Microsoft has had a rough few years when it comes to cybersecurity incidents. It found itself at the center of the SolarWinds attack almost three years ago, one of the most sophisticated cybersecurity attacks we have ever seen. Then, in 2021, the email servers of 30,000 organizations were hacked thanks to a vulnerability in Microsoft Exchange Server. As if that wasn’t already enough, Chinese hackers breached US government emails via a Microsoft cloud exploit earlier this year.
Microsoft is now announcing a massive cybersecurity effort, dubbed the Secure Future Initiative (SFI). This new approach is designed to change the way Microsoft designs, builds, tests and operates its software and services today. It is the biggest change in security efforts within Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004, after Windows XP fell victim to a massive worm attack, Blaster, which took PCs offline in 2003. That push came just two years after co-founder Bill Gates called for a trustworthy computing initiative in an internal memo.
Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, reduce the time it takes to patch cloud vulnerabilities, enable better security settings from the start, and strengthen its infrastructure to protect against encryption keys falling into the wrong hands.
In an internal memo to Microsoft’s engineering teams today, the company’s leadership presented its new approach to cybersecurity. This comes just months after Microsoft was accused of “blatantly negligent” cybersecurity practices linked to a major breach that targeted its Azure platform. Microsoft has faced increasing criticism over its handling of various cybersecurity issues in recent years.
“Satya Nadella, Rajesh Jha, Scott Guthrie and I have thought long and hard about how we should respond to increasingly sophisticated threats,” said Charlie Bell, Microsoft’s chief security officer, in an internal memo distributed today. “To this end, we have committed to three specific technical advancements as part of our journey to continually improve the built-in security of our products and platforms. These advances constitute what we call the Secure Future Initiative. Collectively, they improve customer security in the near term and against threats that we know will increase on the horizon.”
The first big change concerns the way Microsoft develops its software. The company will rely on more automation and AI to detect security risks and vulnerabilities. This includes leveraging CodeQL, the code analysis engine developed by GitHub, to automate security checks during development. “Our goal is to accelerate the deployment of CodeQL integrated with GitHub Copilot learnings,” says Bell. “We will use CodeQL to perform static and dynamic code analysis, helping our teams find and fix bugs in our code at the speed and scale of AI.”
Microsoft is building an AI-based “cyber shield”
This AI push for security won’t be limited to software development at Microsoft, either. “As a company, we are committed to building an AI-powered cyber shield that will protect customers and countries around the world,” says Brad Smith, vice chair and president of Microsoft, in a blog post today. “AI is a game changer. As threat actors seek to hide their threats like a needle in a vast haystack of data, AI is increasingly making it possible to find the right needle, even in a sea of needles. And coupled with a global network of data centers, we are committed to using AI to detect threats as fast as the internet itself.”
Some of the criticism leveled at Microsoft in recent months has focused on the time it takes the company to respond to major security breaches. Cybersecurity company Tenable initially discovered an Azure flaw in March, but it says it took Microsoft “more than 90 days to implement a partial fix” that only applied to new Azure apps.
“We plan to reduce the time it takes to mitigate cloud vulnerabilities by 50%,” Bell said in his memo. “We are able to achieve this through our investments and knowledge in automation, orchestration and intelligence-driven tools and processes.” Ninety days is the typical industry window for security patches, so if Microsoft can reliably reduce that time frame to 45 days, that’s a good start for this new security initiative.
Microsoft also plans to strengthen the platforms that protect its encryption keys. Chinese hackers breached US government emails after stealing signing keys that allowed them to access dozens of inboxes earlier this year.
“To stay ahead of bad actors, we’re moving identity platforms to confidential computing infrastructure that we helped build,” says Bell. “In this architecture, data governing identities is encrypted not only at rest and in transit, but also during computing processes. This means that even if an attacker manages to bypass our layered defenses by targeting encryption keys, the key data is designed to be inaccessible in automated systems that do not require human contact.”
Microsoft is also focusing on improving default security settings. “Over the next year, we will offer our customers more secure default settings for multi-factor authentication (MFA) out of the box,” says Smith. “This will extend our current default policies to a broader range of customer services, focusing on areas where customers need this protection most.”
In September, the cybersecurity research firm Wiz disclosed that 38TB of data was accidentally exposed by Microsoft AI researchers using an Azure feature called SAS tokens. “SAS account tokens are extremely difficult to manage and revoke,” Wiz researchers said at the time. Microsoft doesn’t specifically mention SAS tokens in its new security initiative, but I hope it’s something the company is considering as well.
While this is Microsoft’s biggest commitment to cybersecurity in over a decade, I can also sense that the company is growing increasingly irritated by the attacks it has found itself at the center of. “We should all abhor determined efforts by nation states to install malware or create or exploit other cybersecurity weaknesses in the networks of critical infrastructure providers,” Smith says in his blog post today. “These measures have no connection to centuries-old espionage efforts by governments and instead appear intended to threaten the lives of innocent civilians in a future crisis or conflict.”
Smith calls on states to “recognize cloud services as critical infrastructure, with protection against attack under international law” and for greater accountability for nation states involved in undermining cloud security. “All states should publicly commit not to implement software vulnerabilities in the networks of critical infrastructure providers such as energy, water, food, medical care or other providers,” Smith says. “They should also commit not to allow any person within their territory or jurisdiction to engage in cybercriminal operations targeting critical infrastructure.”