Brooke Lynn Weenig, Author at Microsoft Security Blog
Expert coverage of cybersecurity topics. Feed last updated Thu, 12 Sep 2024 21:05:38 +0000.

How to build stronger security teams
http://approjects.co.za/?big=en-us/security/blog/2023/07/25/how-to-build-stronger-security-teams/
Tue, 25 Jul 2023 16:00:00 +0000
Jayson Street of Truesec talks about security awareness training and building a foundation of cybersecurity.

The post How to build stronger security teams appeared first on Microsoft Security Blog.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Truesec Chief Chaos Officer Jayson Street, who wrote the “Dissecting the Hack: the f0rb1dd3n Network” series and was featured on the National Geographic series “Breakthrough Cyber-Terror.” The thoughts below reflect Jayson’s views, not the views of Jayson’s employer or Microsoft, and are not legal advice. In this blog post, Jayson talks about security awareness training.

Brooke: Tell us about yourself, Jayson.

Jayson: I have always found that it was better to make bad guys have bad days than to be a bad guy. I used to work defending banks, and I was so good at that, I started testing their security. Through doing that, I realized I was good at robbing banks, and so now, I virtually “rob” banks for a living to help people be better protected and secured. I rob banks in Jordan and Jamaica and from Lebanon to Louisiana. I have robbed hotels from Malaysia to Germany to Maine.

I make sure that I get caught because I am not there trying to break things. It is about education, not exploitation. I am there to teach, not to test you. I go back after I have compromised the site and educate every person who let me do something that was bad. I tell them, “I lied to you. I was doing a bad guy thing, and this is what you can do better. Now you know what it looks like.” I turn this negative experience for them into a positive one.

I do not record the names of anyone who fails that part of the test. I record the people who did something good because then you have someone for employees to look up to. No matter how bad the report is, people can say, “Bob in accounting questioned the attempt. He did the right thing.” I have had to do some of the most outlandish things to get caught, but I guarantee that I will get caught by the end of the engagement.

Brooke: How can organizations and people improve their security posture?

Jayson: People say, “We are different here.” No, you are not. People are people. The myth that a person is built differently or runs internally differently is absurd. When anyone is at a workspace, you have certain expectations versus the expectations if you were in a public place. Your mannerisms change from the workspace to the public environment.

I gave a talk last year where I talked about perception. If I dress up in a suit, have a USB drive, and am coming in to do an audit, I am going into a private area. I have already made it through your first layer of security because that is usually a joke. One time, I walked straight to a bank’s breakroom, sat down, drank some water, walked into the teller area, did not even say anything to anyone, just nodded to the guy depositing money beside me, unplugged the computer, and walked out of the bank with it.

Improving security posture, including training your employees well, is important. On the first day of your job, you were told what is expected for your job. They tell you what your role is going to be, and they show you what equipment you have, and that you are responsible for that equipment. If you were given a van, which is a piece of equipment, do they give you the keys on the first day without making sure you have proper training and understand all their rules? When you are given a laptop, it is a piece of equipment. You were told that you were responsible for not just how you operate this equipment but also the security of this equipment.

The first time you click on a phishing link, whether it is a test or not, no harm, no foul. But all you have to do is go through an extra hour of training. The second time, in order to train employees better, I suggest that you do something more along the lines of, “Your email has now been turned into a gateway. All your incoming emails are held on our server, and we send you a whitelisted digest. You must go through the emails and check the ones that you want to receive. You are going to have to do that for three months. If you click on a third phishing email within the same year, you are fired.” Security must be top of mind for your employees to improve your security posture.

Brooke: What are the current top threats you are seeing and have they changed?

Jayson: The technology keeps improving and it is harder to break. We are stuck in the mindset that we still need to break technology or we can just buy another blinky box to combat people breaking into technology. The defenses are not going to be walls anymore. Walls don’t work.

People need to protect technology instead of trying to make the technology be the barrier for the people. Technology should be the safety net for when people make a mistake because more attackers are no longer going after the technology. In our industry, we want things to be quick, but if you are not doing patch management and asset management, you are not going to be prepared for anything that is going to happen. They are the foundation.

People forget that foundations are demanding work. They are ugly. They are concrete blobs. There is nothing pretty about a foundation, but if you do not have one, it does not matter how pretty that house is that you are building on it. It is not going to last. We must work on our foundations and make sure when a new machine pops up, someone gets an alert saying the machine popped up on the network.

Brooke: What advice would you give to chief information security officers (CISOs) on security awareness training?

Jayson: It is okay to not understand all the different technologies. It is hard to combat the Hound of the Baskervilles syndrome, which is when Security comes to you and says, “We did a really excellent job this year. Nothing happened. If you give us $2 million more for next year’s budget, we will make sure nothing happens again.” If the hounds are not barking, how do you know how they would respond in a threatening situation?

To succeed at securing their enterprise, the chief executive officer (CEO), chief financial officer (CFO), and chief operating officer (COO) need to live by the security policies they establish. If the CEO is taking patch management seriously, if the CFO is making sure their badge is visible when they go into work, if the CISO is making sure that their workstation gets locked out after 15 minutes and turns on a screen saver or lock screen, then the people who report to them know to take security seriously. And then the people who report to those people will do it.

If a CEO or a CISO says, “That does not really apply to me,” every person beneath them is going to say, “I work for them, so that does not apply to me,” and every person who works beneath them is going to say the same.

Tell the executives, “If you were breached for five minutes and a quick-thinking employee realized what happened and you can start your incident response within five minutes, that is going to cost you a week’s worth of time to make sure everything is taken care of. Imagine how much time a breach is going to take if that lasted for five months.”

Brooke: How should the cybersecurity team respond when an employee clicks on a phishing link?

Jayson: I have never met a server that got upset when they got popped with Microsoft 365. But when a person clicks on an email or makes a mistake and allows someone in or answers a phishing email, how we respond to them matters because they do have feelings. One of the biggest myths is when people say a “stupid user” clicked on a link or went to a website. I do not think people are stupid. I just think that information security did not properly train its users.

Cybersecurity should let people know that they are not a liability but an asset and part of their team. Employees have feelings and they do not want to fail. Many insiders are not an insider threat because of maliciousness. It is because of ignorance. But ignorance means that you can be educated on it and learn. And that is the most vital part when securing your organization.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

How automation is evolving SecOps—and the real cost of cybercrime
http://approjects.co.za/?big=en-us/security/blog/2023/06/28/how-automation-is-evolving-secops-and-the-real-cost-of-cybercrime/
Wed, 28 Jun 2023 16:00:00 +0000
ramsac Founder and Managing Director Rob May shares insights on how automation can support SecOps and how to protect against phishing attacks.

This post is coauthored by Rob May, Founder and Managing Director, ramsac

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with ramsac Founder and Managing Director Rob May, who gave a TED Talk called “Your Human Firewall: The Answer to the Cyber Security Problem.” The thoughts below reflect Rob’s views, not the views of Rob’s company or Microsoft, and are not legal advice. In this blog post, Rob talks about security operations (SecOps) challenges and how automation can address them, and shares phishing attack protection strategies.

Brooke: What are the biggest challenges in SecOps?

Rob: SecOps is the team responsible for the security of an organization’s IT infrastructure, and for monitoring and responding to security threats and implementing security controls. One challenge for SecOps professionals is keeping up-to-date on the latest trends and tactics used by cyberattackers because threats to security are constantly evolving.

Another challenge is alert fatigue. Security teams are bombarded with alerts from their monitoring tools, and this can make it difficult to identify and respond to real threats. Many of the alerts that security teams receive are false positives that waste time and resources that could be better spent responding to real threats. In the industry, we talk about the utopia of having a single pane of glass that we can look through and get a view of everything. The reality is, in lots of organizations, they are not achieving that.

Balancing security with business needs is always a challenge. Security measures can sometimes conflict with the needs of users in the business, such as usability and accessibility. Professionals have to balance security needs with business needs so that security measures do not get in the way of productivity. Security teams often lack the resources to do their jobs effectively, and that might be budget, staffing, tools, or incident response training.

When a security incident occurs, SecOps professionals have to act quickly to investigate and contain the threat. Organizations are subject to a whole range of regulatory requirements depending on their geography and industry, and that can be complex and time-consuming to maintain. A SecOps professional has to think critically, work under pressure, and stay up-to-date with the latest trends and technologies in order to be successful in their role.

Brooke: Can automation help address any of these challenges?

Rob: Definitely. Automation is a powerful tool in SecOps that helps reduce the workload on the team and improve the efficiency and effectiveness of SecOps generally. An automated incident response system can detect unusual activity on the network and take action to contain and remediate that threat. Or it might detect an impossible activity, such as if you spent the day in the office in London and half an hour later, it appears that you are trying to log in in Russia.

Vulnerability management automation can be used to identify vulnerabilities in systems and applications, prioritize them based on risk, and recommend remediation actions. Threat intelligence can help gather, analyze, and act on threat intelligence data from various sources, including open-source feeds, dark web forums, internal security logs, and compliance monitoring.

We can help ensure compliance with regulatory requirements and internal security policies by continuously monitoring systems and applications for compliance violations and security testing. We can use automation to conduct regular security tests such as penetration testing and vulnerability scanning to identify potential vulnerabilities and weaknesses.

Automation is not a replacement for human expertise and judgment. They go hand in hand. Automation helps improve the efficiency and effectiveness of security operations, and experienced SecOps professionals interpret what it is saying and act on the data provided by the tools.
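The “impossible travel” check Rob mentions (a sign-in in London followed half an hour later by one from Russia) is simple enough to show end to end. The script below is an added example for this post, not code from ramsac, Microsoft Sentinel, or any other product. It runs over a handful of constructed sign-in events, works out the great-circle distance between consecutive successful sign-ins for the same user, and flags any pair whose implied speed exceeds an assumed airliner-speed threshold of 900 km/h. The user names, cities, coordinates and the threshold are all assumptions for illustration; failed attempts are ignored and moves within the same metro area are skipped so that two sign-ins a few seconds apart from the same city do not divide by near-zero time.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed threshold: roughly airliner cruising speed
SAME_AREA_KM = 50.0               # assumed: treat shorter hops as "same city", not travel


@dataclass(frozen=True)
class SignIn:
    """One sign-in event as an identity provider's log might record it."""
    user: str
    time: datetime
    city: str
    lat: float
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS-84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one finding per consecutive pair of successful sign-ins by the same
    user that would have required moving faster than max_speed_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.time):
        if e.success:                       # failed attempts prove nothing about location
            by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for earlier, later in zip(evs, evs[1:]):
            dist = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            if dist < SAME_AREA_KM:         # same metro area: not travel at all
                continue
            hours = (later.time - earlier.time).total_seconds() / 3600.0
            # Identical timestamps with a real distance between them are the clearest
            # case of all, so treat the required speed as unbounded rather than dividing by 0.
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": earlier.city,
                    "to": later.city,
                    "minutes": round(hours * 60, 1),
                    "distance_km": round(dist, 1),
                    "required_speed_kmh": round(speed, 1),
                })
    return findings


def _t(h, m):
    # Constructed: all sample events fall on the same day, in UTC.
    return datetime(2023, 6, 28, h, m, tzinfo=timezone.utc)


# Constructed sample log: coordinates are city centres, users are fictitious.
SAMPLE_EVENTS = [
    SignIn("alice@example.com", _t(9, 0),  "London",     51.5074, -0.1278, True),
    SignIn("alice@example.com", _t(17, 0), "London",     51.5074, -0.1278, True),   # same city, skipped
    SignIn("alice@example.com", _t(17, 30), "Moscow",    55.7558, 37.6173, True),   # ~2,500 km in 30 min
    SignIn("bob@example.com",   _t(9, 0),  "London",     51.5074, -0.1278, True),
    SignIn("bob@example.com",   _t(14, 0), "Manchester", 53.4808, -2.2426, True),   # ~260 km in 5 h: plausible
    SignIn("bob@example.com",   _t(14, 5), "Moscow",     55.7558, 37.6173, False),  # failed attempt, ignored
]

if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['from']} -> {f['to']} in {f['minutes']} min "
              f"({f['distance_km']} km, needs {f['required_speed_kmh']} km/h)")
```

Run as-is, it reports only alice’s London-to-Moscow pair. This is exactly the kind of alert Rob says should still pass a human sanity check before an account is locked: a VPN egress point or a mobile carrier’s geolocation can produce the same pattern, so the finding is evidence to investigate, not proof of compromise.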

Brooke: Have you seen a change in sentiment towards automation in the industry?

Rob: If you leave everything to automation, it has more potential to go wrong. For instance, if it detects something and blocks someone out of their account, and there is no human getting involved for a sanity check, all it is going to take is somebody in the C-suite not being able to do their job when they need to for them to think, “Oh, this is rubbish.”

Of course, it is not rubbish. It is an incredibly powerful tool. We just need to be able to interpret that as well. If I look at my own business and how we use something like Microsoft Sentinel, it is a positive thing, but we have used automation to take all the legwork out of it. A very large number of data incidents can be looked at to flush out a much smaller number that is then investigated. There is no way you could do that without automation. Without a doubt, it is a game-changer.

Brooke: What does it mean to be a “human firewall?” 

Rob: The human firewall is the collective efforts, behaviors, and habits of the people within an organization. Many commentators say that when it comes to cybersecurity, people are our weakest link. My view is that it is essential that we also consider the flip side of that coin, which is that people are also our greatest strength. We need to ensure that we give everyone the right training, awareness, tools, and policies to stay as safe as possible. If your people are not cyber-resilient, neither is your business.

Brooke: What is the real cost of cybercrime? 

Rob: This question can be answered in a number of different ways. In terms of monetary value, the numbers are huge. I read one report recently that suggested that if the worldwide cost of damages caused by cybercrime was a country (measured in gross domestic product), it would be the third largest economy in the world after the United States and China.

The other way of answering the question is to look at all the associated impacts of cybercrime. This includes the direct costs of responding to an attack, including the investigation, remediation, and repair. Then, there are indirect costs, such as lost business, loss of productivity, reputational damage, emotional harm experienced by the Chief Information Security Officer and company officers, and other things like the resultant increase in insurance premiums (which can be significant).

Brooke: What variants are you seeing with phishing attacks today? How are they getting smarter and how can people and organizations protect themselves from these attacks? 

Rob: Phishing attacks come in many different forms, but common variants include:

  • Spear phishing: This is a targeted attack that is tailored to a specific person or organization. The attacker may use personal information or other details to make the message seem more legitimate.
  • Whaling (chief executive officer phishing): This is a type of spear phishing that targets high-level executives (the “big fish”) and other high-profile individuals within an organization.
  • Pharming: This is an attack that redirects users to a fake website that looks like a legitimate site but is designed to steal their login credentials or other sensitive information.
  • Vishing: This is a form of phishing that involves voice solicitation, such as phone calls or voicemails, instead of email.
  • QRishing: This is phishing through QR codes. If you open a QR code on your device, it is no different from clicking on a link in an email.

Cybercriminals are using more sophisticated tactics for their phishing attacks to make their messages seem more legitimate. For example, attackers may use social engineering techniques to create a sense of urgency or to create a false sense of trust. They may also use advanced malware and other tools to bypass security measures and gain access to sensitive information.

To protect against phishing attacks, individuals and organizations should take a number of steps:

  • Use strong passwords and multifactor authentication.
  • Be wary of emails or other messages that ask for personal information or login credentials.
  • Check the URL of any website that asks for login credentials or other sensitive information to make sure it is legitimate.
  • Use antivirus and antimalware software to protect against malicious software.
  • Educate employees and other members of the organization about the risks of phishing attacks and how to recognize and avoid them.
  • Make sure your computer and devices have the latest software and firmware updates.
  • Use anti-ransomware detection and recovery and turn on controlled folder access on the desktop.

By taking these steps, people and organizations can protect themselves against the growing threat of phishing attacks.

Why a proactive detection and incident response plan is crucial for your organization
http://approjects.co.za/?big=en-us/security/blog/2023/06/06/why-a-proactive-detection-and-incident-response-plan-is-crucial-for-your-organization/
Tue, 06 Jun 2023 16:00:00 +0000
Matt Suiche of Magnet Forensics talks about top security threats for organizations and strategies for effective incident response.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Matt Suiche, Director of Research and Development for Memory Analysis and Incident Response for Magnet Forensics. The thoughts below reflect Matt’s views, not the views of Matt’s employer or Microsoft, and are not legal advice. In this blog post, Matt talks about incident response.

Brooke: What are the top threats impacting organizations?

Matt: One of the big threats is business email compromise, with all the phishing happening to organizations and billions of dollars being stolen because of invoices being modified after attackers access the mailboxes of key employees.

Another threat is info-stealers. Essentially, ransomware involved criminal groups breaching organizations’ infrastructure, encrypting their files, and asking for ransom. Now, because more organizations are aware of that threat, they have become more proactive, and use backups. This is why criminal groups are switching to info-stealers, where they steal that sensitive information rather than randomly encrypting files. They are more strategic with the data they are stealing, so they can monetize the information. Ransomware actors even buy the credentials of companies on different forums or from other criminal groups.

Brooke: How can organizations reduce the risk of threats?

Matt: Reducing your risk is a continuous process because threats today are different from a few years ago and they are different from what they will be in one to three years.

Organizations must understand that there will never be zero risk. That is why it is important to be proactive when it comes to detection as well as have a strong, quick, and efficient incident response plan in place. We enable our users to proactively hunt for threats not only after breaches but also as a routine exercise as sometimes actors can be present in your network for months before they take any visible actions.

This plan should also include digital forensics—uncovering root causes and working those learnings back into the rest of the organization to remediate vulnerabilities, as well as improve the overall incident response plan, which is another strong way to reduce the risk of attack through similar methods.


Brooke: How do you get leadership buy-in to build an incident response team?

Matt: To get budget, the chief information security officer needs to convince upper management of being prepared for a cyber breach, as it is inevitable. At organizations that understand the security risk, it may be easier to get budget, but then it is about how you deploy that budget. That comes down to the organization and leadership prioritizing what they want to focus on based on the actual threat model of the organization and areas where they know they are weak and want to improve.

The answer is going to differ from one organization to another, but the main thing is to make sure that leadership understands the risk of poor cybersecurity and a lack of preparedness for when a breach occurs. Fortunately, in 2023, there are enough stories in the press, movies, TV shows, and books to do the job for people.

Brooke: How does an organization develop an efficient incident response process?

Matt: First, each organization needs to understand its threat model, because each organization has different risks. The issues of a healthcare company and a financial institution are going to be completely different, and even the people targeting you would have different attack strategies.

Organizations need to focus on both detection and response capabilities. Detection involves being proactive, making sure you have visibility of your network and understand what is happening. If there is a threat, you detect it. The response part is why you have an incident response plan and digital forensics capabilities in place. If something is happening, you need to be able to investigate it immediately and thoroughly.

Organizations also need to understand their threat model and the profile of people that may be going after them. Based on that information, focus on a strategy for detection and a strategy for incident response. Threat intelligence is a component of both.

Everyone also needs to have a backup plan internally whenever they investigate because detection is great but not perfect.

Brooke: What do we need to know about incident response to protect ourselves?

Matt: Unfortunately, a lot of security processes involve humans, so if you are a large organization, automate as much as you can to avoid security people experiencing burnout and so your company can be more efficient.

If you are an organization developing software, make sure you have proper application security people in place. If you are handling data, make sure you have good controls in place. If you are a financial institution, you are going to need all of the above, so it really depends on the profile of the organization. It is about people being logical and not only relying on security products.

Brooke: Why is multifactor authentication so important?

Matt: With identity, we are talking about control. Multifactor authentication is great because it adds a layer to authentication. As long as we depend on passwords for authentication, multifactor authentication is a must because of the issues happening with spear phishing, business email compromise, and databases containing passwords being leaked.

Passwordless is the future of authentication. Until we move toward the direction of passwordless authentication, two-factor authentication is going to be a must.

Brooke: How do you sift through information about a threat effectively without burnout?

Matt: AI is good if you know and understand the data you have, which is not often the case. Information triage is always required. Organizations need to understand their needs properly and not simply be driven by checkbooks or just check boxes because of compliance.

A good first step is what we call a priority intelligence requirement. Data is always about context. You need to understand what type of data you have to categorize it and then that can be efficient. If you have a lot of information, it is good, but if you have data with no context, it is useless. That is why you need to always make sure you have the right context, and that what you are collecting is responding to your intelligence requirements.

Brooke: What is the best way to monitor tenant administrator accounts?

Matt: This goes back to building a proper threat model so organizations can identify potential infection vectors and how administrative accounts are being used. In a lot of cases, you may have administrative accounts that are completely forgotten or hidden somewhere. For example, an employee left, and that account was not disabled.

That is why I like authentication. More organizations are using single sign-on (SSO) technologies in addition to multifactor authentication. Another great way to do this is to avoid multiple accounts and centralize identity and control so it is easier to monitor. It is a difficult exercise because you may have multiple Microsoft Azure Active Directory accounts, multiple cloud providers, different accounts for accounting, or other things not inside the SSO. If you do a threat model, you can list all the ways of authentication that would require monitoring in the first place.
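Matt’s point about forgotten administrative accounts (an employee left and the account was never disabled) is the kind of thing a periodic review script can catch before an attacker does. The review below is an added example written for this post; it is not Magnet Forensics’ or Microsoft’s code and does not call any directory API. It takes a constructed export of accounts (as you might pull from any identity provider), a constructed list of users who have left, and a review date, and flags enabled privileged accounts that belong to departed users, have never signed in, have been dormant longer than an assumed 90-day window, or have no multifactor method registered. The role names, field names, addresses and the 90-day window are all assumptions for illustration.

```python
from datetime import date, timedelta

# Assumed role names for illustration; substitute whatever your directory calls its
# highly privileged roles.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Exchange Administrator",
}
DORMANT_DAYS = 90   # assumed: an admin that has not signed in for this long is suspect


def review_admin_accounts(accounts, departed_users, today):
    """Return [(upn, [reasons...])] for enabled privileged accounts that need attention.

    Each account is a dict with keys: upn, roles (set), enabled (bool),
    last_sign_in (date or None), mfa_registered (bool)."""
    findings = []
    for acct in accounts:
        if not (acct["roles"] & PRIVILEGED_ROLES):
            continue                         # only privileged accounts are in scope here
        if not acct["enabled"]:
            continue                         # already disabled: nothing to do

        reasons = []
        if acct["upn"] in departed_users:
            reasons.append("owner has left but account is still enabled")

        last = acct["last_sign_in"]
        if last is None:
            reasons.append("privileged account has never signed in")
        elif (today - last).days > DORMANT_DAYS:
            reasons.append(f"no sign-in for {(today - last).days} days")

        if not acct["mfa_registered"]:
            reasons.append("no MFA method registered")

        if reasons:
            findings.append((acct["upn"], reasons))
    return findings


REVIEW_DATE = date(2023, 6, 6)   # constructed review date

# Constructed directory export; every address is fictitious.
SAMPLE_ACCOUNTS = [
    {"upn": "bob@example.com", "roles": {"Global Administrator"}, "enabled": True,
     "last_sign_in": REVIEW_DATE - timedelta(days=3), "mfa_registered": True},
    {"upn": "j.doe@example.com", "roles": {"Exchange Administrator"}, "enabled": True,
     "last_sign_in": REVIEW_DATE - timedelta(days=20), "mfa_registered": True},
    {"upn": "svc-legacy-admin@example.com", "roles": {"Global Administrator"}, "enabled": True,
     "last_sign_in": None, "mfa_registered": False},
    {"upn": "carol@example.com", "roles": {"Privileged Role Administrator"}, "enabled": True,
     "last_sign_in": REVIEW_DATE - timedelta(days=120), "mfa_registered": True},
    {"upn": "dave@example.com", "roles": {"User"}, "enabled": True,
     "last_sign_in": REVIEW_DATE - timedelta(days=200), "mfa_registered": False},
    {"upn": "old-admin@example.com", "roles": {"Global Administrator"}, "enabled": False,
     "last_sign_in": REVIEW_DATE - timedelta(days=400), "mfa_registered": False},
]

# Constructed HR leavers list; j.doe has left but the account above is still enabled.
DEPARTED_USERS = {"j.doe@example.com"}

if __name__ == "__main__":
    for upn, reasons in review_admin_accounts(SAMPLE_ACCOUNTS, DEPARTED_USERS, REVIEW_DATE):
        print(upn)
        for r in reasons:
            print("  -", r)
```

Run against the sample data it flags j.doe (departed), the legacy service admin (never signed in, no MFA) and carol (dormant), and stays quiet about bob, the unprivileged dave and the already-disabled old-admin. The output is a worklist for the threat-model exercise Matt describes: every account on it either gets disabled, gets an owner, or gets brought under the same SSO and MFA monitoring as the rest.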

Brooke: What is your advice for incident response teams, whether one person or more?

Matt: Whether one person handles incident response, or you have a team of 10 people, you must understand what you do well but also your limitations. Understanding your limitations is often quite tricky because people do not like the exercise of discovering what is missing or requires improvement.

Sometimes, the security approach is generic and aligned with compliance checkboxes when it should be more practical. The more practical it is, the easier it is to make decisions. Understand your current capabilities and weaknesses, then focus on where you have gaps. Start with creating an incident response plan and aligning your internal stakeholders around it. Ensure it includes steps for what happens during and immediately after the breach and post-incident so that you can learn from the incident and come out stronger. If you just spend your time filtering and doing triage of data and information, it is like running in the sand backward.

Learn more

Learn more about Microsoft Incident Response.

Why you should practice rollbacks to prevent data loss in a ransomware attack
http://approjects.co.za/?big=en-us/security/blog/2023/04/27/why-you-should-practice-rollbacks-to-prevent-data-loss-in-a-ransomware-attack/
Thu, 27 Apr 2023 16:00:00 +0000
Tanya Janca, Founder and Chief Executive Officer of We Hack Purple, shares insights on application security and offers strategies to protect against data loss from ransomware attacks.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Tanya Janca, Founder and Chief Executive Officer (CEO) of We Hack Purple, who is known as SheHacksPurple and is the best-selling author of Alice and Bob Learn Application Security. The thoughts below reflect Tanya’s views, not the views of Tanya’s employer or Microsoft, and are not legal advice. In this blog post, Tanya talks about how to address ransomware attacks and the importance of security in development.

Brooke: You are known as SheHacksPurple. How did you become interested in hacking?

Tanya: I started coding as a teenager. Both of my aunts and three of my uncles are computer scientists, so learning to code did not seem out of place. I thought, “Every woman codes. Isn’t that the way?”

At college, I studied computer science and then was a software developer until around 2015, when I switched full time to security. I became more obsessed with security and software during my last two years in software development. I wanted to fix the bug and work with the penetration tester. I hustled my security team where I worked and after a year, one of them said, “We are posting a job for a security person and the job is for you. It was never for anyone else.” I joined that team.

I started speaking at conferences because you get in free, and when working for the federal government, they did not have a ton of money to fly me to another country for some cool training as part of a conference. I started getting plane tickets sent from all around the world and I flew everywhere.

Microsoft reached out and said, “We want to hire a developer advocate who understands security,” and I said, “Is this a prank call? Come on, that’s not a real job. You don’t get paid to do my hobby.” And they are like, “Yes, you do.”

Brooke: How valuable are information security certifications or any other certifications?

Tanya: Certifications have value depending on where you are in your career and the types of jobs you are looking for. There are not many application security certifications. There is one from my company, We Hack Purple. It is not widely recognized.

If you want a specific type of job, studying for a certification will teach you a lot. If you are new in your career, it shows evidence that you know something. One of the problems when you get a job in information security is that there is no clear career path and the people hiring you do not have the technical expertise to know what to ask you.

I have no certifications except for the ones from We Hack Purple. I have a college diploma and I took courses from the University of Maryland. The work I got was based on experience and mentors vouching for me. When people ask “Should I get one?” I say that if you have an active GitHub where you find bugs and fix all of them, that is evidence of skill. Sometimes, a certification helps with that, but they are not all created equal, and it costs a lot of money.

Brooke: What can companies do to protect themselves from ransomware attacks?

Tanya: Every IT department, even if you are not afraid of ransomware, should do backups and practice rollbacks. I worked somewhere once, and we had a glitch where 2,000 people lost all their work for the day. We still had copies of everything from the day before on our local machines, but a backup had not been done the night before. The backup team said it would take a month to replace that one day of work. And they said, “We don’t even know if it will work and it will copy over everything you have done in the meantime, so let’s not bother.”

I said to my boss, “We are going to save so much money because clearly we do not need them. They never practice the backup. Think of how many more developers we can hire.” Doing backups is good, but even better is practicing rollbacks so you can roll back in a reasonable amount of time and roll back more than just files. We need to roll back everything.

At We Hack Purple, we back up my machine in a special backup that no one else is in because I’m the CEO and I create most of the content. We also have a backup in the cloud and another physical backup in a different location that we do every week. If ransomware happens, I have everything backed up. There are companies that get hit with ransomware and just think, “Go away” and then they just roll everything back in an hour.

It is important to ensure that your backups are not attached to your network. Everyone has their fancy backup drive still connected to their computer and the ransomware is like “Excellent. I shall now encrypt your backup.”

About 60 percent of small businesses go out of business in the month after a cyberattack.1 Because we are such a small company, if we lose one of our people, that is a huge enough risk. But imagine we lose all their work. That is even worse.
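A restore drill of the kind Tanya describes, as an added example that is not part of the original post or of any We Hack Purple tooling: it backs up a constructed sample tree together with a SHA-256 manifest, lets a stand-in "encryptor" trash the working copy, restores into a scratch directory and verifies every file against the manifest. The file names, contents, tar.gz format and the `run_drill` helper are assumptions made for illustration; in a real drill the archive would live on a host the production network cannot write to, and you would time the whole thing, because the elapsed time is your real recovery objective.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed stand-in for a day's work product (hypothetical paths and contents).
SAMPLE_FILES = {
    "notes/design.md": b"# Design\nThreat model v2\n",
    "src/app.py": b"print('hello')\n",
    "data/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_tree(root: Path, files=SAMPLE_FILES) -> None:
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src as tar.gz and return a manifest {relative path: sha256}.
    The manifest is what the restore is checked against; without it, "restore
    finished" says nothing about whether the content came back intact."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def simulate_ransomware(root: Path) -> None:
    """Stand-in for an encryptor: overwrite every file with junk and rename it."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(32))
            p.rename(p.with_suffix(p.suffix + ".locked"))


def restore_drill(archive: Path, manifest: dict, scratch: Path) -> dict:
    """Restore into a scratch directory (never over production) and verify
    every file against the manifest."""
    scratch.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            # the "data" filter rejects path traversal and special members
            tar.extractall(str(scratch), filter="data")
        except TypeError:  # interpreter without the filter keyword
            tar.extractall(str(scratch))
    missing = [rel for rel in manifest if not (scratch / rel).is_file()]
    mismatched = [rel for rel, digest in manifest.items()
                  if (scratch / rel).is_file() and sha256_file(scratch / rel) != digest]
    return {"files": len(manifest), "missing": missing, "mismatched": mismatched,
            "ok": not missing and not mismatched}


def run_drill(tamper: bool = False) -> dict:
    """End to end: back up, get hit, restore to scratch, verify.
    tamper=True corrupts one manifest entry to show that the check actually bites."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        work, scratch = base / "work", base / "restore"
        archive = base / "backup" / "work.tar.gz"
        archive.parent.mkdir()
        write_sample_tree(work)
        manifest = make_backup(work, archive)
        if tamper:
            manifest["src/app.py"] = "0" * 64
        simulate_ransomware(work)  # the production copy is now useless
        report = restore_drill(archive, manifest, scratch)
        report["production_intact"] = all((work / rel).is_file() for rel in manifest)
        return report


if __name__ == "__main__":
    print(run_drill())
```

The point of the manifest is that a restore that completes is not the same as a restore that is correct: the hash check is what turns "we have backups" into "we have practiced rollbacks".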

Brooke: How can tech leaders limit the frequency and severity of a ransomware attack?

Tanya: Get training for your company on what ransomware looks like and how to defend yourselves. For instance, do not save to your local computer. Save to the cloud like everyone else. You can download local copies to your machine but emphasize what it is like to lose your work and how bad it would be.

I am getting everyone to turn on multifactor authentication because it is extra defense and could block an attack from being successful. I am a huge fan of password managers. At my company, everyone must use a password manager. They make up unique, long, and random passwords that human beings would never guess, and that computers have trouble guessing.

Helping employees protect themselves in their private life gives them even more practice using the password manager.

Brooke: At what part of a development cycle does security come in?

Tanya: We used to bring security in at the end and they would do a penetration test and it would be like shooting fish in a barrel. They would tell you all the things you have done wrong, but because it is close to go-time, they would fix one or two things, put a big bandage on it, and send it out the door.

For a long time, I would give conference talks, write blog articles, and say, “We need to shift security left,” and by left, I mean earlier in the system development lifecycle. It is cheaper, faster, and easier to fix security problems there, whether it be a design flaw or a security bug. But marketing teams got a hold of that and there are all sorts of products that have the word “shift” in the name. What they meant is buy our product, put it in your continuous integration/continuous deployment (CI/CD) pipeline, and all your dreams will come true. The term got co-opted.
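To make the shift-left point concrete, here is an added example, not Tanya's code and not any vendor product, of a small AST-based static check that a team could run as a CI gate before a pull request merges. The rule names, the `RiskyPatternVisitor` class and the two sample source snippets are constructed for illustration. It catches a few well-known Python anti-patterns (command strings run with `shell=True`, `eval`/`exec`, unsafe deserialization, credentials bound to string literals) and returns a pass/fail the pipeline can act on, which is what putting a check "earlier in the lifecycle" actually looks like in practice.

```python
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


class RiskyPatternVisitor(ast.NodeVisitor):
    """Walks a module's AST and records a few well-known risky patterns."""

    SHELL_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                   "subprocess.check_output", "os.system"}
    UNSAFE_LOADS = {"pickle.load", "pickle.loads", "yaml.load", "marshal.loads"}
    SECRET_WORDS = ("secret", "password", "passwd", "token", "api_key")

    def __init__(self):
        self.findings: List[Finding] = []

    def _dotted(self, node) -> str:
        # Resolve call targets like subprocess.run -> "subprocess.run"
        if isinstance(node, ast.Name):
            return node.id
        if isinstance(node, ast.Attribute):
            base = self._dotted(node.value)
            return f"{base}.{node.attr}" if base else node.attr
        return ""

    def visit_Call(self, node):
        target = self._dotted(node.func)
        if target in ("eval", "exec"):
            self.findings.append(Finding("dynamic-exec", node.lineno, f"{target}()"))
        if target in self.SHELL_CALLS:
            shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                             and kw.value.value is True for kw in node.keywords)
            if shell_true or target == "os.system":
                self.findings.append(Finding("shell-injection", node.lineno, target))
        if target in self.UNSAFE_LOADS:
            self.findings.append(Finding("unsafe-deserialize", node.lineno, target))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Crude secret check: a credential-looking name bound to a non-empty string literal
        literal = isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)
        for t in node.targets:
            if isinstance(t, ast.Name) and literal and node.value.value \
                    and any(w in t.id.lower() for w in self.SECRET_WORDS):
                self.findings.append(Finding("hardcoded-secret", node.lineno, t.id))
        self.generic_visit(node)


def scan_source(code: str) -> List[Finding]:
    visitor = RiskyPatternVisitor()
    visitor.visit(ast.parse(code))
    return sorted(visitor.findings, key=lambda f: f.line)


def ci_gate(findings, blocking=("shell-injection", "dynamic-exec",
                                "unsafe-deserialize", "hardcoded-secret")) -> bool:
    """True means the pipeline may continue; False fails the build before merge."""
    return not any(f.rule in blocking for f in findings)


# Constructed "before" snippet with findings on lines 2, 4 and 6
VULNERABLE = '''\
import subprocess
API_KEY = "sk-live-EXAMPLE"
def ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)
def calc(expr):
    return eval(expr)
'''

# Constructed "after" snippet: secret from the environment, argv list with no shell, literal_eval
HARDENED = '''\
import ast, os, subprocess
API_KEY = os.environ.get("API_KEY", "")
def ping(host):
    return subprocess.run(["ping", "-c1", host], shell=False)
def calc(expr):
    return ast.literal_eval(expr)
'''

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        findings = scan_source(src)
        print(name, "passes" if ci_gate(findings) else "blocked", findings)
```

A check this small is deliberately narrow and will miss plenty; its value is that it runs on every change, before a penetration tester ever sees the code, and fails the build in a way developers can fix in minutes rather than at release time.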

Brooke: If you could impact one thing in security, what would it be and why?

Tanya: On a professional level, it would be that more universities and colleges start teaching secure coding. If they are going to work in information security, one of the classes should be about application security. I wrote my book “Alice and Bob Learn Application Security” hoping universities would teach it and they only want to teach it in cybersecurity programs. I am happy about that, but 100 percent of them refused to teach it to the computer science students and I said, “But they are the ones making all the bad code.”

On a personal level, I want information security to be inclusive of everyone. I want all the LGBTQIA people to show up. I want all the women to show up. I want people of every race and religion to show up. I want disabled people to show up. Everyone can contribute effectively, but there must be space for them.

Learn more

If you’re attending the RSA Conference, do not miss Tanya’s sessions: “Adding SAST to CI/CD, without losing any friends” on April 26, 2023, “DevSecOps worst practices” on April 27, 2023, and “Creating a great DevSecOps culture” on April 27, 2023. And to learn more about Microsoft’s DevSecOps and shift left security solutions, visit the DevSecOps tools and DevSecOps services and Microsoft Defender for DevOps pages.

Learn more about general data security from Microsoft.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. 60 Percent of Companies Fail in 6 Months Because of This (It’s Not What You Think), Thomas Koulopoulos. May 11, 2017.

The post Why you should practice rollbacks to prevent data loss in a ransomware attack appeared first on Microsoft Security Blog.

Microsoft Security Experts discuss evolving threats in roundtable chat
http://approjects.co.za/?big=en-us/security/blog/2023/02/28/microsoft-security-experts-discuss-evolving-threats-in-roundtable-chat/
Tue, 28 Feb 2023 17:00:00 +0000

Get an in-depth recap of the latest Microsoft Security Experts Roundtable, featuring discussions on trends in global cybercrime, cyber-influence operations, cybersecurity for manufacturing and Internet of Things, and more.

I don’t know about you, but we’re still catching our breath after 2022. Microsoft Security blocked more than 70 billion email and identity threats last year.1 In the same 12-month span, ransomware attacks impacted more than 200 large organizations in the United States alone, spanning government, education, and healthcare.2 With statistics like those, providing a platform to share security insights and first-hand experience feels like a necessity.

With that goal in mind, Microsoft has launched a new kind of security webinar “for experts, by experts.” The new Security Experts Roundtable series will serve as an accessible video platform for cyber defenders to learn about some of the latest threats while gaining a big-picture view of the cybersecurity landscape. Our inaugural episode aired on January 25, 2023, with an expert panel consisting of:

  • Ping Look, Director, Training and Communications, Microsoft Detection and Response Team (DART)
  • Ryan Kivett, Partner Director, Microsoft Defender Experts
  • Jeremy Dallman, Principal Research Director, Customer Ready Intelligence
  • Rani Lofstrom, Director, Security Incubations

This episode also features a special appearance by Rachel Chernaskey, Director of the Microsoft Digital Threat Analysis Center, who discusses cyber-enabled influence operations. I host a special remote interview with Mark Simos, Lead Cybersecurity Architect at Microsoft, on how to effectively communicate with your board of directors about cybersecurity. We also talk to Peter Anaman, Director and Principal Investigator at the Microsoft Digital Crimes Unit about tracking global cybercrime, and we have a special guest interview with Myrna Soto, Chief Executive Officer (CEO) and Founder of Apogee Executive Advisors, on the state of cybersecurity in the manufacturing sector.

Evolving threats—Expert insights

Back in December 2020, Microsoft investigated a new nation-state attacker now known as Nobelium that became a global cybersecurity threat.3 The following year, the hacker gang Lapsus moved into the spotlight with large-scale social engineering and extortion campaigns directed against multiple organizations.4 Those threat groups are still active, but 2022 saw a slowing in their attacks. “We didn’t have too many high-profile mass-casualty events,” Ping points out. “But we did see a continuation of ransomware, identity compromises, and attacks centered on endpoints.”

The ransomware as a service (RaaS) ecosystem has continued to grow.5 Jeremy singles out DEV-0401, also known as Bronze Starlight or Emperor Dragon, as a China-based threat actor that’s “shifted their payloads to LockBit 2.0, developing their technology and emerging some of their tradecraft in order to evade detection and target our customers more prolifically.”6 Jeremy also calls out DEV-0846 as a provider of custom ransomware,7 as well as Russia’s Iridium as a source of ongoing attacks against transportation and logistics industries in Ukraine and Poland.8 He also cites Russia-based actor DEV-0586 as using ransomware as a ruse to target customers, then following up with destructive data “wiper” attacks.9

In his position as Partner Director of Microsoft Defender Experts, Ryan brings a unique perspective on the changing threat landscape.10 “It’s been a proliferation of credential theft activity, largely stemming from adversary-in-the-middle attacks.” He points out that this kind of attack “underscores the importance of having a strategy for detection and hunting that’s beyond the endpoint; for example, in the email and identity space.”

“Identity compromises have been on the rise,” Ping concurs. “Attackers are just taking advantage of any vectors of entry that any customer has in their environment. So, it’s really important customers exercise good basic security hygiene.” She stresses that defenders should think of their environment as one organic whole, instead of separate parts. “If you have anything that touches the external world—domain controllers, email—those are all potential vectors of entry by attackers.” In short, protecting against the constantly evolving threats of today (and tomorrow) requires embracing a Zero Trust comprehensive approach to security.11
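As an added example of the "beyond the endpoint" hunting Ryan describes, and not code from the roundtable or from any Microsoft product: a check over a constructed sign-in log that flags a session token presented from a second source IP shortly after it was first used. That is how a cookie captured by an adversary-in-the-middle phishing proxy typically shows up once the attacker replays it, because the replay needs no new authentication and so produces no new MFA event to alert on. The CSV fields, addresses, session identifiers and timestamps are all invented for the example and do not follow any real identity-provider schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sign-in log (not a real identity-provider schema). Session
# "sess-7f3a" is issued to alice's browser and then presented minutes later
# from an unrelated address with a scripting user agent.
SAMPLE_SIGNIN_LOG = """\
timestamp,user,session_id,ip,user_agent
2023-01-25T09:02:11Z,alice@example.test,sess-7f3a,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Edge/109
2023-01-25T09:04:50Z,alice@example.test,sess-7f3a,198.51.100.77,python-requests/2.28
2023-01-25T09:10:00Z,bob@example.test,sess-11c0,203.0.113.22,Mozilla/5.0 (Macintosh) Safari/16
2023-01-25T13:30:00Z,bob@example.test,sess-11c0,203.0.113.22,Mozilla/5.0 (Macintosh) Safari/16
2023-01-25T14:00:00Z,carol@example.test,sess-9b2e,192.0.2.5,Mozilla/5.0 (Windows NT 10.0) Chrome/109
2023-01-26T14:00:00Z,carol@example.test,sess-9b2e,192.0.2.99,Mozilla/5.0 (Windows NT 10.0) Chrome/109
"""


def parse_log(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def detect_session_replay(rows, window_seconds=3600) -> list:
    """Flag a session whose token turns up from a second source IP within
    window_seconds of its first use. An AiTM proxy captures the post-MFA
    cookie and the attacker replays it from their own infrastructure, so the
    identity log shows the same session from two places and no fresh login."""
    by_session = defaultdict(list)
    for r in rows:
        by_session[r["session_id"]].append(r)
    alerts = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        first = events[0]
        for e in events[1:]:
            gap = (e["ts"] - first["ts"]).total_seconds()
            if e["ip"] != first["ip"] and gap <= window_seconds:
                alerts.append({
                    "user": e["user"],
                    "session_id": sid,
                    "original_ip": first["ip"],
                    "replay_ip": e["ip"],
                    "seconds_after": int(gap),
                    # a user-agent change on top of the IP change raises confidence
                    "ua_changed": e["user_agent"] != first["user_agent"],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_SIGNIN_LOG)):
        print(alert)
```

Mobile carriers and VPN exits change addresses legitimately, so in practice you would enrich the two IPs with ASN or geolocation and weight the user-agent change; the response to a true positive is to revoke the session and reset credentials, since the MFA already happened on the victim's side.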

Understanding cyber-influence operations

Cyber-enabled influence operations don’t grab headlines the way ransomware attacks do, but their effects are more pernicious. In this kind of cybercrime, a nation-state or non-state actor seeks to shift public opinion or change behavior through subversive means online. In Jeremy’s talk with Rachel, she breaks down how these types of attacks unfold in three phases:

  1. Pre-positioning: Reconnaissance on a target audience, registering web domains to spread propaganda, or setting up inauthentic social media accounts.
  2. Launch: Laundering propaganda narratives through fake organizations or media outlets, coordinated overt media coverage, stoking real-world provocations, or the publishing of leaked or sensitive material.
  3. Amplification: Messengers unaffiliated with the actor repeat or repost the content.

The most prolific influence actors are labeled advanced persistent manipulators (APMs). Rachel uses the analogy that “APMs are to the information space what APTs (advanced persistent threats) are to cyberspace.” APMs are usually nation-state actors, though not always. Increasingly, the Microsoft Digital Threat Analysis Center (DTAC) sees non-state or private-sector actors employing the same influence techniques. In this way, a threat actor that wages a successful cyberattack might repurpose that capability for subsequent influence operations.

Rachel explains how DTAC uses the “four M” model: message, messenger, medium, and method. The message is the rhetoric or content that an actor seeks to spread, which typically aligns with the nation-state’s geopolitical goals. The messengers include the influencers, correspondents, and propaganda outlets that amplify the message in the digital environment. The mediums are the platforms and technologies used to spread the message, with video typically being the most effective. And finally, the methods consist of anything from a hack-and-leak operation to using bots or computational propaganda, or real-world elements like party-to-party political engagement.

So why should private organizations be concerned with cyber-influence operations? “Influence operations inherently seek to sow distrust, and that creates challenges between businesses and users,” Rachel explains. “Increasingly, our team is looking at the nexus between cyberattacks and subsequent influence operations to understand the full picture and better combat these digital threats.”

Microsoft DCU—Tracking cybercrime across the globe

The Microsoft Digital Crimes Unit (DCU) consists of a global cross-disciplinary team of lawyers, investigators, data scientists, engineers, analysts, and business professionals.12 The DCU is committed to fighting cybercrime globally through the application of technology, forensics, civil actions, criminal referrals, public and private partnerships, and the determined assistance of 8,500 Microsoft security researchers and security engineers. The DCU focuses on five key areas: Business Email Compromise (BEC), Ransomware, Malware, Tech Support Fraud, and Malicious Use of Microsoft Azure. According to Peter Anaman, Director and Principal Investigator at DCU, their investigations reveal that cybercriminals are moving away from a “spray-and-pray” approach toward the as a service model. Along with ransomware, cybercriminals are extending their retail services into new areas such as phishing as a service (PhaaS) and distributed denial of service (DDoS).

Threat actors have even created specialized tools to facilitate BEC, including phishing kits and lists of verified email addresses targeting specific roles, such as C-suite leaders or accounts-payable employees. As part of the service, the seller will design the email template and even scrub the responses to make sure they’re valid. “All for a subscription model of, like, USD200 dollars a month,” Peter explains. DCU investigative evidence has observed a more than 70 percent increase in these services.1 “We’re finding that there’s a higher number of people who are committing these crimes. They have greater know-how on different technologies and online platforms that could be used as part of the [attack] vector.”

Regardless of the type of cybercrime, DCU goes after threat actors by executing on three main strategies:

  • Investigate: Track online criminal networks and make criminal referrals to law enforcement, along with civil actions to disrupt key aspects of technical infrastructure used by cybercriminals.
  • Share evidence: Assist with victim remediation and allow for the development of technical countermeasures that strengthen the security of Microsoft products and services.
  • Use our voice and expertise: Build on our partnerships to inform education campaigns and influence legislation and global cooperation to advance the fight against cybercrime.

In addition to arrest and prosecution, DCU deters cybercrime by disrupting the technical infrastructure used by criminals, causing them to lose their investments. In 2022, DCU helped to take down more than 500,000 unique phishing URLs hosted outside Microsoft while disrupting cybercriminals’ technical infrastructure, such as virtual machines, email, homoglyph domain names, and public blockchain websites.

DCU also works with Microsoft DART to gather intelligence and share it with other security professionals. Some of those indicators—a URL, domain name, or phishing email—may help with future investigations. “That intelligence [we gather] feeds back into our machine learning models,” Peter explains. “If that phishing page or kit is used again there will be better measures to block it at the gate, so our monitoring systems become stronger over time.”
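Homoglyph domain names are one of the indicators mentioned above. The following is an added example, not DCU tooling, of a lookalike check: it reduces a domain label to a "skeleton" by case-folding, stripping accents, mapping a small hand-written subset of confusable characters to their Latin look-alikes and collapsing pairs such as rn/m, then compares that skeleton against a list of protected brand labels and separately flags labels that mix scripts. The `CONFUSABLES` table here is deliberately tiny and the brand list is assumed; production use would load the full Unicode confusables data and your own registered names.

```python
import unicodedata

# Hand-written subset of Unicode confusables: look-alike -> Latin base character.
# The real table (confusables.txt) has thousands of entries; this is for illustration.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i", "ѕ": "s",  # Cyrillic
    "α": "a", "ο": "o", "ν": "v", "ι": "i",  # Greek
    "0": "o", "1": "l", "|": "l", "ı": "i",  # ASCII/Latin look-alikes
}
# Character pairs that render like a single letter in many fonts
PAIRS = {"rn": "m", "vv": "w"}


def skeleton(label: str) -> str:
    """Reduce a label to a comparison form: case-fold, strip accents, map confusables."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for pair, single in PAIRS.items():
        s = s.replace(pair, single)
    return s


def scripts_used(label: str) -> set:
    """Unicode script names of the letters in the label, e.g. {"LATIN", "CYRILLIC"}."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in label if ch.isalpha()}


def check_domain(domain: str, protected) -> list:
    """Reasons the domain looks like a lookalike of one of the protected brand labels."""
    label = domain.split(".")[0]
    if label.startswith("xn--"):  # punycode: compare the decoded Unicode form
        label = label.encode("ascii").decode("idna")
    reasons = []
    if len(scripts_used(label)) > 1:
        reasons.append("mixed-script")
    sk = skeleton(label)
    for brand in protected:
        if sk == skeleton(brand) and label.lower() != brand.lower():
            reasons.append(f"homoglyph-of:{brand}")
    return reasons


if __name__ == "__main__":
    for d in ("microsoft.com", "rnicrosoft.com", "micr0soft.com", "micrоsoft.com"):
        print(d, check_domain(d, ["microsoft"]))
```

The skeleton comparison is exact on purpose: it catches substitutions that look identical to a human, while prefix and suffix tricks (login-brand.com) are a different problem better handled by substring and edit-distance rules on newly registered domains.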

When asked what an organization can do to protect itself, Peter suggests sticking to three cybersecurity basics. First: “Use multifactor authentication,” he stresses. “Ninety percent of [attacks] could have been stopped just by having multifactor authentication.” Second: “Practice [cyber] hygiene. Don’t just click links because you think it comes from a friend.” Cyber hygiene includes installing all software patches and system upgrades as soon as they become available. And third: “You’re really looking at the Zero Trust model,” Peter says. “Enforce least privilege [access]” so people only have access to the information they need. Bonus tip: “Make sure you have the same level of security on your personal email as you do on your work [email].”

Winning in the room—Communicating to the board

In this segment, I have a chance to speak with one of my favorite folks at Microsoft. Mark Simos is Lead Cybersecurity Architect at Microsoft (and a PowerPoint super genius) with more than two decades of experience, so he knows something about dealing with a board of directors. Whether you work for a public or private company, the board is responsible for oversight. That means making sure that the leadership team is not only managing the business but also managing risks. And cybercrime is one of the biggest risks today’s organizations contend with.

But for the board to understand the organization’s security positioning, they need to grasp how it relates to the business. Unlike dealing with finances, legal issues, or people management, cybersecurity is a new area for a lot of board members. According to Mark, a big part of winning them over is “making sure that the board members understand that cybersecurity is not just a technical problem to be solved, check, and move on. It’s an ongoing risk.”

In our talk, Mark lays out three basic things the board needs to know:

  • Problem or requirement: Frame this in terminology relating to the business.
  • Status: How well are you managing risk to your targeted tolerances?
  • Solution: What is your plan to get there, and how is it progressing?

Bonus tips:

  • Learn about your board. Read their bios and study their backgrounds and professions. These are highly capable and intelligent humans who have mastered demanding disciplines like finance, supply chain management, manufacturing, and more. They are capable of understanding cybersecurity when it’s presented clearly.
  • Learn their language. This goes back to framing the cybersecurity problem in concepts they’ll understand, helping you land your points accurately.
  • Find a board buddy. Establish a relationship with someone on the board who has an interest in learning cybersecurity. A mutual mentorship can help you learn about the other person’s area of expertise, which can help you make your case in clear terms.

Mark provides a wealth of free resources you can access anytime on Mark’s List.13 Also, there’s a chief information security officer (CISO) workshop available as public videos and as a live workshop from Microsoft Unified (formerly Premier Support). The workshop provides plenty of material to help accelerate a productive relationship with your board, including:

  • Sample questions the board should be asking of the security team (and you should be proactively answering).
  • Roleplay video on how CISOs can engage with hostile business leaders.
  • Kaplan-style scorecards based on the familiar approach used in many organizations.

Often board members don’t consider that security decisions can be made by asset owners, not just security teams. Mark suggests stressing the holistic aspect of cybersecurity as a differentiator from typical business unit concerns. “With security, it doesn’t matter where the leak is on the boat; it’s still going to sink,” he says. “So, it’s really important for folks to work together as a team and recognize that ‘I’m not just accepting the risk for me; I’m accepting it for everyone.’”

Security on the edge—Manufacturing and IoT

For the last segment of the webinar, we invited an expert to weigh in on one of the most-attacked industry segments across the globe—manufacturing. Myrna Soto is the CEO and founder of Apogee Executive Advisors, and a board member of prominent companies such as Headspace Health, CMS Energy, Banco Popular, Spirit Airlines, and many more. Cybersecurity in the manufacturing sector carries added urgency because many of these entities are part of the nation’s critical infrastructure—whether it’s manufacturing pharmaceuticals, supporting transportation, or feeding the power grid.

The smart factory has introduced more automation into the manufacturing ecosystem, creating new vulnerabilities. “One of the biggest challenges is the number of third-party connections,” Myrna explains. “It relates to how entities are interacting with one another; how certain companies have either air-gapped their Internet of Things (IoT) networks or not.” Myrna points out that the supply chain is never holistically managed by one entity, which means those third-party interactions are critical. She mentions the ability to encrypt certain data in machine-to-machine communications as a crucial part of securing an interconnected manufacturing ecosystem. “The ability to understand where assets are across the ecosystem is one of the key components that need attention,” she points out.

With the prospect of intellectual property loss, disruption to critical infrastructure, along with health and safety risks, Myrna sees manufacturing as one area where security teams and board members need to work together with urgency. I asked her to offer some insights gleaned from time spent on the other side of the table—particularly what not to do. “Probably the most annoying thing is the tendency to provide us a deluge of data without the appropriate business context,” she relates. “I’ve seen my share of charts around malware detections, charts on network penetrations. That is difficult for most non-technical board members to understand.”

Security is a team sport—Join us

Be sure to watch the full Security Experts Roundtable episode. We’ll be doing one of these every other month until they kick us off the stage, so remember to sign up for our May episode. Before we wrap up for today, I’d like to invite you to join us on March 28, 2023, for a brand-new event: Microsoft Secure. This event will bring together a community of defenders, innovators, and security experts in a setting where we can share insights, ideas, and real-world skills to help create a safer world for all. Register today, and I’ll see you there!

For more cybersecurity insights and the latest on threat intelligence, visit Microsoft Security Insider.



1. Microsoft Digital Defense Report 2022, Microsoft. 2022.

2. Based on internal research conducted by Microsoft Digital Crimes Unit, January 2023.

3. The hunt for NOBELIUM, the most sophisticated nation-state attack in history, John Lambert. November 10, 2021.

4. DEV-0537 criminal actor targeting organizations for data exfiltration and destruction, Microsoft Threat Intelligence Center. March 22, 2022.

5. Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself, Microsoft Defender Threat Intelligence. May 9, 2022.

6. Part 1: LockBit 2.0 ransomware bugs and database recovery attempts, Danielle Veluz. March 11, 2022.

7. Monthly news—January 2023, Heike Ritter. January 11, 2023.

8. New “Prestige” ransomware impacts organizations in Ukraine and Poland, Microsoft Security Threat Intelligence. October 14, 2022.

9. Destructive malware targeting Ukrainian organizations, Microsoft Threat Intelligence Center. January 15, 2022.

10. Microsoft Defender Experts for Hunting proactively hunts threats, Microsoft Security Experts. August 3, 2022.

11. Implementing a Zero Trust security model at Microsoft, Inside Track staff. January 10, 2023.

12. Digital Crimes Unit: Leading the fight against cybercrime, Microsoft. May 3, 2022.

13. Mark’s List, Mark Simos.

Cybersecurity health and how to stay ahead of attackers with Linda Grasso
http://approjects.co.za/?big=en-us/security/blog/2023/02/16/cybersecurity-health-and-how-to-stay-ahead-of-attackers-with-linda-grasso/
Thu, 16 Feb 2023 17:00:00 +0000

Linda Grasso of technology blog DeltalogiX discusses cybersecurity trends and the human and technology connection of cybersecurity.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Linda Grasso, the founder and chief executive officer of DeltalogiX, a blog that provides business leaders with the latest technology news. The thoughts below reflect Linda’s views, not the views of Linda’s employer or Microsoft, and are not legal advice. In this blog post, Linda talks about security trends, identity and access management, and the human and technology connection.

Brooke: What are today’s biggest data security challenges?

Linda: Nowadays, all businesses, whether large or small, handle a huge amount of data, and protecting it is critical to avoid damages related to its theft. The collection of data is essential because it optimizes processes, makes production more efficient, and reduces costs.

Connecting it to the cloud and being able to find information anywhere is a great opportunity, but we should never forget to protect our backs. How? Through the implementation of proactive and reactive cybersecurity strategies. With a cyber emergency response plan, we can draw up a guide highlighting the actions to be taken in the event of a cyberattack. A successful, growth-oriented business will necessarily pursue a journey toward digital transformation and encourage the connection of devices and people. At the same time, however, it’s imperative to monitor the security of information systems.

Brooke: How is internal threat protection a key component of a well-thought-out data security strategy?

Linda: When we talk about cybersecurity, we often think about how to protect the company from external threats. But sometimes those threats come from within company walls. Employees who pose a threat may not be caught until the damage is so severe as to be evident because they know how to move within the network. Or the people who allowed an intrusion may not even be aware of what they did.

How to thwart the insider threat? First, invest in training to make sure all employees know the risks of sharing information online. It is critical to educate employees on how to handle data. Second, establish roles and permissions for accessing confidential data and documents. By adopting identity and access management logic, for instance, employees will have specific permissions to access the information they need to do their jobs.

Again, we should never underestimate the importance of having security systems that identify threats and predict possible attacks. In conclusion, always be on the lookout for alerts generated by platforms and suspicious movements. These include much higher bandwidth consumption at unusual times or data passing from someone who does not have the permission to do so.
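The two kinds of alert Linda names, as an added example that is not part of her answer or of any DeltalogiX material: a constructed role-to-resource policy and a transfer log, with a function that flags accesses outside a user's role and off-hours transfers that dwarf that user's business-hours baseline. Roles, users, resources, byte counts, the 08:00 to 18:00 window and the 10x threshold are all invented for the example; a real deployment would derive the baseline from weeks of history rather than three events.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed role policy and user-role assignments (hypothetical, for illustration)
ROLE_PERMISSIONS = {
    "engineer": {"repo", "ci"},
    "finance": {"ledger", "payroll"},
    "hr": {"payroll", "personnel"},
}
USER_ROLES = {"alice": "engineer", "bob": "finance", "carol": "hr"}

# Constructed transfer log: bytes moved per access event (not real telemetry)
SAMPLE_TRANSFER_LOG = """\
timestamp,user,resource,bytes
2023-02-01T10:00:00Z,alice,repo,120000
2023-02-01T11:30:00Z,alice,repo,95000
2023-02-02T10:15:00Z,alice,repo,110000
2023-02-02T14:00:00Z,bob,ledger,40000
2023-02-02T15:00:00Z,bob,payroll,35000
2023-02-03T02:40:00Z,alice,repo,4800000
2023-02-03T02:55:00Z,alice,personnel,2100000
2023-02-03T09:00:00Z,carol,personnel,50000
"""


def parse_transfer_log(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        r["bytes"] = int(r["bytes"])
    return rows


def is_permitted(user, resource, roles=USER_ROLES, policy=ROLE_PERMISSIONS) -> bool:
    """Least privilege: a user may touch a resource only if their role lists it."""
    return resource in policy.get(roles.get(user, ""), set())


def detect_insider_signals(rows, factor=10, business_hours=(8, 18),
                           roles=USER_ROLES, policy=ROLE_PERMISSIONS) -> list:
    """Two signals worth alerting on:
    - unauthorized-access: the event touches a resource the user's role does not allow
    - off-hours-volume: an event outside business hours moves more than factor times
      the user's typical (median) business-hours transfer size
    """
    def in_hours(ts):
        return business_hours[0] <= ts.hour < business_hours[1]

    baseline = defaultdict(list)
    for r in rows:
        if in_hours(r["ts"]):
            baseline[r["user"]].append(r["bytes"])

    alerts = []
    for r in sorted(rows, key=lambda e: e["ts"]):
        if not is_permitted(r["user"], r["resource"], roles, policy):
            alerts.append({"kind": "unauthorized-access", "user": r["user"],
                           "resource": r["resource"], "timestamp": r["timestamp"]})
        if not in_hours(r["ts"]) and baseline.get(r["user"]):
            typical = median(baseline[r["user"]])
            ratio = r["bytes"] / typical if typical else float("inf")
            if ratio > factor:
                alerts.append({"kind": "off-hours-volume", "user": r["user"],
                               "resource": r["resource"], "timestamp": r["timestamp"],
                               "ratio": round(ratio, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_insider_signals(parse_transfer_log(SAMPLE_TRANSFER_LOG)):
        print(alert)
```

The unauthorized-access rule is only as good as the policy table behind it, which is the practical reason the roles-and-permissions step has to come before the monitoring step: you cannot alert on "data passing from someone who does not have the permission" until permission is written down somewhere a machine can read.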

Brooke: We are focused on creating a human-first and tech-driven approach to security. What does it mean to you to strike a balance between these two elements?

Linda: Bringing the potential of the human mind back into machines is a challenge that has experts and scientists around the world engaged. The business context is one of people and technology. This balanced combo can recreate the potential of the two mental hemispheres: the left hemisphere, which is the seat of rationality and logical, mathematical thinking, and the right hemisphere, the seat of imagination and creativity. The two hemispheres of the human brain are interconnected.

In the same way, an innovative company will have to connect the creative potential stored in the minds of people and the analytical and rational potential programmed into the software. Creativity is as important as rationality and must be trained in business contexts, where stagnation is the greatest obstacle to growth and ally of security breaches.

This infographic compares human creativity and machine rationality from the point of view of rules, innovation, data analysis, empathy, and constancy.

Figure 1. Creativity and rationality are the two levers of an innovative company. The qualities pertaining to the Human Creativity Lever include: breaks the rules with knowledge; innovation is the pivotal element in activating the innovative process; data analysis harnesses intuition for new interpretations of data; empathy assesses the emotional side of customers and stakeholders; and the creative curve is not constant but has very high peaks that generate innovation. The qualities pertaining to Machine Rationality include: fixed rules ensure accuracy and response; innovation is used to activate the functional and useful aspect of innovation; data analysis offers fast and comprehensive analysis of Big Data; empathy generates objective and superpartisan evaluations; and the level of productivity is constant but adequate to a planned standard.

Brooke: More than 80 percent of organizations are multicloud. How important is creating solutions that span clouds, platforms, devices, and apps?

Linda: Surrounded by a fast-paced, changing world, companies choose to define their own strategy and create software applications in-house. What is needed is a cloud that lets an IT team configure, run, and enhance responsive applications in modern, dynamic environments. That is why organizations end up turning to multiple clouds simultaneously.

One of the most important benefits is security. The multicloud architecture requires a “command platform,” like a cloud management system. Through this, it is possible to manage access, know at any time the structure of the cloud, and know and manage data storage. Also, thanks to communication between platforms, it is possible to make processes more efficient, reducing bottlenecks and slowdowns.

Finally, interoperability enables learning how to operate in multiple clouds and the internal generation of those talents and skills that are hard to find externally: transversal skills and critical observation. It is increasingly vital to have a well-defined strategy for storing digital data.

Brooke: How have data security market trends adjusted in response to worsening macroeconomic conditions?

Linda: Almost daily, our global news cycle runs stories about cyberattacks on our systems. Whether it’s stealing data or seeking ransom, these reprehensible acts make us feel, at best, insecure, and perhaps even hostage to hackers. Of course, they also carry a significant cost to the companies that must reclaim their data, restore public trust, and pay the penalty for violating privacy and protection laws. How do we protect ourselves? To mitigate consequences, we train employees to recognize the scale of the problem so that they can identify early warning signs, just as we invest heavily in technological resources to monitor, prevent, and block nefarious users.

Globally, large technology players are innovating systems to make them less vulnerable to attack. For instance, the Zero Trust security model requires users—whether they fall within or outside an organization’s network—to be authenticated, authorized, and continuously validated before they can access applications and data. Essentially, Zero Trust assumes that there is no network edge: networks can be local, in the cloud, or a combination, with resources anywhere as well as workers in any location.

Brooke: How does the industry view data protection within the context of cybersecurity?

Linda: How much data do employees have to deal with every day in the company? A lot, especially when we look at companies going digital. Despite the increase in cyberattacks in recent years, few companies still commit to in-house cybersecurity investments. Digital exposes our data to significant risk, and chief information security officers should raise awareness among leaders on this issue, where prevention is better than cure.

The benefits to the company in terms of economic and business impact are evident, so it is important to act from the first presentation of a cybersecurity solution. Indeed, losing customer data and stopping production or operations because of a systems attack carry significant image and economic costs, and few companies are willing to take these risks. If they do, it is because they are unaware or because they do not understand the entire process.

Brooke: What advice would you give to companies about where to start?

Linda: Cybersecurity is not something to be evaluated on a one-time basis or reserved for high-risk business areas. Today, with digitalization and data-centricity, we need a real, continuously updated cybersecurity strategy. We need initial planning and constant monitoring to make sure we are properly defending our business value. Having highlighted the experts and data to be protected, it will be necessary to plan activities and tools that allow people to make as few mistakes as possible.

First, activate backup systems that periodically and automatically save data from specific areas defined as sensitive or high-risk. Also, strategically, a recovery plan will need to be in place in case of damage to systems (disaster recovery). We can predict threats and plan preventive actions, but we will never achieve 100 percent risk coverage. When we manage services, the interruption of those activities would harm us and our customers, so it is essential to provide an alternative plan that ensures continuity of service while fighting cyberthreats, such as attacks aimed at preventing access to a system, like distributed denial of service (DDoS).

At this point in the strategy, remember to constantly update the entire information security system. Do not let your guard down when the implementation has been done correctly, people have been trained, you have learned cybersecurity procedures, and the security system proceeds automatically. Instead, it is as important, if not more important than the previous activities, to constantly update software and related procedures related to cybersecurity. Threats evolve rapidly and outdated systems may not do their job properly.

Learn more

Learn more about solutions for securing access with Microsoft Entra.

Learn more about Zero Trust and how Microsoft can help.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Cybersecurity health and how to stay ahead of attackers with Linda Grasso appeared first on Microsoft Security Blog.

How to build a secure foundation for identity and access http://approjects.co.za/?big=en-us/security/blog/2022/12/19/how-to-build-a-secure-foundation-for-identity-and-access/ Mon, 19 Dec 2022 18:00:00 +0000 Former IDC Program Vice President Christina Richmond shares insights on digital trust and identity protection.

The post How to build a secure foundation for identity and access appeared first on Microsoft Security Blog.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Christina Richmond, a cybersecurity expert who formerly worked as a Program Vice President at IDC. The thoughts below reflect Christina’s views, not the views of her former employer or Microsoft, and are not legal advice.  

Brooke: Christina, thanks for taking the time to share your extensive experience as a cybersecurity analyst and thought leader.

I’ll be asking you about topics that Microsoft customers typically consider in their end-to-end security journey, especially around the foundation of identity and access solutions as the first line of defense in a Zero Trust strategy. Here’s my first question:

What security basics should an organization build into any cloud platform for a strong security foundation?

Christina: I would expect to see a layered approach across the entire environment. Any cloud provider needs to secure their own infrastructure and extend to everything they are offering externally. In the shared responsibility model, the customer of the cloud platform needs to understand where their data is, which is their responsibility, and where the platform is being secured by the cloud provider. It’s important to see that the cloud provider’s physical infrastructure and digital assets are going through the same kind of security, layered approach, or in-depth defense that you would hope to see in any organization.

I also would want to see a cloud provider offer tools to help customers with their side of the shared responsibility model. For example, identity security is your responsibility as an organization, but a cloud provider can help by offering a strong identity and access management program. I would expect identity and data security to be very strong from a cloud provider because those are the new perimeter, and data, of course, is the lifeblood of the organization.

The other thing that I would hope for from a cloud provider is actionable insight into threat actors and the tools and tactics that they are using, plus the monitoring and response services that span a hybrid environment and multicloud environments.

Brooke: How should trust play into security decision-makers’ minds?

Christina: Trust means so many things to so many people. It’s not one thing. When I was at IDC, I defined digital trust solely in terms of security. Now, I look at it from a broader economic perspective, like how a company is transparent about how they are going to use customer data. It is about showing very high principles around their data security.

That would be evidenced by publishing what they do with your data and what choices you have as a consumer of that service. You can choose privacy and have different elections of privacy controls, so that would be transparency around data.

Digital trust involves having a very strong model of ethics around proper data usage, but also ethics more broadly in the community, so not just the data of their consumers but also the data of their partners. Digital trust also has to do with the brand. Do you feel good about a brand? If you see sustainability, strong diversity, equity, and inclusion, and they’re taking care of their organization and presenting a brand that is doing good in the community, that also builds trust. 

I like it when organizations are very straightforward and transparent about what they are doing for their employees. “Here is our diversity equity inclusion framework, our mission statement, and what we are doing in the community to give back. Here is how we are being responsible partners for facial recognition, artificial intelligence, and machine learning.” I love it when there is an event in the media—it might be a negative event—and a company comes out right away and says, “This happened, and here is our stance on it” and they are very transparent. 

Brooke: What are the most common gaps you are seeing for organizations when securing access?

Christina: There are a ton of gaps. Identities are really complicated. Administrators deal with so much complexity. They must look at multiple dashboards and onboard employees to work on software as a service (SaaS) platforms or cloud platforms or on-premises in their own data centers.

There is a gap in modernizing identity and having one dashboard for visibility. Visibility into apps and services that also need our access control is a huge gap. We do not know what we cannot see, and we cannot protect it if we do not see it. It is important to include those apps and services in identity lifecycle management, and it is a gap for many organizations because it is still new.

Brooke: What should organizations be doing to address the challenge of compromised passwords?

Christina: Before we talk about moving toward passwordless authentication, we need to look a little more deeply at multifactor authentication. It is important, but it is not enough. There are multiple authentication techniques, and we are used to getting a code and putting the code in. That is better than just putting a password in and having to personally manage hundreds of passwords, but there are other things that we can do to bolster multifactor authentication:

  • Biometrics: We can use facial recognition or a fingerprint on our computer or phone.
  • Time of access: Time and geolocation are coordinated.
  • Behavior-based security: Consider how a person holds the phone and how much they shake or move it around and tell if it is in someone else’s hands.
  • Hard token authentication: Users need a USB drive, keycard, RFID key fob, or another hard token to authenticate.
  • Passwordless:  It helps slow the hacker down because it is much harder to hack. I like passwordless. I just think it still needs a little bit more maturing.
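
An added example of the "time of access" factor in the list above, not code from the interview and not Microsoft Entra code: a small Python check that compares each user's consecutive sign-ins and flags a pair whose great-circle distance could not plausibly have been covered in the elapsed time. The event fields, the speed threshold, the minimum-distance floor, the severity labels and the sample sign-ins are constructed assumptions for illustration.

```python
"""Impossible-travel check over consecutive sign-ins.

Added example, not Microsoft Entra code and not from the interview. Event
fields, thresholds, severity labels and the sample sign-ins are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0                     # assumed: about airliner cruise speed
MIN_DISTANCE_KM = 50.0                              # assumed: ignore geolocation jitter below this
PHISHING_RESISTANT = {"fido2", "hardware-token"}    # assumed labels for the second factor


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime      # timezone-aware
    lat: float
    lon: float
    method: str         # second factor used, e.g. "totp" or "fido2"


@dataclass(frozen=True)
class Finding:
    user: str
    distance_km: float
    hours: float
    severity: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def check_pair(prev: SignIn, cur: SignIn) -> Optional[Finding]:
    """Return a Finding when reaching `cur` from `prev` would need implausible speed."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if dist < MIN_DISTANCE_KM:
        return None                          # same city, or just geolocation noise
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    # Zero elapsed time with real distance is impossible; the guard also avoids dividing by zero.
    if hours > 0 and dist / hours <= MAX_PLAUSIBLE_SPEED_KMH:
        return None
    # A phishing-resistant second factor lowers, but does not remove, the concern (assumed policy).
    severity = "medium" if cur.method in PHISHING_RESISTANT else "high"
    return Finding(cur.user, round(dist, 1), round(hours, 2), severity)


def find_impossible_travel(events: List[SignIn]) -> List[Finding]:
    """Compare each user's sign-ins in time order and collect the findings."""
    last_seen: Dict[str, SignIn] = {}
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        prev = last_seen.get(ev.user)
        if prev is not None:
            finding = check_pair(prev, ev)
            if finding is not None:
                findings.append(finding)
        last_seen[ev.user] = ev
    return findings


def _utc(hour: int, minute: int) -> datetime:
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample sign-ins (not real telemetry): alice "moves" Seattle -> London
# in 90 minutes; bob drives Seattle -> Portland in three hours.
SAMPLE_EVENTS = [
    SignIn("alice", _utc(9, 0), 47.6062, -122.3321, "totp"),
    SignIn("alice", _utc(10, 30), 51.5074, -0.1278, "totp"),
    SignIn("bob", _utc(9, 0), 47.6062, -122.3321, "fido2"),
    SignIn("bob", _utc(12, 0), 45.5152, -122.6784, "fido2"),
]

if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{f.user}: {f.distance_km} km in {f.hours} h -> {f.severity}")
```

The minimum-distance floor matters in practice: IP geolocation places the same office on different sides of a city from one day to the next, and without the floor a pair of sign-ins minutes apart would produce a finding every time. The sorted pass also makes the check order-independent, so events that arrive late from a lagging log source are still compared against the right neighbour.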


Brooke: What are your thoughts on permissions management in a risk-reduction approach?

Christina: It’s important to have permissions management. There is permission creep, and we need to keep on top of it. Having visibility across your on-premises data center, your multiple data centers, and your multiple clouds is critical.

We lack visibility into identities and permissions, and we struggle with permission creep. We need a comprehensive, unified solution for full visibility and for remediating risk that continuously monitors unused or excessive permissions and is based on least privilege. Least privilege and Zero Trust are vastly different and both are important for varied reasons. Being able to manage all those permissions in a way that provides us with broader visibility and a unified view and does constant monitoring is a critical asset. This could mean flagging that this person or this resource is no longer using their permission, or a person has too much permission based on their title or other factors. 

Brooke: Thank you, Christina. I’ve got one closing question on behalf of our readers. As an expert, what do you suggest as the three most important things that organizations should implement for a strong digital identity framework?

Christina: First, identity governance with self-service onboarding is important, so more automation and fewer legacy tools. Second, we need to be moving toward passwordless authentication, and we need to make passwordless easier on the users. Third, organizations need workload identity management because the supply chain is a mess when it comes to tracking who has access to what resource, for what reason, and how broad their permissions are. We need to be able to track that in real-time and do it seamlessly with automation. Permissions management needs to be built-in, but we need to treat workloads, apps, and services as identity so that we can fold that into our permission management and our broader identity access management tools.

Learn more

Learn more about Microsoft identity and access management, and solutions for securing access with Microsoft Entra.


Identifying cyberthreats quickly with proactive security testing http://approjects.co.za/?big=en-us/security/blog/2022/11/03/identifying-cyberthreats-quickly-with-proactive-security-testing/ Thu, 03 Nov 2022 16:00:00 +0000 Hacker House co-founder and Chief Executive Officer Matthew Hickey offers recommendations for how organizations can build security controls and budget.

The post Identifying cyberthreats quickly with proactive security testing appeared first on Microsoft Security Blog.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Matthew Hickey, Co-founder, Chief Executive Officer (CEO), and hacker of Hacker House. The thoughts below reflect Matthew’s views, not the views of Matthew’s employer, and are not legal advice. In this blog post, Matthew talks about application security.

Brooke: How did you get into cybersecurity?

Matthew: If your dad is a car mechanic, you grow up learning about cars. During the 1980s, my dad was super into computers. He used to go to my grandma’s school and bring home the computers prior to anyone really understanding what they were. These were the filing cabinet days and the days of carbon paper. Only very academic people and fringe technologists were interested in cybersecurity. When I was in high school, I had networks in my house with networked games. I started picking apart how the phone network worked and how internet access worked. My dad was supportive. He said, “If a 13-year-old kid can break into it, maybe we should not be using it.”

I pushed hard to get myself in front of as many people as I could and ended up working for a group from the National Computing Center. They had begun selling cybersecurity assurance services and penetration testing. I built a portfolio of my work publishing papers and showing people how computer systems were broken and how you could hack into them. At the time, you could not go to college and do cybersecurity. I dealt with a lot of rejection letters and a lot of people saying no and then I got my first job—that was 20 years ago. Now, I run my own company and I have written a book on the subject.

Brooke: What is most fascinating to you about cybersecurity?

Matthew: For me, it is the exciting element of offensive security testing. I take a low-privileged user on the system and say, “I want to make this user become a high-privileged user without authorization” and I will poke and probe my way through the system, testing all the boundaries and controls in place until I find ways to break it.

I began on an interesting journey, looking at things like state machines, where a computer goes through the lifecycle of a connection. When you connect your system to a server in the office, the computer will keep track of different states. For example, “Did you enter the right password?” and “Should it give you access?” I find these kinds of problems intellectually challenging and quite enjoyable.

Brooke: How do you help clients define and set goals for security control?

Matthew: There is a saying that this industry is run on fear, uncertainty, and doubt. I often ask clients: “If a hacker broke in tomorrow and had free rein of all your systems, what are you most concerned about?” We identify all the assets in the environment and their sensitive data and then review controls based on their concerns. Usually, they are most concerned about payment information and commercially sensitive information, or they are storing things that they perhaps should not have been storing, including credit card data and anything that could cause brand reputational damage.

It’s important to get board buy-in and foster a culture of cybersecurity in the organization and make it something that everybody in the company talks about regularly, like with phishing awareness.

Another key thing is to never punish the user. If they are at work and opening emails, that is what you are asking that person to do. Even the best cybersecurity professionals will click on a phishing link eventually. It’s human nature. These psychological lures are designed to get people to click on them. One of the most effective is a fake FedEx or UPS notification. Nine times out of 10, people will click on the link to track that parcel because they want to know. The attackers know our psychology and our natural human behaviors and how to get attacks through our radar in a way that does not alert us that we are being attacked. Proper cybersecurity in an organization takes human error into account.

Brooke: How do you reduce assessment times and identify threats faster?

Matthew: The MITRE ATT&CK® Framework has been massively advantageous. It is a spreadsheet-based approach to understanding how an attacker behaves in an environment and it stems back to a paper written by Lockheed Martin. Lockheed Martin and the defense sector obviously were big targets for advanced persistent threats and cyber-enabled economic espionage, where nation-state actors break into their systems to steal information for espionage purposes.

Lockheed Martin came up with what they call the cyber kill chain, a timeline of an attack that starts at the very point that the attacker starts their breach into the network to the end—where they have exfiltrated and stolen the information. They modeled this and identified that the earlier you stop the attacker along this kill chain, the better, because they must start over again. The further along the chain they are when stopped, the more the attack costs the attacker in terms of time and exploits used.

MITRE then came up with tools, techniques, and procedures. You can look at the threats in your industry and the known behaviors of threats targeting your sectors and begin unit testing those individual items. Instead of running a six-month engagement where we break into the client’s environment and do all this stealthy stuff, like monitor your network, we test against the actual threats and against these component items. That narrows the time involved in assessment activities and they get the result quicker.
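
An added example of the unit-testing idea Matthew describes, not code from Hacker House or from the interview: each detection rule is tagged with the ATT&CK technique it is meant to catch, each simulation is a few constructed log lines that exercise one technique, and the suite reports per technique whether a rule fired, missed, or does not exist at all. The log format, the rule patterns, the burst threshold and the threat profile are illustrative assumptions; only the technique IDs are real ATT&CK identifiers (T1059.001 PowerShell, T1110 Brute Force, T1566.001 Spearphishing Attachment, T1548.002 Bypass User Account Control).

```python
"""Detection unit tests keyed to MITRE ATT&CK technique IDs.

Added example, not Hacker House's or Microsoft's code. The log format, the
rule patterns, the threshold and the threat profile are constructed for
illustration; only the technique IDs are real ATT&CK identifiers.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Detection:
    name: str
    technique: str                        # ATT&CK technique ID this rule is meant to catch
    fires: Callable[[List[str]], bool]    # True when the rule triggers on a batch of log lines


def regex_rule(pattern: str) -> Callable[[List[str]], bool]:
    """Rule that fires when any line matches the pattern (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda lines: any(rx.search(line) for line in lines)


def failed_logon_burst(threshold: int) -> Callable[[List[str]], bool]:
    """Rule that fires when one source IP produces `threshold` or more 4625 events."""
    rx = re.compile(r"EventID=4625 .*SourceIP=(\S+)")

    def rule(lines: List[str]) -> bool:
        hits = Counter(m.group(1) for m in map(rx.search, lines) if m)
        return any(n >= threshold for n in hits.values())

    return rule


# Assumed detection content: rules tagged with the technique they cover.
DETECTIONS = [
    Detection("encoded PowerShell command line", "T1059.001",
              regex_rule(r"powershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\s")),
    Detection("logon failure burst from one source", "T1110",
              failed_logon_burst(threshold=5)),
    # Deliberately narrow (only .docm) so that the .xlsm simulation below exposes a gap.
    Detection("macro-enabled Word attachment from outside", "T1566.001",
              regex_rule(r"MailEvent=attachment .*name=\S+\.docm\b.*external=yes")),
]

# Assumed threat profile: techniques the organization has decided it must detect.
THREAT_PROFILE = ["T1059.001", "T1110", "T1566.001", "T1548.002"]

# Constructed log lines that exercise each technique (not real telemetry).
SIMULATIONS: Dict[str, List[str]] = {
    "T1059.001": [
        "2024-01-01T09:00:01 host=ws01 EventID=4688 "
        "NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
        "CommandLine=powershell.exe -NoProfile -enc QQBCAEMA",   # base64 of UTF-16LE "ABC"
    ],
    "T1110": [
        f"2024-01-01T09:01:{i:02d} host=dc01 EventID=4625 TargetUser=svc-backup "
        "SourceIP=203.0.113.7" for i in range(6)
    ],
    "T1566.001": [
        "2024-01-01T09:02:00 host=mx01 MailEvent=attachment name=invoice.xlsm external=yes",
    ],
}


def run_suite(detections: List[Detection], simulations: Dict[str, List[str]],
              threat_profile: List[str]) -> Dict[str, str]:
    """Map each technique in the profile to 'detected', 'missed', 'no-simulation' or 'no-detection'."""
    rules_by_technique: Dict[str, List[Detection]] = {}
    for det in detections:
        rules_by_technique.setdefault(det.technique, []).append(det)

    results: Dict[str, str] = {}
    for technique in threat_profile:
        rules = rules_by_technique.get(technique, [])
        lines = simulations.get(technique)
        if not rules:
            results[technique] = "no-detection"     # coverage gap: nothing to test
        elif lines is None:
            results[technique] = "no-simulation"    # rule exists but is untested
        elif any(rule.fires(lines) for rule in rules):
            results[technique] = "detected"
        else:
            results[technique] = "missed"           # rule exists but does not catch the drill
    return results


if __name__ == "__main__":
    for technique, outcome in run_suite(DETECTIONS, SIMULATIONS, THREAT_PROFILE).items():
        print(f"{technique:<10} {outcome}")
```

Run as a script it prints one line per technique in the profile. The two outcomes worth acting on are "missed" (a rule exists but the drill slipped past it, here because the attachment rule only knows about .docm) and "no-detection" (a technique the threat profile calls for with no rule behind it); both are the kind of granular, quickly answered question Matthew contrasts with a six-month engagement.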

Brooke: At what stage do clients bring your organization into the process?

Matthew: We work with a whole range of different clients, including people who have already built their product and people who have started to build their product. These kinds of strategies are usually very effective against large organizations—multinational corporations and Fortune 500 companies.

If you want to be effective in cybersecurity, the costs need to be on the attackers. We encourage organizations to move away from this longstanding engagement model and instead focus on doing unit tests against the actual situations they face. We call them cyber preparedness drills. We mimic the attacker’s behavior utilizing tools we’ve built, like these items we have published on GitHub for User Account Control (UAC) bypass testing:

These types of common attacker behaviors should be well-detected and even better detected by Microsoft Defender than they were previously. Simply scripting, even in the PowerShell command shell or on the .NET developer platform, creating standard individual tests for specific items in the ATT&CK® framework, and running those as simulations gives you better results.

Brooke: What advice would you give to cybersecurity leaders on how to manage their budgets?

Matthew: There is a big push in the industry to do what is most interesting. Clients will say, “I want you to simulate a real attacker. I want the best hackers to throw everything you have at the system.” They want to spend a ton of money simulating a real attacker and I usually discover they have not covered any of the basics, like telemetry, alerting, or network defense.

It is easy to bring people on board, but if you have not looked at your environment and the basics, there is no point hiring a team to mimic your attacker and do a full six-month red team engagement. Your attacker is going to break into your network for free anyway, so you might as well focus on how you can use that budget to build better defenses to alert your team. So many companies do not know how many systems or databases they have, for instance. They do not have an accurate picture of what is happening in their environment. They look to the penetration testers who end up telling them more than they know about their network. 

Leaders should always ask: Do you have an accurate picture of the patch levels in your environment? If someone opens malware, can you see the events? Do you get the telemetry?

You could buy the best security system around and if it is getting 150 alerts a day but nobody is paying attention, it is useless because no one is going to ever act. When looking at your budget and how to spend it effectively, focus on granular engagement. When you hire a firm, hire one that has a good background and good understanding that can make effective use of that budget.

There are three approaches. There is a black box assessment methodology, where we know nothing about the environment, the target, or the target network. Then, you have a gray box methodology, where a client might share a little bit of information, such as what is given to a new starting staff member in an area where there is a high employee turnover rate. And third, there is a white box assessment, where they give us anything we want to know and we can see what they see. From our experience, you get the best results from white box assessments and from doing bite-sized exercises as your security provider is better informed and not reliant on guesswork achieved through the other two common methodologies.


CSO perspective: Why a strong IAM strategy is key to an organization’s cybersecurity approach http://approjects.co.za/?big=en-us/security/blog/2022/09/29/cso-perspective-why-a-strong-iam-strategy-is-key-to-an-organizations-cybersecurity-approach/ Thu, 29 Sep 2022 16:00:00 +0000 Mastercard Deputy Chief Security Officer Alissa “Dr. Jay” Abdullah, Ph.D., shares insights on why identity and access management is necessary and strategies for securing identities.

The post CSO perspective: Why a strong IAM strategy is key to an organization’s cybersecurity approach appeared first on Microsoft Security Blog.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Alissa “Dr. Jay” Abdullah, Ph.D., Deputy Chief Security Officer of Mastercard and former Deputy Chief Information Officer in the Executive Office of the President for the Obama Administration. The thoughts below reflect Alissa’s views, not the views of Microsoft, and are not legal advice. In this blog post, Alissa talks about the role data and identity play in the future of cybersecurity.

Brooke: How did you get into cybersecurity?

Alissa: I started out as a radio DJ while I was an undergraduate at Savannah State University. Originally, I was a mass communications major, but my university English professor urged me to move away from that. At the same time, my mathematics professor was urging me to change my major to math. Ultimately, I decided to major in math.

After graduation, I used my mathematics degree to work my way into information technology and began a career within the Department of Defense. As a certified Cryptologic Engineer, I toggled between information technology and information assurance—both cyber-adjacent areas. Over the course of my career, I have sought out roles that let me grow in both areas. This approach took me across the private sector before I was eventually appointed by President Barack Obama to help lead White House technology (which included cybersecurity) in 2012. It was while I served in the White House that my passion for—and appreciation of—cybersecurity really took off. 

Brooke: Why is comprehensive identity and access management (IAM) necessary within an organization’s cybersecurity approach?

Alissa: If you think about the future of cybersecurity, it is an amalgamation of many different aspects. One of those is the future of data.

The relevance of data is built on many different aspects—specifically calling out the importance of identity tied to the data, whether that is a human identity, machine identity, or something else. So, as we talk about where we are now with cybersecurity and where we will be in the future, it greatly hinges on IAM. It hinges on the identity tied to data and tied to systems. It hinges on getting access to what you need, when you need it, and how you need it without going further than that. 

The strategy of the future contains boundaries that give you what you need while limiting yourself to include only those things. That way, you shrink the threat landscape in anticipation of a bad day. A strong IAM strategy provides just that. It protects aspects of the various identities while allowing for the appropriate amount of access. The future of cybersecurity will hinge on how well we handle identities and access. 

Brooke: What are the most common access security gaps within organizations? 

Alissa: I sum up the gap with one word—culture. That is the most common gap. What I mean by that is we are used to the idea of having carte blanche access. The change to a Zero Trust mindset is a paradigm shift that can often cause angst in many environments. Some developers or data owners are anxious that the limitations provided in a Zero Trust environment will impact innovation. When done right, it enhances innovation and pushes security to the edge. 

Brooke: Compromised passwords are the number one way in for attackers. What should organizations do to address this?

Alissa: The easiest solution for me to recommend is a passwordless environment, but to be honest, no solution is attack-proof on its own. We have heard attacks that include multifactor authentication fatigue and those where the adversary is paying employees to provide multifactor authentication approvals to compromised accounts. The best step for most environments is to move to passwordless, but the work does not stop there. A security-aware culture will be an additional line of defense.  

Brooke: President Biden’s 2021 Executive Order on Cybersecurity mandated a Zero Trust approach for all government agencies. What can private organizations learn from the Executive Order?

Alissa: The Executive Order really formalized the work that organizations in both the public and private sectors were doing together through strong partnerships and a collaborative working relationship. We have had many conversations around Zero Trust and its implementation together and separately. We can continue with the good foundation started and expand the learnings between the different environments. 

Brooke: Microsoft recently released multicloud Microsoft Entra Permissions Management, based on the Cloud Knox acquisition, within the Microsoft Entra product family, which also includes Microsoft Azure Active Directory and Microsoft Entra Verified ID. Why is permissions management important as part of a strong identity strategy?

Alissa: Let us start with two assumptions: 

First, a lot of the future will be based on identities. If you start to decouple identity information from the data, the data becomes less relevant. Second, the future relies heavily on cloud-based architectures. These are not absolutes but are statements that describe the future as we know it today. 

If we take both of those as great starting points, then you easily move into the need to manage entitlements and permissions in the cloud environments. We cannot be myopic in our view of identities. Just as we seamlessly want to manage user identities, those entitlements in the cloud are equally important and we should not have to chase down entitlements in every cloud platform. An integrated model helps with visibility, automation, and policy management.

Brooke: What basic elements of security should organizations expect to be built into any cloud platform for a strong security foundation? 

Alissa: Cloud platforms have many security elements ready to customize that will provide the level of security that you need for your data. Some examples that I can think of are data encryption, intrusion detection with event logging, and application security protections, just to name a few.  

It is important to think of security protections in layers—data, application, and infrastructure. Cloud platforms have options that allow you to protect each layer and negotiate the level of security for your situation with the cloud service provider.

Brooke: What are three things an organization should absolutely make sure they have implemented for a strong digital identity framework? 

Alissa: First, a strong digital identity framework should include many layers, but those layers cannot be seen as complexities. The layers should help provide clarity on the security state of digital identities within an environment. 

Second, solutions have to be adopted and executed in a timely way so that the biggest benefit is reached. Solutions like multifactor authentication and passwordless not only enhance your digital identity framework but also enhance your user experience. 

Third, the identity framework needs to be comprehensive. There are so many different types of identities, and the framework needs to include the management and security of all identities—including employee, machine, service, and cloud. If you miss including one area, you could potentially open that area up to the adversary. 


A multidimensional approach to journalism security http://approjects.co.za/?big=en-us/security/blog/2022/08/23/a-multidimensional-approach-to-journalism-security/ Tue, 23 Aug 2022 16:00:00 +0000 Former New York Times Senior Director of Information Security Runa Sandvik shares strategies to help protect journalists and media organizations.

The post A multidimensional approach to journalism security appeared first on Microsoft Security Blog.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Runa Sandvik, Former Senior Director of Information Security at The New York Times and member of CISA’s Technical Advisory Council. She recently was interviewed about her new startup, Granitt, in TechCrunch.1 The thoughts below reflect Runa’s views, not the views of Microsoft, and are not legal advice. In this blog post, Runa talks about security for journalists and media organizations.

Brooke: How did you get into cybersecurity?

Runa: I got my first computer when I was 15. I studied for a bachelor’s in computer science at a university in Norway, where I’m from. One thing I really enjoy about this industry is that within computer science and cybersecurity, there are so many different challenges to take on. There are so many problems that you can work on and so many things to be curious about and I’ve always really loved that.

During the summer of 2009, before the last year of my bachelor’s, I worked for the Tor Project as part of Google Summer of Code. Once that internship wrapped up, I stayed on with the Tor project and I volunteered to continue maintaining my project. Over time, Tor offered me a part-time contract and later, a full-time contract.

A lot of the work that I do today has been shaped by the four years that I spent working with the Tor project. When I first heard about Tor, I thought it was cool that you could be anonymous online by using a piece of technology. I didn’t consider who’s using it or for what reason. But over the four years with Tor, I got to meet not only other people working in the same space but also people around the world who told me about their experiences with the tool and what it enabled them to do, which was a hugely positive experience for me.

Brooke: What excites you the most about protecting journalists?

Runa: Around 2011, four projects got funding to train reporters on how to use the Tor browser and I ended up leading that project. We were building out a curriculum and we felt very quickly that it was not super helpful to teach someone how to use a Tor browser to be safe online if they’re not also familiar with general security best practices, like passwords and two-factor authentication and the importance of software updates. So, we built a curriculum around that. I later took that experience with me to the Freedom of the Press Foundation and The New York Times.

The work that I’ve done with journalists was something that I stumbled into, but looking at it now, I think investigative journalism has a lot of the same themes as security research. It has the same puzzles, same challenges, and the same digging that gets me really curious and really interested. It also has this incredibly important mission behind it.

Brooke: What do you do to protect journalists and at-risk groups or organizations?

Runa: For an individual to work safely or securely, I consider digital security, physical security, emotional safety, and legal issues. Journalism security really needs to encompass all four buckets, so some of the work that I do has been one-on-one discussions with reporters who want everyday security guidance, and I help them figure out what they can do to improve. They are usually preparing for a specific investigative project or preparing for a trip to an at-risk area.

I have worked closely with groups of people at media organizations that are a mix of reporters, IT, security, and legal to produce a security plan based on the challenges they face and the kind of support the newsroom needs. Years ago, if you were a big enterprise like The New York Times, Washington Post, Microsoft, or Google, there were a lot of big, complex cybersecurity frameworks to help you get a baseline and the steps to take to improve moving forward.

If you’re an individual looking to improve your security, there are guides from the Electronic Frontier Foundation and the Freedom of the Press Foundation giving you information like “here’s how you use a password manager” and “here’s how you set up two-factor authentication,” but Ford Foundation fellow, Matt Mitchell, found that if you’re a small organization or small team, there’s not a good option available. He put together a committee to develop the Ford Foundation Cybersecurity Assessment Tool, which is designed for smaller organizations. It is a really effective way to figure out where I am today and where the focus should be on the next year or two.

Brooke: What are the biggest threats you’ve seen in your line of work?

Runa: If we are talking about security issues that a journalist as an individual might face, we could talk about online account takeover and phishing scams. I recently gave a talk at Paranoia in Oslo about how the media gets hacked and the root cause behind all these issues. If we are talking about the organization that the journalist works for, it comes down to a lack of two-factor authentication, credential stuffing, poor passwords, phishing, and outdated systems.

Over the years, my work has focused on the individual, but 10 years ago, Tor was clunky and complex. We had VPNs. We had tools to fully encrypt the drive in your laptop, but they were clunky to use. There was a long text of steps to get it all up and running. People needed a lot of help to use it. These days, we have all the tools and they’re either free or not super expensive. What is missing now is that buy-in from leadership to create the processes and the workflows to ensure that the newsrooms have all these tools provided to them. Currently, it is more of a building-the-bridges type of challenge. I don’t think we are necessarily missing any tools. We just need to figure out how to piece it together.

Brooke: What are the biggest security challenges for journalists?

Runa: A journalist is a journalist all day, every day. That is not just a job, it is an identity. They are journalists, whether they are in a movie theater with a personal phone or at work with their company laptop. Regardless of the device they are using, the time of day, and location in the world, they are still journalists, and they are going to report if there is something to report on. In a corporate context, historically, we have been focused on securing corporate accounts, corporate systems, and corporate devices, but for roles like journalism and other activist groups, that starts to break down a bit. I think there needs to be a greater conversation around how we go about securing identities as opposed to just the 9-to-5 corporate bits and bobs.

Another big challenge is building sufficient support on the business side of the company to be able to provide adequate support to the newsroom. Reporters who I have talked to are not questioning that they need to be more secure and that they need processes or tools. Once that is provided, they are very willing to try things. You just need to build that bridge and help the business side understand the challenges in the newsroom and the potential challenges that presents for the business, whether from a physical, digital, or legal standpoint, and then produce ways to address that.

Supporting the work that the newsroom is doing means developing products, developing the content management system (CMS), getting stories out, producing new ways to report, retaining subscribers, and funding reporters who go out on investigative trips. All of these things are incredibly important and sometimes more important than security. The challenge is where do I spend my resources knowing that everything is so strapped?

There are a lot of diverse ways that you could improve security at your organization and even if you do not have the resources currently for the best and biggest and greatest product, there are still small things that you can do. It is a matter of figuring out how to focus on this one thing you do have to focus on, even if it’s just one person, two people, or a small team. At this point, not focusing on cybersecurity is not an option.


1. Runa Sandvik’s new startup Granitt secures at-risk people from hackers and nation states, Zack Whittaker, TechCrunch, July 15, 2022.
