Security operations Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/security-operations/
Expert coverage of cybersecurity topics
Tue, 19 Nov 2024 13:49:38 +0000

AI innovations for a more secure future unveiled at Microsoft Ignite
http://approjects.co.za/?big=en-us/security/blog/2024/11/19/ai-innovations-for-a-more-secure-future-unveiled-at-microsoft-ignite/
Tue, 19 Nov 2024 13:30:00 +0000

Company delivers advances in AI and posture management, unprecedented bug bounty program, and updates on its Secure Future Initiative.

The post AI innovations for a more secure future unveiled at Microsoft Ignite appeared first on Microsoft Security Blog.

In today’s rapidly changing cyberthreat landscape, influenced by global events and AI advancements, security must be top of mind. Over the past three years, password cyberattacks have surged from 579 to more than 7,000 per second, nearly doubling in the last year alone.¹ New cyberattack methods challenge our security posture, pushing us to reimagine how the global security community defends organizations.  

At Microsoft, we remain steadfast in our commitment to security, which continues to be our top priority. Through our Secure Future Initiative (SFI), we’ve dedicated the equivalent of 34,000 full-time engineers to the effort, making it the largest cybersecurity engineering project in history—driving continuous improvement in our cyber resilience. In our latest update, we share insights into the work we are doing in culture, governance, and cybernorms to promote transparency and better support our customers in this new era of security. For each engineering pillar, we provide details on steps taken to reduce risk and provide guidance so customers can do the same.

Insights gained from SFI help us continue to harden our security posture and product development. At Microsoft Ignite 2024, we are pleased to unveil new security solutions, an industry-leading bug bounty program, and innovations in our AI platform. 

Transforming security with graph-based posture management 

Microsoft’s Security Fellow and Deputy Chief Information Security Officer (CISO) John Lambert says, “Defenders think in lists, cyberattackers think in graphs. As long as this is true, attackers win,” referring to cyberattackers’ relentless focus on the relationships between things like identities, files, and devices. Exploiting these relationships helps criminals and spies do more extensive damage beyond the point of intrusion. Poor visibility and understanding of relationships and pathways between entities can limit traditional security solutions to defending in silos, unable to detect or disrupt advanced persistent threats (APTs).

We are excited to announce the general availability of Microsoft Security Exposure Management. This innovative solution dynamically maps changing relationships between critical assets such as devices, data, identities, and other connections. Powered by our security graph, and now with third-party connectors for Rapid7, ServiceNow, Qualys, and Tenable in preview, Exposure Management provides customers with a comprehensive, dynamic view of their IT assets and potential cyberattack paths. This empowers security teams to be more proactive with an end-to-end exposure management solution. In the constantly evolving cyberthreat landscape, defenders need tools that can quickly identify signal from noise and help prioritize critical tasks.

Beyond seeing potential cyberattack paths, Exposure Management also helps security and IT teams measure the effectiveness of their cyber hygiene and security initiatives such as zero trust, cloud security, and more. Currently, customers are using Exposure Management in more than 70,000 cloud tenants to proactively protect critical entities and measure their cybersecurity effectiveness.

Announcing $4 million AI and cloud security bug bounty “Zero Day Quest” 

Born out of our Secure Future Initiative commitments and our belief that security is a team sport, we also announced Zero Day Quest, the industry’s largest public security research event. We have a long history of partnering across the industry to mitigate potential issues before they impact our customers, which also helps us build more secure products by default and by design.  

Every year our bug bounty program pays millions for high-quality security research with over $16 million awarded last year. Zero Day Quest will build on this work with an additional $4 million in potential rewards focused on cloud and AI, which are areas of highest impact to our customers. We are also committed to collaborating with the security community by providing access to our engineers and AI red teams. The quest starts now and will culminate in an in-person hacking event in 2025.

As part of our ongoing commitment to transparency, we will share the details of the critical bugs once they are fixed so the whole industry can learn from them—after all, security is a team sport. 

New advances for securing AI and new skills for Security Copilot 

AI adoption is rapidly outpacing many other technologies in the digital era. Our generative AI solution, Microsoft Security Copilot, continues to be adopted by security teams to boost productivity and effectiveness. Organizations in every industry, including National Australia Bank, Intesa Sanpaolo, Oregon State University, and Eastman are able to perform security tasks faster and more accurately.² A recent study found that three months after adopting Security Copilot, organizations saw a 30% reduction in their mean time to resolve security incidents. More than 100 partners have integrated with Security Copilot to enrich the insights with ecosystem data. New Copilot skills are now available for IT admins in Microsoft Entra and Microsoft Intune, data security and compliance teams in Microsoft Purview, and security operations teams in the Microsoft Defender product family.   

According to our Security for AI team’s new “Accelerate AI transformation with strong security” white paper, we found that over 95% of organizations surveyed are either already using or developing generative AI, or they plan to do so in the future, with two thirds (66%) choosing to develop multiple AI apps of their own. This fast-paced adoption has led to 37 new AI-related bills passed into law worldwide in 2023, reflecting a growing international effort to address the security, safety, compliance, and transparency challenges posed by AI technologies.³ This underscores the criticality of securing and governing the data that fuels AI. Through Microsoft Defender, our customers have discovered and secured more than 750,000 generative AI app instances and Microsoft Purview has audited more than a billion Copilot interactions.⁴  

Microsoft Purview is already helping thousands of organizations, such as Cummins, KPMG, and Auburn University, with their AI transformation by providing data security and compliance capabilities across Microsoft and third-party applications. Now, we’re announcing new capabilities in Microsoft Purview to discover, protect, and govern data in generative AI applications. Available for preview, new capabilities in Purview include Data Loss Prevention (DLP) for Microsoft 365 Copilot, prevention of data oversharing in AI apps, and detection of risky AI use such as malicious intent, prompt injections, and misuse of protected materials. Additionally, Microsoft Purview now includes Data Security Posture Management (DSPM) that gives customers a single pane of glass to proactively discover data risks, such as sensitive data in user prompts, and receive recommended actions and insights for quick responses during incidents. For more details, read the blog on Tech Community.

Microsoft continues to innovate on our end-to-end security platform to help defenders make the complex simpler, while staying ahead of cyberthreats and enabling their AI transformation. At the same time, we are continuously improving the safety and security of our cloud services and other technologies, including these recent steps to make Windows 11 more secure.

Next steps with Microsoft Security

From the advances announced to our daily defense of customers, and the steadfast dedication of Chief Executive Officer (CEO) Satya Nadella and every employee, security remains our top priority at Microsoft as we deliver on our principles of secure by design, secure by default, and secure operations. To learn more about our vision for the future of security, tune in to the Microsoft Ignite keynote. 


Are you a regular user of Microsoft Security products? Review your experience on Gartner Peer Insights™ and get a $25 gift card. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


¹ Microsoft Digital Defense Report 2024.

² Microsoft customer stories:

³ How countries around the world are trying to regulate artificial intelligence, Theara Coleman, The Week US. July 4, 2023.

⁴ Earnings Release FY25 Q1, Microsoft. October 30, 2024.

DoD Zero Trust Strategy proves security benchmark years ahead of schedule with Microsoft collaboration
http://approjects.co.za/?big=en-us/security/blog/2024/11/11/dod-zero-trust-strategy-proves-security-benchmark-years-ahead-of-schedule-with-microsoft-collaboration/
Mon, 11 Nov 2024 17:00:00 +0000

The Navy implementation scored a 100 percent success rate, meeting DoD requirements on all 91 Target-Level activities tested.

The post DoD Zero Trust Strategy proves security benchmark years ahead of schedule with Microsoft collaboration appeared first on Microsoft Security Blog.

In 2022, the United States Department of Defense (DoD) released its formal Zero Trust (ZT) Strategy with the goal of achieving enterprise-wide Target Level ZT implementation by September 30, 2027. A pioneer among these departments is the United States Navy, which recently launched Flank Speed—a large-scale zero trust deployment that aims to protect more than 560,000 identities and devices while improving the overall user experience.  

As part of the department’s ongoing assessments of zero trust implementation, Flank Speed just underwent its second round of security assessments sponsored by the DoD Zero Trust Portfolio Management Office (PfMO)—with tremendous results. Just two years after the initial DoD guidance was issued, the United States Navy demonstrated that their integrated approach to security could achieve the department’s ZT goals, years ahead of schedule. The model developed by the Navy in collaboration with Microsoft can be replicated to help both civilian and defense agencies to similarly accelerate their own zero trust goals. 


During the exhaustive test, the comprehensive, integrated suite of Microsoft Security tools enabled Navy personnel to meet Target Level zero trust implementation, achieving 100% success in the 91 Target Level activities tested. Further testing of 61 Advanced Level zero trust activities determined the Navy had achieved success in nearly all (60 of 61) advanced Target Level activities.

The DoD expanded beyond traditional penetration testing to thoroughly evaluate all 152 zero trust activities. Prior to the month-long test, military personnel were trained on the effective operation of the comprehensive zero trust solution over the course of six months. This training allowed Navy personnel to detect and mitigate all attack vectors presented to them by the near-peer adversary assessment team.  

“Flank Speed’s unprecedented ability to achieve the very highest level of DoD ZT outcomes demonstrate to us that the department and the federal government that ZT cyber defenses work very effectively to protect and defend our data and systems against the very latest cyber-attacks from our adversaries.”

—Mr. Randy Resnick, Senior Executive Service, Chief ZT Officer for the DoD 

Components of success 

Flank Speed is a large-scale deployment born out of the need to securely facilitate remote workers at the onset of the COVID-19 pandemic and built on the Navy’s unclassified combined Azure and Microsoft 365 Impact Level 5 (IL5) cloud. To achieve a secure operating environment, the Navy aligned its security approach around the DoD’s seven zero trust pillars, each of which represents its own protection area:

  • Users 
  • Devices
  • Applications and workloads
  • Data
  • Networks
  • Automation and orchestration
  • Visibility and analytics

As outlined in the diagram below, the Microsoft 365 E5 package combines best-in-class productivity solutions with comprehensive security technologies that can address all seven pillars of the DoD Zero Trust Strategy.  

This comprehensive and extensible zero trust platform supports a range of environments including hybrid cloud, multicloud, and multiplatform needs. It brings pre-integrated extended detection and response (XDR) services, coupled with cloud-based device management and cloud-based identity and access management to meet the security priorities necessary for all defense and civilian organizations. The specific technologies and implementation strategies that support each pillar are outlined in this blog post. Microsoft has also published a higher-level Security Adoption Framework (SAF) that provides guidance to organizations as they navigate the ever-changing security landscape. 

A partner agencies can trust 

Implementation of a zero trust solution from scratch can be a daunting task. A successful deployment requires the integration of properly configured technologies across numerous product categories. No single product can effectively achieve zero trust goals alone, but selecting a set of integrated capabilities whether first or third party can provide significant acceleration. In order to be effective in the long term, a zero trust implementation must also be flexible enough to adapt quickly to new adversary tactics. Following the White House Executive Order to improve the nation’s cybersecurity and protect federal government networks, Microsoft offered technical expertise that helped architect and deploy technologies aligned to the DoD ZT strategy, including continuous monitoring, big data analysis, and comply-to-connect components. 

The success of Flank Speed is a critical demonstration of this collaborative approach to implementation. That a complex and critical environment such as that belonging to the Navy fully met not only its Target Level zero trust activities, but nearly all of the Advanced Level criteria more than three years before the DoD’s 2027 deadline with a repeatable solution, is a testament that zero trust can be implemented effectively at scale across the government.  

Importantly, though Flank Speed itself is cloud-native, it has been deployed to extend its usability and security capabilities to both cloud-only and existing on-premises workloads and devices, both ashore and afloat. This gave the Navy a rapid path to increased security that was independent of any effort to modernize or sunset existing legacy assets. Along with the proven security achievements, this capacity to extend zero trust security to existing infrastructure could have wide-ranging benefits for organizations pursuing similar cybersecurity goals of a homogeneous security baseline across heterogeneous environments. 

A commitment to security and innovation 

Microsoft’s support in helping the United States Department of Defense and its branches achieve zero trust implementation also helps inform Microsoft’s own Secure Future Initiative, which aims to continuously apply the company’s cumulative security learnings in an effort to improve its own methods and practices, and to ensure that security is kept paramount in everything Microsoft creates and provides to its customers. Independent learnings gleaned as part of the Secure Future Initiative, in return, help Microsoft refine its approach in support of government organizations and a vast ecosystem of security partners. In this way Microsoft can work to ensure that zero trust environments supported by Microsoft 365 and Azure stay up to date, even as cyber threat actors change and mature their tactics and tools. This continuous collaboration advances the broader effort to secure and support the United States national security and the security posture of democratic organizations the world over.  

Microsoft commends the United States Navy for their milestone achievement. The United States Navy and the United States Department of Defense are proving that zero trust goes beyond compliance standards and has become a proven security methodology with real world results.  

Next steps

To learn more about how to accelerate your Zero Trust implementation with best practices, the latest trends, and a framework informed by real-world deployments, visit our latest guidance.

Zero Trust Workshop: Advance your knowledge with an online resource
http://approjects.co.za/?big=en-us/security/blog/2024/11/06/zero-trust-workshop-advance-your-knowledge-with-an-online-resource/
Wed, 06 Nov 2024 17:00:00 +0000

As part of Microsoft’s ongoing efforts to support security modernization and the Zero Trust principles, we’ve launched Zero Trust Workshop, an online self-service resource. Read our latest blog post for details.

The post ​​Zero Trust Workshop: Advance your knowledge with an online resource appeared first on Microsoft Security Blog.

Microsoft is on the front lines helping secure customers worldwide—analyzing and responding to cybersecurity threats, building security technologies,  and partnering with organizations to effectively deploy these technologies for increased security. Many of you have been following as we’ve described our Secure Future Initiative, which is pushing the Zero Trust principles verify explicitly, least privilege and assume breach into the programmatic approach of Secure by Design, Secure by Default, and Secure Operations across Microsoft consistently, durably and at scale. In the Microsoft Security division, we are also focused on helping our customers deploy our suite of security products to protect themselves from cyber threats. We know that most of our customers are embarking on a Zero Trust journey, but many struggle with the enormity of the opportunity: where to start, what to do next, and how to measure progress. 

We are announcing a resource to help our customers answer these questions: The Microsoft Zero Trust Workshop, a self-service tool to help you plan and execute your Zero Trust journey on your own or with the guidance of a partner.

The Zero Trust Workshop lets you customize your organization’s end-to-end security deployment to your unique business needs and your environment with a powerful tool that: provides a comprehensive assessment of zero trust capabilities learned from hundreds of deployments; guides you with a visual easy-to-use tool that explains each step of the journey; and delivers a digital artifact that you and your team can use to plan and prioritize your next steps and to compare and measure progress regularly. 


How our workshop helps customers and partners solidify their Zero Trust strategy 

Over the past year, we have piloted this workshop with more than 30 customers and partners. They have consistently told us that this provides them with the clarity, coverage, and actionable guidance they need to secure their organization within each Zero Trust pillar and across the pillars. When asked how likely they are to recommend the workshop to their partner teams or to other customers, customers give the workshop a net promoter score of 73.

The layout and question structure is fantastic as it provokes a fair amount of thought around adding each of the capabilities to take a multi-faceted approach to authentication and authorization.

—Senior vice president at a major financial institution

Security is a team sport, and we recognize that customers often need security partners to help them plan and execute their security strategy. This is why we partnered with several deployment partners across the pillars of Zero Trust to get their feedback on the workshop and how they would use it to help their customers.

The Zero Trust Workshop is a great starting point for our customers who want to embrace Zero Trust principles, but don’t know how to align the technology they already own. Furthermore, the workshop allows our customers to measure the progress they’ve made and aim for the next incremental hardening of the Zero Trust model, which is part and parcel of the Zero Trust manner of thinking. As a Microsoft partner and as an MVP, I advocate that customers use the materials provided by Microsoft, including these workshops, to measure and further their security posture.

Nicolas Blank, NBConsult

[The Zero Trust workshop] has enabled Slalom to help clients accelerate their efforts towards a comprehensive cyber resilience strategy. It provides a clear picture of an organization’s current state and provides a template for order of operations and best practices in a very tidy package. It’s an easy-to-use tool with a huge impact, and our clients and workshop participants have been very impressed by how it organizes and prioritizes a complex set of operations in an approachable and manageable way.

Slalom

How to start using the workshop to plan your Zero Trust journey

The Zero Trust Workshop is comprised of two main components, all in one handy file you can download and use to drive these conversations: 

  • The Zero Trust Basic Assessment (optional): For customers starting on their Zero Trust journey, the assessment is a foundational tool that customers can run before the workshop to check for common misconfigurations and gaps in settings (for example, having too many global admins) to remediate before starting to enable the security features and capabilities of a Zero Trust journey.  
  • The Zero Trust Strategy workshop: This is a guided breakdown of the Zero Trust areas according to the standard Zero Trust pillars (Identity, Devices, Data, Network, Infrastructure and Application, and Security Operations). For each pillar, we walk you through the associated areas with a proposed “do this first, consider this then, think about this next” order to how you should tackle them. For each area and capability, you get guidance on why it matters and options to address it; you can then discuss it with your stakeholders and decide whether this is something you already did, something you are going to do, or something you do not plan to implement at this time. As you progress through the different boxes and areas, you create an artifact for your organization showing how well-deployed you are in this Zero Trust pillar and which areas to tackle next.

Now, we are launching the Identity, Devices, and Data pillars. We will add the Network, Infrastructure and Application, and Security Operations in the coming few months. The website for the workshop will announce these as they become available.

I invite you to check out the Zero Trust Workshop site where we have detailed training videos and content. 

For our valued security deployment partners, the workshop is also included in the recently launched Zero Trust Partner kit where, as a partner, you can take the workshop material and customize it for your customer engagements based on your needs. 

Closing thoughts

We all need to work together to help secure the world we live in and keep people safe with the intention of collective defense. As shared in the most recent Microsoft Digital Defense Report, the cyber threat landscape is ever-growing and requires a collaborative approach between product vendors, security experts, and customers to help protect everyone. In the spirit of working with the wider ecosystem to help secure all customers, we recently partnered with NIST’s NCCoE and more than 20 security vendors to publish a guide on how to adopt NIST’s Zero Trust reference architecture using Microsoft’s Security products. The workshop is another example of us working with all of you who are deploying security to help secure the ecosystem.

We would love to hear how you are using it. Use the feedback form on the site to share with us how we can improve it to help your organization implement a Zero Trust journey. 

Additional resources to accelerate your Zero Trust journey 

This joins a library of other resources to guide your security modernization and Zero Trust journey, including: 

Microsoft’s guidance to help mitigate Kerberoasting
http://approjects.co.za/?big=en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/
Fri, 11 Oct 2024 17:00:00 +0000

Kerberoasting, a well-known Active Directory (AD) attack vector, enables threat actors to steal credentials and navigate through devices and networks. Microsoft is sharing recommended actions administrators can take now to help prevent successful Kerberoasting cyberattacks.

The post Microsoft’s guidance to help mitigate Kerberoasting   appeared first on Microsoft Security Blog.

As cyberthreats continue to evolve, it’s essential for security professionals to stay informed about the latest attack vectors and defense mechanisms. Kerberoasting is a well-known Active Directory (AD) attack vector whose effectiveness is growing because of the use of GPUs to accelerate password cracking techniques. 

Because Kerberoasting enables cyberthreat actors to steal credentials and quickly navigate through devices and networks, it’s essential for administrators to take steps to reduce potential cyberattack surfaces. This blog explains Kerberoasting risks and provides recommended actions administrators can take now to help prevent successful Kerberoasting cyberattacks. 

What is Kerberoasting? 

Kerberoasting is a cyberattack that targets the Kerberos authentication protocol with the intent to steal AD credentials. The Kerberos protocol conveys user authentication state in a type of message called a service ticket which is encrypted using a key derived from an account password. Users with AD credentials can request tickets to any service account in AD.  

In a Kerberoasting cyberattack, a threat actor that has taken over an AD user account will request tickets to other accounts and then perform offline brute-force attacks to guess and steal account passwords. Once the cyberthreat actor has credentials to the service account, they potentially gain more privileges within the environment. 

AD only issues and encrypts service tickets for accounts that have Service Principal Names (SPNs) registered. An SPN signifies that an account is a service account, not a normal user account, and that it should be used to host or run services, such as SQL Server. Since Kerberoasting requires access to encrypted service tickets, it can only target accounts that have an SPN in AD. 

SPNs are not typically assigned to normal user accounts which means they are better protected against Kerberoasting. Services that run as AD machine accounts instead of as standalone service accounts are better protected against compromise using Kerberoasting. AD machine account credentials are long and randomly generated so they contain sufficient entropy to render brute-force cyberattacks impractical.  

The accounts most vulnerable to Kerberoasting are those with weak passwords and those that use weaker encryption algorithms, especially RC4. RC4 is more susceptible to the cyberattack because it uses no salt or iterated hash when converting a password to an encryption key, allowing the cyberthreat actor to guess more passwords quickly. However, other encryption algorithms are still vulnerable when weak passwords are used. While AD will not try to use RC4 by default, RC4 is currently enabled by default, meaning a cyberthreat actor can attempt to request tickets encrypted using RC4. RC4 will be deprecated, and we intend to disable it by default in a future update to Windows 11 24H2 and Windows Server 2025. 

What are the risks associated with Kerberoasting? 

Kerberoasting is a low-tech, high-impact attack. There are many open-source tools which can be used to query potential target accounts, get service tickets to those accounts, and then use brute force cracking techniques to obtain the account password offline. 

This type of password theft helps threat actors pose as legitimate service accounts and continue to move vertically and laterally through the network and machines. Kerberoasting typically targets high privilege accounts which can be used for a variety of attacks such as rapidly distributing malicious payloads like ransomware to other end user devices and services within a network.    

Accounts without SPNs, such as standard user or administrator accounts, are susceptible to similar brute-force password guessing attacks and the recommendations below can be applied to them as well to mitigate risks. 

How to detect Kerberoasting? 

Administrators can use the techniques described below to detect Kerberoasting cyberattacks in their network. 

  • Check for ticket requests with unusual Kerberos encryption types. Cyberthreat actors can downgrade Kerberos ticket encryption to RC4 since cracking it is significantly faster. Admins can check the events in the Microsoft Defender XDR and filter the results based on the ticket encryption type to check for weaker encryption type usage.  
  • Check for repeated service ticket requests. Check if a single user is requesting multiple service tickets for Kerberoasting-vulnerable accounts in a short time period.  
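Both checks above, run over constructed records modelled on Windows Security event 4769 (Kerberos service ticket requested); this is an added example, not code from Microsoft or from the original post. The pipe-delimited line format, the account names, the five-minute window, and the threshold of four distinct services are assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Kerberos encryption type numbers for RC4: 0x17 (RC4-HMAC), 0x18 (RC4-HMAC-EXP).
RC4_ETYPES = {0x17, 0x18}

# Constructed sample data (assumed format):
# time | requesting account | service name | ticket encryption type | source IP
SAMPLE_LOG = """\
2024-10-11T08:00:00|alice@CORP.EXAMPLE|svc-sql|0x12|10.0.0.21
2024-10-11T09:05:00|alice@CORP.EXAMPLE|svc-web|0x12|10.0.0.21
2024-10-11T09:10:00|carol@CORP.EXAMPLE|WEB01$|0x17|10.0.0.23
2024-10-11T09:30:00|bob@CORP.EXAMPLE|svc-sql|0x17|10.0.0.22
2024-10-11T09:30:20|bob@CORP.EXAMPLE|svc-web|0x17|10.0.0.22
2024-10-11T09:30:40|bob@CORP.EXAMPLE|svc-backup|0x17|10.0.0.22
2024-10-11T09:31:10|bob@CORP.EXAMPLE|svc-report|0x12|10.0.0.22
2024-10-11T09:40:00|dave@CORP.EXAMPLE|svc-sql|0x12|10.0.0.24
2024-10-11T09:40:05|dave@CORP.EXAMPLE|svc-sql|0x12|10.0.0.24
2024-10-11T09:40:10|dave@CORP.EXAMPLE|svc-sql|0x12|10.0.0.24
2024-10-11T09:40:15|dave@CORP.EXAMPLE|svc-sql|0x12|10.0.0.24
"""


@dataclass(frozen=True)
class TicketRequest:
    time: datetime
    requester: str
    service: str
    etype: int
    source_ip: str


def parse_log(text):
    """Parse the assumed pipe-delimited export into TicketRequest records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, requester, service, etype, ip = line.split("|")
        events.append(TicketRequest(datetime.fromisoformat(ts), requester,
                                    service, int(etype, 16), ip))
    return events


def is_roastable_target(service):
    """Machine accounts (trailing '$') and krbtgt have long random secrets,
    so tickets for them are excluded to cut noise."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_rc4_requests(events):
    """Check 1: service tickets issued with an RC4 encryption type."""
    return [e for e in events
            if e.etype in RC4_ETYPES and is_roastable_target(e.service)]


def find_ticket_bursts(events, window=timedelta(minutes=5), threshold=4):
    """Check 2: one account requesting tickets for many distinct service
    accounts inside a sliding time window. Returns {requester: [services]}."""
    by_requester = defaultdict(list)
    for e in events:
        if is_roastable_target(e.service):
            by_requester[e.requester].append(e)

    alerts = {}
    for requester, reqs in by_requester.items():
        recent = deque()
        for e in sorted(reqs, key=lambda r: r.time):
            recent.append(e)
            # Drop requests that fell out of the window ending at e.time.
            while e.time - recent[0].time > window:
                recent.popleft()
            services = {r.service for r in recent}
            # Keep the largest set seen for this requester.
            if (len(services) >= threshold
                    and len(services) > len(alerts.get(requester, ()))):
                alerts[requester] = sorted(services)
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in find_rc4_requests(events):
        print(f"RC4 ticket: {e.requester} -> {e.service} from {e.source_ip}")
    for requester, services in find_ticket_bursts(events).items():
        print(f"Burst: {requester} requested {len(services)} services: {services}")
```

Repeated requests for the same service (dave in the sample) do not count toward the burst threshold, because the check counts distinct target accounts rather than raw request volume.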

Recommendations to help prevent Kerberoasting from succeeding 

Microsoft recommends that IT administrators take the following steps to help harden their environments against Kerberoasting: 

  • Use Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA) wherever possible:  
    • These accounts are ideal for multi-server applications that require centralized credential management and enhanced security against credential-based attacks, such as IIS, SQL Server, or other Windows services running in a domain-joined environment. 
    • Group Managed Service Account (gMSA) is an Active Directory account type that allows multiple servers or services to use the same account with automatic password management and simplified SPN handling. Passwords for gMSAs are 120 characters long, complex, and randomly generated, making them highly resistant to brute-force cyberattacks using currently known methods.  
    • Delegated Managed Service Accounts (dMSA) are the newest iteration of managed service accounts available on Windows Server 2025. Like gMSAs, they restrict which machines can make use of the accounts and they provide the same password mitigations against Kerberoasting. However, unlike gMSAs, dMSAs have the added benefit of supporting seamless migration of standalone service accounts with passwords to the dMSA account type. They can also be optionally integrated with Credential Guard so that even if the server using dMSA is compromised, the service account credentials remain protected.
  • If customers cannot use gMSA or dMSA, then manually set randomly generated, long passwords for service accounts:  
    • Service account administrators should maintain at least a 14-character minimum password. If possible, we recommend setting even longer passwords and randomly generating them for service accounts which will provide better protection against Kerberoasting. This recommendation also applies to normal user accounts.  
    • Ban commonly used passwords and audit the passwords for service accounts so that there is an inventory of accounts with weak passwords and they can be remediated.

Conclusion 

Kerberoasting is a threat to Active Directory environments due to its ability to exploit weak passwords and gain unauthorized access to service accounts. By understanding how Kerberoasting works and implementing the recommended guidance shared in this blog, organizations can significantly reduce their exposure to Kerberoasting.  

We truly believe that security is a team effort. By partnering with Original Equipment Manufacturers (OEMs), app developers, and others in the ecosystem, along with helping people to be better at protecting themselves, we are delivering a Windows experience that is more secure by design and secure by default. The Windows Security Book is available to help you learn more about what makes it easy for users to stay secure with Windows.

Next steps with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


References  

Directory Hardening Series – Part 4 – Enforcing AES for Kerberos – Microsoft Community Hub 

Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning | Microsoft Security Blog 

Network security Configure encryption types allowed for Kerberos – Windows 10 | Microsoft Learn

Decrypting the Selection of Supported Kerberos Encryption Types – Microsoft Community Hub 

Delegated Managed Service Accounts FAQ | Microsoft Learn 

Cybersecurity Awareness Month: Securing our world—together http://approjects.co.za/?big=en-us/security/blog/2024/10/01/cybersecurity-awareness-month-securing-our-world-together/ Tue, 01 Oct 2024 16:00:00 +0000 To help our global cyberdefenders, Microsoft has put together the Be Cybersmart Kit, designed to educate everyone on best practices for going passwordless, not falling for sophisticated phishing or fraud, device protection, AI safety, and more.

The post Cybersecurity Awareness Month: Securing our world—together appeared first on Microsoft Security Blog.
As Cybersecurity Awareness Month marks its 21st year, it’s clear that this year stands out. Phishing emails have become more convincing, and fraud has increased, making cyberattackers seem legitimate—as if they were Microsoft support or even the fraud detection services from your bank.¹ And threat actors are taking advantage of the rise of AI, using it to enhance and fine-tune their strategies.

To add to the complexity, dedicated cybersecurity teams are currently resource constrained, especially compared to their cyberattackers. Globally, the cybersecurity workforce gap has widened this year, with four million roles left unfilled in 2023—a nearly 13% year-on-year increase.²

To help our global defenders, Microsoft has put together the Be Cybersmart Kit, designed to educate everyone on best practices for going passwordless, not falling for sophisticated phishing or fraud, device protection, AI safety, and more.

Empower everyone to be a cybersecurity champion

Help educate everyone in your organization with cybersecurity awareness resources and training curated by the security experts at Microsoft.

In partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) we have focused on four simple best practices:

  • Use strong passwords and consider a password manager. 
  • Turn on multifactor authentication.
  • Learn to recognize and report phishing.
  • Make sure to keep your software updated.

“Cybersecurity is not a one-time thing, but that doesn’t mean it has to be a hassle. Small changes in our technology habits can be easy, like using multifactor authentication or keeping your devices and software up to date. All the bad news about the latest data breaches can leave us feeling powerless, but adopting simple, repeatable behaviors goes a long way to protecting our families and businesses. It’s important to stay safe online because your data is worth protecting.”

—Lisa Plaggemier, Executive Director, NCA

The Be Cybersmart Kit goes further, providing information and infographics that cover six of the most universally important elements of cybersecurity. These areas of focus are AI Safety, Cybersecurity 101, Devices, Fraud, Phishing, and Passwords. For example, the AI Safety infographic delivers new guidance that focuses on the safe use of AI tools within your organization, including making sure you haven’t become overconfident in AI-generated content and search results and that you’re using the AI tools provisioned by your IT organization.

The Be Cybersmart Kit is a great starting point, and it’s just one of the many resources Microsoft has put together on its Cybersecurity Awareness site. Those seeking more in-depth resources can access expert-level learning paths, certifications, and technical documentation to continue their cybersecurity education. And for students pursuing the field of cybersecurity, the Microsoft Cybersecurity Scholarship Program and many more educational opportunities are here to help. The goal of all these programs is to help foster a security-first culture and continuous learning for students and professionals alike.

“CISA is excited to lead the federal government’s efforts to reduce online risk during this 21st Cybersecurity Awareness month and every month. We work with government and industry to raise cybersecurity awareness and help everyone, from individuals to businesses to all levels of government, stay safe online in our ever-connected world. Protecting ourselves online is about taking a few simple, everyday steps to keep our digital lives safe.”

—Jen Easterly, Director, CISA

The cyberthreats we face in the era of AI

AI-enhanced phishing threats and social engineering are on the rise. These threats are often highly targeted and present fewer of the tell-tale signs of their traditionally generated counterparts. In the FBI’s 2023 Internet Crime Report, the agency states that its Internet Crime Complaint Center fielded more than 800,000 cyber incident complaints. The FBI estimates the total losses associated with these incidents to be greater than USD10 billion.²

To better understand phishing-related risk factors in the era of AI, Microsoft has collaborated with Fortra to put together the Phishing Benchmark Global Report. The report found that 10.4% of phishing simulation participants clicked the email phishing link they were sent—a 3.4% increase over the previous year.³ Even more worrying, 60% of users who clicked on the email link also ultimately submitted their password to the phishing website.³ These attacks target tens of millions of users annually, and with AI-enhanced features they are more and more likely to evade traditional security layers like firewalls and email security measures. AI can also aid cyberattackers in setting up their phishing sites in locations that internet browsers and security providers are less capable of detecting as high-risk.

In the era of AI, we are all cyberdefenders. Despite this, 52% of employees still say their job has nothing to do with cybersecurity.³ This couldn’t be further from the truth. Employees are the first and last line of defense—and Microsoft recognized the importance of this when we created the Secure Future Initiative. Our Chief Executive Officer Satya Nadella has led the charge himself as Microsoft puts “security above all else, before all other features and investments.” This is why educating everyone on staying cybersafe is so important right now. Whether you point your employees to some of the resources linked in this article, highlight your own in-house resources, or bring in outside experts, it’s time to act now.

We all have a role to play as cyberdefenders both at work and home. Identity and device protection can help protect individuals and their families from malicious cyberthreats—and Microsoft is making it easier than ever to stay safer on unsecure Wi-Fi with the expansion of privacy protection. Consumers can get the added protection of a VPN on their phones and computers when on-the-go in places like coffee shops or airports. And now, device notifications alert users to unsafe Wi-Fi connections guiding them to turn on VPN for a safer connection.

For informed individuals looking to further broaden their understanding of the landscape, Microsoft invites you to join the Build a Security-First Culture in the Era of AI webinar on October 30, 2024. Let’s all do our part to secure our world—together.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


¹Bold action against fraud: Disrupting Storm-1152, Microsoft. August 7, 2024.

²Cybersecurity Workforce Study, ISC2.

³Phishing Benchmark Global Report, Fortra.

How comprehensive security simplifies the defense of your digital estate http://approjects.co.za/?big=en-us/security/blog/2024/09/18/how-comprehensive-security-simplifies-the-defense-of-your-digital-estate/ Wed, 18 Sep 2024 16:00:00 +0000 End-to-end security is a modern, comprehensive approach to data protection that aligns data protection and incident response across devices, systems, and users. Read the blog post to explore why it’s an attractive option for organizations committed to strengthening their cybersecurity.

The post How comprehensive security simplifies the defense of your digital estate appeared first on Microsoft Security Blog.
Cybersecurity jobs are more challenging than ever. It’s not just increased speed, scale, and sophistication of cyberattacks that make cybersecurity jobs harder: there are 250 new regulatory updates to be tracked every day,¹ cybersecurity teams have a disconnected collection of fragmented tools that they are expected to seamlessly stitch together and manage, and the cybersecurity workforce gap has reached a record high, with 4 million professionals needed to adequately secure organizations.² Still, security is the most important investment we can make, especially as AI reshapes the world.

In response, many leading organizations are re-evaluating their security strategy and moving away from a patchwork of disparate solutions in an effort to reduce costs, eliminate gaps, and improve security posture overall. They are adopting an end-to-end security approach, which is not an entirely new concept but rather an evolving vision of the technology, culture, and training necessary to tackle cybersecurity successfully. End-to-end security focuses on fully securing your entire digital estate pre- and post-breach, with management, mitigation, and assessment capabilities. For instance, Microsoft Security spans more than 50 categories within six product families, aligning seamlessly with our Secure Future Initiative efforts introduced in November 2023.

End-to-end security is a comprehensive and proactive approach to protecting your environment that is grounded in a Zero Trust security strategy. It’s about a cohesive user experience as much as it is about complete threat intelligence and a consistent data platform. All products work together effectively to address identity, devices, clouds, data, and network. It requires that you have a multitude of capabilities in place, from identity to data to threat protection to governance and compliance. It protects you from every angle, across security, compliance, identity, device management, and privacy. And you can accelerate the benefits of end-to-end security even further with generative AI.

Zero Trust security

Build a secure hybrid workforce and drive business agility with a Zero Trust approach to security.

Why an evolving landscape makes end-to-end security appealing

You can’t protect what you can’t see or understand. Many organizations are siloed rather than possessing a single vision for cybersecurity. And when these siloed areas of the organization—perhaps none are more siloed than IT and security teams—are not talking to each other, the integration of tools, people, and processes faces a major roadblock. With AI tools gaining popularity in the digital workplace, communication challenges are more apparent as organizations seek increased visibility and greater control of AI usage.

Another challenge is the enormous scale of data that needs analysis to produce threat intelligence and effective threat response. The volume can be overwhelming, and with a patchwork security strategy, even best-in-breed tools are less effective because they cannot contribute to a complete view of the data and offer no way to organize it.

To optimize for the evolving landscape, organizations are changing their security priorities.

Figure 1. A list of nine of the top security priorities organizations should implement in the face of the ever evolving cybersecurity landscape.

The desire for simplification and more effective security is motivating organizations to move to an end-to-end security approach because of its significant advantages. Microsoft customers tell us that juggling myriad security products is difficult to maintain and that they want to seize opportunities for AI and better manage risk.

ING, one of the biggest banks in Europe, is a great example of how an organization benefits from an end-to-end approach. ING consolidated a fragmented, complicated mix of security tools into an end-to-end security approach for better protection of their private, public, and multicloud environments. The firm is using the solution to protect the company and the 38 million customers it serves across 40 countries.

What are the advantages of an end-to-end security approach?

The end-to-end security approach consolidates all your cybersecurity tools, from data protection to incident response and everything in between, into one solution. According to IDC’s North American Tools and Vendors Consolidation Survey conducted in November and December 2023, approximately 86% of organizations are either actively consolidating or planning to consolidate their tools. And 50% of those planning a consolidation have almost 50 tools (20 vendors on average).³ By interconnecting different tools through APIs, you simplify the security of your organization and gain greater visibility over everything happening. Without that visibility, you lack the knowledge of what you need to protect and govern your data, as well as investigate when a breach occurs.

When combined with AI, end-to-end security overcomes challenges that can’t be solved by automation or code. That kind of agility is critical to address potential risks and successfully defend against modern cyberthreats, especially in confronting the scale at which breaches are occurring.

Plus, end-to-end security solves challenges in a way that allows for data gravity, which involves bringing applications and services to your data rather than the other way around. It’s useful in instances where the data is extremely large. Introducing data gravity enables new types of security scenarios to be built, sparking innovation in your security strategy. And end-to-end security paves the way for security assessments of your resources and other benefits of continuous posture management.

“By adopting multiple interoperable Microsoft security solutions, we have improved our preventative capabilities, our incident response times, and our scope for monitoring our environment,” said Glauco Sampaio, Chief Information Security Officer at Cielo. “It was surprisingly simple to enable real-time visibility across our environment. It’s been a leap in our security maturity level.”

Explore how adopting end-to-end security benefits you

Taking an end-to-end approach to security can pay major dividends, especially as you align to the Zero Trust framework. You will be able to determine which solutions to deploy and identify any gaps. An end-to-end approach will help you consolidate the number of tools and applications and use the ones that maximize your benefits. To explore how Microsoft Security with Microsoft Copilot for Security enables you to safeguard your people, data, and infrastructure, visit our webpage.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


¹Microsoft Execs: Partners ‘Critical’ To Achieving Responsible AI, Security, CRN. May 23, 2024.

²ISC2 Publishes 2023 Workforce Study, ISC2. October 31, 2023.

³North American Security Tools and Vendors Consolidation Study: Insights on Product Consolidation Plans, IDC. April 2024.

How Microsoft and NIST are collaborating to advance the Zero Trust Implementation http://approjects.co.za/?big=en-us/security/blog/2024/08/06/how-microsoft-and-nist-are-collaborating-to-advance-the-zero-trust-implementation/ Tue, 06 Aug 2024 20:00:00 +0000 Both Microsoft and the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) have translated the Zero Trust Architecture (ZTA) and Security Model into practical and actionable deployment. In this blog post, we explore details of their collaboration on a Zero Trust (ZT) implementation and what this learning pathway means for your organization.

The post How Microsoft and NIST are collaborating to advance the Zero Trust Implementation appeared first on Microsoft Security Blog.
We are announcing the release of the recently published Zero Trust practice guide in collaboration between Microsoft and the National Cybersecurity Center of Excellence (NCCoE). This guide details how to implement a Zero Trust strategy, and what an end-to-end security approach using Zero Trust means for you and your organization.

While the Zero Trust security model is continuing to gain momentum, customers regularly ask for guidance on how to deploy this model effectively using today’s available technology. Microsoft is participating in an ongoing collaboration led by the National Institute of Standards and Technology’s (NIST’s) NCCoE. Microsoft joined this effort to support this important mission and to help answer our customers’ need for references on Zero Trust implementations.

Since 2022, the NCCoE has collaborated with 24 vendors, including Microsoft, on developing a practice guide with practical steps for organizations eager to implement cybersecurity reference designs for Zero Trust. Zero Trust principles include assuming compromise (assuming breach) to drive a holistic and practical security approach, verifying trust explicitly before granting access to assets, and limiting the blast radius by granting the least privilege necessary. The Zero Trust model describes a collaborative comprehensive approach for end-to-end security that is required to keep up with continuous changes in threats, technology, and business.

“The NCCoE strives to launch initiatives that directly benefit organizations facing modern cybersecurity challenges. The lessons learned from integrating various products and services contributed by collaborators like Microsoft is an invaluable contribution toward this effort.”

—Alper Kerman of NIST

Security isn’t easy—it’s always been an extremely complex and challenging discipline and Zero Trust is now transforming how many aspects of that discipline are done. While there is much more to do, we are encouraged by seeing customers make rapid progress on Zero Trust and getting meaningful benefits from it.

NIST: Implementing a Zero Trust Architecture

This guide from NIST shares practical guidance to implement Zero Trust from the NCCoE labs.

Microsoft and the NIST NCCoE: United in prioritizing Zero Trust model

Both Microsoft and the NCCoE have been strong advocates of the Zero Trust model for years. This diagram illustrates how Microsoft technology maps to the NIST Zero Trust model:

A diagram displaying Microsoft's Zero Trust capability mapping to the NIST Zero Trust Architecture.

NIST’s role in cybersecurity cannot be overstated. In addition to publishing security standards for decades, NIST’s collaborative hub, called the NCCoE, has brought clarity on how to design and implement Zero Trust by publishing how-to guides, practice guides, and business case examples.  

“The NCCoE is dedicated to helping organizations strengthen their cybersecurity. A major way we do this is by translating existing security standards into example implementation guidance, so organizations know exactly what they need to do to protect their most critical assets. By simplifying the process, we can get more organizations benefiting from Zero Trust principles.”

—Alper Kerman of NIST

The Microsoft and NIST NCCoE collaboration

Microsoft has participated for decades in NIST’s open and transparent process for standards development and in particular supported NIST NCCoE’s mission to develop practical, interoperable cybersecurity approaches that show how the components of Zero Trust architectures can securely mitigate risks and meet industry sectors’ compliance requirements. Microsoft has been impressed by NIST’s role serving as a credible and clear voice in the security industry. When we found out about this latest collaboration opportunity, we knew we wanted to play a part.

In October 2020, when the NCCoE sought industry partners to support the implementation of the Zero Trust architecture project, we jumped at the opportunity. The NCCoE’s Zero Trust architecture project is its largest to date with 24 participating organizations, seventeen different builds, and a rich set of practical documentation. The goal of this NCCoE project is to demonstrate several example zero trust architecture solutions—applied to a conventional, general-purpose enterprise IT infrastructure—that are designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture. The documents from this work effectively demonstrate how to practically implement Zero Trust principles using today’s technology.  

The project addresses several common scenarios you may face: 

  • An employee seeks access to corporate resources to complete their work.
  • An employee seeks access to internet resources from enterprise devices to complete tasks. 
  • A contractor tries to access corporate resources and internet resources. 
  • Servers within an enterprise are communicating with each other. 
  • An organization is collaborating with a business partner and wants to securely access specific resources. 
  • An organization wants to integrate monitoring and security information and event management (SIEM) systems with the policy engine for more precise trust scores.

As part of this effort, the NCCoE just announced the general availability of the Zero Trust Architecture 1800-35 practice guide in conjunction with the Zero Trust architecture project. The practice guide details a standards-based implementation of Zero Trust architecture. The guide offers a learning pathway to greater understanding of the Zero Trust security model, and includes practical use cases and various example implementations and associated documentation. It was developed to be simple, usable, and practical.

Collaboration brings learning and value

These resources help Microsoft customers support end-to-end integrations that lead to significant value over time. Our Zero Trust implementation with the NCCoE has already helped us evolve Microsoft technology and guidance for a successful Zero Trust product deployment and will continue to do so. 

What the future of Zero Trust will bring

Both Microsoft and NIST are investigating opportunities to leverage this foundational work to support other use case scenarios that will benefit from the ZT deployment model. Microsoft is excited by the government’s deep commitment to Zero Trust architecture and has been closely monitoring US Executive Order 14028 on Cybersecurity and the OMB Implementation Strategy.

Microsoft is continuously working to achieve an integrated set of offerings to enable customers to more easily and comprehensively address the security challenges they face. Microsoft is also continuously integrating lessons learned from cyberattacks on ourselves as well as on our customers into our guidance and technology. The growth of AI and its close relationship to Zero Trust make this transformation an even more critical effort—a network perimeter can’t secure your AI or your data.

Explore strategies for implementing Zero Trust

We know that adopting a Zero Trust approach is challenging as it requires a shift in mindset, strategy, and architecture as well as a lot of engineering work. We are encouraged by the positive progress and feedback from our customers on this journey, from industry analysts, and other sources. Microsoft is working to ease these challenges through NIST’s NCCoE Zero Trust Architecture consortium, with our Security Adoption Framework (SAF), The Open Group Zero Trust Standards, and other security guidance. 

Learn more

Learn more about Zero Trust.

You can follow Mark Simos on LinkedIn and explore Mark’s List of commonly shared cybersecurity resources.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


About the National Cybersecurity Center of Excellence

The NCCoE, a part of NIST, is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under CRADAs, including technology partners—from Fortune 50 market leaders to smaller companies specializing in information technology and operational technology security—the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions by using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to re-create the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Maryland. Information is available at https://www.nccoe.nist.gov.

Zero Trust in the Age of AI: Join our online event to learn how to strengthen your security posture http://approjects.co.za/?big=en-us/security/blog/2024/07/24/zero-trust-in-the-age-of-ai-join-our-online-event-to-learn-how-to-strengthen-your-security-posture/ Wed, 24 Jul 2024 16:00:00 +0000 Register for the “Zero Trust in the Age of AI” webcast to learn more about how our new capabilities in identity and network access and security operations make it easier to implement Zero Trust across your entire environment.

The post Zero Trust in the Age of AI: Join our online event to learn how to strengthen your security posture appeared first on Microsoft Security Blog.
Cybercrime never sleeps and the threat actors behind it never stop evolving their tactics—including using AI to automate cyberattacks, create deep fakes, and complete other nefarious tasks. According to Statista’s Market Insights, the estimated global cost of online criminal acts is expected to surge to $23.84 trillion by 2027, up from $8.44 trillion in 2022.¹ To counter the launch of cyberattacks at scale, organizations need a robust security strategy, especially given the global talent shortage and coordinated nation-state teams they’re faced with.

This is why a proactive and integrated Zero Trust approach is needed more than ever. A Zero Trust approach considers all activity as suspect, and relies on three foundational principles: verify explicitly, ensure least privilege access, and assume breach. It’s especially effective when an end-to-end security approach is applied to Zero Trust, protecting identities, endpoints, apps, infrastructure, networks, and data consistently across the entire organization’s environment. To learn more about how our new capabilities in identity and network access and security operations make it easier to implement Zero Trust across your entire environment, register for “Zero Trust in the Age of AI” and bring your questions to the livestream at 10:00 AM PT on July 31, 2024.

Microsoft is committed to security above all else² and dedicated to the principles of Zero Trust. We’ll continue to innovate new capabilities for our end-to-end security that combine effectively with these solid principles. We’ll explore the value of these new capabilities at our “Zero Trust in the Age of AI” spotlight at 10:00 AM PT on July 31, 2024. Led by Corporate Vice President of Microsoft Security Vasu Jakkal, the online event will include:

  • A keynote exploring why an end-to-end approach centered around a Zero Trust strategy is crucial in addressing future security challenges.
  • A demo of the latest product innovations, walking you through how a strong Zero Trust strategy can thwart a breach attempt at machine speed with Microsoft’s unified security operations platform, and how the new Microsoft Entra Suite helps protect every access point to any resource, from anywhere.
  • A panel discussion with Gary McLellan, Head of Engineering Frameworks and Core Mobile Apps at Virgin Money, and Carlos Rivera, Senior Analyst at Forrester, on practical ways to take your Zero Trust strategy to the next level.    

Simplifying Zero Trust implementation

With the recent general availability of the Microsoft Entra Suite and the Microsoft unified security operations platform, Microsoft is reaffirming our commitment to Zero Trust. We believe Forrester has acknowledged this commitment by naming Microsoft as a leader in the 2023 Zero Trust Platform Providers Wave™, recognizing our advocacy of Zero Trust in our products and supporting services as well as giving us the highest scores possible in the innovation and vision criteria.

The Microsoft Entra Suite is the industry’s most comprehensive Zero Trust user access solution for the workforce while our unified security operations platform offers unified threat protection and posture management. This combination of products simplifies the implementation of Zero Trust architecture.

For a technical deep dive on the new Microsoft Entra Suite, join us on August 14, 2024, for the Microsoft Entra Suite Tech Accelerator, part of an ongoing virtual program aimed at expanding attendees’ technical knowledge of Microsoft products and connecting them with industry peers.

We’re looking forward to seeing you at the “Zero Trust in the Age of AI” spotlight at 10 AM PT on July 31, 2024! Register today!

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


¹Cybercrime Expected To Skyrocket in Coming Years, Statista. February 22, 2024.

²Expanding Microsoft’s Secure Future Initiative (SFI), Charlie Bell. May 3, 2024.

The post Zero Trust in the Age of AI: Join our online event to learn how to strengthen your security posture appeared first on Microsoft Security Blog.

Connect with Microsoft Security at Black Hat USA 2024​​ http://approjects.co.za/?big=en-us/security/blog/2024/07/17/connect-with-microsoft-security-at-black-hat-usa-2024/ Wed, 17 Jul 2024 16:00:00 +0000 Join Microsoft Security leaders and other security professionals from around the world at Black Hat USA 2024 to learn the latest information on security in the age of AI, cybersecurity protection, threat intelligence insights, and more.​

The post Connect with Microsoft Security at Black Hat USA 2024​​ appeared first on Microsoft Security Blog.

Black Hat USA 2024 is packed with timely, relevant information for today’s security professionals. During the conference this August, we’ll share our deep expertise in AI-first end-to-end security and extensive threat intelligence research. Join us as we present our main stage speaker Ann Johnson, Corporate Vice President and Deputy Chief Information Security Officer (CISO) of Microsoft Security, as she shares threat intelligence insights and best practices from the Office of the CISO in her conversation with Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft Threat Intelligence Center (MSTIC).  

Also at Black Hat, our Microsoft AI Red Team will be onsite holding training sessions, briefings, and panel discussions. And today, we’re releasing a white paper to demonstrate the impact of red teaming in practice when incorporated in the AI development life cycle. The paper details our innovative “Break-Fix” approach to red teaming AI systems and our close collaboration with Microsoft’s Phi-3 team, which allowed us to reduce the harms by 75% in Microsoft’s state-of-the-art small language models.¹

As a proud sponsor of the inaugural AI Summit at Black Hat, we’re further investing in the community by sharing our learnings in both AI for Security and Securing AI. We’ll be participating in a panel discussion titled “Balancing Security and Innovation—Risks and Rewards in AI-Driven Cybersecurity,” where we’ll debate the trade-offs between innovation in AI and security risks and share strategies to foster innovation while maintaining robust security postures.  

There’s also a sponsored session titled “Moonstone Sleet: A Deep Dive into their TTPs,” presented by Greg Schloemer, Threat Intelligence Analyst at Microsoft, that takes a deep dive into cyber threat actors associated with the Democratic People’s Republic of Korea (DPRK), as well as educational and engaging theater sessions in our Microsoft booth #1240. With a ton of critical security content to catch—all detailed below—we hope you’ll make time to connect with us at Black Hat 2024. 

Plan your schedule with our standout sessions  

Join us for core Black Hat sessions, submitted for consideration by Microsoft subject matter experts and selected by the Black Hat content committee to be included in its main agenda.  

| DATE & TIME | SESSION TITLE | INFORMATION | SPEAKER(S) |
| --- | --- | --- | --- |
| Saturday, August 3, to Tuesday, August 6, 2024 | AI Red Teaming in Practice | Hands-on training on how to red team AI systems and strategies to find and fix failures in state-of-the-art AI systems. | Dr. Amanda Minnich, Senior Researcher, Microsoft; Gary Lopez, Researcher, Microsoft; Martin Pouliot, Researcher, Microsoft |
| Wednesday, August 7, 2024, 10:20 AM PT-11:00 AM PT | Breaching AWS Accounts Through Shared Resources | Presenting six critical vulnerabilities that we found in AWS, along with the stories and methodologies behind them. | Yakir Kadkoda, Lead Security Researcher, Aqua Security; Michael Katchinskiy, Security Researcher, Microsoft; Ofek Itach, Senior Security Researcher, Aqua Security |
| Wednesday, August 7, 2024, 12:40 PM PT-1:50 PM PT | Hacking generative AI with PyRIT | Understand the presence of security and safety risks within generative AI systems with PyRIT. | Raja Sekhar Rao Dheekonda, Senior Software Engineer, Microsoft |
| Wednesday, August 7, 2024, 3:20 PM PT | AI Safety and You: Perspectives on Evolving Risks and Impacts | Panel on the nuts and bolts of AI Safety and operationalizing it in practice. | Dr. Amanda Minnich, Senior Researcher, Microsoft; Nathan Hamiel, Senior Director of Research, Kudelski Security; Rumman Chowdhury; Mikel Rodriguez, Research Scientist, Google DeepMind |
| Wednesday, August 7, 2024, 1:30 PM PT-2:10 PM PT | Predict, Prioritize, Patch: How Microsoft Harnesses LLMs for Security Response | A crash course into leveraging Large Language Models (LLMs) to reduce the impact of tedious security response workflows. | Bill Demirkapi, Security Engineer, Microsoft Security Response Center |
| Wednesday, August 7, 2024, 3:20 PM PT-4:00 PM PT | Compromising Confidential Compute, One Bug at a Time | Review of methodology and the emulation tooling developed for security testing purposes, and how it influenced our understanding and review strategy. | Ben Hania, Senior Security Researcher, Microsoft; Maxime Villard, Security Researcher, Microsoft; Yair Netzer, Principal Security Researcher, Microsoft |
| Thursday, August 8, 2024, 10:20 AM PT-11:00 AM PT | OVPNX: 4 Zero-Days Leading to RCE, LPE and KCE (via BYOVD) Affecting Millions of OpenVPN Endpoints Across the Globe | Microsoft identified vulnerabilities in OpenVPN that attackers could chain and remotely exploit to gain control over endpoints. | Vladimir Tokarev, Senior Security Researcher, Microsoft |
| Thursday, August 8, 2024, 1:30 PM PT-2:10 PM PT | Locked Down but Not Out: Fighting the Hidden War in Your Bootloader | A deep dive into the systemic weaknesses which undermine the security of your boot environment. | Bill Demirkapi, Security Engineer, Microsoft Security Response Center |

Stop by our booth (1240) to connect with Microsoft security experts  

At Black Hat 2024, Microsoft Security is here with security leaders and resources that include:   

  • Threat researchers and security experts from Microsoft Security, here to connect with the community and share insights.  
  • Live demos of Microsoft Copilot for Security, informed by the 78 trillion signals Microsoft processes daily, to help security pros be up to 22% faster.²
  • Theater presentations of Microsoft’s unified security operations experience, which brings together extended detection and response (XDR) and security information and event management (SIEM), so you get full visibility into cyberthreats across your multicloud, multiplatform environment.  
  • Hands-on experience with Microsoft Security solutions to help you adopt AI safely.  

Connect with Microsoft leaders and representatives to learn about our AI-first end-to-end security for all. Additionally, you’ll be able to view multiple demonstrations on a wide range of topics including threat protection, securing AI, multicloud security, Copilot for Security, data security, and advanced identity. You’ll also be able to connect with our Microsoft Intelligent Security Association (MISA) partners during your visit—the top experts from across the cybersecurity industry with the shared goal of improving customer security worldwide. And if you have specific questions to ask, sign up for a one-on-one chat with Microsoft Security leaders. 

Partner presence at the Microsoft booth

At the Theater in the Microsoft booth, watch our series of presentations and panels featuring Microsoft Threat Intelligence Center (MSTIC) experts and Microsoft Researchers. Half of the sessions will be presented by the MSTIC Team. The Microsoft booth will also feature sessions from select partners from the Microsoft Intelligent Security Association (MISA). MISA is an ecosystem of leading security companies that have integrated their solutions with Microsoft Security technology with a goal of protecting our mutual customers from cybersecurity threats. Seven partners will showcase their solutions at our MISA demo station and five partners will be presenting their solutions in our mini-theater. We would love to see you there. Click here to view our full theater session schedule.


Reserve your spot at the Microsoft Security VIP Mixer  

The event will be co-hosted by Ann Johnson, Corporate Vice President and Deputy CISO of Microsoft Security, and Aarti Borkar, Vice President of Microsoft Security, Customer Success and Microsoft Incident Response. We are thrilled to have five MISA partners—Avertium, BlueVoyant, NCC Group, Trustwave, and Quorum Cyber—sponsoring our Microsoft Security VIP Mixer. The mixer is a great time to connect and network with fellow industry experts, and grab a copy of Security Mixology, a threat intelligence-themed cocktail and appetizer cookbook—you’ll be able to meet some of the contributors! Drinks and appetizers will be provided. Reserve your spot to join us at this exclusive event.


Don’t miss the AI Summit at Black Hat  

On Tuesday, August 6, 2024, from 11:10 AM PT to 11:50 AM PT, we’ll be part of a panel discussion titled “Balancing Security and Innovation—Risks and Rewards in AI-Driven Cybersecurity.” Microsoft is honored to be a VisionAIre sponsor for this event. Brandon Dixon, Partner Product Manager, Security AI Strategy, will debate the trade-offs between innovation in AI and security risks, share strategies to foster innovation while maintaining robust security, and more. Note: The AI Summit is a separate, one-day event featuring technical experts, industry leaders, and security tsars, designed to give attendees a comprehensive understanding of the potential risks, challenges, and opportunities associated with AI and cybersecurity.

Microsoft’s Most Valuable Researchers 

Security researchers are a critical part of the defender community, on the front lines of security response evolution, working to protect customers and the broader ecosystem. On Thursday, August 8, 2024, we’ll host our invite-only Microsoft Researcher Celebration. And on August 6, 2024, Microsoft Security Response Center (MSRC) will announce the annual top 100 Most Valuable Researchers (MVRs) who help protect our customers through surfacing and reporting security vulnerabilities under Coordinated Vulnerability Disclosure (CVD). Follow @msftsecresponse on X and Microsoft Security Response Center on LinkedIn for the MVR reveal. 

Secure your future with Microsoft global-scale threat intelligence  

In the hands of security professionals and teams, AI can deliver the greatest advantage to organizations of every size, across every industry, tipping the scales in favor of defenders. Microsoft is bringing together every part of the company in a collective mission to advance cybersecurity protection to help our customers and the security community. We offer four powerful advantages to drive security innovation: large-scale data and threat intelligence; the most complete end-to-end protection; industry leading, responsible AI; and the best tools to secure and govern the use of AI. Together we can propel innovation and create a safer world. We’re excited to share the latest product news and Microsoft Security innovations during Black Hat 2024 and we hope to see you there.  

For more threat intelligence guidance and insights from Microsoft security experts, visit Security Insider.


Sources:

¹Phi-3 Technical Report: A Highly Capable Language Model Locally on Your Phone, Microsoft. April 2024.

²Microsoft Copilot for Security is generally available on April 1, 2024, with new capabilities, Vasu Jakkal. March 13, 2024.

Working with a cybersecurity committee of the board http://approjects.co.za/?big=en-us/security/blog/2024/06/26/working-with-a-cybersecurity-committee-of-the-board/ Wed, 26 Jun 2024 16:00:00 +0000 Learn about the rise of cybersecurity committees and how the CISO and IT security team can work with them to produce the best result for the organization’s IT security and enable digital transformation.

The post Working with a cybersecurity committee of the board appeared first on Microsoft Security Blog.

I serve on the board of a publicly traded company. I fostered the creation of the board’s cybersecurity committee and I co-lead it. I’ve reflected on my work as a Global Black Belt, an advisor to chief information security officers (CISOs) and IT security and compliance teams, and studied best practices to set up a cybersecurity committee that best supports the company’s IT security posture. Part of this is fostering a productive relationship with our CISO, recognizing and communicating the great work of their team.

Tools like Microsoft Purview Compliance Manager, Microsoft Secure Score, and the regulatory compliance dashboard in Microsoft Defender for Cloud are great ways for an organization to benchmark and communicate its security and compliance posture.

This blog post will offer these learnings to CISOs and IT security teams to set their relationship with the cybersecurity committee of the board up for success.

The cybersecurity committee of the board

The United States Securities and Exchange Commission (SEC) adopted rules in July 2023¹ to expand the scope of its cybersecurity reporting requirements for publicly traded companies,² making the governance of IT security by the board of directors and the cybersecurity expertise of board members reportable to the marketplace.

Corporate governance benchmarks, including the Institutional Shareholder Services (ISS) ESG Governance QualityScore, widely used by analysts and for some executive compensation, are including IT security measurements in their scoring.³ Cybersecurity is recognized as requiring governance from the board of directors. Boards are changing to make this possible.

The IT security function was viewed as the province of technical specialists, to be given some increased investment for a more hostile security landscape and in response to high profile security incidents. Cybersecurity was not considered a focus area of the board like finance, audit, or executive compensation. This has changed. Boards are seating directors with IT security expertise and asking for more communication from the IT security team, usually through the CISO.

Mandate of the cybersecurity committee

The mandate of the cybersecurity committee includes learning about the organization’s IT security team. To optimize the relationship, the security team needs to understand how the board and the cybersecurity committee work as well.

The cybersecurity committee will have a mandate, vetted and granted by the board members and likely the chief executive officer (CEO). This mandate will be set out in a corporate document that describes the responsibilities of the committee, the content and frequency of their reports, and the type of information they are to review. The CISO should understand the mandate, and with it the scope of the committee, to know how to partner with them best and most efficiently. A proactive CISO can contribute to the formulation of the mandate, avoiding conflict and inefficiency, and setting the relationship up for success.

Beyond the mandate document, the board will likely have public-facing Rules of Procedure. This document sets out the mission, duties, and operations of the board. It will likely also have a section describing the various board committees, their operations, and responsibilities.

The committee will be focused on discharging these responsibilities in an auditable way.

Time on the agenda of board meetings is at a premium. A typical two-hour meeting agenda might include:

  • Approval of the last board meeting minutes.
  • Review of first half results.
  • Review of Environmental Social and Governance (ESG) report and ESG committee recommendations.
  • Approval of board members’ expenses.
  • Financial and business outlook.
  • Business plan update.
  • Review of next meeting dates.

Some of these are mandated by law, leaving little time for discretionary topics. There may be four or five such board meetings per year. The cybersecurity committee will have a slot on the agenda, as will other business.

A board may receive a briefing from the CISO on current state and plan once a year. The CISO may be called on to provide ad hoc input on risks, incidents, or other emerging topics.

A cybersecurity committee is a subgroup of the board. It is led by one or two directors that have a relatively high level of cybersecurity expertise. They should:

  • Understand the IT security function, policies, standards, current state, and plan.
  • Offer their opinion as to how the current state and plan aligns with the company’s risk management posture and business objectives.
  • Identify areas in current state and plan that need focus from the IT security function.
  • Communicate blockers and advocate for the security function with the board and executives.

The committee is accountable for reporting to the board on these items.

Working with the cybersecurity committee

The board and the CISO need to align on how they will work together. They need to agree on efficient ways to get the information and context the committee needs to achieve its mandate.

This is an opportunity for the CISO to leverage their existing reporting and documents to the extent possible. A CISO who is proactive and suggests a framework will be a good partner to the committee. This will reduce the level of effort for the security team going forward.

The role of the board and the committee is to act on behalf of the shareholders to manage risk—not to manage the IT security team, the plan, or be accountable for cybersecurity. That’s the CISO’s job.

Board members often serve on multiple boards and have high profile roles in other organizations. They need information that is on target, that they can consume quickly, and report with confidence to stakeholders. Effective communication includes:

Context

What does it mean to the business?

Cybersecurity risk and planning should be communicated in similar format to the financial and business risk that the board is used to managing.

Progress to plan should be shown in context. A security roadmap for a minimum of three years should be shared with progress and changes tracked over time.

The focus should be on a holistic IT security strategy and architecture spanning infrastructure, services, internal, vendors, on-premises, cloud, and culture.

Objective data

Recommendations from the IT security team should be presented together with objective information that supports them.

Key performance indicators (KPIs) should be agreed upon and visualized over time to expose trends. The committee should see that the right things are being monitored but not expect to drill down into every KPI.

Objective outputs that can show trends and be mapped to investments in security include Secure Score in Microsoft Defender. Secure Score monitors platform as a service (PaaS) and infrastructure as a service (IaaS) cloud, hybrid, and on-premises environments in Microsoft Azure, Amazon Web Services, and Google Cloud Platform.    

Microsoft Secure Score is a similar service focused on the improvement of security posture of a company’s Microsoft 365 software as a service (SaaS), including identity, devices, and applications.

The score, which is expressed as a percentage from 0 to 100, is shown with a list of recommendations that can be undertaken to meet security controls. These security controls should be considered for the security roadmap. As the controls are implemented, the Secure Score increases.

A company should focus not on driving Secure Score to 100 percent but on considering the recommendations in light of the company’s risk appetite and security roadmap. If the score is not rising as expected, the reason should be understood.

Similarly, Microsoft Purview Compliance Manager provides Compliance Score for Microsoft 365. For Azure customers, Microsoft provides the regulatory compliance dashboard in Microsoft Defender for Cloud, which also provides visibility into the compliance posture of non-Microsoft clouds. These solutions are vehicles to help customers objectively assess and communicate the company’s compliance posture with their most important regulatory standards.

The updated security roadmap, with progress indicated, should be presented to the committee, and the KPIs should broadly track with this progress, allowing an increased confidence in the organization’s security posture and trends.

Align with the mandate of the committee

Working with the cybersecurity committee and the board will involve communicating to a diverse group whose first expertise may not be information technology. We need to teach.

We also need to learn. The committee operates within its mandate. Servicing this mandate is the primary focus of the committee. It will come before other subjects we may want to discuss. Map these subjects to the committee’s mandate.

The board operates within its rules of procedure. We will be much more effective if we are familiar with these. If we map our asks and replies to the committee’s mandate, our communication will be well received and we’ll strengthen the partnership. If we understand the rules of procedure we can avoid ad hoc engagement and communicate our message effectively.

The mandate may indicate that a report from the committee is due to the board in advance of the Annual General Meeting. If we’ve agreed on the information needed to service the mandate, we can be proactive about providing this. We can anticipate questions and put challenges in context with what they mean to the business and what we’re doing to address them.

Confidentiality

Some of the materials provided to the cybersecurity committee will require confidentiality. They should be watermarked or encrypted per company policy. Board members are not employees, and they probably don’t have a company email address or access to the company network. The tools and procedures will need to take this into account.

The reporting of the cybersecurity committee to the board is also confidential. Beyond bad actors, the information may be taken out of context by analysts or those seeking to harm the company’s reputation. Security controls should be agreed with the CISO to ensure that the documents provided to and produced by the cybersecurity committee will be limited in distribution to the committee, company leadership and the office of the CISO.

Some board documents are shared with shareholders and made available to the public, such as minutes of the board meetings. Where input from the CISO or the cybersecurity committee for these documents is needed, it should be made sufficiently general so as not to expose the company to risk.

Get started with committee collaboration

The formation of a cybersecurity committee as part of a company’s board will mean more scrutiny of the IT security function. More time will be devoted to communicating and reporting.

The CISO and their team will get visibility with the board and can use this to advocate for the resources and cultural changes they need to protect the company. Productive, efficient interaction with the committee can build a partnership with the board, which protects and adds value for the company.

Learn more

Learn more about Microsoft Purview Compliance Manager.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on X at @MSFTSecurity for the latest news and updates on cybersecurity.


¹SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, SEC. July 26, 2023.

²SEC cyber risk management rule—a security and compliance opportunity, Steve Vandenberg. March 1, 2023.

³IT security: An opportunity to raise corporate governance scores, Steve Vandenberg. August 8, 2022.
