Microsoft announced its Secure Future Initiative Thursday to better address software and vulnerability issues leveraged by attackers in many high-profile incidents over the last several years.
Two separate posts Thursday outlined the new initiatives, which include three pillars focused on AI-based cyberdefenses, improving software engineering and “advocacy for stronger application of international norms to protect civilians,” according to Microsoft President Brad Smith. He emphasized how increasingly advanced cyber attacks that involve nation-state groups, target critical infrastructure and leverage identity-based attacks require new defenses.
The threats were perpetuated, he said, by the rise in AI-based technology used by both adversaries and defenders.
“In recent months, we’ve concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response,” Smith wrote in the blog.
The new response includes three engineering advancements as part of the Secure Future Initiative (SFI). The first focuses on improved software development through automation and AI. It will expand on Microsoft’s Security Development Lifecycle, a security and privacy standard created in 2004. Smith said part of the process will also address multifactor authentication default settings to help a “wider band of customer services.”
In an internal memo published Thursday, Microsoft executive vice presidents Charlie Bell, Rajesh Jha and Scott Guthrie said the company will add threat modeling and GitHub’s CodeQL to help identify security risks and vulnerabilities in its products and services.
“We will accelerate and automate threat modeling, deploy CodeQL for code analysis to 100 percent of commercial products, and continue to expand Microsoft’s use of memory safe languages (such as C#, Python, Java, and Rust), building security in at the language level and eliminating whole classes of traditional software vulnerability,” Bell, Jha and Guthrie wrote in the memo.
The use of memory safe languages (MSL) in software products has picked up speed in recent years. MSL was one aspect of CISA’s “secure by design” plan introduced during Black Hat USA 2023 in August.
Microsoft has faced several significant vulnerability issues over the past few years and has been publicly criticized by several vendors and security experts for its responses in fixing and disclosing them. Those issues were highlighted by the series of “Proxy” vulnerabilities in Microsoft Exchange, which threat actors repeatedly exploited. On Tuesday, Zscaler detailed 117 vulnerabilities it discovered in Microsoft 365 apps that stemmed from uploaded SketchUp files.
Strengthening identity
The second SFI advancement is a new identity system, currently in development, that is designed to help users improve verification and authentication protocols across the entirety of Microsoft’s platform and products.
“Our goal is to make it even harder for identity-focused espionage and criminal operators to impersonate users,” Bell, Jha and Guthrie wrote.
In September, Microsoft revealed that a threat group it refers to as Storm-0558 stole a Microsoft account signing key by compromising a Microsoft engineer’s account. Using the compromised account, the China-based threat actor gained access to Microsoft’s corporate network and found that the key was accidentally placed in a debugging environment — another mistake by Microsoft.
Storm-0558 used the stolen key to breach the email accounts of several customer organizations, including some federal government agencies. Following the attacks, Microsoft was also criticized for its inadequate logging features, which it has since addressed.
SFI specifically addresses the security of such keys. “To stay ahead of bad actors, we are moving identity signing keys to an integrated, hardened Azure HSM and confidential computing infrastructure. In this architecture, signing keys are not only encrypted at rest and in transit, but also during computational processes as well. Key rotation will also be automated allowing high-frequency key replacement with no potential for human access, whatsoever,” Bell, Jha and Guthrie wrote.
In his blog post, Smith said password attacks have “increased ten-fold during the past year.” Microsoft’s goal is to make consumer and enterprise key management fully automated through a unified and consistent process, he said, adding that the advancements will be made freely available to non-Microsoft application developers.
Cloud vulnerability management
The third and final component of Microsoft’s SFI outlines proposed improvements to cloud vulnerability responses and security updates. To that end, one of the biggest promises Microsoft made was reducing the time it takes to mitigate cloud vulnerabilities by 50%. Security researchers have called out Microsoft for silently patching and downplaying vulnerabilities discovered in its cloud services. Last year, Tenable criticized Microsoft for its lack of transparency around cloud flaws after reporting Azure vulnerabilities to the software giant.
“We also will encourage more transparent reporting in a more consistent manner across the tech sector,” Smith wrote.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said SFI could mark a significant moment for Microsoft, comparable to founder Bill Gates’ Trustworthy Computing (TwC) memo from 2002.
“I especially like that they included vulnerability response as a tenet, but I am concerned the focus seems to be specifically for cloud computing,” Childs said. “There are still plenty of on-prem software and services that are favorites of attackers. We saw vulnerability response take a hit in 2014 when the original TwC [group] was disbanded. Let’s hope they’ve learned from that and don’t make the same mistakes.”
Microsoft will look to investments in automation, orchestration and intelligence-driven tools to achieve the third advancement of improving cloud vulnerability mitigation.
The expansion of AI capabilities was another aspect of Microsoft’s SFI. Smith referred to AI as a game changer for threat hunting, especially during a time when remote work and an influx of unmanaged BYOD created even more attack vectors.
“In a single day, Microsoft receives more than 65 trillion signals from devices and services around the world. Even if all 8 billion people on the planet could look together for evidence of cyberattacks, we could never keep up,” he said.
When the initiatives are enacted, Microsoft will extend its Microsoft Threat Intelligence and Microsoft Threat Analysis Center directly to customers. In addition, AI will be used to help enterprises address trends such as the cybersecurity workforce shortage and the rise in ransomware attacks.
Microsoft told TechTarget Editorial that the initiatives are driven by Microsoft AI, but efforts such as Security Copilot will include third-party partners such as OpenAI.
Additional reporting by senior security news writer Alex Culafi.
Arielle Waldman is a Boston-based reporter covering enterprise security news.