Ann Johnson, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics
Tue, 26 Sep 2023 16:02:20 +0000

Microsoft collaborates with Tenable to support federal cybersecurity efforts
http://approjects.co.za/?big=en-us/security/blog/2022/06/02/microsoft-collaborates-with-tenable-to-support-federal-cybersecurity-efforts/
Thu, 02 Jun 2022 10:00:00 +0000

In the spirit of the executive order and as part of our commitment to enhancing cybersecurity across the US, we today announce that Tenable has expanded its collaboration with the Microsoft Intelligent Security Association (MISA). Together, Microsoft and Tenable will help enhance the US government’s ability to quickly identify, investigate, prioritize, and remediate threats—and help collectively raise the country’s security posture.

The post Microsoft collaborates with Tenable to support federal cybersecurity efforts appeared first on Microsoft Security Blog.

On May 12, 2021, the White House issued Presidential Executive Order (EO) 14028 to establish cybersecurity as a national priority.[1] As part of this effort, the White House has called for greater public and private sector collaboration to address the evolving threats facing federal agencies.

In the spirit of the EO and as part of our commitment to enhancing cybersecurity across the United States, we today announce that Tenable has expanded its collaboration with the Microsoft Intelligent Security Association (MISA). Tenable is a pioneer in the risk management market and creator of Nessus, one of the most widely deployed vulnerability assessment solutions in the cybersecurity industry. Together, Microsoft and Tenable will help enhance the United States government’s ability to quickly identify, investigate, prioritize, and remediate threats—and help collectively raise the country’s security posture.

Federal agencies will benefit from the two companies’ tighter collaboration, enhanced information sharing, and integrations. Specifically, Tenable and Microsoft are working together with the intent to integrate Tenable.io with Microsoft Defender for Cloud and Microsoft Sentinel solutions to support vulnerability assessments for hybrid cloud workloads that use FedRAMP moderate.

“The White House’s Cybersecurity Executive Order focuses heavily on Zero Trust initiatives,” said Glen Pendley, Chief Technology Officer, Tenable. “Zero Trust requires a foundation of strong cyber hygiene, with accurate visibility into all of the organization’s assets—IT, cloud, operational technology (OT), internet of things (IoT)—and continuous monitoring of user profiles and privileges. Furthermore, both Microsoft and Tenable are alliance partners in the Joint Cyber Defense Collaborative (JCDC) established by the Cybersecurity and Infrastructure Security Agency (CISA) to strengthen national cyber defense. Our collaboration with Microsoft supports the EO and CISA, both with respect to JCDC and Shields Up, helping federal agencies advance their Zero Trust objectives and improve resilience.”

Working together to advance agencies’ Cyber EO journey

The new capabilities forged by the Microsoft and Tenable collaboration will help agencies better orchestrate and unify the approach to security and vulnerability management and accelerate modernization in alignment with Cyber EO milestones, notably Sections 2, 3, 6, and 7.

To remove barriers to threat information as outlined in Section 2, Tenable will join as one of many independent software vendors and managed security service providers that have integrated their solutions with Microsoft’s to better defend against a world of increasing threats.

To support Section 3, Microsoft and Tenable are already collaborating with the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) to develop practical, interoperable approaches to designing and building Zero Trust architectures and help shape the NIST cybersecurity practice guide.[2]

Experts from Microsoft and Tenable will also lend best practice recommendations to CISA to standardize the federal government’s playbook for responding to vulnerabilities and incidents as outlined in Section 6.

Lastly, to improve the detection of cybersecurity vulnerabilities and incidents on government networks according to Section 7, the companies intend to mutually integrate Tenable.io with Microsoft Defender for Cloud for hybrid and multicloud agent deployment and to deliver a consolidated security recommendations view. Further, mutual integration between Tenable.io and Microsoft Sentinel, Microsoft’s cloud-native security information and event manager (SIEM) solution, is intended to help Tenable automatically feed into existing vulnerability management as agencies spin up new workloads in the cloud. This capability will be engineered to aggregate logs so top-level agencies can visualize security risks across Tenable.io and Microsoft Defender for Cloud in one place to improve threat hunting with and across agencies. Tenable will work with Microsoft to secure organizations’ on-premises, hybrid, and cloud-native Microsoft Azure Active Directory implementations in the federal space.

Microsoft’s collaboration with Tenable will strengthen agencies’ ability to identify and respond to risk at scale and extends beyond government.

To learn more about how Microsoft is bringing together public and private sector leaders to increase cyber resilience, visit our Cyber EO resource center.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] The Cybersecurity Executive Order: What’s Next for Federal Agencies?, Jason Payne. June 17, 2021.

[2] Implementing a Zero Trust Architecture, National Cybersecurity Center of Excellence.

What Generation Z can teach us about cybersecurity
http://approjects.co.za/?big=en-us/security/blog/2022/03/15/what-generation-z-can-teach-us-about-cybersecurity/
Tue, 15 Mar 2022 16:00:00 +0000

Girl Security National Security Fellowship participants share Generation Z perspectives on privacy and other cybersecurity issues that can help inform the industry.

The post What Generation Z can teach us about cybersecurity appeared first on Microsoft Security Blog.

Girl Security National Security Fellows Program fellow Amulya, a 17-year-old interested in countering online disinformation, said she feels her sense of personal privacy has been largely nonexistent “growing up in a media-saturated world.” She believes her sense of privacy was stolen by a combination of mass media, access to tech without education, and an increasing divide among generations, government, and industry around responsible technology. With an online presence from a young age, members of Generation Z, like Amulya, bring personal insight to the cybersecurity conversation about online privacy.

Girl Security, the organization I founded in 2016, builds more equitable pathways through learning, training, and mentorship for girls, women, and female-identifying and non-binary young people interested in national security careers. Ann Johnson, Corporate Vice President of Security, Compliance, and Identity Business Development at Microsoft Security, and I recently spoke about the unique challenges, like privacy, that youth confront as digital natives—defined as “a person born or brought up during the age of digital technology.”

Insights from Generation Z supplement the insights we get from adults and people currently in the workforce.  When Ann and I talked about Generation Z, we considered a couple of big questions: 

  • How do younger generations think about and experience personal privacy in a digital world shaped by the sharing of personal information and narratives? 
  • If young people forge a new understanding of privacy—where less privacy becomes the cultural norm—what might the implications be for society today and in the future? 

Privacy expectations have changed

To get answers, I recently sat down with nine remarkable future national security leaders, ages 16 to 19, who completed the 15-week Girl Security National Security Fellows Program, to discuss the experiences of girls and women online and how those experiences shape their understanding of cybersecurity.

In discussing what the internet and technology are getting right and what can be improved, the fellows explained that technology provides an unprecedented level of access to information and resources and is an affordable method of communication. However, they emphasized the need to make technology and cybersecurity education more accessible to more communities across the United States and globally through in-school learning, financial support for educational opportunities, and training programs like Girl Security.

Preventing large-scale disruptions through responsible technology is also crucial, according to Prachi, a 17-year-old high school student interested in cybersecurity. She noted that prevention can also be personalized with the use of multifactor authentication and password protection. Advancing more robust user-friendly policies, laws, and regulations is also imperative to maintaining digital trust.

Gurman, a 19-year-old who is pursuing a career in cybersecurity, added that the first step to protecting personal privacy in a shifting digital landscape is to acknowledge “how little is in our control.”

“The invasion of privacy is so normalized that we have stopped worrying about it in a way,” Gurman said. “Social media detoxes are becoming more popular because on some level, we understand as a society that living through a digital world isn’t healthy because it detaches us from reality. Yet, in my opinion, all of these things have the underlying assumption that tech is so pervasive, it cannot be controlled so we have to rationalize and normalize it as a way to seemingly maintain some control over our reality.” 

There’s a growing sense of apathy among younger generations with respect to personal security online and the proliferation of user data, according to Rachel, a 16-year-old interested in economic security. She emphasized young people’s willingness to readily share locational data and other personal data.

Amanda, a 17-year-old who is particularly interested in human rights and technology, added that while adults can benefit from tech education, young people are normalizing bad online behaviors by prioritizing convenience (like saved passwords) over privacy and security.

Security protection and consent remain a challenge

As we discussed the impact of a growing reliance on technology to share information among friends and family, attend school during the pandemic, run businesses, and more, the group considered what exactly society should seek to prevent, protect, preserve, and advance with technology.

“The government and industry should do more to prepare digital citizens for breaches or attacks that may compromise personal data and privacy,” according to Sama, an 18-year-old pursuing an interest in geopolitics and counterterrorism. She began using social media in elementary school and signed various consent forms regarding the use of her data. While aggregation of user data is not all bad—information can feed technology innovation—there need to be enhanced protections for youth on social media platforms, particularly around consent.

“Women and girls are empowered and more secure when they can claim more agency in their lives, especially in settings when they are not given choices,” explained Jasmine, a 19-year-old who is pursuing a career in international relations. “On the internet, I feel I have lost that control.” 

The burden is often placed on parents to educate youth about online harms, such as cyberbullying, harassment, image sharing, and doxing (when people reveal private information about someone), according to Jasmine. However, many Generation Z parents were born before the widespread advent of the internet and email, and often lack access to training and learning tools about the types of cybersecurity threats their children may confront online. 

In fact, some parents contribute to the sharing of children’s personal information online—sharenting is the sharing of a minor’s information by a parent or caregiver.[1]

Nicole, a 16-year-old interested in climate security and technology, said she believes user-friendly policies, laws, and regulations might lessen generational tensions around sharenting. Such measures would build greater trust and confidence in the technology many youths in the United States and other parts of the world use every day. 

Making cybersecurity more accessible

Achieving greater individual online privacy and security for future generations and advancing government and industry standards requires adopting approaches like the Zero Trust model as well as installing mandatory reporting and incident notification systems, according to Sravya, a 16-year-old interested in cybersecurity and the role of language in our cybersecurity understanding. The fellows also emphasized the need to create a shared discourse across generations about the interconnectedness of personal privacy, cybersecurity, and national security. 

Generation Z perspectives can inform cybersecurity policies

We hope you’ve enjoyed hearing these Generation Z perspectives from the Girl Security fellows. In addition to the Girl Security National Security Fellows Program, girls interested in security pathways can also be mentored through Girl Security’s nationwide e-mentoring program and learn from leading experts from Microsoft Security and across government, industry, and the social sectors. In addition, Girl Security hosts summer empowerment programs, learning and training webinars, and community-based programming, including the Girl Scout patch Finding Your Superpowers in Cybersecurity created in partnership with Microsoft and Girl Security.

The program was kicked off to help young students learn security fundamentals, but it turns out, we have as much to learn from them about the importance of online privacy when developing cybersecurity policies and programs. Happy Women’s History Month!

Next steps

Learn more about Girl Security initiatives and the Cybersecurity Superpowers program.



[1] Sharenting: 5 Questions to Ask Before You Post, Claire McCarthy, MD, FAAP, American Academy of Pediatrics. November 20, 2019.

Disclaimer: The views expressed here are solely those of the author and do not represent the views of Microsoft Corporation.

Afternoon Cyber Tea: Learn how to stop misinformation threats from nation-state bad actors
http://approjects.co.za/?big=en-us/security/blog/2021/09/13/afternoon-cyber-tea-learn-how-to-stop-misinformation-threats-from-nation-state-bad-actors/
Mon, 13 Sep 2021 16:00:47 +0000

Head of Mandiant Intelligence at FireEye Sandra Joyce talks with Microsoft’s Ann Johnson about the cybersecurity threats to US elections and how to fight them.

The post Afternoon Cyber Tea: Learn how to stop misinformation threats from nation-state bad actors appeared first on Microsoft Security Blog.

Information has long been wielded as an instrument of national power and influence. In today’s digital world, misinformation can also be just as powerful.

On a special episode of Afternoon Cyber Tea with Ann Johnson, Sandra Joyce, Executive Vice President and Head of Mandiant Intelligence at FireEye, joined me to talk about threat attribution and accountability when it comes to the use of technology by bad actors to help spread misinformation.

As a US Air Force Reserve officer and faculty member at the National Intelligence University with four master’s degrees in cyber policy, international affairs, science and technology intelligence, and military operational art and science, Sandra is an expert in understanding how nation-state actors leverage traditional and social media channels to erode confidence in free and fair elections. Sometimes, those bad actors will use these core values, such as freedom of speech, against us, according to Sandra. For instance, she recounts the story of a foreign group that used those values against the US by fabricating letters from concerned citizens to be published in US newspapers.

In this powerful episode, Sandra discusses how threat actors are adopting new threat techniques—shifting from signature malware to commodity malware—and pivoting to smaller malware families that they hope will be overlooked by cybersecurity professionals. That combination will make it harder to detect threats amid the noise. She recommends that organizations research threats and undertake a threat profile on themselves to learn their vulnerabilities and the biggest threats that could target them. That can shape priorities. Using the metaphor of bank robbers, she says it’s not so hard to rush the guards in a building but is hard to learn the location of the safe, get the combination to the safe, and escape undetected. The latter is where the bulk of business intrusion happens. Companies need to root out threats in that lateral stage.

During our conversation, we also spoke about threat intelligence and what’s involved in threat actor attribution. After recognizing a cluster of threat activity, there’s a lot of work required to identify which organization or country is behind the threat. It usually takes months to collect information about the threat’s techniques, infrastructure, and command and control (C2) channel, which is the channel a threat actor uses to commandeer an individual host or to control a botnet of millions of machines. For years, FireEye’s Mandiant Threat Intelligence team has been tracking financial crime group Fin11, which deploys point-of-sale malware targeting the financial, retail, restaurant, and pharmaceutical industries. Both technical indicators and the targeting information prove useful in these investigations, in part as you learn about the bad actors’ intentions. To learn what organizations can do to combat threats, listen to Afternoon Cyber Tea with Ann Johnson: Taking a “when, not if” approach to cybersecurity on Apple Podcasts or PodcastOne.

What’s next

A new season of Afternoon Cyber Tea with Ann Johnson launches this October 2021 on The CyberWire! In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, IoT, and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • PodcastOne: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

Afternoon Cyber Tea: Microsoft’s cybersecurity response to COVID-19
http://approjects.co.za/?big=en-us/security/blog/2021/06/15/afternoon-cyber-tea-microsofts-cybersecurity-response-to-covid-19/
Tue, 15 Jun 2021 16:00:23 +0000

Microsoft Chief Information Security Officer Bret Arsenault discusses Microsoft’s response to COVID-19 and the new cybersecurity threats that have emerged.

The post Afternoon Cyber Tea: Microsoft’s cybersecurity response to COVID-19 appeared first on Microsoft Security Blog.

On February 25, 2020, Microsoft Chief Information Security Officer (CISO) Bret Arsenault was attending the RSA Conference in San Francisco when the city declared a state of emergency because of COVID-19. Shortly after flying back to Seattle, Bret learned of the first death from the coronavirus in Washington state. He and other members of Microsoft’s Risk Management Council worked on the company’s crisis response. To kick off National Cybersecurity Awareness Month, I spoke with Bret Arsenault on a recent episode of Afternoon Cyber Tea with Ann Johnson.

As CISO, Bret is responsible for disaster recovery at the enterprise level. He is the chair of Microsoft’s Risk Management Council and has directed Microsoft’s crisis management in the wake of COVID-19. The council responds to 30 crises a year, with life safety the highest priority, followed by customers and Microsoft. The council focuses on preparation for four types of disaster and crisis recovery: planned acts (such as weather storms), unplanned acts (such as natural disasters), illegal attacks, and pandemics. Cyberattacks typically fall under illegal attacks. Certain events, such as the Olympics and elections, tend to draw out opportunistic bad actors more than others because people are more vulnerable to social engineering attacks.

Similarly, the pandemic and the social unrest in the United States have made people more susceptible to phishing scams and other cyberattacks. Before the pandemic, cybersecurity incidents had doubled every year for five years. During the pandemic, opportunistic campaigns, including a huge increase in human-operated ransomware attacks, have emerged because of people’s social engineering vulnerability. The number of phishing scams hasn’t changed much; however, the approach has shifted to mimicking health information sites and other pandemic-related schemes. Because more people are working from home, there’s been a big increase in bad actor campaigns targeting desktop protocol.

During our conversation, we also spoke about how to build a disaster recovery program and how moving to a Zero Trust security model helped Microsoft respond more agilely to the new security threats created by the pandemic. Over the past year, that approach has meant making sure all devices are managed, requiring multifactor authentication, figuring out how productivity apps work in a distributed way, and moving all meetings to Microsoft Teams. Microsoft also prioritized service monitoring and user identity and access.

Despite all the planning, there have been surprises, such as realizing that eight-hour all-hands meetings aren’t effective when online and that moving all meetings online creates a level playing field for employees. To learn what cybersecurity steps to take when your entire workforce is remote, listen to Afternoon Cyber Tea with Ann Johnson: Working Through It: Operational Resilience in the Face of Disaster on Apple Podcasts or PodcastOne.

What’s next

A new season of Afternoon Cyber Tea with Ann Johnson launches today featuring Admiral (RET) Mike Rogers, Former Head of United States Cyber Command, discussing the recent cyberattacks on the US supply chain and what we can do to stop them! Check out new episodes every Tuesday. In this important cyber series, Ann will talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, IoT, and other emerging tech.

“It isn’t just about technology. Never forget the human dynamic in all this. Again, I used to say this to our nation’s leadership, ‘Sir, you can write the biggest check in the world and it still won’t be enough. We can’t solve this by just throwing money at the problem.’ Put another way, we can have the greatest technology with the highest level of investment, but if we don’t have a smart user community, that makes smart choices, that’s part of our strategy…. It’ll be totally undermined every day by bad choices that our users are making.” – Admiral (RET) Michael Rogers, Former Head of United States Cyber Command

Afternoon Cyber Tea: Cybersecurity challenged to meet diversity goals
http://approjects.co.za/?big=en-us/security/blog/2021/06/03/afternoon-cyber-tea-cybersecurity-challenged-to-meet-diversity-goals/
Thu, 03 Jun 2021 16:00:40 +0000

RevolutionCyber Founder and CEO Jules Okafor shares what organizations can do to tackle business challenges and support diversity in cybersecurity.

The post Afternoon Cyber Tea: Cybersecurity challenged to meet diversity goals appeared first on Microsoft Security Blog.

Organizations often know they need to identify and address their cybersecurity blind spots. They also know the technology exists to help them do that. However, they don’t often understand how to communicate this need within their organization to justify the expense, nor do they know how to share with employees how they may be impacted.

When I spoke with Jules Okafor on an episode of Afternoon Cyber Tea with Ann Johnson, she shared how she has seen many cybersecurity projects fail not because of the technology put in place, but rather, the organization’s inability to communicate responsibilities or the expected results. One of the biggest pitfalls is the result of a very good intention when a new technology is excitedly implemented before developing a process.

Jules Okafor, JD, is the Founder and CEO of RevolutionCyber, a full-service privacy information security awareness and marketing communications firm, and the former Senior Vice President of Global Security Solutions for Fortress Information Security. Jules also advocates for greater diversity and inclusion in the cybersecurity industry. During our discussion, she shared how she believes the industry has been insulated from discussions about race because the focus has been on protecting companies from cyberattacks without the lens of futureproofing against biases. Companies can and should be doing more, including sharing examples of technology bias with the public, assessing their own practices to check for unintended bias, and listening when employees approach management and human resources with concerns. Many accomplished women and people of color are leaving the industry because they don’t feel heard.

In the real world, bias and racism are costing people their lives. In the online world, bias in technologies, like facial recognition software, can be detrimental. While on a recent Slack channel conversation where a participant mentioned a product that promised to let you undertake diversity and inclusion work via text message, she thought, “This is the problem.” This experience suggests that people are trying to automate complex, multi-generational problems to satisfy compliance. Until his death, civil rights activist and leader John Lewis was all-in when it came to fighting racial injustice and bias. Until people in the cybersecurity industry are all-in to that extent, there won’t be much change.

During our conversation, we also spoke about how a Craigslist post started her cybersecurity career and strategies to effectively sell cybersecurity solutions. One aspect of her job she especially enjoys is making the technical understandable to non-technical people. This can be a missing piece for some technology companies, too. Many are overly focused on building tools rather than on addressing business challenges. Most successful cybersecurity is invisible to most people, so purchasing technology becomes a tangible way to justify their role. To learn steps to take that show your company cares about becoming more diverse and solving business problems, listen to Afternoon Cyber Tea with Ann Johnson: Fortifying security strategies with a cyber mindset on Apple Podcasts or PodcastOne.

What’s next

A new season of Afternoon Cyber Tea with Ann Johnson will launch on June 15, 2021. In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, IoT, and other emerging tech.

Afternoon Cyber Tea: Cybersecurity has become a pillar of the business
http://approjects.co.za/?big=en-us/security/blog/2021/04/19/afternoon-cyber-tea-cybersecurity-has-become-a-pillar-of-the-business/
Mon, 19 Apr 2021 18:00:08 +0000

Information security researcher and author Tarah Wheeler talks with Microsoft’s Ann Johnson about the growing role of cybersecurity as a pillar of the business.

The post Afternoon Cyber Tea: Cybersecurity has become a pillar of the business appeared first on Microsoft Security Blog.

In a famous two-part episode of “Star Trek: The Next Generation,” Captain Jean-Luc Picard is captured by the Cardassians. During a pivotal scene, a Cardassian interrogator shows Picard four bright lights and demands that he “see” five lights. Picard resists, culminating with him shouting, “There are four lights!” When I hosted Tarah Wheeler on Afternoon Cyber Tea with Ann Johnson to talk about encryption, she shared this particular story about the Next Generation episode during our conversation because she believes it’s a good description of how we should think about encryption.

In addition to being a Star Trek fan, Tarah Wheeler is an accomplished information security researcher, political scientist, Fulbright Scholar, and author of the best-selling book “Women in Tech: Take Your Career to the Next Level with Practical Advice and Inspiring Stories.” Just as with that infamous episode, there’s no way to meet in the middle when it comes to encryption, according to Tarah. Encryption experts refuse to compromise because it simply isn’t possible when math is involved. Math can’t be half-implemented, and taking a backdoor approach to encryption doesn’t work. This can confuse people because protection and the right to data privacy are not fundamental opposites. Instead of having to choose one or the other, companies should balance the two, which will achieve better than a zero-sum.

Tarah has previously said that the right to private and encrypted communication is a fundamental right of humanity. She’s heartened by the change in the perception of cybersecurity, which is now considered one of the pillars of supporting a business rather than something you bolt on from the side. Cybersecurity is viewed as just as important—and necessary—as keeping the lights on and training employees. Keeping the company’s digital assets safe has become as necessary as those fundamental practices for a modern business, and cybersecurity is as valued as the Human Resources and Legal departments. Securing assets before an attack can occur has become the priority versus cleaning up after a cyberattack.

This shift toward viewing cybersecurity as a cost center has been one of the biggest changes in international business over the last few years. But Tarah characterizes that shift as reluctant and frustrated. That frustration isn’t always due to attitude; sometimes, it’s because of the difficulty in demonstrating the cost incentives of internally treating cybersecurity like a cost center. However, the money saved from effective risk management is changing that. Some of the most successful cybersecurity departments report up to Risk or Finance and not to Technology. The biggest corporate impact of international cybersecurity has been regulatory regimes like the General Data Protection Regulation (GDPR), the European Union law on data protection and privacy. The passage of GDPR was a big wake-up call for how the US conducted its affairs in corporations because many companies were stunned that compliance on requirements like data deletion would be enforced.

During our in-depth conversation, we also had the opportunity to explore the concept of “imposter syndrome” in the cybersecurity community, in addition to the changing role of the Chief Security Information Officer in an organization. I invite you to listen to our discussion and learn more about this shift on Apple Podcasts or PodcastOne.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, IoT, and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • PodcastOne: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

Zero Trust: 7 adoption strategies from security leaders http://approjects.co.za/?big=en-us/security/blog/2021/03/31/zero-trust-7-adoption-strategies-from-security-leaders/ Wed, 31 Mar 2021 16:00:04 +0000 How can your organization move to a Zero Trust security model? Ten executive security leaders met virtually to share strategies that have been effective for them.

The post Zero Trust: 7 adoption strategies from security leaders appeared first on Microsoft Security Blog.

Microsoft considers Zero Trust an essential component of any organization’s security plan. We have partnered with Cloud Security Alliance, a not-for-profit organization that promotes cloud computing best practices, to bring together executive security leaders to discuss and share insights about their Zero Trust journeys.

In our first discussion, we sat down with 10 executive security leaders from prominent energy, finance, insurance, and manufacturing companies in a virtual roundtable, to understand what has worked and discover where they needed to adjust their Zero Trust security model. Our collective goal was to learn from one another and then share what we’ve learned with other organizations. Discussions like these give us valuable opportunities to grow and led us to publish an eBook to share those conversations with other cybersecurity professionals.

Today, we are publishing the “Examining Zero Trust: An executive roundtable discussion” eBook as a result of those conversations. The eBook describes how the Zero Trust security model involves thinking beyond perimeter security and moving to a more holistic security approach. The eBook complements other resources we have published to help organizations expedite their journeys in this critical area, such as the Microsoft Zero Trust Maturity Model and adoption guidance in the Zero Trust Deployment Center. Zero Trust assumes breach and verifies each request as if it originates from an uncontrolled network. If Zero Trust had a motto, it would be: never trust, always verify. That means never trusting anyone or anything—inside or outside the firewall, on the endpoint, on the server, or in the cloud.

Zero Trust strategies

Introducing Zero Trust into your organization requires implementing controls and technologies across all foundational elements: identities, devices, applications, data, infrastructure, and networks. Roundtable participants offered successful Zero Trust strategies that respect the value of each of these foundational elements.

Strategy #1 – Use identities to control access

Identities—representing people, services, and IoT devices—are the common denominator across networks, endpoints, and applications. In a Zero Trust security model, they function as a powerful, flexible, and granular way to control access to data. Or, as one participant explained it, “The new perimeter is identity, and you need a strong identity that is validated.”

When any identity attempts to access any resource, security controls should verify the identity with strong authentication, ensure access is compliant and typical for that identity, and confirm that the identity follows least privilege access principles.

Strategy #2 – Elevate authentication

Incorporating multifactor authentication or continuous authentication into your identity management strategy can substantially improve your organization’s information security posture. One roundtable participant shared that by extending identity management with continuous authentication capabilities, their organization can now validate identity when a user’s IP address or routine behavior pattern changes.

“Zero Trust will only work if it is transparent to the end-user,” said a participant. “You have to make it easy and transparent. If you want to authenticate every five minutes or every second, that’s fine, as long as the end-user doesn’t have to do anything—as long as you can validate through other methods. For example, the endpoint can be one of the factors for multifactor authentication.”

Strategy #3 – Incorporate passwordless authentication

Passwordless authentication replaces the traditional password with two or more verification factors secured with a cryptographic key pair. When registered, the device creates a public and private key. The private key can be unlocked using a local gesture, such as a PIN or biometric authentication (fingerprint scan, facial recognition, or iris recognition).

Strategy #4 – Segment your corporate network

Network segmentation can be a pain point for business IT because firewalls represent early segmentation, and this can complicate development and testing. Ultimately, the IT team relies more on security teams to fix networking connectivity and access issues.

However, segmenting networks and conducting deeper in-network micro-segmentation is important for Zero Trust because in a mobile- and cloud-first world, all business-critical data is accessed over network infrastructure. Networking controls provide critical functionality to enhance visibility and help prevent attackers from moving laterally across the network.

Strategy #5 – Secure your devices

With the Zero Trust model, the same security policies are applied whether the device is corporately owned or a personally owned phone or tablet, also called a “bring your own device” (BYOD). Corporate, contractor, partner, and guest devices are treated the same whether the device is fully managed by IT or only the apps and data are secured. And this is true whether these endpoints—PC, Mac, smartphone, tablet, wearable, or IoT device—are connected using the secure corporate network, home broadband, or public internet.

“In a BYOD world, the device is the explosive piece,” said one participant. “If you allow unpatched devices to connect to your network, it is, in essence, walking into your base with live ordnance, and it can go bad quickly. Why wouldn’t you test outside to begin with?”

Strategy #6 – Segment your applications

Benefitting fully from cloud apps and services requires finding the right balance between providing access and maintaining control to ensure that apps, and the data they contain, are protected. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, restrict user actions, and validate secure configuration options.

“It is becoming easier and more achievable to have segmentation between the applications,” said a participant. “Being able to provide excessive privileges/role-based access is becoming part of the policy engine. The application piece of the puzzle seems to be solving itself more intelligently as time goes on. This approach gets validated every time I hear an end-user is able to dial in on the problem.”

Strategy #7 – Define roles and access controls

With the rapid rise in remote work, organizations must consider alternative ways of achieving modern security controls. It’s useful to operationalize roles and tie them to a policy as part of authorization, single sign-on, passwordless access, and segmentation. However, each role you define must be managed now and in the future, so be selective about how many roles you create to avoid management challenges later.

“If you create a thousand roles in your organization to be that granular, you will have problems with management down the road,” said a participant. “You’re going to end up with massive amounts of accounts that are not updated, and that’s where you have breaches.”

The journey toward Zero Trust

The foundational focus of organizations varies as they start their Zero Trust journey. Some of the organizations represented by roundtable participants began their Zero Trust journey with user identity and access management, while others started with network macro- and micro-segmentations or application sides. These leaders agreed that developing a holistic strategy to address Zero Trust is critical and that you should start small and build confidence before rolling out Zero Trust across your organization.

That usually means taking a phased approach that targets specific areas based on the organization’s Zero Trust maturity, available resources, and priorities. For example, you could start with a new greenfield project in the cloud or experiment in a developer and test environment. Once you’ve built confidence, we recommend extending the Zero Trust model throughout the entire digital estate, while embracing it as an integrated security philosophy and end-to-end strategy moving forward. You’re not alone in this journey. Successful organizations have walked this path, and Microsoft is happy to be with you every step of the way.

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

International Women’s Day: How to support and grow women in cybersecurity http://approjects.co.za/?big=en-us/security/blog/2021/03/08/international-womens-day-how-to-support-and-grow-women-in-cybersecurity/ Mon, 08 Mar 2021 18:00:43 +0000 Today, March 8, we are proud to celebrate International Women’s Day. The United Nations announced this year’s theme as “Women in leadership: Achieving an equal future in a COVID-19 world.” As a woman, a mother, a daughter, a sister, a friend and a leader at Microsoft, this is an important time to acknowledge and celebrate the strength and resiliency women have shown during this pandemic.

The post International Women’s Day: How to support and grow women in cybersecurity appeared first on Microsoft Security Blog.

Today, March 8, we are proud to celebrate International Women’s Day. The United Nations announced this year’s theme as “Women in leadership: Achieving an equal future in a COVID-19 world.” As a woman, a mother, a daughter, a sister, a friend, and a leader at Microsoft, this is an important time to acknowledge and celebrate the strength and resiliency women have shown during this pandemic. Women fill many frontline positions, caring for us in health facilities, keeping us fed by staffing grocery stores, and delivering our packages. They teach our children remotely while caring for their own children. They are information workers, cybersecurity professionals, and leaders all around.

The impact of this crisis makes it more important than ever to prioritize the education, careers, well-being, and growth of women at work. We are proud to be a part of a company and security team at Microsoft that makes it a priority to invest in programs and initiatives that will help support the role of women in the workforce today and in the future so they can bring their best selves to work every single day.

That is why as a collective group of security women, we feel it is important to share a bit about these efforts, as well as some thoughts from fellow leaders across our security teams on how we can work together to recognize and build on women’s achievements in cybersecurity.

New cybersecurity threats require diverse security perspectives

In addition to the personal impact it has had on so many, the pandemic has also threatened our cybersecurity community. With companies sending most of their employees home to work, cybercriminals have been eager to take advantage of new endpoints in their attempts to assess company systems. As well, phishing schemes have targeted people by mimicking pandemic healthcare alerts or unemployment information.

This increase in cybersecurity threats compounds the strain already placed on existing cyber defenders. With the cyber talent gap widening, we need more diverse cybersecurity professionals than ever to thwart them. Women make up just 24 percent of the cybersecurity workforce, according to the 2019 (ISC)² report, Cybersecurity Workforce Study: Women in Cybersecurity. That imbalance is a big problem, and during an online discussion called “Future Proofing Against Bias in Tech,” participating women Microsoft leaders shared why. For one, gender-diverse teams make better business decisions 73 percent of the time, according to a Cloverpop study mentioned during the discussion.

Diversity is also critical to catching cyber threats because limiting your hiring to only certain types of cybersecurity professionals can lead to biases and missed threat protection opportunities. And if there’s one thing we know about cybercriminals, it’s that they’re very good at exploiting our biases.

Joy Chik, who is Microsoft Corporate Vice President for the Identity division, shares, “Building diverse cyber teams provides a strategic advantage. Diversity drives innovation and devalues group think. This helps to give us an edge in how we build our products, design our security programs, and respond to threats—ultimately giving us an upper hand against cybercriminals who exploit our biases.”

What’s Microsoft Security doing to help?

Cybersecurity represents an exciting career opportunity for women, especially now with cyber threats on the rise against a backdrop of women disproportionately affected by job loss due to the pandemic. It raises the importance of opening up more opportunities for women in higher-skilled professions, including technology. In response to the pandemic’s severe impact on parts of the labor market, Microsoft launched its Global Skills Initiative to help 25 million people worldwide acquire digital skills and certifications to find new jobs. With our mission of Security for all, Microsoft Security is working through our sponsorships and programs to make cybersecurity available to everyone—as a professional option and as business protection against cyber threats.

Microsoft is partnering on several programs aimed at encouraging girls and women to consider careers in cybersecurity and expanding career opportunities for women. These programs include:

  • Girls Go Cyberstart: Launched in 2017, this program aims to inspire and uncover future female talent by featuring a girls-only community in the national program CyberStart America. Female cybersecurity professionals at Microsoft have encouraged top high school Girls Go Cyberstart clubs by sharing how they got into security.
  • WiCyS: Established in 2012, this global community creates opportunities for women in cybersecurity through professional development programs, conferences, and career fairs.
  • CyberShikshaa: Launched in 2018 by Microsoft India and the Data Security Council of India, this program is creating a pool of skilled female cybersecurity professionals.
  • Microsoft Cybersecurity Professional Program: Launched in 2018, this program helps aspiring cybersecurity professionals, as well as late-stage career transformers, learn the necessary skills to start a career in cybersecurity. To date, we’ve seen over 4,000 registrations, spanning a diverse range of ages and abilities.
  • DigiGirlz: This program gives high school girls the chance to participate in hands-on computer and technology workshops, learn about careers in technology, and connect with Microsoft employees. We also help girls grow their skills and love for technology through our support of TECHNOLOchicas, Black Girls CODE, and Girls Who Code.
  • Microsoft Women in Security: This long-running, company-wide initiative was started with the goal of building a strong internal community of female cyber professionals through programs, mentorships, and week-long events.
  • Cybersecurity Converge Tour: In partnership with organizations like the Security Advisory Alliance (SAA), Microsoft hosted students in New York City for a “Capture the Flag” interactive education and mentorship event with the goal of creating 20,000 internship opportunities and increasing the number of women and minority security professionals. We’ve also sponsored key events that support women like Executive Women’s Forum, The Diana Initiative, and Wicked 6 Cyber Games.

How to encourage more women in cybersecurity

Encouraging more girls and women to get into cybersecurity creates more effective companies. It can also help reduce the world’s shortage of qualified cybersecurity workers, which is expected to grow to 3.5 million in 2021.

As we look past the pandemic, we can expect that cybersecurity challenges will continue to evolve. AI, machine learning, and quantum computing will shape our response, but technology alone will not be enough. Some of our challenges can only be solved by people—those with different backgrounds, ideas, and experiences. Women are such a crucial part of this. We must continually commit to supporting and empowering women leaders so that we can grow and educate the next generation of female cybersecurity superheroes.

We are so lucky to work with so many talented women leaders across the security teams at Microsoft. Together we’ve put together some tips on how we can all work to increase the number of women in cybersecurity.

1. Commit to recruiting more women and retaining them

Nothing will change unless your organization commits to increasing its diversity. That starts at the top, with senior executives and other company leaders prioritizing a diverse workforce and asking themselves tough questions about why there are no women or very few women on their technology teams.

We believe the persistent gender gap in STEM starts early, so we must as well. A few years ago, a colleague’s pre-teen daughter signed up for an after-school robotics class and when she arrived, saw only two girls in the room. Unfortunately, we’re losing many girls from STEM before they are even out of middle school. We’ve got to work harder to build curriculums that fit with their age and focus not just on the mechanics of coding but with more emphasis on creativity and real-world problem-solving. Giving them an opportunity to see the breadth of cybersecurity will encourage even our youngest future cyber warriors.

Once women are in those technology roles, it’s just as important to prevent a talent drain. 52 percent of women leave technology fields—nearly double the percentage of men who quit the technology field. In part, the problem can be attributed to women feeling stalled in their careers, with a Center for Talent Innovation study finding that 27 percent of women in tech jobs felt that way and 32 percent were considering quitting in the next year.

2. Expand your definition of qualified candidates

Some hiring managers may reject qualified women candidates because they don’t fit a preconceived notion of a cybersecurity professional who checks all the expected boxes for age, gender, and race and has the technical skills, degrees, and certifications. This limited view causes companies to miss out on some incredible candidates.

The best cybersecurity professionals are insatiable learners and highly skilled problem-solvers. They may not work in cybersecurity or have a college degree but could become incredible assets to your organization.

According to one of our Microsoft Cyber Defense Operations Center (CDOC) Directors in the CISO Spotlight episode 7: People behind the cloud, “We want to bring in as many people of diverse backgrounds and skills as the problems we’re trying to solve. I’ve got university hires, military veterans, a mom who rides a motorcycle, people with advanced degrees, and just about everything in between. We do have some specialists who have done this for a really long time but we also get people who are coming in with a fresh perspective and they’re looking at things in a different way.”

3. Educate and encourage women on cybersecurity and how to apply

There are opportunities for women at all levels in cybersecurity and the field is much wider than many imagine, encompassing roles in security products, cybercrime, compliance, privacy, and other related domains. According to Julie Brill, Microsoft’s Chief Privacy Officer, women early in their careers or changing roles mid-career may underestimate their qualifications, in part because the industry may be sending the wrong message to women on the value they can add to an organization even in the early stages of their careers.

“Talent comes from many places and doesn’t require a decade of prior experience. Women who are earlier in their careers are more likely to be digital natives and facile with technology. This tech-savvy generation brings critical insight into how we can approach user-centric privacy features across our products. Enthusiastic women professionals can add value to the diverse teams that are working quickly to address the constantly changing cybersecurity and privacy landscape. We will always need innovative thinkers at any stage of their career who are passionate about the impact they can make for the tech industry and society overall. There is so much opportunity to pursue a career in privacy and cybersecurity, and there is plenty of work to be done.”—Julie Brill, Chief Privacy Officer at Microsoft

Given the potential, Microsoft Security is paving the way by sponsoring the cybersecurity programs listed in this blog. We believe it is important to educate middle school and high school students about these opportunities, coach them, and give them career guidance in addition to teaching security fundamentals. In the future, we will also collaborate with and sponsor Girl Security through a fellowship program to provide career education and mentoring to people with diverse backgrounds—enabling security to benefit all.

4. Help candidates counter self-doubt

Candidates entering high-skill fields often experience imposter syndrome: self-doubt, insecurity, and a sense of being undeserving of their role. Help set the right tone from the outset by reassuring them that they don’t need a perfect set of qualifications or an ideal background to become an amazing security engineer or cybercrime investigator.

No one was born with security knowledge and experience. People learn as they go along. As we’ve heard from Kristina in the CISO Spotlight Episode, people of all different backgrounds make good security professionals.

Support women in cybersecurity

The work to develop programs and practices that attract and retain women in the field of cybersecurity is ongoing and moves as quickly as the field changes. In April, Microsoft Security is kicking off the Girl Security Fellowship program, a series of webcasts and training sessions that lead into the summer sharing inspiring stories from many of our women cybersecurity leaders and helping high school students learn security fundamentals along with mentorships. More information on the Microsoft and Girl Security program will be mentioned in a subsequent blog post later in March.

By embracing cybersecurity for all, we can both expand women’s options in the workforce and more effectively secure companies against threats. Stay tuned for more blogs this month featuring our women leaders in Cybersecurity. Happy International Women’s Day!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic http://approjects.co.za/?big=en-us/security/blog/2021/02/16/afternoon-cyber-tea-evaluating-individual-and-organizational-cyber-risk-in-a-pandemic/ Tue, 16 Feb 2021 19:00:57 +0000 The pandemic is exposing weaknesses in cybersecurity—learn why an integrated security solution can help combat emerging cyber threats.

The post Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic appeared first on Microsoft Security Blog.

Cybersecurity professionals find themselves in high demand as organizations worldwide continue to grapple with how to secure millions of remote workers. James Turner is an industry analyst at CISO Lens and served as an adjudicator from 2017 to 2019 for the Australian government’s cyber war games: Operation Tsunami. In this episode of Afternoon Cyber Tea, James and I talk about how the COVID-19 pandemic has accelerated the critical need for cooperation across the cybersecurity industry, as well as the need for strengthening communication between governments and private organizations.

Our discussion really examines how the pandemic has pushed organizations toward greater cost efficiencies and a new mainstreaming of cybersecurity—democratizing the language and tools to make it part of everyone’s “9 to 5” experience.

“Everyone has a plan until they get hit in the face,” as James puts it. “Ransomware is off the hook—one organization just got hit with a 10 million dollar ransom. That’s more than the average Australian or New Zealand organization spends on security in a year.”

If the old saying that every crisis presents an opportunity holds true, James sees the pandemic as a tremendous catalyst for better information sharing amid budget cuts and a fragmented workforce. “The security operating centers at large banks are on speed-dial with each other because the attack against Company A hits Company B the next day. No organization, or even an entire country, can do it all by themselves.”

During our talk, we also touch on how the pandemic has pushed security professionals to look at new ways of optimizing delivery, such as utilizing an integrated security solution rather than an expensive niche product. “It’s given businesses a new appreciation for automatic patching,” James recounts. “My group of CISOs is discussing installing agents on personal devices; the legalities and logistics around that. Budgets are becoming an issue; so, I’m encouraging them to think like startups—get creative.”

James and I also examine how security professionals need to do a better job of evangelizing across the entire IT sector, including developing a ground-level understanding of your own organization’s business units. Cybersecurity will only be truly effective when it’s no longer part of an org chart but simply part of everyone’s job.

To hear my complete conversation with James Turner, listen to the full episode.

What’s next

In this ongoing podcast series, I talk with cybersecurity influencers about the evolving threat landscape and explore the promise of systems powered by AI, IoT, and other emerging tech. In every episode, we’ll look at empowering people and organizations to create a more secure, productive digital environment.

Listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

Modernizing your network security strategy http://approjects.co.za/?big=en-us/security/blog/2021/02/04/modernizing-your-network-security-strategy/ Thu, 04 Feb 2021 17:00:12 +0000 From the global pandemic to recent cyberattacks, our world has faced many challenges during the past 12 months. Some of these challenges we can’t change. However, I’m pleased about the ones we can, and are changing across the cybersecurity landscape.

The post Modernizing your network security strategy appeared first on Microsoft Security Blog.

From the global pandemic to recent cyberattacks, our world has faced many challenges during the past 12 months. Some of these challenges we can’t change. However, I’m pleased about the ones we can change, and are changing, across the cybersecurity landscape. For example, to facilitate remote work and maintain business continuity, organizations are moving more of their apps to the cloud and delivering SaaS experiences.

We know, however, that cybercriminals are taking advantage of this shift. We have seen them increase DDoS attacks, ransomware, and phishing campaigns. So how do you, as a cybersecurity professional, help your organization facilitate remote work while strengthening security, reliability, and performance?

The first step is to examine your organization’s security strategy and adopt a Zero Trust approach.

Join me and Sinead O’Donovan, Director of Program Management for Azure Security, in the next Azure Security Experts Series on February 18, 2021, from 10:00 AM to 11:00 AM Pacific Time, where we’ll focus on another important aspect of Zero Trust: network security.

There, we’ll step through three strategies that use cloud-native network security services like Azure Front Door and Azure Firewall to perform:

  • Segmentation: This includes apps and virtual network segmentation which aims to reduce the attack surface and prevent attackers from moving laterally.
  • Encryption: Enforcing encryption on the communication channel between user-to-app or app-to-app with industry standards like TLS/SSL.
  • Threat protection: Employing threat intelligence to help minimize risk from the most sophisticated attacks like bots and malware.

You’ll have the opportunity to take deep dives and see demos on how to use Azure network security cloud-native services for:

  • Application security and acceleration: Utilize new integrated services like Azure Web Application Firewall and CDN technology to provide app security, scalability, and resiliency.
  • Advanced cloud network threat protection: Apply advanced firewall capabilities for highly sensitive and regulated environments.

In just one hour, you’ll learn new networking strategies, improve your app security and performance, use cutting-edge network threat protection, and stay ahead of a constantly evolving threat landscape.

Register now.

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
