Governance & Risk Management , Next-Generation Technologies & Secure Development , Patch Management
ISMG Editors: Can Microsoft Regain Trust in Its Security?
Also: CrowdStrike Grilled by Congress; Coalition Against Spyware Abuse Is Growing Anna Delaney (annamadeline) • September 27, 2024In the latest weekly update, Information Security Media Group editors discussed Microsoft's major cybersecurity overhaul in the wake of some high-profile breaches, the latest developments from CrowdStrike's global outage hearing, and the expanding U.S.-led coalition against spyware abuse in the EU.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Chris Riotta, managing editor, GovInfoSecurity; and Michael Novinson, managing editor, ISMG Business - discussed:
- Whether Microsoft can rebuild trust following recent breaches, as the company implements significant cultural and engineering shifts to enhance its cybersecurity efforts;
- How CrowdStrike's leadership faced tough questions during a House Homeland Security cybersecurity subcommittee hearing this week regarding the July global outage that crippled businesses worldwide;
- Why four more EU nations have joined a U.S.-led coalition to fight spyware abuse, intensifying pressure on the European Commission for failing to regulate the region's booming spyware market.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Sept. 13 edition on whether Microsoft will rethink Windows security and the Sept. 20 edition on how to survive a major ransomware attack.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll explore Microsoft's major cybersecurity overhaul, the latest developments from CrowdStrike's global outage hearing, and the expanding U.S.-led coalition against spyware abuse in the EU. The panel today includes Tony Morbin, executive news editor for the EU; Michael Novinson, managing editor for ISMG Business; and Chris Riotta, managing editor for GovInfoSecurity. Excellent to see you all.
Chris Riotta: Thanks for having us.
Michael Novinson: Thank you.
Delaney: So Michael, starting with you this week, Microsoft has announced a major overhaul in response to cybersecurity threats, which includes big cultural and engineering shifts. What key changes stand out to you?
Novinson: Thank you for the opportunity, Anna. So, to set the stage here, Microsoft has been under quite a bit of scrutiny in recent years, both for high-profile exploits by nation-state actors as well as adversaries being able to capitalize on their architecture, particularly in the identity arena, to exacerbate the impact of attacks. There have been two fairly recent things. One was Storm-0558. A China-based threat actor gained access to Microsoft Outlook systems in July 2023, when they stole emails from 25 organizations. And then just this January, Russian hackers compromised source code repositories from Microsoft, as well as internal systems. Microsoft is facing increased pressure from regulators and Congress, particularly Jeff Merkley, a junior senator from Oregon. A sense that they're prioritizing product innovation and feature development over security. Security was both an afterthought as well as something that they were looking to upcharge for that it was seen as essentially a cash cow, rather than as a bare necessity to keep folks safe. So, that is kind of the setting Microsoft had announced in November. They were going to be making a major pivot by investing a lot more into security than it may have at the time of the RSA Conference. And Chris, I know you covered this. Microsoft debuted its secure future initiative, which was focused on three areas - culture, governance and engineering. These initiatives were launched with the aim of making Microsoft a security-driven organization and a company that sees fewer high-impact breaches going forward. So, to break down each of those here in terms of the culture, which is perhaps the most straightforward effort to integrate security into performance reviews from Satya Nadella, the CEO. Every developer, engineer and employee, as part of their annual performance reviews, will be reviewed on how they prioritize security, how they embed security into their efforts, and that'll be considered when determining their scores, potential raises, promotions, etc. Also on that front, there are weekly meetings conducted. They take place on Friday with Satya Nadella, as well as with several key leaders of Microsoft, including Joy Chik, who we spoke to at ISMG last week. She heads identity and network access. And there's a rundown of how these security initiatives are doing and what progress has been made. What are some of the challenges and the issues? And from what Joy shared with me, it sounds like Satya is very engaged. These aren't meant to be kind of happy patting each other on the back sessions. These sessions are meant to have a critical look at where the company is falling short, and how can they change that. So, certainly, that's from a cultural standpoint. There has been a focus on trying to revamp the security organization. Microsoft brought in a new chief information security officer in December, and then, in recent days, as part of this progress report around their secure future initiative, they announced a series of deputy CISOs, some of whom were fairly high profile. What's notable here is that the CISOs are essentially associated with each product area grouping. So, the idea is that you have folks who have kind of that depth of knowledge in specific Microsoft technologies, as well as a background in cybersecurity, and so they're able to bring that all together and help ensure that security is being applied consistently across the organization. Also, there's going to be a focus in terms of having some more governance groups, review boards and third-party feedback from a governance standpoint. The biggest updates have been from an engineering standpoint, where there have been efforts in a bunch of different areas, including identity protection, tenant isolation, network security and software engineering. But, the big picture has been more focused on how security is delivered internally within Microsoft that used to be delegated to individual business units and groups they secured internally. There's been a focus on trying to centralize systems and processes across the organization so that there's more consistency. Some of the areas of focus have been certainly around identity and authentication. We saw historically that Azure Directory was taken advantage of extensively during the SolarWinds campaign in 2020. I know now it's called Entra ID, but there's been a focus on trying to secure that using more passwordless authentication and more hardware-based tokens to move away from some of the more traditional issues present. Also, there has certainly been a focus on, from a development and SecOps standpoint, trying to create standardized templates and playbooks for folks to use. So, they do not need to reinvent the wheel every time Microsoft is building something, and these templates and playbooks would have security best practices baked in already to ensure that there aren't issues. From a security operation standpoint, in terms of logging, this was a big issue in a previous exploit on Microsoft where you had to have, in order to prevent the exploit, a customer purchase Microsoft's E5 license in order to have sufficiently detailed logs. That's an up-charge. E5 is quite expensive. It's orders of magnitude more expensive than the base E3 license. The CISA congress officials telling organizations that, "Gee, you're not going to have the information you need to stop a cyber incident unless you pay for the premium package," is not acceptable. And Microsoft, in response, a while ago, brought the more robust logging features to the base packages, rather than making it contingent on having an E5 license. They extended the retention period from 90 to 180 days and enabled more Microsoft 365 audit logs. A lot going on there. Finally, who is this being done for? If you think of the consumer space, there's not a ton of choice in that OS market. Microsoft is so dominant. This is meant to speak to larger enterprises, the folks who do have larger budgets and who can be more choosy, in particular, if they make choices around bringing in third-party security vendors. Okta, Proofpoint and Zscaler - do we bring those into secure Microsoft architecture? Or can we trust Microsoft security products to secure Microsoft's architecture? The secure future initiative is meant to try to convince some of those customers who have the cash to purchase an alternative to standardize around Microsoft.
Delaney: Great stuff, Michael. And in your opinion, will these changes help Microsoft regain the trust that they need after recent breaches or is more needed?
Novinson: Time will tell. We'll be hearing from Chris on this in a little bit, but some of the standalone cyber vendors have had their issues. The CrowdStrike outage was more of an IT outage. Certainly, Okta's had no shortage of security issues and also announced its own security initiatives. So, it seems like a lot of this is more systemic than specific to Microsoft. But, time will tell, that is, if we go 6, 12 or 24 months without a huge, high-profile cyber incident, where either Microsoft was the initial access factor or threat actors used Microsoft to exacerbate the impact of the attack. That will help with gaining the trust of organizations with more cash. So, they're saying and doing the right things right now but the proof is going to be in the pudding here.
Delaney: Excellent. We shall see. Thank you, Michael. So Chris, as Michael said, not unrelated. CrowdStrike's leadership faced tough questions this week during a House Homeland Security's Cybersecurity Subcommittee regarding the July global outage that crippled critical infrastructure. Can you summarize the key points from the hearing?
Riotta: Absolutely. It's come pretty full circle. Capitol Hill has become a familiar territory this year for Microsoft, CrowdStrike, and many cybersecurity and technology leaders in the wake of this kind of high-profile hacking and other security incidents that have shaken and disrupted U.S. infrastructure and networks. Microsoft President Brad Smith testified in July after facing intense scrutiny over some of the cyber failures that Michael talked about, and lawmakers expressed some distrust at the time about the company's overall transparency and slow response in addressing those vulnerabilities. This week, it was CrowdStrike's turn. The July 2024 CrowdStrike outage is now considered the largest IT outage in global history. It wasn't caused by a cybersecurity attack, but instead, it was triggered by a faulty software update within the CrowdStrike Falcon platform. Specifically, a misconfigured threat detection rule was sent to systems that were running Microsoft Windows and caused widespread crashes across the globe. We saw thousands of commercial flights canceled and delays in thousands of others; severe interruptions to emergency services and healthcare operations; and surgeries were postponed. Microsoft previously reported that the outage affected less than 1% of its Windows systems. Because a wide variety of critical infrastructure sectors relied on those systems, it hit hard in many areas, which was a key focus during the congressional hearing this week. CrowdStrike brought out Adam Meyers, a senior vice president for counter-adversary operations, who told the House Homeland Security's Cybersecurity Subcommittee that the company used a "longstanding routine process to deploy this faulty update." According to Meyers, CrowdStrike was using this decade-old validation at times. He said it was over 10 years old to verify and test these updates before pushing them out. The process failed to identify what he called an unexpected discrepancy in the updated threat detection configurations, which then caused thousands of systems across various industries to experience significant outages. So, lawmakers were left baffled at times and still had many questions about CrowdStrike's previous testing operations. They described the outage as a catastrophe, and they were seeking many insurance from CrowdStrike that it revised its deployment processes for certain software updates. Meyers said that the company has stopped doing the decade-old verification process and instead now pushes all of these updates through an internal testing and deployment process first. In response to one question from a lawmaker, he said that artificial intelligence had no part in the decision-making that led to the faulty update being pushed out. He told lawmakers that the new methodology involves a series of internal assessments and that updates similar to the one that caused the disruption are currently being evaluated and pushed out 10-12 times a day. So, concerns from lawmakers and the industry regarding the federal government's heavy reliance on Microsoft also loomed quite large over the hearing, as CrowdStrike does depend on Microsoft for its security software deployments. You saw folks such as NetChoice, which is a major technology trade association funded by Google and Meta. It sent a letter and tried to make some noise ahead of the hearing, warning about the federal government's Microsoft monoculture and over-reliance on Microsoft systems. That letter said that while the July outage from CrowdStrike was not, in fact, Microsoft's fault, the government's over-reliance on Microsoft's Windows servers allowed the outage to inflict widespread problems on America's critical IT infrastructure. So, Congress is continuing with this probe, and we'll have to see where it develops.
Delaney: Did anyone mention potential solutions to reduce that dependence?
Riotta: There weren't many solutions offered during the hearing, and it was interesting to see CrowdStrike get in front of this hearing by sending its officials to Capitol Hill in Washington in the weeks ahead to meet with lawmakers. While we were expecting some theatrics, it kind of was more toned down. It didn't seem like folks were yet willing to move on from Microsoft or move on from CrowdStrike. So, hopefully, these companies can improve their security initiatives and do the things that we've heard from Microsoft and CrowdStrike when it comes to improving these processes.
Delaney: And did Meyers mention any lessons learned from the incident? Do you think they're planning to make further changes to what's already been said?
Riotta: He said that they'll also be rolling out this new kind of tiered deployment process for these updates, where if folks have critical systems, they can have early access to the updates that may have patch vulnerabilities that have been spotted rapidly, they can be part of what's called an advanced deployment. So, right after the update goes through the internal processes and testing and is approved at CrowdStrike, it'll be sent to this next tier of first-time adopters of the new update and then everyone else who can be in the sort of general availability tier would receive it kind of like a third ring. So, they're going to be moving from just a send out and push out these updates to everyone all at once to maybe more configurations and tiers depending on what your security preferences are.
Delaney: Yeah, that makes sense. Okay. Thanks Chris for now. I know we'll revisit this. Tony, four more EU nations have joined a U.S.-led coalition to fight spyware abuse, intensifying pressure on the European Commission for failing to regulate the region's booming spyware market. Now, you've been comparing spyware to guns. So, can you elaborate on that analogy?
Tony Morbin: It is not a perfect analogy, but arguments around the use of spyware are quite similar to those around the use of all sorts of weapons. Historically, the ownership of weapons has been restricted. In Japan, the shogunate banned commoners from owning swords. They did the same in the U.K. Today, we've got all sorts of different restrictions on gun ownership, varying by country. Now, the reasons are pretty obvious - preventing crime, promoting social cohesion, or, in the Japanese example, consolidating power for the ruling elite. And today, information is power. As we're all saying all the time that it's oil, it's whatever you want to call it. Spyware is the new weapon in those armories for those who want to acquire or retain their power. It's a $12-billion-a-year market now, and like warfare and crime, spying has always existed. And spyware is the latest technological advancement. It makes it much easier to spy, be pervasive on a MESS scale, and like all other technical advances, it de-skills the process. So, it makes it easier for anybody to conduct it. Now, as you say, the U.S. is relatively lenient on the ownership of guns; other countries, such as the U.K. and Japan, less so. But apparently, all countries today have some kind of restrictions on guns. There is increasing concern about who can use spyware, and we're moving down that same path of introducing restrictions. But the problem is - Is it enough to restrict sales to governments when the governments themselves are often the ones who are abusing it, and who decides what's abuse anyway? It can even be argued that the very existence of spyware will inevitably result in abuse. There was a Mandiant report that found that commercial spyware was behind 50% of all zero-day exploits in the last year. So, it is a big issue, whatever way you want to cut it.
Delaney: What actions are governments taking to address the growing concerns around spyware?
Morbin: As you said at the beginning, this week, Austria, Estonia, Lithuania and the Netherlands have joined a U.S.-led coalition of 21 countries that aims to prevent the proliferation of spyware. The coalition members are committed to information-sharing programs seeking to prevent the export of software technologies that can be used for malicious cyber activities. The U.S. Treasury has already sanctioned five commercial spyware companies, including Greece's Intellexa. There was initially some reduction in its activity, but then the company responded by fortifying its infrastructure and adding new layers of complexity, essentially to evade detection. Expansion of the coalition is coming amid growing criticism of the European Commission's failure to curb the use of prolific spyware, the calls for tighter export controls, permitting spyware only to be used in exceptional cases that are preventing a genuine threat to national security, but the reality is that EU members, including Poland, Greece, Hungary and Spain, are among those that have been reported to have used surveillance tools to monitor politicians, journalists and activists. The will to introduce a tougher EU-wide regime simply doesn't exist, according to various people, quoted by my colleague Akshaya in her recent report in ISMG.
Delaney: Tony, if some governments are unwilling to act or are involved in the misuse of spyware, what recourse do victims have?
Morbin: It's difficult to say. In the U.K., four human rights activists, just recently, have said that their communications were snooped on by autocratic states, and they filed a legal case under the U.K.'s Computer Misuse Act and National Security Act, accusing Israel spyware maker NSO of being behind alleged spyware infections. They say that NSO's Pegasus spyware has been used against targets' phones inside the U.K., which therefore threatens the country's sovereignty and security. And they cited various alleged attacks within the U.K. government networks, as well as an alleged attack on House of Lords member Fiona Shackleton. Pegasus is probably the most advanced of the spyware software that we know about. It delivers a zero-click attack on phones where it can copy messages, pictures, and videos, download content to send to an attacker, record your calls, track your location, and it can also independently and secretly activate the phone's camera and microphone. Now, NSO Group denies these allegations and says that its customers are carefully assessed and they only sell their spyware for use against serious criminals and terrorists. But, the problem is some governments' definitions of terrorists include virtually anybody who opposes the government, and many autocratic countries have limited or no accountability and oversight on how the powerful capabilities of spyware are used. In relation to the recent expansion of sanctions on spyware makers, U.S. State Department spokesperson Matthew Miller said the United States will not tolerate the misuse of technologies that undermine America's national security or that of our allies, and we will not tolerate the misuse of technologies that perpetrate human rights abuses or undermine freedom of expression. But, many fear that spyware has already gone out of control, and highly sophisticated spyware tools are simply being sold on the open market, where licensed customers are free to spy on whoever they choose.
Delaney: Tony, it is a massive topic. Thank you for sharing that so clearly. Lots to think about there. We'll revisit. Brilliant insights as always. Thanks team.
Novinson: Thank you, Anna.
Riotta: Thanks for having us.
Delaney: And thanks so much for watching. Until next time.