With RSA starting over the weekend, Microsoft is the latest company to make a slew of security announcements in order to get everyone’s attention. The announcements were made in a blog post by Bret Arsenault, Chief Information Security Officer at Microsoft, and delivered as a progress report on enterprise security.
The blog starts by referencing Satya Nadella’s comments last year on the need for a new approach to enterprise security. That is followed by Arsenault promoting the work being done by his team, especially when it comes to new technologies around cyber security. What is interesting is that Arsenault sets out three goals for Microsoft to achieve if it wants to keep customers secure. These are:
- Evolve Microsoft’s ability to get real-time insights and predictive intelligence across the network to stay ahead of the threats.
- The ability to correlate security data with threat intelligence data to separate bad from good.
- Leveraging the industry and partners to ensure a broad, comprehensive approach.
There is much for Arsenault to do in all of these areas, not least when it comes to sharing and cooperating with others. Microsoft is not listed as a partner or user of either the Structured Threat Information eXpression (STIX) or the Trusted Automated eXchange of Indicator Information (TAXII). These are the two biggest threat intelligence exchanges and are currently being actively turned into standards by the OASIS standards organisation. Microsoft has also chosen not to participate in the OASIS Cyber Threat Intelligence (CTI) Technical Committee.
Without being involved in these industry-wide initiatives, it is hard to see how Microsoft can talk about a comprehensive approach. Instead, this seems to be another Microsoft partner project rather than a move to work with the wider security industry. This is deeply disappointing and something that it would be good to see Arsenault address in a later blog.
Microsoft Security announcements for RSA
There are a lot of these and it is easier to read the blog to get the full list. Among those that are notable are:
Microsoft Cloud App Security: This is a cloud access security broker based on the Adallom technology that Microsoft acquired in September 2015. It extends on-premises security controls to the cloud and to the SaaS applications that users are consuming, by extending Active Directory. There is a blog on the Active Directory enhancements written by Alex Simons which can be found here.
Unsurprisingly, integration with and protection of Office 365 make up the bulk of the new feature set. Alerts can be configured to warn Office 365 admins of suspicious behaviour. An interesting feature is the extension of app permissions, which makes it easier to approve or revoke permissions for third-party services that have been authorised for use with Office 365.
The most interesting new feature here is Cloud App Discovery. This will enable IT departments to analyse which cloud services their users are connecting to. Skyhigh Networks and IBM already have their own tools doing the same job, and it is good to see Microsoft recognising that the vast majority of cloud services in use are not created or controlled by IT departments. While not announced, the logical next step would be to use the cloud security broker capabilities of Adallom to enable IT to offer users approved and secure alternatives to the cloud services it discovers.
There is a blog from the Office team, which can be found here, that goes into more detail and also talks about the new enhancements to Customer Lockbox. This will begin to roll out in Q2 and will support SharePoint Online and OneDrive for Business.
New security management and reporting for Azure Security Center: This is designed to increase the granularity of security permissions within Azure. It builds on the existing ability to set security policies for each Azure subscription and adds the ability to set a security policy at the level of a resource group. The primary focus is on workloads, but there are a number of other areas in which this can be applied.
Azure Security Center Advanced Threat Detection: According to Arsenault’s blog, this uses the technology Microsoft has developed over the years to analyse crash dumps from end-user devices. Azure Security Center is now capable of collecting crash events from Azure virtual machines, analysing the data and alerting the customer where a VM has been compromised. With new generations of malware such as Spartan, identified by the Dell Security team, which is created and lives only in memory, the ability to analyse the running state of VMs has become a key tool for detecting such attacks.
There is a very interesting blog from Sarah Fender, Principal Program Manager, Azure Cybersecurity, which can be found here. It talks in more detail about the new security features in Azure and the new integrated partner solutions that Microsoft is deploying.
This is a good update from Arsenault and one that needs to be repeated on a regular basis. While some of the updates, such as the Cloud App Discovery feature, are overdue, Microsoft is moving to close the gap to some of the other players in the market. Perhaps the biggest disappointment is that Arsenault made no mention of Microsoft engaging with the wider threat intelligence community, something that we hope he will address in his next update on security.