
Microsoft CEO: Security More Important Than Features


Microsoft is “doubling down” on making cybersecurity its top priority, CEO Satya Nadella told analysts in its recent fiscal Q3 2024 earnings call.

“Security underpins every layer of our tech stack, and it’s our number one priority,” Nadella said.

Still, it's worth noting that not one analyst on the conference call asked Nadella about Microsoft's cybersecurity posture.

“We launched our Secure Future Initiative last fall for this reason, bringing together every part of the company to advance cybersecurity protection, and we are doubling down on this very important work, putting security above all else — before all other features and investments,” he said.

Secure Future is Microsoft’s umbrella term for the engineering program meant to make its software secure by default, with artificial intelligence playing a central role in how the company plans to build, monitor and defend its products.

Secure Future's Six Pillars

Nadella said Microsoft is focused on making progress on the six pillars of the Secure Future Initiative as the company works to:

  • Protect tenants and isolate production systems
  • Protect identities and secrets
  • Protect networks
  • Protect engineering systems
  • Monitor and detect threats
  • Accelerate response and remediation

“We remain committed to sharing our learnings, tools, and innovation with customers,” Nadella said, pointing to Copilot for Security, which brings “together LLMs (large language models) with domain-specific skills informed by our threat intelligence and 78 trillion daily security signals, to provide security teams with actionable insights.”

The comments come after Microsoft suffered an email breach in 2023 that exposed its senior leadership team and employees in its cybersecurity, legal and other functions. In April the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive telling all federal civilian executive branch (FCEB) agencies to guard against attacks from the Russia-linked Midnight Blizzard hackers currently leveraging compromised Microsoft email accounts.

Exchange Online Breach Draws Harsh Criticism

Nadella’s remarks come just weeks after scorching criticism of the company’s security practices from the Cyber Safety Review Board (CSRB), which in early April took a sledgehammer to Microsoft over the summer 2023 Exchange Online intrusion.

Specifically, the CSRB called a break-in of top government officials' emails last year "preventable," faulting Microsoft for its cybersecurity lapses and a deliberate lack of transparency.

The board said in its report that it identified a series of decisions by Microsoft that weakened enterprise security and risk management and eroded customers’ trust in the company’s ability to protect their data and operations.

The seven-month investigation included interviews with 20 organizations and experts, among them cybersecurity companies, technology companies, law enforcement organizations, security researchers, academics and several impacted organizations. The CSRB concluded that Microsoft’s corporate culture emphasized speed over risk management.

The CSRB’s review identified a series of Microsoft operational and strategic decisions that “collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management,” calling it “at odds” with the company’s central position in IT and eroding the trust of its customers.

Microsoft Errors Deemed Avoidable

The intrusion was the result of a “cascade” of avoidable errors, the CSRB said, including:

  • Failure to detect the compromise of its cryptographic "crown jewels"
  • A lack of adequate cloud security controls in comparison with other cloud service providers
  • Failure to detect a compromise of an employee’s laptop from a recently acquired company before allowing it to connect to the company’s corporate network
  • A decision not to correct a public statement that it had discovered the likely root cause of the intrusion when it had not

“The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul,” the CSRB said.

CSRB's Recommendations to Microsoft

The Board recommended that Microsoft develop and publicly share a plan with specific timelines to make fundamental, security-focused reforms across the company and its suite of products. Microsoft fully cooperated with the Board’s review.

The CSRB also recommended specific actions to all cloud service providers and government partners to improve security and build resilience against the Chinese government-backed Storm-0558 cyber crew that carried out the operation, and other cyber crews.

Recommendations include:

  • Cloud service providers should implement modern control mechanisms and baseline practices, informed by a rigorous threat model, across their digital identity and credential systems to substantially reduce the risk of system-level compromise.
  • Cloud service providers should adopt a minimum standard for default audit logging in cloud services to enable the detection, prevention, and investigation of intrusions as a baseline and routine service offering without additional charge.
  • Cloud service providers should implement emerging digital identity standards to secure cloud services against prevailing threat vectors. Relevant standards bodies should refine, update, and incorporate these standards to address digital identity risks commonly exploited in the modern threat landscape.
  • Cloud service providers should adopt incident and vulnerability disclosure practices to maximize transparency across and between their customers, stakeholders and the United States government.
  • Cloud service providers should develop more effective victim notification and support mechanisms to drive information-sharing efforts and amplify pertinent information for investigating, remediating and recovering from cybersecurity incidents.
  • The U.S. government should update the Federal Risk and Authorization Management Program (FedRAMP) and supporting frameworks and establish a process for conducting discretionary special reviews of the program’s authorized Cloud Service Offerings following especially high-impact situations.
  • The National Institute of Standards and Technology should also incorporate feedback about observed threats and incidents related to cloud provider security.

As a result of the CSRB’s recommendations, the Cybersecurity and Infrastructure Security Agency (CISA) plans to convene major CSPs to "develop cloud security practices aligned with the CSRB recommendations and a process for CSPs to regularly attest and demonstrate alignment."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.