According to a recent survey conducted by ISMG, the top concerns for both business executives and security leaders on using generative AI in their organization range, from data security and governance, transparency and accountability to regulatory compliance.¹ In this paper, the first in a series on AI compliance, governance, and safety from the Microsoft Security team, we provide business and technical leaders with an overview of potential security risks when deploying generative AI, along with insights into recommended safeguards and approaches to adopt the technology responsibly and effectively.

Learn how to deploy generative AI securely and responsibly

In the paper, we explore five critical areas to help ensure the responsible and effective deployment of generative AI: data security, managing hallucinations and overreliance, addressing biases, legal and regulatory compliance, and defending against threat actors. Each section provides essential insights and practical strategies for navigating these challenges. 

Data security

Data security is a top concern for business and cybersecurity leaders. Specific worries include data leakage, over-permissioned data, and improper internal sharing. Traditional methods like applying data permissions and lifecycle management can enhance security. 

Managing hallucinations and overreliance

Generative AI hallucinations can lead to inaccurate data and flawed decisions. We explore techniques to help ensure AI output accuracy and minimize overreliance risks, including grounding data on trusted sources and using AI red teaming. 

Defending against threat actors

Threat actors use AI for cyberattacks, making safeguards essential. We cover protecting against malicious model instructions, AI system jailbreaks, and AI-driven attacks, emphasizing authentication measures and insider risk programs. 

Addressing biases

Reducing bias is crucial to help ensure fair AI use. We discuss methods to identify and mitigate biases from training data and generative systems, emphasizing the role of ethics committees and diversity practices.

Legal and regulatory compliance

Navigating AI regulations is challenging due to unclear guidelines and global disparities. We offer best practices for aligning AI initiatives with legal and ethical standards, including establishing ethics committees and leveraging frameworks like the NIST AI Risk Management Framework.

Explore concrete actions for the future

As your organization adopts generative AI, it’s critical to implement responsible AI principles—including fairness, reliability, safety, privacy, inclusiveness, transparency, and accountability. In this paper, we provide an effective approach that uses the “map, measure, and manage” framework as a guide; as well as explore the importance of experimentation, efficiency, and continuous improvement in your AI deployment.

I’m excited to launch this series on AI compliance, governance, and safety with a strategy paper on minimizing risk and enabling your organization to reap the benefits of generative AI. We hope this series serves as a guide to unlock the full potential of generative AI while ensuring security, compliance, and ethical use—and trust the guidance will empower your organization with the knowledge and tools needed to thrive in this new era for business.

Additional resources

• Get the Grow Your Business with AI You Can Trust e-book.
• Explore the Introduction to Generative AI and Safety guide.

Minimize Risk and Reap the Benefits of AI

Get more insights from Bret Arsenault on emerging security challenges from his Microsoft Security blogs covering topics like next generation built-in security, insider risk management, managing hybrid work, and more.

^{1, 2} ISMG’s First annual generative AI study – Business rewards vs. security risks: Research report, ISMG.

The post More value, less risk: How to implement generative AI across the organization securely and responsibly appeared first on Microsoft Security Blog.

Secure Future Initiative

A new world of security.

Learn more

Microsoft’s mission to empower every person and every organization on the planet to achieve more depends on security. We recognize that when Microsoft plays a role in pioneering cutting-edge technology, we also have the responsibility to lead the way in protecting our customers and our own infrastructure from cyberthreats. Against the exponentially increasing pace, scale, and complexity of the security landscape, it’s critical that we evolve to be more dynamic, proactive, and integrated in our security model to continue meeting the changing needs and expectations of our customers and the market. Our rich history in innovation is a testament to our commitment to delivering impactful and trustworthy products and services that that shape industries and transform lives. This legacy continues as we consistently work to set new benchmarks for safeguarding our digital future.

Expanding upon our foundation of built-in security, in November 2023 we launched the Secure Future Initiative (SFI) to directly address the escalating speed, scale, and sophistication of cyberattacks we’re witnessing today. This initiative is an anticipatory strategy reflecting the actions we are taking to “build better and respond better” in security, using automation and AI to scale this work, and strengthen identity protection against highly sophisticated cyberattacks. It’s not about tailoring our defenses to a single cyberattack: SFI underscores the importance of a continually and proactively evolving security model that adapts to the ever-changing digital landscape.

Four months have passed since we introduced SFI, and the achievements in our engineering developments demonstrate the concrete actions we’ve implemented to make sure that Microsoft’s security infrastructure stays strong in a constantly changing digital environment.  Read more below for updates on the initiative.

Transforming software development with automation and AI

As noted in our November 2, 2023 SFI announcement, we’re evolving our security development lifecycle (SDL) to continuous SDL—which we define as applying systematic processes to continuously integrate cybersecurity protection against emerging threat patterns as our engineers code, test, deploy, and operate our systems and service. Read more about continuous SDL here.

As part of our evolution to continuous SDL, we’re deploying CodeQL for code analysis to 100% of our commercial products. CodeQL is a powerful static analysis tool in the software security space. It offers advanced capabilities across numerous programming languages that detect complex security mistakes within source code. While our code repos go through rigorous SDL assessment leveraging traditional tooling, as part of our SFI work we now use CodeQL to cover 86% of our Azure DevOps code repositories from our commercial businesses in our Cloud and AI, enterprise and devices, security and strategic missions, and technology groups. We are expanding this further and anticipate that completing the consolidation process of the last 14% will be a complex, multi-year journey due to specific code repositories and engineering tools requiring additional work. In 2023, we onboarded more than one billion lines of source code to CodeQL, which highlights our commitment toward progress.

As part of efforts to broaden adoption of memory safe languages, we donated USD1 million in December 2023 to the Rust Foundation, an integral partner in stewarding the Rust programming language. Additionally, we’re providing an additional USD3.2 million to the Alpha-Omega project. In partnership with the Open Source Security Foundation (OpenSSF) and co-led with Google and Amazon, Alpha-Omega’s mission is to catalyze security improvements to the most widely deployed open source software projects and ecosystems critical to global infrastructure. Our contribution this year will help expand coverage, more than doubling the number of widely deployed open source projects we analyze, including 100 of the most commonly used open source AI libraries. The Alpha-Omega 2023 Annual Report highlights security and process improvements from last year and strides toward fostering a sustainable culture of security within open source communities.  

Together, our SFI-driven advances in expanding continuous SDL, fostering secure open source updates, and adopting memory safe languages strengthen the foundation of software throughout Microsoft’s own products and platforms, as well as the wider industry.

Strengthening identity protection against highly sophisticated attacks

As part of our SFI engineering advances, we’re enforcing the use of standard identity libraries such as the Microsoft Authentication Library (MSAL) enterprise-wide across Microsoft. This initiative is pivotal in achieving a cohesive and reliable identity verification framework. It facilitates seamless, policy-compliant management of user, device, and service identities across all Microsoft platforms and products, ensuring a fortified and consistent security posture.

Our efforts have already seen noteworthy achievements in several key areas. We’ve reached a major milestone with full integration of MSAL into Microsoft 365 across all four major platforms: Windows, macOS, iOS, and Android marking a significant advancement toward universal standardization. This integration ensures that Microsoft 365 applications are underpinned by a unified authentication mechanism. In the Azure ecosystem, encompassing critical tools such as Microsoft Visual Studio, Azure SDK, and Microsoft Azure CLI, MSAL has been fully adopted, underscoring our commitment to secure and streamlined authentication processes within our development tools. Furthermore, over 99% of internal service-to-service authentication requests, using Microsoft Entra for authorization, now utilize MSAL, highlighting our dedication to boosting security and efficiency in inter-service communications. Ultimately, these milestones further harden identity and authorization across our vast estate, making it increasingly difficult for threats and intruders to move between users and systems.

Looking ahead, we’re setting ambitious objectives to further bolster our security infrastructure. By the end of this year, we aim to fully automate the management of Microsoft Entra ID and Microsoft Account (MSA) keys. This process will include rapid rotation and secure storage of keys within Hardware Security Modules (HSMs), significantly enhancing our security measures. Additionally, we’re on track to ensure that Microsoft’s most widely used applications transition to standard identity libraries by the end of the year. Through these collective efforts we aim to not only enhance security but also improve the user experience and streamline authentication processes across our product suite.

Stay up to date on the latest Secure Future Initiative updates

As we forge ahead with the SFI, Microsoft remains unwavering in its commitment to continuously evolve our security posture and provide transparency in our communications. We’re dedicated to innovating, protecting, and leading in an era where digital threats are constantly changing. The progress we’ve shared today is only a fraction of our comprehensive strategy to safeguard the digital infrastructure and our customers who rely on it.

In the coming months, we will continue to share our progress on enhancing our capabilities, deploying innovative technologies, and strengthening our collaborations to address the complexities of cybersecurity. We’re committed to building a safer, more resilient digital world, with a focus on transparency and safety in every step.

To learn more  about the Microsoft SFI and read more details on our three engineering advances, visit our built-in security site.

Learn more about Microsoft Security solutions and bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Enhancing protection: Updates on Microsoft’s Secure Future Initiative appeared first on Microsoft Security Blog.

Core to a security team’s mission is protecting the company’s assets, especially its data. Strong data protection requires securing the most sensitive or critical data, preventing that data from leaving the organization, and managing potential risks inside and outside of your environment.

And managing internal risks can be challenging because it requires analyzing millions of daily signals to detect potentially risky user actions that may lead to a data security incident. For example, what confidential files are your users sharing or accessing? Are users sharing sensitive files externally? Are they downloading files to unapproved devices or uploading them to unapproved locations? All the while, you must balance security controls and productivity, and ensure user privacy is built into your program.

To be effective in addressing insider risks, it’s critical that organizations start thinking about how and why they should be implementing a holistic data protection strategy across their entire organization that encompasses people, processes, training, and tools. At Microsoft, we transitioned from a fragmented insider risk management approach to one in which we addressed it holistically by taking a more comprehensive approach, getting more buy-in from organizational leadership, and making sure user privacy is built in from the get-go.

Following our own transition, Microsoft wanted to better understand how organizations are approaching insider risk management, specifically how some of these security and compliance teams were thinking about insider risk management holistically. Today we’re publishing our first Microsoft report specifically addressing insider risk, “Building a Holistic Insider Risk Management program.”

This Microsoft-commissioned report lays out several new insights about how organizations go from a fragmented approach to insider risk management to a holistic one, addressing potential risks from multiple lenses as part of a greater data protection strategy, with cross-leadership buy-in. For example, we found that more than 90 percent of holistic organizations believe privacy controls should be used in the early stages of investigations. Holistic organizations also get more buy-in on their risk programs from other departments, like legal, HR, or compliance teams, which is critical to building a culture of security. Furthermore, they put a greater emphasis on training with 92 percent agreeing that “training and education are vital to proactively address and reduce insider risks,” compared with 50 percent of fragmented organizations.

The report also shares best practices for organizations who endeavor to approach insider risk management more holistically and build a program that fosters trust, empowers users, and makes privacy a priority.

You can read the full report here.

Learn more

Learn more about Microsoft Purview.

Learn more about insider threats and the types of threats possible.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025, Statista. September 8, 2022.

The post Microsoft publishes new report on holistic insider risk management appeared first on Microsoft Security Blog.

Figure 1: Rate of onsite versus remote work at Microsoft (Jan 2020 to Aug 2021).

Organizations that don’t maintain basic security hygiene practices in the new workplace—applying updates, turning on multifactor authentication (MFA)—are placing their data, reputation, and employees’ privacy at much greater risk. On October 7, 2021, we published the 2021 Microsoft Digital Defense Report (MDDR) with input from thousands of security experts spanning 77 countries. In the report, we examine the current state of hybrid work and recent trends in cybercrime. You’ll also get actionable insights for strengthening defenses across your entire organization.

Hybrid work requires a Zero Trust strategy

Along with basic security hygiene, adopting a Zero Trust security strategy protects your digital estate by applying a “never trust, always verify” approach. The prevalence of cloud-based services, IoT, and the use of personal devices (also known as bring your own device or BYOD) in hybrid work environments has changed the landscape for today’s enterprise. Unfortunately, security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to resources won’t cut it for a workforce that operates beyond traditional network boundaries.

There is no one-size-fits-all approach to Zero Trust implementation, and that’s a good thing. It means you’re free to start anywhere. Organizations of all sizes begin in different areas, based on their immediate needs and available resources. Most organizations approach Zero Trust as an end-to-end strategy that can be completed over time.

Figure 2: Zero Trust implementation areas (from the Microsoft Security Zero Trust Adoption Report).

6 pillars for securing your hybrid workforce

Zero Trust controls and technologies are deployed across six technology pillars. Each pillar in a control plane is interconnected by automated enforcement of security policy, correlation of signal and security automation, and orchestration:

1. Identities

Identities can represent people, services, or IoT devices. As companies adapt for a hybrid workforce, we’ve seen more than a 220 percent increase in strong authentication usage (like MFA) in the last 18 months. Still, in Azure AD for the calendar year to date, we’re observing 61 million password attacks daily. Strong authentication can protect against 99.9 percent of identity attacks, but even better is passwordless authentication, which can provide the most usable and secure authentication experience. Legacy protocols, such as IMAP, SMTP, POP, and MAPI, are another major source of compromise. These older protocols do not support MFA; for that reason, 99 percent of password spray and 97 percent of credential-stuffing attacks exploit legacy authentication.

2. Endpoints

Once an identity has been granted access, data can flow to different endpoints—from IoT devices to smartphones, BYOD to partner-managed devices, on-premises workloads to cloud-hosted servers—creating a massive attack surface. With the Zero Trust model, enterprises can reduce provisioning costs and avoid additional hardware purchases for work-from-home use. For example, an administrator can grant access only to verified and compliant devices while blocking access from a personal device that’s been rooted or jailbroken (modified to remove manufacturer or operator restrictions) to ensure that enterprise applications aren’t exposed to known vulnerabilities.

3. Applications

Modernized applications and services require users to be authenticated prior to having access. However, thousands of applications and services still remain heavily reliant on network firewalls and VPNs to restrict access. These traditional architectures built for legacy applications were designed for lateral connectivity (CorpNet) rather than micro-segmentation. They violate the fundamental Zero Trust principle of “least-privilege access” and are more vulnerable to lateral movement across the network by an adversary. To modernize your applications, deploy one of these three solutions:

• Move to a serverless, cloud-based software as a service (SaaS) or platform as a service (PaaS).
• Utilize application tiers that only expose minimal least-privileged-access endpoints.
• Add an internet hybrid endpoint, such as a reverse proxy or other secure-access service edge system (SASE).

4. Network

Microsoft Azure Firewall blocks millions of attempted exploits daily. Our signals show that attackers most commonly used malware, phishing, web applications, and mobile malware in their attempts at network attacks during July 2021. Also in July, there was a significant uptick in the use of coin miners, a type of malware that uses the network to mine cryptocurrency. Protocols leveraged most often in attacks were HTTP, TCP, and DNS, since these are open to the internet. A Zero Trust approach assumes your network is always under attack; therefore, you need to be prepared with a segmented layout that minimizes the blast radius.

Figure 3: Top 10 network threats (July 2021).

Distributed denial of service (DDoS) attacks on internet-facing endpoints ramped up significantly this year. Compared to the latter part of 2020, the average daily number of attack mitigations in the first half of 2021 increased by 25 percent while the average attack bandwidth per public IP increased by 30 percent. Microsoft Azure DDoS Protection mitigated 1,200 to 1,400 unique DDoS attacks every day in the first half of 2021. Europe, Asia, and the United States remain the most attacked regions because of the concentration of financial services and gaming industries in those regions. Over 96 percent of the attacks were of short duration—less than four hours. To get our latest research on DDoS attacks, download the 2021 MDDR.

Figure 4: DDoS attack destination regions.

5. Infrastructure

Infrastructure—whether on-premises, cloud-based, virtual machines (VMs), containers, or micro-services—represents a critical threat vector. As the move to the cloud enables a more secure hybrid workforce, organizations are also increasing their dependency on cloud storage, requiring effective threat protection, mitigation strategies, and tools to manage access. Azure Defender treats data-centric services, such as cloud storage accounts and big data analytics platforms, as part of the security perimeter and provides prioritization and mitigation of threats. We’ve produced a threat matrix for storage to help organizations identify gaps in their defenses, with the expectation that the matrix will evolve as more threats are discovered and cloud infrastructures constantly progress toward securing their services.

6. Data

With the rise of hybrid work, it’s especially important that data remain protected even if it leaves the devices, apps, infrastructure, and networks your organization controls. While classification, labeling, encryption, and data loss prevention remain core data security components, organizations that effectively manage the lifecycle and flow of their sensitive data as part of their business operations make it much easier for data security and compliance teams to reduce exposure and manage risk. Reducing that risk means reevaluating how your organization conducts business with sensitive data to ensure its proper storage, access, flow, and lifecycle.

Figure 5. The cumulative impact of unified data governance and security on sensitive data risk.

Actionable insights

As we adapt to a hybrid work world, Microsoft is aware of cybersecurity paradigm shifts that will support the evolution of work in a way that centers on the inclusivity of people and data.

Practice digital empathy

By applying empathy to digital solutions, we can make them more inclusive toward people with diverse perspectives and varied abilities. Factoring in digital empathy leads to the inclusion of security professionals with a broader range of abilities, skill sets, and perspectives—increasing the effectiveness of cybersecurity solutions. It also means developing technology that can forgive mistakes. Whether as an organization or an individual, our ability to be empathetic will help us to adapt during this time of constant change.

Don’t wait to start your Zero Trust journey

As we look past the pandemic to a time when workforces and budgets finally rebound, Zero Trust will become the biggest area of investment for cybersecurity. This means that right now, every one of us is on a Zero Trust journey—whether we know it or not. As shown in Figure 2, it doesn’t matter whether you start in endpoints, applications, or infrastructure, all that matters is that you get started now. Something as simple as enabling MFA (free with Microsoft Security solutions) can prevent 99 percent of credential theft.  To see where you are at in your Zero Trust journey, take the Zero Trust Assessment.

Diversity of data sources matters

Microsoft processes over 24 trillion daily security signals across a diverse set of endpoints, products, services, and feeds from around the globe. We were able to identify and block new COVID-19-themed threats—sometimes in a fraction of a second—before they reached customers. Our rich diversity of data allowed Microsoft cyber defenders to understand COVID-19-themed attacks in a broader context—determining that attackers were primarily adding new pandemic-themed lures to familiar malware. This is just one example of how the diversity of data and the power of the cloud deliver a clear advantage in combating threats.

Cyber resilience equals business resilience

The latest cyberattacks are deliberately targeting core business systems to maximize destructive impact and increase the likelihood of a ransomware payout. Knowing this, it’s imperative that a comprehensive approach to operational resilience includes cyber-resilience. At Microsoft, our strategy focuses on four basic threat scenarios: events we can plan for, such as extreme weather; unforeseen natural events, such as earthquakes; legal events, such as cyberattacks; and deadly pandemics, such as COVID-19. Cloud technology, due to its scalability and agility, helps organizations develop a comprehensive cyber-resilience strategy and makes preparing for contingencies less complicated.

Focus on integrated security

Recent attacks by nation-state actors against Microsoft Exchange, Colonial Pipeline, and JBS USA brought into stark reality the agility and callousness of our adversaries. To uncover shifting attack techniques and stop them before they do serious damage, organizations need to have complete visibility across their own applications, endpoints, network, and users. To do this, while simplifying and reducing costs, businesses can adopt the security capabilities built into the cloud and productivity platforms they’re already using. Security tools that are fully integrated help improve efficacy and provide the end-to-end visibility today’s organization needs.

While digital acceleration will continue to drive these paradigm shifts, one thing remains the same: security technology is about improving productivity and collaboration through secure and inclusive user experiences. By practicing security for all, Microsoft is committed to making cybersecurity empowering for your organization every day.

Learn more

Hybrid work is the new normal, and organizations need the latest data on how to defend themselves in a constantly evolving threat landscape. To get 100 plus pages of insights gathered across more than 23 billion daily security signals across the Microsoft cloud, endpoints, and intelligent edge, download the 2021 Microsoft Digital Defense Report. Also, see our past blog posts providing information for each themed week of Cybersecurity Awareness Month 2021. Read our latest posts:

• #BeCyberSmart: When we learn together, we’re more secure together
• How cyberattacks are changing according to new Microsoft Digital Defense Report
• Get career advice from 7 inspiring leaders in cybersecurity
• Defenders wanted—building the new cybersecurity professionals
• New insights on nation-state attacks

Be sure to visit our Cybersecurity Awareness Month page for more resources and information on protecting your organization year-round. Do your part. #BeCyberSmart

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post New insights on cybersecurity in the age of hybrid work appeared first on Microsoft Security Blog.

Strengthen your cybersecurity team through diversity

Geoff, who joined LinkedIn in 2019, leads the organization’s internal security teams in building a safe, trusted, and professional platform. He brings more than 22 years of experience in network architecture and security leadership to his role at LinkedIn. He previously was the CISO at Slack, where he built the security organization from the ground up, including laying the groundwork for Slack’s production incident management process. He earned a Bachelor of Science degree in Business Management at Western Governors University. One of his favorite things about cybersecurity is that it’s a multi-disciplinary and inter-disciplinary practice where people from different specialties, including business and other non-technical backgrounds, can contribute.

One of cybersecurity’s much-discussed biggest challenges is the skills gap. The cybersecurity industry is projected to triple year-over-year through 2022, but the shortage of cybersecurity professionals is in the millions globally, according to an article in The CyberWire¹. The skills gap is caused, in part, because the industry is relatively new and people don’t receive training on how to work in cybersecurity, according to Geoff. If a company wants to interview 10 candidates with 20 years of experience for a cloud security engineer role, it could be waiting for a very long time.

He recommends that organizations expand their idea of the right person for an open cybersecurity position. Stop thinking that the only person that is right for a role in cybersecurity majored in cybersecurity in college and that a principal-level network security cloud architect will be an expert in all three cloud platforms. Instead, consider people who can process and analyze a collection of information, understand your company’s technology, and understand what the organization is trying to accomplish and the tools available. Inquisitive people who are passionate about problem-solving can grow into a cybersecurity position and become effective contributors to the organization. By investing in people with useful raw skills and developing their cybersecurity skills, organizations fill roles and add valuable diverse perspectives to their cybersecurity teams.

Once you fill those cybersecurity roles, retaining employees is critical. The secret to that is always company culture, Geoff said. Compassion and empathy are not only good traits to adopt but also essentials for an organization wanting to attract and retain the best talent. Authentic organizations care about their people and recognize that they need time outside work. After all, psychologically healthy people are the best asset for any organization.

During our conversation, Geoff also shared his appreciation for the Zero Trust approach because it reinforces the idea that there is no safe haven. Security is a thought process rather than an end goal you can attain. Acknowledging that there is no castle where you can lock away your data and keep it safe makes you rethink your production environment and your risk assessment. That’s a powerful realization because it puts you on a path to explore why things aren’t as secure as they should be, according to Geoff. To learn why he thinks cybersecurity professionals from nontraditional career paths can be especially successful in a Zero Trust environment, listen to Building a Stronger Security Team on The CyberWire.

What’s next

In this important cyber series, I talk with cybersecurity peers and Microsoft leaders about today’s biggest challenges in cybersecurity and practical guidance for security practitioners.

You can listen to Security Unlocked with Bret Arsenault on:

• Apple Podcasts, Amazon Music, Google Podcasts, and Spotify. You can also download the episode by clicking The CyberWire link below.
• The CyberWire: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
• CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics, such as building a security team and securing hybrid work.

To learn more, visit our website. In the meantime, bookmark the Security blog to keep up with our coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹Understanding the cybersecurity skills gap and how education can solve it, Ingrid Toppelberg, The CyberWire, 19 April 2021.

The post Why diversity is important for a strong cybersecurity team appeared first on Microsoft Security Blog.

The importance of employee inclusion and security

When employees don’t feel included, they’re not going to do their best work, according to Emma, who is Vodafone’s Global Cybersecurity Director. She believes it’s up to managers, supervisors, and global security directors to create a workplace where everyone feels heard.

Emma recalls attending her first industry event after taking over as Chief Information Security Officer at Royal Bank of Scotland in 2011. She was one of only six women out of 120 people in the room. That experience made her personally aware of how important it is to feel included and she said workplace inclusion is a subject she holds close to her heart. Vodafone focuses on diversity and inclusion and on how to hire, retain, and progress people of different backgrounds, ethnicities, genders, and ages.

Besides looking out for employees on the issue of inclusion, companies should protect them from security threats. One consistent cybersecurity message from employees—as well as from customers and security teams—is that passwords are extremely frustrating, according to Emma. Because of people’s strong views on passwords, Vodafone has been on a mission to remove them from its environments entirely and instead use secure, simple multifactor authentication. It’s an objective that also comes from knowing there’s one group that loves passwords: cybercriminals. Switching to multifactor authentication can help remove them from the equation by eliminating a favorite way to sneak into a network.

To fight cyber threats, it’s important that threat intelligence teams collaborate with colleagues from different companies to share information on threats and prevention strategies. Fighting as one security community is far more powerful than trying to do it on our own, Emma explains.

During our conversation, Emma also shared her thoughts on the benefits of cloud and secure developer operations (DevSecOps) in cybersecurity and offered four cybersecurity strategies that security practitioners should implement immediately to secure employees, data, and devices. One of them? Don’t get so distracted by new and shiny cybersecurity techniques that you forget security basics. To hear details of this strategy and learn about the other three strategies, listen to Leading an Inclusive Workforce on The CyberWire.

Guest bio

Emma Smith is Global Cybersecurity Director at Vodafone. She began her career in auditing. She worked for two years at Royal Bank of Scotland as Head of Internal Audit, Technology, before taking roles at the bank as Head of Group Information Security, Records and Payments Security, Chief Information Security Officer, and Director of Security and Resilience.

Bret Arsenault bio

Bret Arsenault is Corporate and Chief Information Security Officer at Microsoft, where he’s responsible for enterprise-wide information security, compliance, and business continuity efforts. He has more than 25 years of cybersecurity experience. He is Chairman of Microsoft’s Information Risk Management Council and hosts Microsoft’s Security Council.

What’s next

In this podcast series, I talk with cybersecurity peers and Microsoft leaders about today’s biggest challenges in cybersecurity and practical guidance for security practitioners. To learn more, visit our website. In the meantime, bookmark the Security blog to keep up with our coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

You can listen to “Security Unlocked: CISO Series with Bret Arsenault” on:

• Apple Podcasts, Google Podcasts, Amazon Music, and Spotify. You can also download the episode by clicking the episode website link.
• CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics, such as building a security team and securing hybrid work.

The post How Vodafone Global Security Director creates an inclusive and secure workplace appeared first on Microsoft Security Blog.

The good news is that there is a solution. Zero Trust is a security strategy that upends the current broad trust model. Instead of assuming trustworthiness, it requires validation at every step of the process. This means that all touchpoints in a system—identities, devices, and services—are verified before they are considered trustworthy. It also means that user access is limited to only the data, systems, and applications required for their role. By moving from a model that assumes trust to one that requires verification, we can reduce the number and severity of security breaches.

You can begin implementing a Zero Trust access model now. Expect this to be a multi-year process, but with every action, you’ll make incremental progress that improves your security posture. Start with implementing Multi-Factor Authentication (MFA) to better protect your identities and then develop a phased plan to address identity access, device access, and network access. This is the approach that Microsoft has taken.

Take a look at our Zero Trust access model implementation plan for more ideas on how to structure each phase. You can also look at my advice on preparing your organization for passwordless for tips on better securing your identities.

We are on this journey together. I will continue to share insights and advice in the coming months and years.

• Read more about how Microsoft is approaching Zero Trust.
• Download the Microsoft Zero Trust access architecture implementation plan.
• Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Improve security with a Zero Trust access model appeared first on Microsoft Security Blog.

I can tell you that deploying a companywide strategy for eliminating passwords isn’t easy, but it’s also probably not as hard as you think, either. When I told our senior leaders that we’d be eliminating passwords in about 24 months, they applauded. When I said getting there would temporarily disrupt support for select line of business apps and devices, they had questions. What I share with you today is based on what we’ve learned in this process.

I’ve been talking about eliminating passwords for a while now, aligning to our principles for identity strategy, and the most common response I get from my peers is: “Great, how can I do it at my company?” Today, I’m outlining the basic steps necessary to eliminate passwords, with the acknowledgement that we’re still on the journey. I believe we’ve mapped out the right path, but we aren’t finished yet.

The first step is to segment the user population in your network. You’ll have to bifurcate your users into two groups: 1) those users in a compliance boundary (for example, people who handle credit card/payment information); and 2) everyone else. This segmentation is necessary because there are compliance requirements in some industries that essentially require using user names and passwords. Until the regulations catch up with the technology, the people in this segment will be forced to continue using passwords. The good news is that the rest of your user population is probably quite sizable and can move forward on the journey towards eliminating passwords.

Once the user population is segmented, the remaining steps can be pursued, and they don’t have to be done sequentially. If you follow these steps, you’ll have a vastly superior user experience for your employees and a more secure network while you’re on the path to ending passwords in your own environment:

• Banned passwords—Create a list of banned passwords that your user population is prevented from using. These are passwords that are commonly used, such as qwerty123, 123456, password1, and those that are easily guessable, like sports teams and month/year combinations. This list can be created using Azure Active Directory (Azure AD) password protection, which works in a hybrid environment and leverages machine learning from 650B authorizations every month. You could also create a list via other service offerings available in the industry.
• Use Multi–Factor Authentication (MFA)—MFA, or two-factor authentication, is a secure authentication method in which a user is only granted access after successfully presenting at least two separate pieces of evidence to an authentication mechanism. Using MFA is the single most effective security practice that companies are NOT employing. We employ MFA in our environment via Windows Hello, Microsoft Authenticator, and/or Azure MFA, but there are multiple options for implementing MFA including FIDO keys, smart cards, and tokens. In fact, we recently announced that companies can now go passwordless with the public preview of FIDO2 security keys support in Azure AD, making it even easier to implement MFA. And, contrary to popular belief, we are not a Microsoft-only environment; our network includes every operating system and platform available.
• Modernize hardware—Ideally, you would update your hardware to add biometric reader capabilities and Trusted Platform Module 2.0 (TPM2.0), or FIDO 2.0 and above. Biometrics can replace passwords and create a nearly friction-free experience for users. There are other hardware options that support MFA, which don’t provide a user experience as smooth as biometrics, but still support MFA and offer much better security. TPM technology provides hardware-based, security-related functions which can also be used in place of traditional passwords.
• Legacy authentication—The final and most difficult step in the process is eliminating the use of legacy authentication. This includes all protocols that use basic authentication and can’t enforce any type of second factor authentication. This step is time consuming, laborious, and can create headaches when it occasionally breaks services. If your company is already completely in the cloud, and doesn’t have any legacy authentication anywhere, you can eliminate passwords very quickly. For the rest of us, it will take longer. There are features in Azure AD that allow a view into the audit logs and help identify the applications which are using legacy authentication. One approach to this step is to block legacy authentication through conditional access.

My last advice is to think carefully about how you engage with users to implement all the steps I outlined in this blog. Promote the user benefits at the outset of your program. This is a lesson I learned the hard way. When we first started on this path, I started promoting the use of “MFA everywhere” to our employees. People interpreted this as requiring smart cards everywhere. They saw this as one more technical, cumbersome requirement from the IT department. Eventually I figured out that our employees were universally excited about eliminating passwords, so I communicated with them about how each step helped us with that goal. I got a much more positive response. When people see that our efforts make their experience better, it is easy to get their enthusiastic participation.

As I mentioned above, we’re still on this journey, and we’re wrestling with the same challenges everyone else faces. One thing I try to remember is the adage about not letting perfection stand in the way of progress. Taking any of the steps I’ve outlined above will help improve your security environment, even if the total elimination of passwords is something you won’t achieve for years. We haven’t achieved our end goal, but we’re making progress and currently over 90 percent of our employees are able to sign in to our network without entering a password. Once our users no longer need to enter a password for anything, we can eliminate passwords entirely. We believe we’ll achieve this in about 18-24 months. As we make progress on our quest to eliminate passwords, I’ll continue to share what we’ve learned.

To learn more about going passwordless visit The end of passwords.

The post Preparing your enterprise to eliminate passwords appeared first on Microsoft Security Blog.

This list is by no means exhaustive, but I hope it is a helpful starting point for those looking for more guidance on how to help protect their environments from present and future threats:

1. Implement robust update deployment technologies and operational practices so you can deploy updates as consistently and quickly as possible. Companies with complex deployment needs might consider working with IBM BigFix, Landesk/Ivanti, or Microsoft’s System Center Configuration Manager. Our customers can use Windows Update and Windows Update for Business, free of charge. (This is a multi-faceted issue so I’ve added more thoughts below.)
2. Limit the impact of email as an infection vector. This is particularly important given that more than 90% of cyberattacks start with a phishing email. Developing strong user education and awareness programs can help individual employees identify and avoid phishing emails. Barracuda, FireEye, and Office 365’s Exchange Online Protection and Advanced Threat Protection all provide technology to help prevent phishing and spam emails and other links to malware from getting through to your users.
3. Ensure the broad deployment of up-to-date anti-malware software. Solutions from industry partners like those in the Microsoft Active Protections Program, as well as technologies like Windows Defender and Advanced Threat Protection, can help protect users and systems from attacks and exploits.
4. Implement protected backups in the cloud or on-premises, also known as a data protection service. Having multiple versions of your data backed up and protected by measures such as dual factor authentication is a critical layer of protection to help prevent ransomware or malware from compromising your data. Companies can look to vendors like NetApp, CommVault, or Microsoft with Azure Backup for solutions.
5. Implement multi-factor authentication to protect user identities and minimize the probability of unauthorized access to company resources and data with technologies like RSA SecurID, Ping Identity, Microsoft Authenticator and Windows Hello.
6. Improve your team’s situational awareness and response capability across your enterprise all the way to the cloud. Cybersecurity attacks are increasingly complex, so businesses need a holistic view of their environment, vulnerability, real-time threat detection, and ideally, the ability to quarantine compromised users and systems. Several companies offer cutting edge capabilities in this regard, including Qualys, Tenable, Rapid7 and Microsoft’s own Azure Security Center and Windows Defender Advanced Threat Protection (WDATP).
7. Store and analyze your logs to track where an infection starts, how far into your enterprise it went and how to remediate it. Splunk, ArcSight, IBM and Microsoft with our Operations Management Suite – Security all offer capabilities in this area.

Keeping systems up to date is critical so I want to share a few more thoughts about how we approach it as part of our overall security posture. First, there is no one-size-fits-all strategy. A comprehensive approach to operational security – with layers of offense and defense – is critical because attackers will go after every chink in your armor they can find. That said, updating can be difficult in complex environments, and admittedly no environment is 100% secure, but keeping your software up to date is still the number one way to stay secure in a world of motivated attackers and constantly evolving threats.

In terms of how we approach patching and updating at Microsoft, I’m fortunate to have passionate teams working around the clock to limit the impact of infections and update vulnerable systems as quickly as possible. I also know that the Windows team works hard to ensure that they consistently deliver high quality updates that can be trusted by hundreds of millions of users. They conduct thousands of manual and automated tests that cover the core Windows functionality, the most popular and critical applications used by our customers, and the APIs used by our broad ecosystem of Windows apps and developers. The team also reasons over the data, problem and usage reports received from hundreds of millions of devices and triages that real world usage information to proactively understand and fix application compatibility issues as quickly as possible. With all of this context in mind, I want to acknowledge that even more work is needed to make updates easier to deploy and we have teams across the company hard at work improving the experience.

Whether you are a vendor like Microsoft or one of the billions of businesses who count on IT to function, security is a journey, not a destination. That means constant vigilance is required. I hope you find this information helpful on your own journey and as you assess you readiness in light of recent attacks.

You can read more about the WannaCrypt attack in the MSRC Blog, as well as Microsoft President Brad Smith’s perspective on the need for collaboration across industry, government and customers to improve cybersecurity. Visit our Get Secure, Stay Secure page regularly for additional guidance, including new insights on ransomware prevention in Windows 10.

The post The CISO Perspective: Putting lessons from WannaCrypt into practice to avoid future threats appeared first on Microsoft Security Blog.