There’s an old joke about a new CEO who gets hired to run a floundering business and is given three envelopes on her first day at work. If you haven’t already heard it, give it a quick read here.

The Charlie Bell Memo

Microsoft has been taking a well-deserved thrashing in the press and industry for a number of security incidents over the last couple of years. From the widespread compromise of on-premises Exchange servers by HAFNIUM to Storm-0558 to Midnight Blizzard, Microsoft has been criticized for the security of their products and processes and for many aspects of their response. The latest, and most public, criticism came in the form of a strongly worded report from the US government’s Cyber Security Review Board (CSRB), which is worth reading if you haven’t already. Of course, it’s not new that software can have security problems, but the scope, scale, and attention focused on Microsoft’s recent problems are all unusual.

So, what did Microsoft do? They opened envelope #1, and the message inside reads “Publish a new security strategy.” Thus the May 7 memo from Microsoft security VP Charlie Bell titled “Security above all else.” In it, Bell lays out six “prioritized security pillars” that Microsoft is promising to invest in and execute on. I won’t repeat them all here, but I do want to highlight a few of the subordinate items and talk about how you can, and probably should, duplicate them in your own environment.

Protecting Identities and Secrets

The first pillar is, as it should be, focused on identity protection. Microsoft is promising to apply “rapid and automatic rotation with hardware storage and protection” for all signing and platform keys. They’re committing to using standard internal SDKs for all identity account access and management, and to protecting 100% of user accounts with phishing-resistant MFA. You’re no doubt tired of hearing how important it is to deploy MFA, but you will certainly be hearing more about it as Microsoft continues to push the deployment of passkeys. Deploying phishing-resistant MFA is absolutely a tactic you should copy yourself. Start now if you haven’t already.

Protect Tenants and Isolate Production Systems

I can’t believe I have to write this, but yes, Microsoft is promising to “[remove] all unused, aged, or legacy systems.” That absolutely seems like something they should already have been doing, and that goes for your environment too. More interestingly, Microsoft says they will “ensure only secure, managed, healthy devices will be granted access to Microsoft tenants.” That sounds like a call to use Entra ID conditional access more broadly, in combination with endpoint protection, to perform more thorough device health checks and to appropriately restrict network and application access based on those health checks. It still surprises me when I see organizations with completely unmanaged device fleets, especially when users are allowed (or required!) to supply their own devices. It’s time to knock that off.

Protect Networks

The most important bullet promised under this pillar is that Microsoft is going to “enable customers to easily secure their networks and network isolate resources in the cloud.” While you may not be interested in completely redesigning your network, at a minimum you should already be segmenting your internal network to keep guest devices on their own isolated network, and it’s an excellent idea to have a separate segregated network for devices such as smart TVs, copiers, and so on that need network access but shouldn’t be able to directly reach your production systems. If you haven’t already applied segmentation in your Azure or AWS resource networks, you should do that immediately as well.

Monitor and Detect Threats

One important aspect of the public criticism surrounding the Midnight Blizzard and Storm-0558 attacks is that Microsoft sells much of its most useful security functionality instead of including it in their products—security logs being a fantastic example. We learned, again, from the Storm-0558 attacks that an attacker can get in and do quite a bit of damage before being detected, so Microsoft’s promising to retain its own logs for at least two years and to make all security logs available to customers for six months. This is a good first step, but it won’t do you any good unless you’re monitoring the logs yourself with whatever tools you prefer. Remember, it was a customer who first detected the Storm-0558 attacks and notified Microsoft.
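As an added illustration of what "monitoring the logs yourself" can look like for the items above (phishing-resistant MFA, managed devices, no legacy auth), here is a small review script that is not from the post or from Microsoft. The sign-in records are constructed; the field names approximate Entra ID sign-in log fields, and `mfaMethod` is a simplification I assume rather than a real log field.

```python
import json

# Constructed sample sign-in records (not real logs). Field names loosely follow
# Entra ID sign-in logs; "mfaMethod" is a simplified, assumed field.
SAMPLE_SIGNINS = """
{"user":"alice@example.test","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","mfaMethod":"fido2","deviceDetail":{"isCompliant":true,"isManaged":true}}
{"user":"bob@example.test","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","mfaMethod":"sms","deviceDetail":{"isCompliant":false,"isManaged":false}}
{"user":"carol@example.test","clientAppUsed":"Other clients; IMAP","authenticationRequirement":"singleFactorAuthentication","mfaMethod":null,"deviceDetail":{"isCompliant":false,"isManaged":false}}
"""

# Methods treated as phishing-resistant for this review (assumed labels).
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "certificate"}
# Client strings that indicate legacy (non-modern) authentication.
LEGACY_PREFIXES = ("Other clients", "Exchange ActiveSync", "Authenticated SMTP")


def findings_for(rec):
    """Return the list of policy gaps observed in one sign-in record."""
    gaps = []
    if rec.get("authenticationRequirement") != "multiFactorAuthentication":
        gaps.append("no-mfa")
    elif rec.get("mfaMethod") not in PHISHING_RESISTANT:
        gaps.append("weak-mfa")
    dev = rec.get("deviceDetail") or {}
    if not (dev.get("isManaged") and dev.get("isCompliant")):
        gaps.append("unmanaged-device")
    if str(rec.get("clientAppUsed", "")).startswith(LEGACY_PREFIXES):
        gaps.append("legacy-auth")
    return gaps


def review_signins(jsonl):
    """Map each user with at least one gap to their gaps; clean users are omitted."""
    report = {}
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        gaps = findings_for(rec)
        if gaps:
            report[rec["user"]] = gaps
    return report


if __name__ == "__main__":
    for user, gaps in review_signins(SAMPLE_SIGNINS).items():
        print(f"{user}: {', '.join(gaps)}")
```

Point the same logic at exported sign-in logs and the report becomes a list of users and devices that still need the MFA, device-management, or legacy-auth cleanup the memo calls for.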

Pablo Picasso and you

Picasso famously said “Good artists copy. Great artists steal.” Many, many customers over the years have implemented network, storage, Exchange, and other systems based on Microsoft’s own internal designs, on the reasonable theory that if Microsoft knows what they’re doing then replicating their designs and standards makes sense. The problem with this approach is the copiers frequently ignore the unique circumstances around Microsoft’s business. With that in mind, don’t blindly do what Bell says Microsoft’s doing just because Microsoft’s doing it. You obviously have to balance the amount and nature of your security investments against your business requirements and your threat models; you don’t have the same nearly infinite budget that Microsoft does. That being said, there are clearly some actionable items from Bell’s list that will apply to you.

The Other Two Envelopes

Old-timers may remember Bill Gates’ “Trustworthy Computing” memo, which was truly revolutionary in its time and led to a long period of rapid growth for c. We may see that Bell’s memo (and the corresponding memo from CEO Satya Nadella that famously told employees to “do security”) marks a similar renaissance of security capability and quality. Or we may see that Nadella or other Microsoft executives find themselves reaching for the other two envelopes in their respective desks.

About the Author

Paul Robichaux

Paul Robichaux, an Office Apps and Services MVP since 2002, works as the senior director of product management at Keepit, spending his time helping to make awesome data protection solutions for the multi-cloud world we’re all living in. Paul's unique background includes stints writing Space Shuttle payload software in FORTRAN, developing cryptographic software for the US National Security Agency, helping giant companies deploy Office 365 to their worldwide users, and writing about and presenting on Microsoft’s software and server products. Paul’s an avid (but slow) triathlete, an instrument-rated private pilot, and an occasional blogger (at http://www.paulrobichaux.com) and Tweeter (@paulrobichaux).
