only underpins the business resilience that enables your organization to thrive in times of uncertainty, but it’s also critical to the fight for digital safety for all. This isn’t something we can do alone. We must work together as a community, sharing insights and supporting each other, to defend against not only today’s attacks, but also be prepared for the threats of tomorrow. As part of our commitment to sharing insights and fostering cooperation among defenders, my colleague Rob Lefferts will be releasing a new quarterly report next month called CISO Insider, where we invite Chief Information Security Officers (CISOs) from around the globe to share their best practices and expertise.

For more information that can help you navigate the current challenges in the security landscape, check out the following resources:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] Fortinet Ransomware Survey Shows Many Organizations Unprepared, Fortinet. 29 September 2021.

[2] How cyberattacks are changing according to new Microsoft Digital Defense Report, Amy Hogan-Burney, Microsoft. 11 October 2021.

[3] New data from Microsoft shows how the pandemic is accelerating the digital transformation of cyber-security, Andrew Conway, Microsoft. 19 August 2020.

Celebrating 20 Years of Trustworthy Computing

By Lauren Goodwin

20 years ago this week, Bill Gates sent a now-famous email to all Microsoft employees announcing the creation of the Trustworthy Computing (TwC) initiative. The initiative was intended to put customer security, and ultimately customer trust, at the forefront for all Microsoft employees. Gates’ memo called upon teams to deliver products that are “as available, reliable and secure as standard services such as electricity, water services, and telephony.”

Protecting customers is core to Microsoft’s mission. With more than 8,500 Microsoft security experts from across 77 countries, dedicated red and blue teams, 24/7 security operations centers, and thousands of partners across the industry, we continue to learn and evolve to meet the changing global threat landscape.

In 2003, we consolidated our security update process into the first Patch Tuesday to provide more predictability and transparency for customers. In 2008, we published the Security Development Lifecycle to describe Microsoft’s approach to security and privacy considerations throughout all phases of the development process.

Of course, the Trustworthy Computing initiative would not be where it is today without the incredible collaboration of the industry and community. In 2005, Microsoft held its first-ever “Blue Hat” security conference, where we invited external security researchers to talk directly to the Microsoft executives and engineers behind the products they were researching.

Today, the Microsoft Security Response Center (MSRC) works with thousands of internal and external security researchers and professionals to quickly address security vulnerabilities in released products. Over the past 20 years, MSRC has triaged more than 70,000 potential security vulnerability cases shared by thousands of external security researchers and industry partners through Coordinated Vulnerability Disclosure (CVD); we’ve since issued more than 7,600 CVEs to help keep customers secure.

Beginning in 2011 with the first Bluehat Award, we have rewarded more than $40 million through the Microsoft Bug Bounty Program to recognize these vital partnerships with the global security research community in over 60 countries.

The security journey that began with TwC has involved many thousands of people across Microsoft and the industry. To celebrate 20 years of this commitment, partnership, and learning in customer security, we’re sharing the thoughts and stories of some of these employees, industry partners, experts, and contributors that helped make this journey possible.

—Aanchal Gupta, VP of Microsoft Security Response Center

The genesis of Trustworthy Computing

In 2001, a small number of us “security people” started moving away from “security products” to think more about “securing features.” Many people think of ‘security’ as security products, like antimalware and firewalls. But this is not the whole picture. We formed a team named the Secure Windows Initiative (SWI) and worked closely with individual development teams to infuse more thought about securing their features.

It worked well, but it simply wasn’t scalable.

David LeBlanc and I talked about things we had found working with various teams. We noticed we got asked the same code-level security questions time and again. So, we decided to write a book on the topic to cover the basics so we could focus on the hard stuff.

That book was Writing Secure Code.

During 2001, a couple of worms hit Microsoft products: CodeRed and Nimda. These two worms led some customers to rethink their use of Internet Information Services. Many of the learnings from this episode went into our book and made the book better. The worms also caused the C++ compiler team to start thinking about how they could add more defenses to the compiled code automatically. Microsoft Research began work on analysis tools to find security bugs. I could feel a change in the company.

In October, I was asked by the .NET security team to look at some security bugs they had found. Because of how great these findings were, we decided to pause development, equip everybody with the latest in security training, and go looking for more security bugs. A part of my job was to train the engineering staff and to triage bugs as they came in. We fixed bugs and added extra defenses to .NET and ASP.NET. This event was known as the “.NET Security Stand Down.”

Around the end of the Stand Down, I heard that Craig Mundie (who reported to Bill) was working on ‘something’ to move the company in a more security-focused direction. At the time, that’s all I knew.

In December 2001, Writing Secure Code finally came out, and I was asked to present at a two-hour meeting with Bill Gates to explain the nuances of security vulnerabilities. At the end of the meeting, I gave him a copy of Writing Secure Code. The following Monday he emailed me to say he had read the book and loved it. A few days later, Craig Mundie shared what he had been thinking about. He wanted the company to focus on Security, Privacy, Reliability, and Business Practices. These became the four pillars of Trustworthy Computing. Bill was sold on it and this all led to the now-famous BillG Trustworthy Computing memo of January 2002.

—Michael Howard, Senior Principal Cybersecurity Consultant

The evolution of the Security Development Lifecycle

The Security Development Lifecycle (SDL) is around 20 years old now and has evolved significantly since its beginning with Windows. When we started to roll out the SDL across all products back then we often received criticism from teams that it was too Windows-centric. So, the first step was to make the SDL applicable to all teams—keeping the design goal of one SDL but understanding that requirements would vary based on features and product types. We shared our experiences and made the SDL public, followed by the release of tooling we developed including the Threat Modeling Tool, Attack Surface Analyzer (ASA), and DevSkim (these last two we published on GitHub as Open Source projects).

As Microsoft started to adopt agile development methodologies and build its cloud businesses, the SDL needed to evolve to embrace this new environment and paradigm. That meant major changes to key foundations of the SDL like the bug bar, our approach to threat modeling, and how tools are integrated into engineering environments. It also presented new challenges in keeping to the one SDL principle while realizing that cloud environments are very different from the on-premises software we had traditionally shipped to customers.

We have embraced new technologies such as IoT and made further adaptations to the SDL to handle non-Windows operating systems such as Linux and macOS. A huge change was Microsoft’s adoption of Open Source, which extended the need for SDL coverage to many different development environments, languages, and platforms. More recently we have incorporated new SDL content to cover the development of Artificial Intelligence and Machine Learning solutions, which bring a whole new set of attack vectors.

The SDL has evolved and adapted over the last 20 years but it remains, as always, one SDL.

—Mark Cartwright, Security Group Program Manager

Securing Windows

I started my career at Microsoft as a pen tester in Windows during one of the first releases to fully implement the SDL. I cherish that experience. Every day it felt like I was on the front lines of security. We had an incredible group of people—from superstar pen testers to superstar developers all working together to implement a security process for one of the world’s largest security products. It was a vibrant time and one of the first times I saw a truly cross-disciplinary team of security engineers, developers, and product managers all working together toward a common goal. This left a long-lasting and powerful impression on me personally and on the Windows security culture.

For me, the key lesson learned from Trustworthy Computing is that good security is a byproduct of good engineering. In my naïve view before this experience, I assumed that the best way to get security in a product is to keep hiring security engineers until security improves. In reality, that approach is not possible. There will never be enough scale with security engineers and, simply put, good security requires engineering expertise that pen testing alone cannot achieve.

—David Weston, Partner Director of OS Security and Enterprise

An ever-changing industry

The security industry is amazing in that it never stops changing. What’s even more amazing to me is that the core philosophies of the Trustworthy Computing initiative have continued to hold true—even during 20 years of drastic change.

Compilers are a great foundational example of this. 

In the early days of the Trustworthy Computing initiative, Microsoft and the broader security industry explored groundbreaking features to protect against buffer overflows, including StackGuard, ProPolice, and the /GS flag in Microsoft Visual Studio. As attacks evolved, the guiding principles of Trustworthy Computing led to Microsoft continuously evolving the foundational building blocks of secure software as well: Data Execution Protection (DEP), Address Space Layout Randomization (ASLR), Control-flow Enforcement Technology (CET) to defend against Return-Oriented Programming (ROP), and speculative execution protections, just to name a few. 

Just by compiling software with a few switches, everyday developers could protect themselves against entire classes of exploits. Matt Miller gives a fascinating overview of this history in his BlueHat Israel talk.

At a higher level, one of the things that I’ve been happiest to see change is the evolution away from security absolutism. 

In 2001, there was a lot of energy behind the “10 Immutable Laws of Security”, including several variants of “If an attacker can run a program on your computer, it’s not your computer anymore”. 

The real world, it turns out, is shades of grey. The landscape has evolved, and it’s not game over until defenders say it is. 

We have a rich industry that continually innovates around logging, auditing, forensics, and incident response, and we have evolved our strategies to include Assume Breach, Defense in Depth, “Impose Cost”, and more. For example: as dynamic runtimes have come of age (PowerShell, Python, C#), those that have evolved during the Trustworthy Computing era have become truly excellent examples of software that actively tilts the field in favor of defenders.

While you may not be able to prevent all attacks, you can certainly make attackers regret using certain tools and regret landing on your systems. For a great overview of PowerShell’s journey, check out Defending Against PowerShell Attacks—PowerShell Team. 

When we launched the Trustworthy Computing effort, we never could have imagined the complexity of attacks the industry would be fending off in 2022—nor the incredible capability of Blue Teams defending against them. But by constantly refining and improving security as threats evolve, the world is far more secure today than it was 20 years ago.

—Lee Holmes, Principal Security Architect, Azure Security

The cloud is born

The TWC initiative and the SDL that it created recognized that security is a fundamental pillar of earning and keeping customer trust—and so it must be infused into all of Microsoft’s product development.

Since it was created, however, software has evolved from physical packages that Microsoft offers for customers to install, configure, and secure—to now include cloud services that Microsoft fully deploys and operates on behalf of customers. Microsoft’s responsibility to customers now includes not just developing secure software—but also operating it in a secure manner.

It also extends to ensuring that services and operational practices meet customer privacy promises and government privacy regulations. 

Microsoft Azure leveraged the SDL framework and Trustworthy Computing principles from the very beginning to incorporate these additional aspects of software security and privacy. Having this foundation in place meant that instead of starting from scratch, we could enhance and extend the tools and processes that were already there for box-product software. Tools and processes like Threat Modeling and static and dynamic analysis were incredibly useful all the way to cloud scenarios like hostile multi-tenancy and DevOps.

As we created, validated, and refined, we and other Microsoft cloud service teams contributed back to the SDL and tooling—including publishing many of these for use by our customers. It’s not an understatement to say that Microsoft Azure’s security and privacy traces its roots directly back to the TWC initiative launch 20 years ago.

The cloud is constantly changing with the addition of new application architectures, programming models, security controls, and technologies like confidential computing. Static analysis tools like CodeQL provide better detections and CI/CD pipeline checks like CredScan help prevent entirely new forms of vulnerabilities that are specific to services.

At the same time, the threat landscape continues to get more sophisticated. Software that does not necessarily follow SDL processes is now a critical part of every company’s supply chain.

Just as the SDL today is much more sophisticated and encompasses far more aspects of the software lifecycle than it did 20 years ago, Microsoft will continue to invest in the SDL to address tomorrow’s software lifecycle and threats.

—Mark Russinovich, Chief Technology Officer and Technical Fellow, Microsoft Azure

An amazing community of researchers

The introduction of the Trustworthy Computing initiative coincided with my first serious forays into Windows security research. For that reason, it has defined how I view the problems and challenges of information security, not just on Windows but across the industry. Many things that I take for granted, such as security-focused development practices or automatic updates were given new impetus from the expectations laid down 20 years ago. 

The fact that I’m still a Windows security researcher after all this time might give you the impression that the TwC initiative failed, but I think that’s an unfair characterization. The challenges of information security have not been static because the computing industry has not been static. Few would have envisaged quite how pervasive computing would be in our lives, and every connected endpoint can represent an additional security risk. 

For every security improvement a product makes, there’s usually a corresponding increase in system complexity which adds an additional attack surface. Finding exploitable bugs is IMO definitely harder than it was 20 years ago, and yet there are more places to look. No initiative is likely to be able to remove all security bugs from a product, at least not in anything of sufficient complexity. 

I feel the lasting legacy of the TwC initiative is not that it brought in a utopia of utmost security; regular news reports make it clear we’re not there yet. Instead, it brought security to the forefront, enabling it to become a first-class citizen in the defining industry of the 21st century.

—James Forshaw, First Bluehat Mitigation Bounty Winner 

What I learned about Threat Intelligence from Trustworthy Computing

I spent 10 years at Microsoft in Trustworthy Computing (TwC). I remember being at the meeting with Bill Gates where we talked about the need for a memo on security. From the Windows security stand-down, to XP SP2, to the creation of the Security Development Lifecycle and driving it across every product, to meeting security researchers all over the world and learning from their brilliance and passion, the Trustworthy Computing initiative shaped my entire career. One aspect of security that carries forward with me to this day is about the attacks that take place. Spending time finding and fixing security bugs leads to the world of zero-day exploits and the attackers behind them. Today I run the Microsoft Threat Intelligence Center (MSTIC) and our focus is uncovering attacks by actors all over the globe and what we can do to protect customers from them.

One thing I took from my time in TwC was how important community is. No one company or organization can do it alone. That is certainly true in threat intelligence. It often feels like we hear about attacks as an industry, but defend alone. Yet when defenders work together, something amazing happens. We contribute our understanding of an attack from our respective vantage points and the picture suddenly gets clearer. Researchers contribute new attacker techniques to MITRE ATT&CK building our collective understanding. They publish detections in the form of Sigma and Yara rules, making knowledge executable. Analysts can create Jupyter notebooks so their expert analysis becomes repeatable by other defenders. A community-based approach can speed all defenders.

While much of my work in TwC was focused inward on Microsoft and the engineering of our products and services, today’s attacks really put customers and fellow defenders at the center. Defense is a global mission and I am excited and hopeful about the opportunity to work on today’s most challenging problems with the world’s defenders.

—John Lambert, Distinguished Engineer, Microsoft Threat Intelligence Center

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

Build a stronger cybersecurity team through diversity and training

By Pooja Parab

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post of our Voice of the Community blog series, Microsoft Security Product Marketing Manager Natalia Godyla talks with Heath Adams, Chief Executive Officer (CEO) at TCM Security about being a mentor, hiring new security talent, certifications, upskilling, the future of cybersecurity training, and lots more.

Natalia: What do you recommend to security leaders concerned with the talent shortfall?

Heath: There needs to be more openness and getting away from gatekeeping. In this industry, there’s a lot of, “I went through this path, so you need to go through this path.” Or “I did these certifications, so you need to do these certifications.” Everybody wants this perfect candidate—somebody who has 10 years of experience—even when they don’t necessarily need it. We need to be able to take somebody that’s more junior, who we can help train. Or take someone with a clean slate.

As a manager, be open to more than just what’s on the Human Resources job description. And be open to new people with different backgrounds. People are coming from all walks of life and age groups. So, if you put those biases aside and just consider the person that’s in front of you, that will help with the job shortage and help close the talent gap.

Natalia: And how has the pandemic and the shift to hybrid work changed cybersecurity skilling?

Heath: I think it’s been a positive. In our field, the ability to work remotely was always there. But the pandemic shifted things, so more companies are starting to realize that fact. I’ve worked jobs as a penetration tester where I had to relocate, even though I was working out of my home 95 percent of the time. Now, more companies are opening their eyes to talent that isn’t local. You no longer have to look in big markets; you can look at somebody on the other side of the country who’s studying cybersecurity, and they can be an asset to your team.

I was doing a lot of Twitch streaming during the shutdown, and I noticed our streams were way bigger than before. We had more people watching, more people interested. There’s a lot of people who took advantage of the shutdown to say, “Hey, this is my time to get focused. I want a new career.” There are high-paying jobs and there’s remote work. And as I mentioned, you don’t need a specific background or degree to get into this field. People can come from all walks of life. I think the pandemic helped shine a light on that.

Natalia: You’re well known as The Cyber Mentor™. How has mentoring impacted your career?

Heath: It keeps me on top of my game. I have to be able to give people direction and I don’t want to give out bad information, so, I’m making sure that I stay on top of what the industry changes are, where the jobs are heading, and how to interview properly—all of which seem to change from year to year. It helps me stay in touch with the next generation that’s coming into the security field as well.

Natalia: Do you have your own mentors that help you progress in your career?

Heath: I came up with what I call “community mentorship.” I have a Discord community, and we use that to encourage other people to give back. You want to be able to help people when they need it or get help when you need it while learning from each other. When it’s time for networking or needing a job, that goes a long way. For me, it’s more about being where there are groups of like-minded people. I’ve got a lot of friends that own penetration test companies, and we’ll get together, have lunch, talk strategies. What are you doing? What am I doing? That’s the kind of mentorship that we have with each other; just making sure we’re keeping each other in check, thinking about new things.

Natalia: What are the biggest struggles for early career mentees who are trying to grow their skills? And how can leaders address those challenges?

Heath: For a person looking to get a role, there are a few things to remember. One is to make sure you’re crawling before you walk, walking before you run. I’ll use hacking as an example. A lot of people get excited about hacking and think it sounds awesome. “You can get paid money to hack something? I want to do that!” And they try to jump right into it without building foundational skill sets, learning the parts of a computer, or learning how to do computer networking or basic troubleshooting. What I tell people is to break and fix computers. Understand basic hardware, basic computer networking, what IP addresses are, what a subnet is. Understand some coding, like Python. You don’t need a computer science background but having those foundational skills will go a long way.

If you don’t put a foundation under a house, it’s going to collapse. So, you need to think about your career in the same way. You must make sure you’re building a foundation. People don’t realize the amount of effort that goes into getting into the field. Do your due diligence beforehand.

There’s also a lot of imposter syndrome in cybersecurity. I tell people not to concern themselves with others, especially on social media. They say comparison is the thief of joy, and I truly believe that. You have to make sure you’re running your own race. Even if you run the same mile as somebody else, and they finish it in 5 minutes, and you finish it in 10; you still finish the same mile. What matters is that you got there. As long as you’re trying to be better than you were yesterday, you’re going to make it a lot farther than you think.

Finally, cybersecurity is a field that’s constantly changing. For somebody who is complacent—who wants to get a degree, get a job, and then is set—cybersecurity is not the right fit. Cybersecurity is for somebody who’s interested in constantly learning because there are always new vulnerabilities. There was just the Log4J vulnerability that caused everyone concern. I had a meeting today with a client, and if I’m not prepared, I’m letting them down. I’m letting their security down as well. I spent the weekend studying because I had to. That’s the business we’re in.

You must stay on top of this from an employer side as well—being able to train people and keep them up to date. TCM Security has a base foundation where we want our employees to be, and then we encourage them to gain knowledge where they’re most interested. I’ve been sent to a training that I had no interest in whatsoever and wanted to pull my hair out. As a manager, I ask, “What do you want to learn?” When I send an employee to a cybersecurity training that they’re interested in, they’re going to retain that information a lot better. They can then bring that information back to us, and we can use that in real-world scenarios.

Natalia: How can security leaders recruit security professionals to their teams better? What should they look out for? For example, how important are certifications?

Heath: For an entry-level role, certifications are important. Their importance diminishes once you get into the field. But I’m an advocate for them; they help prove some knowledge—so does having a blog, attending a conference, building a home lab, speaking at a conference, speaking at a local community group—anything that says, “I’m passionate about security.”

I have seen some entry-level roles where the interviewers have you code something, or have you fix broken code, just to make sure you logically understand what’s going on. You don’t have to be a developer or be able to code, but you must be able to understand what’s in front of you. Having some coding challenges during the hiring process can be beneficial—but it should be open book. For a security professional, using search is 90 percent of our job, honestly. If you’re limiting somebody from searching online, you’re setting false expectations.

I go back and re-watch videos and re-read blogs all the time, because there are so many different commands, and there’s no way of memorizing all of them. But you need to understand the concepts. If you understand the tool they might need to run or the concept of it, then you can search that, find the tool, and run it. That’s more important.

Natalia: We’ve all read the statistics about burnout in the security industry. What do you recommend for leaders who want to better retain their talent?

Heath: You must be pro-mental health. Make sure there’s ample paid time off (PTO) and encourage employees to use it. Also, make sure that your employees can take time off beyond PTO. If they’re sick, they shouldn’t feel like they’re letting people down. That’s why we have flexible schedules; we run on a 32-hour workweek. We try to give people as much time back and have a work-life balance. We also pay for training, so people can go and focus on topics they’re interested in. We make sure that we’re investing in our employees. It’s so much more expensive to rehire and retrain. I’d rather invest in an employee and keep their mental health at a high level, and make sure I’m giving them all the tools and training they need to perform successfully.

Natalia: What trends have you seen in cybersecurity skilling? What do you think is coming next in terms of how security professionals are trained up, recruited, and retained?

Heath: There are more people interested in the field, and that’s great. We’re starting to see a lot more training providers and training options. Back when I started, a lot of it was just reading blog posts, and there were maybe one or two training providers. Now, there are 10 or 15.

Misinformation can be out there, or outdated information. If you search online for certification companies—or even look at an online post from a year ago—that information could be outdated. So again, this comes back to due diligence and making sure that you’re doing your research, not just relying on one source. If I was going to look for certifications to get into this field, I’d look at 20 or 30 different resources, get a consensus of what polls the highest, then do my own research on those organizations. It’s great job skills practice to research and make sure you understand where you need to go.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Disclaimer: The views expressed here are solely those of the author and do not represent the views of Microsoft Corporation.

Destructive malware targeting Ukrainian organizations

By Microsoft 365 Defender Threat Intelligence Team

Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022. Microsoft is aware of the ongoing geopolitical events in Ukraine and surrounding region and encourages organizations to use the information in this post to proactively protect from any malicious activity.

While our investigation is continuing, MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.

At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine. We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.

Given the scale of the observed intrusions, MSTIC is not able to assess intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine. We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post. MSTIC will update this blog as we have additional information to share.

As with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations. MSTIC is also actively working with members of the global security community and other strategic partners to share information that can address this evolving threat through multiple channels. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor or merged with existing actors.

Observed actor activity

On January 13, Microsoft identified intrusion activity originating from Ukraine that appeared to be possible Master Boot Record (MBR) wiper activity. During our investigation, we found a unique malware capability being used in intrusion attacks against multiple victim organizations in Ukraine.

Stage 1: Overwrite Master Boot Record to display a faked ransom note

The malware resides in various working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is often named stage1.exe. In the observed intrusions, the malware executes via Impacket, a publicly available capability often used by threat actors for lateral movement and execution.

The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1). The MBR is the part of a hard drive that tells the computer how to load its operating system. The ransom note contains a Bitcoin wallet and Tox ID (a unique account identifier used in the Tox encrypted messaging protocol) that have not been previously observed by MSTIC:

Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.

The malware executes when the associated device is powered down, an action that is often an initial response to ransomware attacks.

Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransom note is a ruse: the malware destroys the MBR and the contents of the files it targets. There are several reasons why this activity is inconsistent with cybercriminal ransomware activity observed by MSTIC, including:

- Ransomware payloads are typically customized per victim. In this case, the same ransom payload was observed at multiple victims.
- Virtually all ransomware encrypts the contents of files on the filesystem. The malware in this case overwrites the MBR with no mechanism for recovery.
- Explicit payment amounts and cryptocurrency wallet addresses are rarely specified in modern criminal ransom notes, but were specified by DEV-0586. The same Bitcoin wallet address has been observed across all DEV-0586 intrusions and, at the time of analysis, the only activity was a small transfer on January 14.
- It is rare for the communication method to be only a Tox ID, an identifier for use with the Tox encrypted messaging protocol. Typically, there are websites with support forums or multiple methods of contact (including email) to make it easy for the victim to successfully make contact.
- Most criminal ransom notes include a custom ID that a victim is instructed to send in their communications to the attackers. This is an important part of the process where the custom ID maps on the backend of the ransomware operation to a victim-specific decryption key. The ransom note in this case does not include a custom ID.

Microsoft will continue to monitor DEV-0586 activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.

Stage 2: File corrupter malware

Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter. Once executed in memory, the corrupter locates files in certain directories on the system with one of the following hardcoded file extensions:


If a file carries one of the extensions above, the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB). After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension. Analysis of this malware is ongoing.

Recommended customer actions

MSTIC and the Microsoft security teams are working to create and implement detections for this activity. To date, Microsoft has implemented protections to detect this malware family as WhisperGate (e.g., DoS:Win32/WhisperGate.A!dha) via Microsoft Defender Antivirus and Microsoft Defender for Endpoint, wherever these are deployed in on-premises and cloud environments. We are continuing the investigation and will share significant updates with affected customers, as well as public and private sector partners, as we get more information. The techniques used by the actor and described in this post can be mitigated by adopting the security considerations provided below:

- Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
- Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft Authenticator to secure accounts.
- Enable Controlled folder Access (CFA) if using Microsoft Defender to prevent MBR/VBR modification.

Indicators of compromise (IOCs)

The following list provides IOCs observed during our investigation. We encourage customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Indicator | Type | Description
a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 | SHA-256 | Hash of destructive malware stage1.exe
dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 | SHA-256 | Hash of stage2.exe
cmd.exe /Q /c start c:\stage1.exe 1> \$__[TIMESTAMP] 2>&1 | Command line | Example Impacket command line showing the execution of the destructive malware. The working directory has varied in observed intrusions.

NOTE: These indicators should not be considered exhaustive for this observed activity.
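The IOC table and the Stage 1/Stage 2 descriptions above translate directly into hunting logic. The following is an added example, not Microsoft's detection code: it hashes files against the two published SHA-256 values, flags files that match the Stage 2 corruption pattern (entirely 0xCC, 1 MB, renamed with a four-character extension) and checks a raw boot-sector image for the quoted ransom-note strings. It assumes "1MB" means 1,048,576 bytes and that the random extension is four alphanumeric characters; the sample files it scans are constructed in a temporary directory.

```python
"""Hunting helpers for the WhisperGate (DEV-0586) indicators in this post.

Added example, not Microsoft's tooling. Hashes, note text and the 0xCC/1 MB
corruption pattern come from the post; the 1 MiB size and the four-character
extension regex are assumptions.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

# SHA-256 IOCs listed in the post.
IOC_SHA256 = {
    "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92": "stage1.exe",
    "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78": "stage2.exe",
}

# Strings from the Stage 1 ransom note quoted in the post; either one inside a
# boot sector is a strong signal that the MBR has been overwritten.
RANSOM_NOTE_MARKERS = (
    b"Your hard drive has been corrupted.",
    b"1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv",
)

CORRUPTED_SIZE = 1024 * 1024  # assumption: "1MB" in the post means 1 MiB
FILL_BYTE = 0xCC
RANDOM_EXT = re.compile(r"\.[0-9A-Za-z]{4}$")  # assumed shape of the random extension
CHUNK = 1 << 16


def inspect_file(path: Path) -> dict:
    """Read a file once, computing its SHA-256 and whether it is all 0xCC."""
    digest = hashlib.sha256()
    all_fill = True
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
            size += len(chunk)
            if all_fill and chunk.count(FILL_BYTE) != len(chunk):
                all_fill = False
    return {"sha256": digest.hexdigest(), "size": size, "all_fill": all_fill}


def classify(path: Path, info: dict) -> Optional[str]:
    """Map a file's inspection result to a finding label, or None."""
    if info["sha256"] in IOC_SHA256:
        return "ioc:" + IOC_SHA256[info["sha256"]]
    if info["all_fill"] and info["size"] == CORRUPTED_SIZE:
        # Size and fill byte match Stage 2; the renamed extension adds confidence.
        return "corrupted+renamed" if RANDOM_EXT.search(path.name) else "corrupted"
    return None


def scan_tree(root: Path) -> dict:
    """Walk a directory tree and return {relative path: finding} for hits."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            label = classify(path, inspect_file(path))
            if label:
                findings[path.relative_to(root).as_posix()] = label
    return findings


def mbr_has_ransom_note(sector: bytes) -> bool:
    """Check a raw 512-byte boot-sector image for the Stage 1 note text."""
    return any(marker in sector for marker in RANSOM_NOTE_MARKERS)


def build_demo_tree(root: Path) -> None:
    """Write constructed sample files (no real malware) for a dry run."""
    (root / "docs").mkdir()
    # Mimics Stage 2 output: 1 MiB of 0xCC with the extension replaced.
    (root / "docs" / "report.q7Zk").write_bytes(bytes([FILL_BYTE]) * CORRUPTED_SIZE)
    # Right fill byte, wrong size: must not be flagged.
    (root / "docs" / "partial.bin").write_bytes(bytes([FILL_BYTE]) * 4096)
    # Ordinary file: must not be flagged.
    (root / "docs" / "notes.txt").write_bytes(b"quarterly numbers\n")


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_tree(root)


# Constructed boot-sector image: note text padded to 510 bytes plus the 0x55AA signature.
SAMPLE_MBR = RANSOM_NOTE_MARKERS[0].ljust(510, b"\x00") + b"\x55\xaa"

if __name__ == "__main__":
    for rel, label in demo().items():
        print(f"{label:20} {rel}")
    print("ransom note in sample MBR:", mbr_has_ransom_note(SAMPLE_MBR))
```

On a real host, point scan_tree at the working directories named above and feed mbr_has_ransom_note the first 512 bytes of a disk image taken during forensic collection.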

Learn about 4 approaches to comprehensive security that help leaders be fearless

By Emma Jones

The last 18 months have put unprecedented pressure on organizations to speed up their digital transformation as remote and hybrid work continue to become the new normal. Yet even with all the change and uncertainty, having the right security support system in place means your organization can still move forward confidently to turn your vision into reality. I’ve seen our customers demonstrate this fearlessness every day, and I love learning from them as we stand together against ongoing threats.
According to the Microsoft Zero Trust Adoption report,1 security is the top concern for organizations moving to hybrid work, and it’s the number one reason that security professionals are adopting a Zero Trust approach. According to the report, only 31 percent of organizations that reported being ahead with their Zero Trust implementation were impacted by NOBELIUM, the perpetrators of the SolarWinds attack.2 Compare that to the 75 percent negatively affected by this devastating cyberattack that reported lagging behind in their Zero Trust implementation.

Figure 1: Negative impacts of cyberattacks in relation to Zero Trust implementation.
Knowing that your organization is protected from such threats, both external and internal, helps build the confidence you need to succeed. Zero Trust is a strategy that will help you get there. At Microsoft Security, we’re embracing the new reality of hybrid work by providing comprehensive security with best-in-breed coverage—driven by AI and simplified for easy management—so you can be fearless in the pursuit of your vision. In this blog, I’ll share some of our customers’ stories and how they’ve empowered their teams to move forward with confidence during this time of unprecedented change.
1. Comprehensive means coverage of your entire environment
Microsoft unifies security, compliance, identity, and management to help you improve productivity and protect your entire digital estate. By providing an end-to-end solution, we’re able to integrate layers of protection across multiple clouds, platforms, endpoints, and devices—Windows, macOS, Linux, iOS, Android, Amazon Web Services (AWS), Workday, Salesforce, and more. This comprehensive approach reduces the risk of data breaches as well as compliance and privacy missteps. Once the user sets the policies, Microsoft solutions provide data governance that can help enact better security.

Figure 2: Microsoft Zero Trust architecture.
More than providing products and services, we collaborate with our customers to understand their environments and build solutions that fit their needs. One such collaboration was with Siemens where they moved from traditional on-premises security to a scalable, flexible solution to fit the company’s complex environment. Having built its reputation for innovation across diverse industries—energy, healthcare, industrial automation, building control systems, and more—research and development continues to play a vital role in the company’s success. For that reason, protecting the company’s staff and intellectual property is always top of mind. And with offices in 200 countries, managing cybersecurity amid a global landscape of shifting compliance and security regulations provides an ongoing challenge.
“There aren’t many vendors on the planet that can create a solution capable of providing consolidated insights into large, complex environments like ours. That’s why we chose Microsoft.”—Thomas Mueller-Lynch, Service Owner Lead, Digital Identity, Siemens.
“The sheer size of Siemens challenges us as to how we provide the best possible security,” explained Peter Stoll, Cybersecurity Officer and Program Lead for Zero Trust at Siemens IT Worldwide. “We like to make sure we get the benefits of emerging technologies.”
When Siemens decided to make the move from on-premises security to a Zero Trust approach, it turned to Microsoft Security. Their IT team implemented a range of security solutions through their Microsoft 365 subscriptions, including Microsoft Azure Active Directory (Azure AD) with Conditional Access as a policy engine, Microsoft Information Protection, Microsoft Defender for Endpoint, Microsoft Defender for Identity, and other solutions—creating a blueprint for ongoing security enhancements. “We chose the best of suite approach with the Microsoft 365 E5 solution,” explained Mueller-Lynch. “Now we have an overview of our environment that helps us react in real-time and defend against attacks proactively.”
2. Comprehensive isn’t just coverage—it’s best-in-breed protection
Today’s organization not only requires security coverage across their threat landscape but also the confidence that comes with knowing that your provider has a proven track record. Microsoft is a leader in five Gartner Magic Quadrants and eight Forrester Wave categories, and we ranked the highest in the MITRE Engenuity® ATT&CK Evaluations. Microsoft was also named a Leader in IDC MarketScape for Modern Endpoint Security. With best-in-breed protection across the Zero Trust security fundamentals shown in Figure 2, Microsoft provides a security safety net that’s not only comprehensive and fully integrated, but durable for the future. Microsoft’s comprehensive solution has innovation at its heart.
Duck Creek Technologies serves the global property and casualty insurance industry by providing cloud-based, software as a service (SaaS) solutions that help insurance carriers operate faster and smarter. When the company’s existing security information and event manager (SIEM) neared the limits of its processing capabilities, Duck Creek needed to upgrade without losing critical data or reducing its ability to detect threats. “Security is a very big part of how we’ve created the relationships we have with our illustrious list of customers,” says John Germain, Vice President and Chief Information Security Officer, Duck Creek Technologies. “I wanted to be sure that the solution we shifted to was best-in-class. Because Microsoft steadily improves its products and solutions to stay ahead of competing offerings, I know we’re in good hands.”
Duck Creek made a quick and painless migration to both Microsoft Defender for Cloud and Microsoft Sentinel. The company also uses Microsoft Endpoint Manager to manage its mobile-device security policies. Combining this functionality, Duck Creek has created single-pane-of-glass visibility for its remote workforce. “We now have incredible visibility across our entire technology stack, all in one place,” says Germain.
3. Integration and AI power Zero Trust security
Like Siemens, the investment platform company eToro had to reassess its infrastructure when shifting from on-premises security to a multi-layered Zero Trust approach. As a social investing platform with more than 17 million registered users across more than 100 countries, their IT team has a lot to cover. “When we were operating our traditional third-party antivirus in parallel with our Microsoft solutions, we noticed that Microsoft Defender for Endpoint was acting as our first barrier against attackers. And in 99 percent of incidents, it was the first to detect and act on threats,” says Shay Zakai, Director of Corporate IT, eToro.
That level of protection gave eToro the confidence to remove its third-party antivirus software and rely on Microsoft’s comprehensive, integrated layers for Zero Trust security. That native integration enables Microsoft’s intelligent tools to cut alert volume by 90 percent while automatically remediating up to 97 percent of endpoint attacks. Today, eToro makes ample use of multiple components within Microsoft Defender for Endpoint—threat and vulnerability management, attack surface reduction, endpoint detection and response (EDR), and automatic investigation and remediation—to protect their global operations.
“Microsoft Cloud App Security [Microsoft Defender for Cloud Apps] gives us the ability to analyze and classify information from Google Workspace and our other third-party apps in conjunction with Microsoft’s compliance tools,” Zakai explains. “That level of information gives us the power to restrict activities and enforce regulations as we see fit.”
eToro also integrates Microsoft Intune, a component of Microsoft Endpoint Manager, for their mobile device and mobile application management. By adopting Microsoft’s integrated, AI-driven security, eToro not only automated threat detection and remediation but also increased mobility for employees while reducing their operating costs. “Because of our adoption of Intune and Microsoft Defender for Endpoint, we had virtually no security concerns as we adapted to COVID-19,” says Zakai. “We were more than 90 percent ready to move to a work-from-home model on day one of the crisis.”
4. Simplicity is stronger
Most security professionals agree that security silos bring risks.3 Microsoft enables organizations to simplify and strengthen their security by consolidating up to 50 disparate products—integrating with other tools to streamline investigation and remediation. When MVP Healthcare decided to divest from the numerous redundant security licenses they’d been relying on, it turned to Microsoft Security for a simpler, more easily managed security posture. The company was using roughly 300 different vendor solutions, many of them designed for specialized functions, and Chief Information Officer (CIO) Michael Della Villa wanted to simplify.
After replacing their legacy security solutions with Microsoft Sentinel, Microsoft Defender for Cloud, Azure Firewall, and other Microsoft security solutions, MVP Healthcare’s IT team was freed up to concentrate on crucial tasks that require human attention. “Microsoft offers the cohesive solution we need,” Della Villa says. “We spent so much time trying to maintain the prior system that we weren’t actually using it. Now we easily get very detailed information from Microsoft Sentinel because it’s so well connected across all of our Microsoft solutions. The focus and clarity we’ve gained is a crucial benefit.”
MVP Healthcare also uses Microsoft Defender for Cloud to protect hybrid workloads. “Alerts from Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps, and other solutions are chained together in an actionable way,” adds MVP Healthcare cybersecurity consultant James Greene. “The entire security suite is seamlessly connected. We appreciate that because we can build a comprehensive policy for dealing with security issues in one place.”
As a global leader in technology manufacturing for IoT systems, machine automation, and embedded computing, Advantech found itself the target of a widely publicized ransomware attack in November 2020. The attack was limited to corporate network servers and was quickly mitigated, but it served as a wakeup call. Future threats could affect factory production, delay customer deliveries, lead to theft of sensitive intellectual property, and even result in safety risks.
“We did many proof of concepts (POCs) with many different vendors, but no one met our needs,” says Kevin Lin, IT Manager at Advantech. “We wanted a comprehensive solution to create better efficiency and visibility. We needed security without affecting efficiency on the client side, or requiring specialist installation and configuration by administrators. We decided on Microsoft.”
According to Kevin, Microsoft Security offers a distinct advantage in its holistic approach to services and security. “Other solutions were a little siloed, specialized, and required individual testing—both for the product and support,” he says. “Many didn’t adequately address operational technology (OT) requirements for manufacturing plants, and we recognized that Advantech’s environment called for a comprehensive solution like Microsoft Security, not a collection of solutions.”
Advantech’s security team is now looking to further raise visibility into their IoT and OT risk with agentless, network-layer security provided by Microsoft Defender for IoT—including asset discovery, vulnerability management, and continuous threat monitoring with anomaly detection. “We didn’t have staff dedicated to figuring out our security situation in our manufacturing plants (where IT security isn’t their specialty),” Kevin says. “This attack alerted senior management that they needed to deploy OT security monitoring in our factory networks as well.”
Helping you be fearless
Across the world with organizations of all sizes, from startups to multinational corporations, we see security teams behind the scenes quietly being fearless in achieving their goals. Despite the threats they face daily, these unsung leaders bravely continue the journey of helping their organizations digitally transform. They and you are the reason we want to show up for this important work. By providing not just comprehensive security, but best-in-breed protection with deep intelligence and simplified experiences—Microsoft Security is right there beside you. We want to help you secure everything and be fearless, and turn your vision into reality. To hear from our customers in their own words, visit Customer Stories to learn more. We look forward to our journey together, being fearless, and empowering each other to thrive!

1Zero Trust Adoption Report, Microsoft Security, Hypothesis Group 2021. July 2021.
2The hunt for NOBELIUM, the most sophisticated nation-state attack in history, John Lambert, Microsoft Security. 10 November 2021.
3Why Security Can’t Live In A Silo, Douglas Albert, Forbes Technology Council, Forbes. 5 October 2020.

Microsoft Zero Trust solutions deliver 92 percent return on investment, says new Forrester study

By Pooja Parab

In the last two years, we’ve seen a staggering increase in the adoption of cloud-based services, remote work solutions, bring your own device (BYOD), and IoT devices as organizations digitally transform themselves to enable a hybrid workforce.1 Zero Trust has become the essential security strategy for successfully preventing data breaches and mitigating risk in today’s complex cybersecurity landscape.

Implementing a Zero Trust security strategy, however, is a significant undertaking that requires in-depth planning, cross-company collaboration, and resources. Organizations need solutions that simplify and accelerate the adoption of Zero Trust by offering flexibility, integration, and a meaningful return on investment.

In the commissioned study The Total Economic Impact™ of Zero Trust solutions from Microsoft, Forrester Consulting reports that adoption of Microsoft solutions to implement a Zero Trust security strategy delivers:

- A three-year 92 percent return on investment (ROI) with a payback period of fewer than six months.
- A 50 percent lower chance of a data breach.
- Numerous efficiency gains of 50 percent or higher across security processes.

To better understand the benefits, costs, and risks associated with this investment, Forrester Consulting interviewed eight decision-makers with experience using Microsoft Security solutions to implement a Zero Trust security strategy. These customers were able to improve their security posture, reduce costs, achieve greater business agility, and increase efficiency in managing security. 

Improved security posture 

Data breaches can be incredibly costly as organizations work to recover their environment and brand reputation. Forrester found that by adopting Microsoft security solutions for their Zero Trust strategy, organizations were able to reduce not only the risk of a breach but also the potential for regulatory violations. Customers also reported significant improvements in their security postures since beginning their journeys, a reduction of shadow IT, and increased compliance by meeting various regulatory requirements. 

Enhanced security reduced the risk of a data breach by 50 percent. Improved authentication, network, and endpoint security protocols coupled with increased visibility into the network allowed organizations to better protect themselves from data breaches. And with network segmentation, financial losses were contained in the event of a breach.

“[Implementing strong authentication strategies has] allowed us to provide our employees with a better, more secure environment.”—Principal Architect, Logistics

Reduced cost 

A comprehensive adoption of Zero Trust involves a significant transformation of the entire security strategy—and with it, a restructuring of costs. By eliminating legacy systems and improving processes, organizations uncover significant cost savings opportunities across the entire cybersecurity organization.  

With Microsoft Security solutions, customers were able to simplify their security strategy and retire unnecessary legacy software and infrastructure, resulting in cost savings of over USD7 million. Eliminating redundant security solutions delivered an average savings of $20 per employee per month.

Process efficiencies also led to cost savings. Calls placed to IT and help desk analysts decreased by 50 percent over a three-year period. The mean time to resolve (MTTR) per inquiry also decreased by 15 percent, leading to a total net present value (NPV) of USD1,773,095 over the three years. In addition, advanced audit and discovery capabilities in the Microsoft solution stack reduced the resources required for audit and compliance management by 25 percent, saving USD2 million NPV.

Greater business agility  

A simplified security architecture through Zero Trust improves business agility. Through efficient system management and user access, organizations can move quickly to pursue business opportunities, and support remote work while managing risk.

Microsoft Security solutions reduced the effort required to provision and secure new infrastructure by 80 percent through automated provisioning of new systems, from SQL servers to virtual machines for new applications. The time required to provision new infrastructure went from several months to days. Meanwhile, workers improved their productivity through better access. Frontline workers gained efficient access to business-critical applications and systems of record, saving them an average of 30 minutes per week.  

With many of the Microsoft solutions that support Zero Trust available on a software as a service (SaaS) basis, organizations can quickly expand or contract their environment without needing to purchase additional hardware or dedicate resources to implement changes. 

“[Using Microsoft security solutions] has allowed us to focus more on our future as opposed to worrying about infrastructure.”—Identity Engineer, Manufacturing 

Efficient security management  

Most organizations dedicate too much time to triaging, investigating, and remediating alerts. A simplified Zero Trust security framework can reduce management time, both by cutting down the number of security incidents and by improving security response. 

Customers that had implemented Microsoft’s Zero Trust security framework reported a 50 percent reduction in management time due to improved security processes. Security teams were able to provision and secure new infrastructure 80 percent more quickly and accelerate the process to set up users on new devices. They were able to more quickly remediate security issues using built-in automation in Microsoft solutions such as Microsoft Sentinel, Microsoft Azure Active Directory (Azure AD), and Microsoft 365 Defender.

“Azure AD has definitely allowed us to become more agile. We can make changes on a dime. Whereas, with our legacy system, product changes were far more cumbersome and painful. With our previous identity and access management (IAM) solution, we often had to write custom code and update our IAM solution across multiple data centers [and] then troubleshoot any problems. With Azure AD, everything is handled by Microsoft. This has allowed us to free up some of our resources and dedicate them to migrating our remaining applications to Azure AD.”—Principal Architect of Technical Services, Logistics Firm

Embrace proactive security with the Microsoft Zero Trust framework 

Zero Trust is the essential security strategy in today’s hybrid work environment. A complicated IT landscape of remote and group office users introduces more digital attack surfaces and risk, as perimeters are increasingly fluid. With security products and services that verify explicitly, grant least privileged access, and assume breaches, the Microsoft Zero Trust framework supports a proactive, integrated approach to security across all layers of the digital estate. We look forward to continuing to serve and protect our customers with a comprehensive Zero Trust strategy and solutions.

Learn more

Read our Zero Trust position paper for key insights, an example of a comprehensive security architecture, and a maturity model to help accelerate your adoption. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
