Microsoft Secure Future Initiative (my thoughts)

I highly encourage everyone to read this blog from Microsoft on the Secure Future Initiative (SFI).

I have been with Microsoft for over 23 years and I’ve watched how Microsoft has responded as the world woke up to new major categories of security attack vectors and resulting security needs. While Microsoft certainly hasn't been perfect in all ways at all times, I have seen the company consistently rise to the occasion and lead the industry over these eras and am very excited to see the results of this work.

Era 1: Security is a feature

The initial decades of computing primarily treated security as a feature to be added, when security wasn't being completely ignored ;-). There were definitely some forward-thinking corners of the industry that were looking ahead, but the mainstream security requirements were mostly focused on features (Access Control Lists, firewalls, etc.). Like many vendors at the time with government customers, Microsoft embraced this and got products certified (Common Criteria, etc.).

Era 2: Secure Code/Configuration

In the early 2000s, the world got its first big awakening to security with the onset of worms and viruses like Melissa, ILoveYou, Nimda, Blaster, Slammer, etc. This highlighted to the world (and Microsoft) how important it was to focus on secure coding practices, which led Microsoft to start the Trustworthy Computing initiative that resulted in innovations like automatic updating (now a common software feature), a built-in firewall in Windows, and much more.

Era 3: Secure in Operation

This era began when attackers started exploiting weaknesses in common operational practices/processes at organizations. Attacks like pass-the-hash, pass-the-ticket, and so on allow attackers to gain privileged (administrative) access to organizations and access/damage/copy assets across the organization.

This technique (similar to stealing/cloning employee badges to get into a building) led to the rise of major breaches across organizations, including many public ones in the headlines. Ransomware actors later amplified the business/societal impact of these attacks by bringing operations to a halt at many businesses, hospitals, and others.

Microsoft responded early with pass-the-hash whitepapers and continued to innovate with product changes to Credential Guard in Windows, passwordless in Windows Hello, securing privileged access (SPA) guidance, FIDO2 support, and much more.

Today: Security at Cloud/AI speed and scale

These threats continue today and are growing to include attacks on AI, attacks using AI, attackers using cloud technology, and more. This steadily increasing threat environment drives up the speed and sophistication of attacks because of high attacker profitability, sophisticated criminal business models (a dark market with specialized jobs trading skills and goods), and our increasing dependency on technology and the internet to live our daily lives.

While it doesn’t always take a highly sophisticated attack like Storm-0558 to compromise an organization, those attackers are out there along with the high volume of ransomware and commercial commodity attackers continuously raiding organizations.

This massive speed, scale, and sophistication of the attacks today has led to Microsoft's current Secure Future Initiative focusing on:

1. Transforming software development

2. Implementing new identity protections

3. Driving faster vulnerability response.


Conclusion

In closing, I don't think security will ever go away and I know most security problems can't be fixed overnight. Security is a long and ongoing journey of work, learning, and innovation.

As I said before, Microsoft isn't perfect by any measure, but I am proud to work for a company that recognizes its unique responsibility and leading role to play in the world, learns from its mistakes, and consistently contributes to the security community and the world at large. I am also very proud to see Microsoft continue to focus on the real battle with the criminal and nation-state attackers (vs. getting distracted by hyperbole from business competitors in the security industry).

I see these SFI measures being announced as significant and meaningful forward progress on top issues facing Microsoft and other organizations around the world. I also look forward to seeing what future releases will come from this initiative.

Richard Mowbray CISSP, Microsoft Cybersecurity Architect

Aligning Security Compliance & Identity with Business

10 months

Thanks for the interesting and succinct security history Mark...wow 23 years...keep up the awesome work - I'm a fan, especially on your MCRA blogs/videos.

Michael H.

Principal Technical Specialist - Cloud Endpoint

1 year

Recently, I heard a phrase that really resonates with me around these topics: "Security is managed, not solved."

Kévin KISOKA

Cybersecurity Architect | Ex-Microsoft IR

1 year

No joke, it’s a good article Mark. But I thought you had mentioned Vista/Longhorn in the “genesis” of Era 2 because there were a lot of new security features embedded into this OS that are still part of the current Windows stack, and it’s truly a step forward in terms of Security into Msft DNA back in these days where Security was optional in Msft product portfolio except for: TMG/IAG, Live OneCare etc…

Christopher Martin

Why should work smarter, not harder | Identity-driven security | Managing Consultant @ Objektkultur Software GmbH

1 year

Like your thoughts and very happy to see this future initiative- Thx Mark Simos

Tony Carrato

Consulting Architect at Independent (Semi-Retired), Board Member, Standards Author, Investor

1 year

Well said, Mark, and very good to see this initiative.
