{"id":3597,"date":"2023-04-26T17:47:04","date_gmt":"2023-04-26T17:47:04","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/business\/security-insider\/?p=3597"},"modified":"2023-11-15T14:49:56","modified_gmt":"2023-11-15T14:49:56","slug":"ciso-insider-issue-3","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/business\/security-insider\/reports\/ciso-insider\/ciso-insider-issue-3\/","title":{"rendered":"CISO Insider: Issue 3"},"content":{"rendered":"
\n

Letter from Rob<\/h2>\n

Welcome to our third issue in the CISO Insider series. I\u2019m Rob Lefferts and I lead the Microsoft Defender and Sentinel engineering teams. We launched this series about a year ago to share insights from our discussions with some of your peers as well as from our own research and experience working on the frontlines of cybersecurity.<\/p>\n

Our first two issues considered escalating threats such as ransomware and how security leaders are using automation and upskilling opportunities to help respond effectively to these threats amid an ongoing talent shortage. With CISOs facing even more pressure to operate efficiently in today\u2019s economic uncertainty, many are looking to optimize using cloud-based solutions and integrated managed security services. In this issue, we look at emerging security priorities as organizations shift to an increasingly cloud-centric model, bringing along everything in their digital estate from on-premises systems to IoT devices.<\/p>\n

Executive summary<\/h2>\n

The public cloud offers the win-win-win of strong foundational security plus cost efficiency plus scalable computing, making it a key resource in a time of tightening budgets. But with this triple play comes a need to \u2018mind the gaps\u2019 that arise in the nexus between the public cloud and private clouds and on-premises systems. We look at what security leaders are doing to manage security in the liminal spaces between networked devices, endpoints, apps, clouds, and managed services. Finally, we look at two technologies that represent the apex of this security challenge, IoT and OT. The convergence of these two polarized technologies\u2014one nascent and the other legacy, both introduced to the network without adequate built-in security\u2014creates a porous edge vulnerable to attack.<\/p>\n

Issue 3 looks at these three cloud-centric security priorities:<\/p>\n

01 \/ Cloud security strategy <\/a><\/strong><\/p>\n

The cloud is secure; but are you managing your cloud environment securely? <\/strong><\/p>\n

Cloud adoption has accelerated as organizations seek new efficiencies in response to both economic constraints and a talent shortage. CISOs trust the public cloud services for their foundational security, but the cloud is only as secure as the customer\u2019s ability to manage the interface between the public cloud and private infrastructure. We look at how security leaders are closing the gap with a strong cloud security strategy\u2014for example, by securing their cloud apps and workloads with tools like cloud posture management and the cloud-native application protection platform (CNAPP).<\/p>\n

02 \/ Comprehensive posture management<\/a><\/strong><\/p>\n

A comprehensive security posture starts with visibility and ends with prioritized risk management. <\/strong><\/p>\n

With accelerated cloud adoption comes a proliferation of services, endpoints, apps, and devices. In addition to a strategy for managing the critical cloud connection points, CISOs are recognizing a need for greater visibility and coordination across their expanding digital footprint\u2014a need for comprehensive posture management. We look at how security leaders are expanding their approach from preventing attacks (still the best defense, as long as it works) to managing risk through comprehensive posture management tools that help with inventorying assets and modeling business risk\u2014and of course, identity and access control.<\/p>\n

03 \/ IoT\/OT<\/a><\/strong><\/p>\n

Lean on Zero Trust and hygiene to tame the wildly diverse, hyper-networked environment of IoT & OT. <\/strong><\/p>\n

The exponential growth in connected IoT and OT devices continues to present security challenges\u2014especially given the difficulty of reconciling technologies that are a blend of cloud-native, third-party tools and legacy equipment retrofitted for networking. The number of global IoT devices is projected to reach 41.6 billion by 2025, expanding the attack surface for adversaries who use such devices as entry points for cyber-attacks. These devices tend to be targeted as the weak points in a network. They may have been introduced ad hoc and connected to the IT network without clear direction from the security team; developed without foundational security by a third party; or managed inadequately by the security team due to challenges like proprietary protocols and availability requirements (OT). Learn how many IT leaders are now evolving their IoT\/OT security strategy to navigate this gap-ridden edge.<\/p>\n

Cloud security strategy<\/h2>\n

The cloud is secure; but are you managing your cloud environment securely? <\/strong><\/p>\n

At a time of talent shortages and tightening budgets, the cloud offers many benefits\u2014cost efficiency, infinitely scalable resources, cutting-edge tooling, and more reliable data protection than most security leaders feel they can achieve on-premises. While CISOs used to see cloud resources as a tradeoff between greater risk exposure and greater cost efficiency, most of the security leaders we speak to today have embraced the cloud as the new normal. They trust in the strong foundational security of cloud technology: \u201cI expect that cloud service providers have their house in order in terms of their identity and access management, their system security, and their physical security,\u201d says one CISO.<\/p>\n

But as most security leaders recognize, the provider\u2019s foundational security does not guarantee your data is secure\u2014the protection of your data in the cloud depends heavily on how cloud services are implemented alongside on-premises systems and homegrown technology. Risk arises in the gaps between the cloud, the traditional organizational boundary, and the policies and technologies used to secure the cloud. Misconfigurations occur, often leaving organizations exposed and dependent on security teams to identify and close the gaps.<\/p>\n

\n

\u201cA high number of breaches are because of misconfiguration, someone inadvertently misconfiguring something, or changing something that allows the data to be leaked.\u201d<\/p>\n

Utilities – Water, 1,390 employees<\/sup><\/p>\n<\/div>\n

By 2023, 75 percent of cloud security breaches will be caused by inadequate management of identities, access, and privileges, up from 50 percent in 2020 (Misconfiguration and vulnerabilities biggest risks in cloud security: Report | CSO Online<\/a>). The challenge exists not in the security of the cloud itself, but in the policies and controls used to secure access. As a financial services CISO puts it, \u201cCloud security is very good if it is deployed correctly. The cloud itself and their components are secure. But you get into the configuration: am I writing my code properly? Am I setting up my connectors across the enterprise correctly?\u201d Another security leader sums up the challenge: \u201cThe misconfiguration of those cloud services is what opens up the services to threat actors.\u201d As more security leaders become aware of the risks of cloud misconfiguration, the conversation around cloud security has shifted from \u201cIs the cloud secure?\u201d to \u201cAm I using the cloud securely?\u201d<\/p>\n

What does it mean to use the cloud securely? Many of the leaders I talk to approach cloud security strategy from the ground up, tackling the human errors that expose the organization to risk such as identity breaches and misconfigurations. This is in line with our recommendations as well\u2014securing identities and adaptively managing their access are absolutely fundamental to any cloud security strategy.<\/strong><\/p>\n

For anyone still on the fence, maybe this will help: McAfee reported that 70 percent of exposed records\u20145.4 billion\u2014were compromised due to misconfigured services and portals. Managing access through identity controls and implementing strong security hygiene can go a long way to closing the gaps.<\/p>\n

Best practices for a strong cloud security strategy<\/h3>\n

A robust cloud security strategy involves these best practices:<\/strong><\/p>\n

    \n
    1. Implement an end-to-end cloud-native application protection platform (CNAPP) strategy: Managing security with fragmented tools can cause blind spots in protection and higher costs. An all-in-one platform that lets you embed security from code to cloud is critical to reducing the overall cloud attack surface and automating threat protection. The CNAPP strategy involves the following best practices:\n
       1. Prioritize security from the start in DevOps.<\/strong> Security can fall by the wayside in the rush to develop cloud apps. Developers have an incentive to solve a business problem quickly and may lack cloud security skills. As a result, apps can proliferate without the appropriate data authorization rules. APIs have become a prime target for attackers, as organizations often cannot keep track of them given the rate of cloud app development. Gartner identifies \u201cAPI sprawl\u201d as a growing issue, predicting that by 2025, fewer than half of enterprise APIs will be managed (Gartner<\/a>). It is therefore critical to implement a DevSecOps strategy as quickly as possible.<\/li>\n
       2. Strengthen cloud security posture and fix misconfigurations.<\/strong> Misconfigurations are the most common cause of cloud breaches\u2014check out the Cloud Security Alliance\u2019s<\/a> list of the most common security group misconfigurations. While leaving storage resources open to the public is the most common fear we hear, CISOs also cite other areas of neglect: disabled monitoring and logging, excessive permissions, unprotected backups, and so on. Encryption is an important hedge against mismanagement, since an exposed but encrypted store leaks ciphertext rather than readable data, and it is critical to reducing the risk of ransomware. Cloud security posture management (CSPM) tools offer another line of defense by continuously monitoring cloud resources for exposures and misconfigurations before a breach happens, so you can reduce the attack surface proactively.<\/li>\n
       3. Automate detection, response, and analysis of incidents.<\/strong> Identifying and fixing misconfigurations is necessary, but you also need the tools and processes in place to detect attacks that make it past the defenses. This is where threat detection and response tools can help.<\/li>\n
       4. Get access management right.<\/strong> Multifactor authentication, single sign-on, role-based access control, permission management, and access certifications (periodic reviews of who holds which entitlements) help manage the two biggest risks to cloud security: the user and misconfigured digital properties. Least privilege is a cloud infrastructure entitlement management (CIEM) best practice. Some leaders rely on an identity and access management or entitlement management solution to put active security controls in place. One financial services leader leans on the cloud access security broker (CASB) as a \u201ckey backstop\u201d to manage the organization\u2019s SaaS services and to maintain control of their users and data. The CASB acts as an intermediary between users and cloud apps, providing visibility and enforcing governance actions through policies.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n
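Added example (not code from the original page, and not Microsoft Defender for Cloud or any other vendor tooling): a small posture check in the spirit of items 2 and 4 above, run over a constructed inventory of storage accounts, network security group rules and role assignments. It flags the misconfigurations the text names (public storage, disabled logging and encryption, admin ports open to the internet, wildcard permissions) and returns them ordered by severity. The resource schema, rule names and severities are assumptions made for illustration; a real CSPM tool reads the same facts from the cloud provider API.

```python
"""Added example, not code from the original page or from Microsoft: a minimal
cloud-security-posture check run over a constructed resource inventory.
The resource schema, rule names and severities are assumptions for illustration."""

from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample inventory (an assumption, not a real cloud export). The
# shape loosely mirrors what a cloud API returns for storage accounts, network
# security group (NSG) rules and role assignments.
INVENTORY = [
    {"type": "storage", "id": "st-backups", "public_access": True,
     "encryption_at_rest": False, "logging_enabled": False},
    {"type": "storage", "id": "st-app-data", "public_access": False,
     "encryption_at_rest": True, "logging_enabled": True},
    {"type": "nsg_rule", "id": "allow-ssh-any", "direction": "inbound",
     "source": "0.0.0.0/0", "ports": [22]},
    {"type": "nsg_rule", "id": "allow-web", "direction": "inbound",
     "source": "0.0.0.0/0", "ports": [443]},
    {"type": "nsg_rule", "id": "allow-rdp-office", "direction": "inbound",
     "source": "203.0.113.0/24", "ports": [3389]},
    {"type": "role_assignment", "id": "ra-ci-bot", "principal": "ci-bot",
     "scope": "/subscriptions/0000", "actions": ["*"]},
    {"type": "role_assignment", "id": "ra-reader", "principal": "auditor",
     "scope": "/subscriptions/0000", "actions": ["*/read"]},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never expose to the whole internet
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    resource_id: str
    severity: str  # "high", "medium" or "low"
    rule: str
    detail: str


def is_any_source(cidr: str) -> bool:
    """True when a rule's source CIDR is the entire address space (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_storage(res: dict) -> list[Finding]:
    out = []
    if res.get("public_access"):
        out.append(Finding(res["id"], "high", "public-storage",
                           "anonymous public access is enabled"))
    if not res.get("encryption_at_rest", True):
        out.append(Finding(res["id"], "medium", "unencrypted-storage",
                           "encryption at rest is disabled"))
    if not res.get("logging_enabled", True):
        out.append(Finding(res["id"], "low", "logging-disabled",
                           "access logging is off, so misuse will not be visible"))
    return out


def check_nsg_rule(res: dict) -> list[Finding]:
    # Only inbound rules whose source is the whole internet are interesting here.
    if res.get("direction") != "inbound" or not is_any_source(res.get("source", "")):
        return []
    ports = res.get("ports", [])
    exposed = ADMIN_PORTS if ports == "*" else ADMIN_PORTS & set(ports)
    if not exposed:
        return []  # e.g. 443 open to the internet on a web tier is expected
    return [Finding(res["id"], "high", "admin-port-open-to-internet",
                    f"ports {sorted(exposed)} reachable from {res['source']}")]


def check_role_assignment(res: dict) -> list[Finding]:
    # Exact match on "*": a read-only wildcard such as "*/read" is not flagged.
    if "*" in res.get("actions", []):
        return [Finding(res["id"], "high", "wildcard-permissions",
                        f"{res['principal']} can perform any action at {res['scope']}")]
    return []


CHECKS = {"storage": check_storage, "nsg_rule": check_nsg_rule,
          "role_assignment": check_role_assignment}


def scan(inventory: list[dict]) -> list[Finding]:
    """Run every applicable check and return findings, highest severity first."""
    findings: list[Finding] = []
    for res in inventory:
        check = CHECKS.get(res.get("type"))
        if check is not None:
            findings.extend(check(res))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.resource_id))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. for a dashboard or a CI gate."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f.severity:<6} {f.resource_id:<18} {f.rule}: {f.detail}")
```

Note the two deliberate non-findings: port 443 open to the internet on a web tier, and a read-only wildcard (*/read), which a check that matched the asterisk as a substring would wrongly flag. Tuning out expected exposure like this is what keeps posture tooling from drowning the SOC in noise, and the summary counts are the natural input to a CI gate that blocks deployment on any high-severity finding.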

         <\/p>\n

        A cloud-native application protection platform like that offered in Microsoft Defender for Cloud<\/a> not only offers visibility across multi-cloud resources, but also provides protection at all layers of the environment while monitoring for threats and correlating alerts into incidents that integrate with your SIEM. This streamlines investigations and helps your SOC teams stay ahead of cross-platform alerts.<\/p>\n

        An ounce of prevention\u2014closing identity and misconfiguration gaps\u2014combined with robust tools for attack response go a long way to securing the whole cloud environment, from the corporate network to cloud services.<\/p>\n

        Comprehensive posture management<\/h2>\n

        A comprehensive security posture starts with visibility and ends with prioritized risk management. <\/strong><\/p>\n

        The shift to cloud-centric IT not only exposes the organization to implementation gaps, but also to a proliferating array of networked assets\u2014devices, apps, endpoints\u2014as well as to exposed cloud workloads. Security leaders are managing their posture in this perimeter-less environment with technologies that deliver visibility and prioritized response. These tools help organizations map an asset inventory that covers the entire attack surface, spanning managed and unmanaged devices both within and outside of the organization\u2019s network. Using these resources, CISOs are able to assess the security posture of each asset as well as its role in the business to develop a prioritized risk model.<\/p>\n

        In our conversations with security leaders, we\u2019re seeing an evolution from perimeter-based security toward a security posture-based approach that embraces a borderless ecosystem.<\/p>\n

        As one CISO puts it, \u201cTo me, the posture goes down to the identity\u2026. We don\u2019t look at it just as the old traditional posture where the perimeter is but move that all the way down to the endpoint.\u201d (Utilities-Water, 1,390 employees). \u201cIdentity has become the new perimeter,\u201d comments a FinTech CISO, asking: \u201cWhat does identity mean in this new model where there is no outside and inside?\u201d (FinTech, 15,000 employees).<\/p>\n

        Given this porous environment, CISOs understand the urgency of comprehensive posture management\u2014but many question whether they have the resources and digital maturity to put this vision into practice. Fortunately, through a combination of industry-proven frameworks (updated for today\u2019s needs) and security innovation, comprehensive posture management is within reach for most organizations.<\/p>\n

        \n

        \u201cGet tooling in your cyber infrastructure that allows you to do an asset inventory. Second, look at which one of those are critical, which have the biggest risk to the organization and understand what the potential vulnerabilities are of these devices, and decide whether this is acceptable\u2014do I need to patch or isolate it.\u201d<\/p>\n

        Ken Malcolmson, Executive Security Advisor, Microsoft<\/sup><\/p>\n<\/div>\n

        Best practices for comprehensive security posture management<\/h3>\n

        Here are some best practices and tools security leaders are using to manage their posture in an open-ended, cloud-centric environment: <\/strong><\/p>\n

          \n
        1. Achieve comprehensive visibility with an asset inventory.<\/strong> Visibility is the first step in holistic posture management. CISOs are asking, \u2018Do we even know all we have out there as a first step? Do we even have visibility before we can get to management?\u2019 A risk asset inventory includes IT assets like networks and applications, databases, servers, cloud properties, and IoT properties, as well as the data and IP assets stored on this digital infrastructure. Most platforms, like Microsoft 365 or Azure, include built-in asset inventory tools that can help you get started.<\/li>\n
        2. Assess vulnerability and analyze risk.<\/strong> Once an organization has a comprehensive asset inventory, it\u2019s possible to analyze risk with respect to both internal vulnerabilities and external threats. This step relies heavily on context and is unique to each organization\u2014a reliable risk assessment depends on a strong partnership among the security, IT, and data teams. This cross-functional team uses automated risk scoring and prioritization tools in its analysis\u2014for example, the risk prioritization tools integrated into Azure Active Directory, Microsoft Defender XDR, and Microsoft 365. Automated risk scoring and prioritization technologies may also incorporate expert guidance for remediating the gaps as well as contextual information for effective threat response.<\/li>\n
        3. Prioritize risk and security needs with business risk modeling.<\/strong> With a clear understanding of the risk landscape, technical teams can work with business leaders to prioritize security interventions with respect to business needs. Consider the role of each asset, its value to the business, and the risk to the business if it is compromised, asking questions like, \u2018How sensitive is this information and what would be the impact to the business of its exposure?\u2019 or \u2018How mission critical are these systems\u2014what would be the impact of downtime to the business?\u2019 Microsoft offers tools to support a comprehensive identification and prioritization of vulnerabilities according to business risk modeling, including Microsoft Secure Score, Microsoft Compliance Score, Azure Secure Score, Microsoft Defender External Attack Surface Management, and Microsoft Defender Vulnerability Management.<\/li>\n
        4. Create a posture management strategy.<\/strong> An asset inventory, risk analysis, and business risk model form the basis for comprehensive posture management. This visibility and insight help the security team determine how best to allocate resources, what hardening measures need to be applied, and how to optimize the tradeoff between risk and usability for each segment of the network.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

               <\/p>\n

              Posture management solutions offer the visibility and vulnerability analysis to help organizations understand where to focus their posture improvement efforts. With this insight, they can identify and prioritize important areas in their attack surface.<\/p>\n

              IoT and OT Security<\/h2>\n

              Lean on Zero Trust and hygiene to tame the wildly diverse, hyper-networked environment of IoT and OT <\/strong><\/p>\n

              The two challenges we\u2019ve discussed\u2014the cloud implementation gap and the proliferation of cloud-connected devices\u2014are creating a perfect storm of risk in IoT and OT device environments. In addition to the inherent risk of the expanded attack surface introduced by IoT and OT devices, security leaders tell me they\u2019re trying to rationalize the convergence of nascent IoT and legacy OT strategies. IoT may be cloud native, but these devices frequently prioritize business expediency over foundational security; OT tends to be vendor-managed legacy equipment developed without modern security and introduced ad hoc onto the organization\u2019s IT network.<\/p>\n

              Here\u2019s a closer look at the state of IoT-OT risk today: <\/strong><\/p>\n

              IoT and OT devices are helping organizations modernize workspaces, become more data driven, and ease demands on staff through strategic shifts like remote management and automation. The International Data Corporation (IDC) estimates there will be 41.6 billion connected IoT devices by 2025, a growth rate exceeding that of traditional IT devices.<\/p>\n

              But with this opportunity comes significant risk. Our December 2022 Cyber Signals report, The Convergence of IT and Operational Technology<\/a>, looked at the risks to critical infrastructure posed by these technologies.<\/p>\n

              Key findings include:<\/p>\n

                \n
              1. \n
                  \n
                1. \n