In recent years, Microsoft’s security offerings have shifted from security for Microsoft products and services to security from Microsoft for the full range of products and services an enterprise needs to protect. That means versions of Defender that monitor iOS, Android, macOS, Linux, Internet of Things devices and containers rather than just Windows, as well as its Sentinel SIEM, MDM for a wide range of devices with Microsoft Endpoint Manager and a continuing stream of acquisitions that bring point tools like ReFirm and CloudKnox, which eventually become integrated options in the Microsoft security tools.
Last year Microsoft Defender for Cloud added features for managing and monitoring security settings on AWS as well as on Azure; now it covers GCP as well, with a dashboard showing your security settings and whether you’re following best practices across all three clouds (or individually if you prefer).
The new CloudKnox Permissions Management dashboard shows you what permissions have been granted to all the identities you’re using across Azure, AWS and GCP (including identities for VMs, access keys, containers and scripts as well as users and admins). You can see which identities have access to more resources than they need to use, get alerts for unusual behavior and automate policies that allocate the fewest possible privileges and access rights.
Hybrid and multicloud is a reality for many organizations, said Eric Doerr, corporate vice president of cloud security at Microsoft.
“There was a period of time where it wasn’t clear whether multicloud was going to be a long-term, intentional strategy of customers or whether it was more ‘you’re on Azure and you buy a company that’s on AWS and you have to deal with that for a period of time’. It became clear a few years ago that multicloud is not a fad, that it’s an intentional strategy. What we started hearing more and more was ‘this Azure stuff you’re doing is great, but I’m dying trying to keep on top of all the clouds and I don’t have time to have my security teams become experts on the tooling for Azure and the tooling for AWS and the tooling for GCP.’ It just doesn’t work.”
Even companies with the budget for that many staff have trouble hiring enough people with security skills covering multiple clouds. Defender for Cloud can help by giving you one place to set and monitor policies around patching, encryption and backup of data, network port management, logging and monitoring for credentials in source repositories, without needing to know the nuances of the different ways to configure those on different clouds.
“What we’ve focused on with this release is taking the annoying work of translating ‘I want encryption on all my storage [across clouds]’,” Doerr explained. “I shouldn’t have to worry about the different way you configure that on the different clouds. We make that one click, and then that gets enforced. And then if there’s deviations from that policy, you get an alert and you can go investigate what’s going on.”
The new CloudKnox service goes a step further. “We’re going to do more than give you advice. We give you very targeted details: here’s what you’ve got, here’s exactly what the problem is, here’s how you go fix it.”
Doerr is resigned to a little surprise over Microsoft offering security solutions for non-Microsoft systems.
“Perception always lags reality,” he pointed out. “A long time after we got serious about Linux and Mac and Android and iOS we still had customers saying ‘you’re Microsoft, don’t you only care about Windows?’ We’re serious about multicloud, we’re serious about meeting the customer where they are and helping with their cloud infrastructure all up. But I know I’m going to have some period of time of customers saying, ‘no, but you only care about Azure, right?’ I love Azure. I love you more, customers; I’ve got your back.”
Know what you need to protect
The complexity of managing multiple clouds also exacerbates a common problem: very few organizations have an accurate, up-to-date list of all the resources they need to secure, and while that’s true of all infrastructure, it’s so easy to turn on new cloud resources that they tend to proliferate. “It turns out people actually don’t always know what they have. Some of the best, strictest security shops that I’ve talked to, they all have a story that’s relatively recent where this subsidiary did this thing and they didn’t talk to us, we didn’t know about it and then all of a sudden, we had this issue.”
To help with that, Microsoft bought RiskIQ last year; it offers a security intelligence service Doerr calls ‘outside-in scanning’: “they scan your whole internet addressable attack surface.”
Scanning the entire addressable internet and drawing inferences from what’s visible powers three different approaches, the first being audit. “Help a company look broadly and understand what of their infrastructure, even infrastructure they might have forgotten about, is exposed.” The second is more general threat intelligence, presented on a dashboard. “If I’m a [security] analyst in the middle of an investigation or I’m doing some research to get myself prepped for what kind of threats might be coming out in oil and gas and what kind of actors are coming after [that sector],” Doerr explains.
But he’s also excited about the way the service can help customers understand threats from their partners and supply chain. “If I’m a company with vendor relationships with a hundred other companies, how secure are they? Are they doing a good job? Are they patching? It sounds boring, but if you’re not patching, you’re in trouble!” In future, he suggests, Microsoft will be able to correlate that with the other signals in its security graph.
Currently a separate service that will be integrated with other Microsoft tools (expect an update on that in a couple of months, Doerr said), RiskIQ supplements Microsoft’s existing “inside out” efforts to support security teams in their work. “If the security team doesn’t know about some asset, you can’t protect it. This ‘outside in’ [approach] is the perfect complement; it’s like peanut butter and jelly. You need to do the inside out, you need to do the outside in and that needs to come together in really meaningful ways for security teams.”
However good the information from your security tools, it won’t make you more secure unless it’s acted on.
As well as creating security tools, Microsoft is also working with customers to help them bring the information from those tools into their processes so they can use the information to make their systems more secure, which might mean updating a custom application rather than just setting a firewall rule. “We don’t live in a world where you can just have a security team set a network policy and boom, you’re done,” he points out. “An increasing number of these things that we surface to the security teams are things where the security team themselves don’t own the resource that needs to change.”
Organizations often want to plug that information into existing workflows. “Some customers say, ‘Hey, I’ve got a ticketing system that is awesome and I want you to have the right APIs and plug into that and then it’ll all be good.’ Some customers live by email and want the extensibility to have the security team be able to nag people by email.”
Getting that handoff right will pull the industry up a notch because improving security means orchestrating the end-to-end workflow, from spotting a security issue to dealing with it. “If the security team doesn’t know they have a problem and they don’t know the relative priority, then that’s a problem. But then as you expose visibility into the problem, if you don’t help equip them with the tools to go get that fixed, then you haven’t really moved the needle on the bad guys.”
The DevSecOps ‘shift left’ approach will play an increasing role here, Doerr said, and Microsoft is making investments in developer tools and GitHub to help: “Setting a policy and enforcing it in code so that as deployments happen the right things are happening more often. You’ve got to shift further left into the deployment environment to be rational about your use of human person-power. We’ve got a lot of people working on how do we connect the security team to the engineering team.”
Back to basics
On the other hand, while attackers are getting more sophisticated, all too often the simplest attacks still get through because the security tools defenders work with are fragmented and not easy enough to use.
“We have seen the trickle down of techniques and competence. Five years ago, there were a handful of nation-states that were very good, and most of the criminal actors were not very sophisticated. The nation-states have continued to get better in their capabilities, but we’ve seen the criminal groups have definitely closed the gap quite a bit,” he warned.
With the ever-increasing numbers of attacks, prioritizing is more important than ever, and using automation to apply security policies can make security engineers more productive by handling the basics and leaving them to analyze and understand the more unusual issues, Doerr suggested.
“It is true that the bad guys, the nation-states and the criminal folks, are much better equipped than they’ve ever been. But the defenders still outnumber them. If we can only work together, if we can only have the defenders actually spending time on the things that matter rather than spending a bunch of time learning GCP primitives and figuring out how to translate control frameworks into something meaningful for the security team.”
“How do we raise the minimum bar of competence an attacker has to have to be a problem to the average enterprise out there? A lot of that is about simplicity and automation and not requiring that you hire seven top-notch security people to go design a security programme from scratch. What we’re doing is a step in that direction with one multicloud solution: pick your policy, pick how you want to run your security team, and we’re going to automate a lot of that stuff.”
Microsoft’s DART (Detection and Response Team) helps customers with security incidents (and Doerr runs Microsoft’s own Security Operations Center), so he sees similar problems in far too many organizations that automation could help with, whether it’s the new multicloud services or following baseline security recommendations for Office 365.
“It’s shocking how often [the problem is] ‘Wait, you didn’t have MFA turned on? You had exposed management ports? Why did you expose management ports?’ And when you look into it, it’s because the tools weren’t making it easy. You’re playing this endless game of Whack-a-Mole. How do we make it so that rather than security teams playing Whack-a-Mole, you have security teams pushing automated policy? There’s still going to be exceptions and weird stuff that happens, but then you’re focusing on those weird things and not running around playing Whack-a-Mole with open ports.”
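The idea running through Doerr’s remarks on one-click cross-cloud policy (“I want encryption on all my storage”, alerts on deviation) and the closing point about MFA and exposed management ports is the same: normalise each provider’s description of a resource into one model, then evaluate a single policy set over all of it. The script below is an added illustration of that pattern, not Microsoft’s, Defender for Cloud’s or CloudKnox’s code. The AWS, Azure and GCP record shapes, the inventory and the asset names are constructed and simplified for the example; they are not real provider API output.

```python
"""Toy multicloud policy check (constructed example, not Microsoft code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}            # SSH, RDP, WinRM
ANY_SOURCE = {"0.0.0.0/0", "::/0", "*", "Internet"}   # "open to the world" spellings


@dataclass
class Asset:
    """Provider-neutral model that every cloud's record is mapped onto."""
    cloud: str
    kind: str                                 # "storage" | "firewall" | "identity"
    name: str
    encrypted: Optional[bool] = None          # storage only
    inbound: Dict[int, Set[str]] = field(default_factory=dict)  # port -> sources
    mfa: Optional[bool] = None                # identity only


def _ports(spec) -> Set[int]:
    """'22' -> {22}; '3389-3390' -> {3389, 3390}; '*' -> every management port."""
    s = str(spec)
    if s == "*":
        return set(MANAGEMENT_PORTS)
    if "-" in s:
        lo, hi = (int(x) for x in s.split("-"))
        return set(range(lo, hi + 1))
    return {int(s)}


def normalise(cloud: str, rec: dict) -> Asset:
    """Map one provider-style record (toy shapes, constructed) onto Asset."""
    t = rec["type"]
    if cloud == "aws":
        if t == "s3_bucket":
            return Asset(cloud, "storage", rec["Name"],
                         encrypted=rec.get("ServerSideEncryptionConfiguration") is not None)
        if t == "security_group":
            inbound: Dict[int, Set[str]] = {}
            for p in rec.get("IpPermissions", []):
                for port in range(p["FromPort"], p["ToPort"] + 1):
                    inbound.setdefault(port, set()).update(r["CidrIp"] for r in p["IpRanges"])
            return Asset(cloud, "firewall", rec["GroupName"], inbound=inbound)
        if t == "iam_user":
            return Asset(cloud, "identity", rec["UserName"], mfa=bool(rec.get("MFADevices")))
    if cloud == "azure":
        props = rec.get("properties", {})
        if t == "storage_account":
            blob = props.get("encryption", {}).get("services", {}).get("blob", {})
            return Asset(cloud, "storage", rec["name"], encrypted=bool(blob.get("enabled")))
        if t == "nsg_rule":
            inbound = {}
            if props.get("direction") == "Inbound" and props.get("access") == "Allow":
                for port in _ports(props["destinationPortRange"]):
                    inbound.setdefault(port, set()).add(props["sourceAddressPrefix"])
            return Asset(cloud, "firewall", rec["name"], inbound=inbound)
        if t == "user":
            return Asset(cloud, "identity", rec["name"], mfa=bool(props.get("mfaEnrolled")))
    if cloud == "gcp":
        if t == "bucket":
            return Asset(cloud, "storage", rec["name"],
                         encrypted=bool(rec.get("encryption", {}).get("enabled")))
        if t == "firewall_rule":
            inbound = {}
            if rec.get("direction") == "INGRESS":
                for allowed in rec.get("allowed", []):
                    for spec in allowed.get("ports", ["*"]):
                        for port in _ports(spec):
                            inbound.setdefault(port, set()).update(rec.get("sourceRanges", []))
            return Asset(cloud, "firewall", rec["name"], inbound=inbound)
    raise ValueError(f"unsupported record {cloud}/{t}")


Finding = Tuple[str, str, str, str]   # (cloud, asset, policy, detail)


def evaluate(assets: List[Asset]) -> List[Finding]:
    """One policy set, applied identically regardless of provider."""
    findings: List[Finding] = []
    for a in assets:
        if a.kind == "storage" and not a.encrypted:
            findings.append((a.cloud, a.name, "storage-encryption", "encryption at rest not enabled"))
        elif a.kind == "firewall":
            exposed = sorted(p for p, srcs in a.inbound.items()
                             if p in MANAGEMENT_PORTS and srcs & ANY_SOURCE)
            if exposed:
                findings.append((a.cloud, a.name, "management-ports",
                                 f"ports {exposed} reachable from any source"))
        elif a.kind == "identity" and not a.mfa:
            findings.append((a.cloud, a.name, "mfa-required", "no MFA enrolled"))
    return findings


# Constructed sample inventory; shapes loosely echo each provider but are not real API output.
SAMPLE_INVENTORY = {
    "aws": [
        {"type": "s3_bucket", "Name": "logs", "ServerSideEncryptionConfiguration": None},
        {"type": "security_group", "GroupName": "mgmt",
         "IpPermissions": [{"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"type": "iam_user", "UserName": "alice", "MFADevices": []},
    ],
    "azure": [
        {"type": "storage_account", "name": "stprod",
         "properties": {"encryption": {"services": {"blob": {"enabled": True}}}}},
        {"type": "nsg_rule", "name": "allow-rdp",
         "properties": {"direction": "Inbound", "access": "Allow",
                        "destinationPortRange": "3389", "sourceAddressPrefix": "*"}},
        {"type": "user", "name": "bob", "properties": {"mfaEnrolled": True}},
    ],
    "gcp": [
        {"type": "bucket", "name": "backups", "encryption": {"enabled": False}},
        {"type": "firewall_rule", "name": "allow-ssh", "direction": "INGRESS",
         "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    ],
}


def run_sample() -> List[Finding]:
    assets = [normalise(cloud, rec) for cloud, recs in SAMPLE_INVENTORY.items() for rec in recs]
    return evaluate(assets)


if __name__ == "__main__":
    for finding in run_sample():
        print(" | ".join(finding))
```

The policies themselves (`evaluate`) never mention a provider; all the cloud-specific knowledge is confined to `normalise`, which is the part a security team would otherwise have to learn three times over. On the constructed inventory it reports five deviations: two unencrypted stores (AWS and GCP), two management ports open to the world (AWS SSH, Azure RDP) and one identity without MFA; the GCP rule that only admits a private range produces no finding.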