Microsoft has “the equivalent of 34,000 full-time engineers” working on its Secure Future Initiative (SFI) project to significantly bolster its security infrastructure.

The figure was disclosed in its recent SFI report for September 2024, with the tech giant saying the volume of person-power applying their skills and expertise to the ambition of improving Microsoft’s security systems renders it the “largest cybersecurity engineering project in history”.

The SFI report states:

“Our engineering teams quickly dedicated the equivalent of 34,000 full-time engineers to address the highest priority security tasks—the largest cybersecurity engineering project in history. We have also made significant improvements in governance and culture, such as integrating security into performance reviews and introducing the Security Skilling Academy.”

Microsoft began its first SFI last November following several high-profile security breaches, most notably the Storm-0558 cyberattack in July 2023 by Chinese hackers who managed to breach US government emails through its Microsoft Exchange Online software. This April, the US Cyber Safety Review Board (CSRB) asserted that Microsoft should have been better equipped to prevent the hack.

In response to the CSRB report, Microsoft has reinforced its SFI by promising to implement the CSRB’s recommendations. The company has outlined comprehensive security principles and objectives, emphasising its commitment to strengthening cybersecurity.

Moreover, in May, Microsoft announced it was linking the fulfilment of security goals with executive compensation in an expansion of SFI. That was further expanded upon in August when a leaked Microsoft memo outlined that not producing substantial work focused on security could negatively impact every worker’s salary increases, promotions, and bonuses. This further extension of that policy to every employee seemingly intends to underscore its commitment to “making security (its) top priority, above all else”.

In addition to those internal initiatives to incentivise work priorities around security, this week’s SFI report offers further insight into the business’s progress.

For example, Microsoft bolstered its Entra ID and Microsoft Account (MSA) systems by implementing Azure-managed hardware security modules to generate, store, and automatically rotate access token signing keys.
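The defensive pattern behind that change is that a token verifier trusts only the keys the key store currently publishes: once a signing key is rotated out and its overlap window passes, tokens it signed stop validating, which limits how long a leaked or misused key is useful. The block below is an added illustration of that rotation and verification flow, not code from the report or from Microsoft. It runs offline with the standard library only, so an HMAC secret stands in for the asymmetric key an HSM would hold and never export; the `SigningKeyStore`, `Clock`, `issue_token` and `verify_token` names and the one-hour overlap window are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets


class Clock:
    """Controllable time source so rotation and expiry can be exercised deterministically."""
    def __init__(self, t):
        self.t = t

    def now(self):
        return self.t


class SigningKeyStore:
    """Constructed stand-in for an HSM-backed key store.

    Keys are generated inside the store and never handed out for signing;
    only verification looks one up by key id (kid). A retired key keeps
    validating tokens for `overlap_seconds` so in-flight tokens survive a
    rotation, then it is refused outright.
    """
    def __init__(self, now, overlap_seconds=3600):
        self._now = now
        self.overlap = overlap_seconds
        self.keys = {}          # kid -> (secret, created_at, retired_at or None)
        self.current_kid = None
        self.rotate()

    def now(self):
        return self._now()

    def rotate(self):
        """Retire the current key (if any) and generate a fresh one."""
        t = self.now()
        if self.current_kid is not None:
            secret, created, _ = self.keys[self.current_kid]
            self.keys[self.current_kid] = (secret, created, t)
        kid = secrets.token_hex(8)
        self.keys[kid] = (secrets.token_bytes(32), t, None)
        self.current_kid = kid
        return kid

    def verification_key(self, kid):
        """Return the secret for kid only while it is current or inside the overlap window."""
        entry = self.keys.get(kid)
        if entry is None:
            return None
        secret, _, retired_at = entry
        if retired_at is not None and self.now() > retired_at + self.overlap:
            return None
        return secret


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(store, subject, lifetime=900):
    """Sign a compact JWS-style token with the store's current key, recording its kid."""
    kid = store.current_kid
    secret = store.keys[kid][0]
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url(json.dumps({"sub": subject, "exp": store.now() + lifetime}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(store, token):
    """Return (True, subject) or (False, reason); the kid lookup is the rotation check."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return (False, "malformed")
    if not isinstance(header, dict):
        return (False, "malformed")
    secret = store.verification_key(header.get("kid"))
    if secret is None:
        return (False, "unknown or retired kid")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return (False, "bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if store.now() > payload.get("exp", 0):
        return (False, "expired")
    return (True, payload["sub"])


if __name__ == "__main__":
    clock = Clock(1_700_000_000)
    store = SigningKeyStore(clock.now, overlap_seconds=3600)
    token = issue_token(store, "alice", lifetime=7200)
    print(verify_token(store, token))      # accepted with the current key
    store.rotate()
    print(verify_token(store, token))      # still accepted inside the overlap window
    clock.t += 3601
    print(verify_token(store, token))      # refused: signing key retired
```

The point of the overlap window is operational rather than cryptographic: rotation must not log every user out at once, but the window is the only time a retired key is still trusted, so its length is the longest a token signed with a compromised old key can keep working after rotation.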

Microsoft has refined its network management by tracking over 99 percent of its physical network through a central inventory system, which aids in firmware compliance and logging. The company says it’s improved its audit logs to ensure they are retained for at least two years.

Additionally, the company has eliminated 5.75 million inactive tenants to minimise potential attack surfaces. To further reinforce security, Microsoft has introduced a new testing system with secure defaults to prevent legacy systems from causing future security issues.

Microsoft engineering teams have seen their personal access tokens’ validity reduced to just seven days. SSH access has been disabled for all internal engineering repositories, and the number of groups with access to crucial engineering systems has been reduced.

Microsoft confirms it has also launched a Security Skilling Academy, which “offers curated training for all employees, reinforcing the importance of security in daily operations”. It also started a new Cybersecurity Governance Council, appointing 13 deputy CISOs, including Timothy Langan, a former FBI employee, to oversee the wider project.

Microsoft’s senior leadership team has introduced a new process to review SFI progress weekly. Additionally, it now provides quarterly updates to the board of directors to keep them informed.

Microsoft’s Troubled Security History

Microsoft has faced criticism in recent years for what some perceive as weaknesses in its security infrastructure. July’s global IT outage, traced to a faulty update from cybersecurity firm CrowdStrike, exacerbated these concerns. Since many Microsoft solutions were affected, initial fears arose that the outage might be the result of a mass cyberattack targeting Microsoft.

Although CrowdStrike was ultimately held accountable for the incident, it underscored the world’s heavy reliance on Microsoft’s services, particularly as cyber threats grow increasingly sophisticated.

This incident also cast a spotlight on more severe instances where Microsoft has been directly targeted by security breaches, raising further concerns about the resilience of its infrastructure in the face of escalating cyberattacks.

In October, compromised Skype accounts were used to spread the DarkGate malware, while Microsoft Teams was also targeted. In November, Russian hackers breached Microsoft’s security, gaining unauthorised access to the email accounts of several senior leadership team members and stealing sensitive source code. Alarmingly, the intrusion went undetected by Microsoft for nearly two months, only coming to light in January.

Meanwhile, in July, Malwarebytes released a report that exposed a “malvertising campaign” to steal passwords from Microsoft Teams for Mac users.

Hackers have been targeting Mac users by luring them into downloading a fake version of Microsoft Teams, which is actually the Atomic Stealer malware. This malware is designed to steal passwords stored in Apple keychains and web browsers. Users have encountered these fraudulent download links through a compromised Google ad account based in Hong Kong, allowing the malicious sites to appear at the top of search results for Microsoft Teams.

from UC Today https://ift.tt/Xd2i8AK