Microsoft has made fresh commitments to harden the security of its software and cloud services after a year in which numerous members of the global infosec community criticized the company’s tech defenses.
Brad Smith, Microsoft president, pointed to significant technological developments across the industry as the reason for the move, including AI and the ever-growing capabilities of ransomware criminals and nation-state cyber operations.
“In recent months, we’ve concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response,” he said.
“Therefore, we’re launching today across the company a new initiative to pursue our next generation of cybersecurity protection – what we’re calling our Secure Future Initiative (SFI).”
The SFI is propped up by three key pillars. The long and short of it is that Microsoft is pushing the big AI button a few more times, more deeply embedding the tech throughout its security operations and products. An update of its software engineering practices is also on the horizon which again hinges on AI.
Microsoft has been in the front carriage of the AI hype train this year, and executives are refusing to climb down. Smith pointed to the AI-ification of pretty much everything in Microsoft’s security portfolio thus far – from brand-new standalone products to the deep embedment of the tech in its attack-detection tooling.
“AI is a game changer,” he said. “While threat actors seek to hide their threats like a needle in a vast haystack of data, AI increasingly makes it possible to find the right needle even in a sea of needles. And coupled with a global network of datacenters, we are determined to use AI to detect threats at a speed that is as fast as the internet itself.”
The AI train doesn’t stop there, either. The company said its software engineering practices are going to be overhauled, again citing the evolving threat landscape instead of the widely bemoaned issues in the company’s code.
The news will be welcomed by the security researchers who have been told their findings won’t be fixed by Microsoft because they’re not seen as genuine vulnerabilities, or aren’t deemed important enough to warrant immediate attention.
“Pleased to see Microsoft make a strong commitment to secure by design principles,” CISA director Jen Easterly said via X. “Look forward to seeing material progress on this effort. It’s imperative that tech manufacturers take ownership for the security outcomes of their customers.”
Secure code analysis is going to be bolstered by AI, we’re told, and a sharpened focus on using GitHub Copilot when auditing and testing code is also part of the company’s plans.
These measures are intended to reinforce what Microsoft calls the next stage of its Security Development Lifecycle, the full details of which can be read in the email sent to Microsoft’s security staff from Charlie Bell, EVP of Microsoft Security.
Microsoft has also committed to beefing up its identity protections, again citing the growth in sophisticated cyberattacks, as well as its goal of halving cloud vulnerability response and mitigation times.
The final pillar of SFI isn’t really to do with any actions Microsoft might take internally, at least in any material sense. Referred to as the “stronger application of international norms,” Smith essentially said the company will encourage better security practices across industry.
These include “abhorring” nation-state malware attacks, as opposed to, erm, the wide welcome they’ve received thus far. He differentiated them from espionage-based attacks because they are often designed in a way that could threaten the safety of civilians.
Microsoft will also promote better practices in the critical infrastructure space, lobbying governments to bring cloud computing under this umbrella term, too. Those governments should also be doing more to force accountability on those behind nation-state attacks.
Security under scrutiny
Criticism of Microsoft’s security practices has come from various corners of the industry, from infosec experts all the way to the US Senate.
On the second Tuesday of every month, IT admins gear up for a monster rush to fix the myriad flaws in Microsoft’s products and services. Patch Tuesday turned 20 years old last month and while the consistent scheduling makes admins’ lives easier, some have criticized the volume of fixes that need to be applied every month.
Speaking to Forbes, CrowdStrike’s CSO Shawn Henry made the point that Microsoft’s products are everywhere, from market-leading multinationals to governments of world powers.
“If we had the government buying tanks that stopped on the battlefield or jets that couldn’t take off – and it happened month after month, year after year for decades – I think there’d be an issue. There’d be a big problem,” he said.
Microsoft’s update packages themselves have also been prone to issues in the past. In just the past year we’ve seen servers breaking and blue screens aplenty – issues that drove some admins to make the risky decision to can the updates altogether and wait for a more stable batch the following month.
Henry’s comments came shortly after a very public spat between Microsoft and Amit Yoran of security shop Tenable after the CEO branded Microsoft’s handling of its vulnerability reports “grossly irresponsible, if not blatantly negligent.”
Despite the issues Microsoft has experienced with security this year, experts who spoke to The Register welcomed the news, seemingly acknowledging that flaws are always likely to be found in tech, especially when a company has so many lines of code to maintain.
Moreno Carullo, CTO at Nozomi Networks, said it’s “hard to tell” if Microsoft’s commitments will go far enough to adequately secure its products, but added that “it’s never too late to rethink about security.” ®