Sr. Content Developer at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.

Microsoft is quietly walking back its diversity efforts


Microsoft has been publishing data about the gender, race, and ethnic breakdown of its employees for more than a decade. Since 2019 it's been publishing a full diversity and inclusion report annually, and at the same time made reporting on diversity a requirement for employee performance reviews.

Now it's scrapping its diversity report and dropping diversity and inclusion as a companywide core priority for performance reviews, just months after President Donald Trump issued an executive order to try and eradicate workforce diversity, equity, and inclusion (DEI) initiatives.

Game File reported last week that Microsoft will cease publicati …

Read the full story at The Verge.


Amazon’s new color Kindle Scribe launches on December 10th

Amazon’s new Kindle Scribe Colorsoft | Photo: Todd Haselton / The Verge

Amazon has finally given a release date for its new Kindle Scribe Colorsoft and Kindle Scribe: They’ll be available to purchase starting on December 10th, Amazon spokesperson Rachel Erickson tells The Verge. They’ll cost the same as what Amazon announced back in September: $629.99 for the Colorsoft and $499.99 for the Scribe, which includes a front light. The company won’t be taking preorders. 

Amazon’s updated Scribes have larger 11-inch screens, weigh 400 grams, and are 5.4mm thin (which is thinner than an iPhone Air). The screens use a “new texture-molded glass to improve the friction when the pen glides across the screen,” according to Amazon, and the versions with front lighting have a new system that uses miniaturized LEDs. The updated Scribes also come with a new pen with stronger magnets for snapping to the side of the device.

However, the more affordable $429.99 Scribe without a front light won’t be available on December 10th; that’s still set to launch sometime in 2026.


Cybersecurity strategies to prioritize now


The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more. In this article, Damon Becknel, Vice President and Deputy CISO for Regulated Industries at Microsoft, outlines four things to prioritize doing now.

When a particularly damaging online cyberattack is successfully carried out in a novel way, it makes the news. In a way, that’s good: everyone knows there’s a new cyberthreat out there. The problem is that most successful online cyberattacks are far more mundane and far more preventable, but they’re not being stopped. They’re also not being covered by the media, so it’s easy to imagine that they’ve simply gone away. They haven’t. There are multiple established best practices and low-cost solutions that address the majority of these cyberattacks, but a lot of people out there simply haven’t implemented them. Instead, we all too often see people making the same bad security decisions that open them up to cyberattacks. While there is no recipe for guaranteed success, there are recipes for guaranteed failure. Our goal needs to be to stop making it easy for the cyberattacker and to instead make it as expensive as feasible for the cyberattacker to achieve success. 

On a basic level, there are four things everyone needs to prioritize right now. None of these will shock you, but it’s important to understand that we see these patterns all too often in struggling organizations. Here’s what you have to do:  

  • Prioritize essential cyber hygiene basics.
  • Prioritize modern security standards, products, and protocols.
  • Prioritize fingerprinting to identify bad actors. 
  • Prioritize collaboration and learning.

Prioritize essential cyber hygiene basics

Don’t forget the basics. Just because a product isn’t new doesn’t mean it isn’t necessary. Just because a technology isn’t making headlines doesn’t mean it isn’t mission critical. Here are a few basics folks should start doing now:

  • Keep an accurate network inventory. A solid inventory of all assets (including software, cloud applications, and hardware) helps ensure comprehensive security management. This is the most fundamental requirement, as you can’t protect what you don’t know about. Work with your finance and contracting teams to make sure that you have a firm understanding of all IT capabilities in your environment, as departments may inadvertently purchase capabilities that fall into blind spots of your monitoring.
  • Use network segmentation on your internal networks and enforce traffic patterns to prevent unexpected or unwanted network traffic. Very little traffic needs to be permitted from one workstation to another. Direct access to production systems and key databases should be infeasible. Force that traffic through a jump box instead. 
  • Block unnecessary IP addresses from accessing your public-facing systems. Block Tor nodes, implement country blocks, and block other known cyberattacker spaces to restrict the problem space. 
  • Maintain effective logging and monitoring. The better your logs and monitoring, the better you’ll be able to detect issues in a timely manner. Shoot to keep a year’s worth of data in order to facilitate better detection development and incident response. Make sure that all needed data elements are present in a machine-readable fashion and include events from successful or allowed and failed or blocked activities. Also, find and enforce correlating data elements to enable linking multiple data sources for the same events.  
  • Use a virtual private network (VPN). VPNs help to remove direct access from the Internet and simplify network blocking infrastructure by forcing users to a known, good location. This makes it easier to patch and secure your network. Be aware that real-time streaming content like voice and video may need a more direct path. 
  • Implement basic identity hardening everywhere. Use elevated accounts sparingly. Your everyday account for productivity should not be an administrative account on your machine; rather, leverage a separate credential for when administrative tasks are needed. Also, ensure that every human account has multifactor authentication (MFA) enforced. Phishing-resistant multifactor authentication like YubiKeys or Passkeys significantly reduces the risk of unauthorized access and protects against the vast majority of identity-based attacks. Avoid utilizing MFA factors that use SMS and email one-time passwords (OTP), as well as simple time-based one-time password applications, as these are easily subverted by cyberattackers.
  • Patch everything in a timely manner. Security patching keeps systems current, protects against exploits, and helps ensure resilience against emerging cyberthreats. Environments of any scale will need some help through a patch management solution. Don’t forget that network appliances and auxiliary devices require patching as well. Leverage the inventory from above to ensure that everything is being addressed. 
  • Have basic endpoint security tooling. At the very least, some kind of endpoint detection and response (EDR) solution should be enabled. You also need to make use of full drive encryption in order to protect local data and prevent unauthorized offline tampering of system files. And make sure that you have some tooling to allow for software inventorying and patching. Finally, configure a host-based firewall to prevent lateral movement between workstations and block most, if not all, incoming connections.
  • Proxy all web traffic and use an email security gateway. The vast majority of cyberattacks begin with email messages or web pages. Modest investments in these capabilities will have high pay off in lowering the probability of successful cyberattacks. Enforce the use of the web proxy by only allowing web traffic via the proxy and blocking everything else. This helps to simplify access control lists (ACLs) as well. 

If you’re looking for the next step beyond the basics, you’ll want to look into data loss prevention (DLP), web proxies, and mail proxies. DLP solutions allow for the creation of policy-based enforcement and automated actions. You can use these to automatically block access to sensitive data or encrypt emails containing confidential information. Web and mail proxies analyze HTTP/S and SMTP traffic to detect malware, phishing, and sensitive data patterns. They can be used to block or quarantine suspicious content before it reaches your users or leaves the network.  

Prioritize modern security standards, products, and protocols

Stop hanging on to old software and protocols. There are times when this can feel bad for business. When your organization’s customers or partners use old technology, it can be tempting to carve out an exemption for them in your otherwise modern security practices. It’s important to evict deprecated technologies, dated installations, and poorly maintained software. There are a few specific technologies that present this kind of elevated risk:

Nowhere is this more crucial than in authentication. Username-and-password has long since been dead. If this is the method you are using for authentication, then I fear for your security. MFA has long since been the best method of authentication, and it has evolved over time. While one-time passwords were widely considered the most scalable and easiest for users, recent cyberthreat activity has demonstrated the theoretical perils that have long been hypothesized; email and text messages should not be considered secure. The key to today’s threat landscape is ensuring the use of phishing-resistant MFA. Of the choices in this class, passkey is the easiest in terms of user experience and offers the ability to eliminate the password altogether. Passkey technology has been available for several years. Mobile devices now offer native integration for using passkey authentication, though far too few authentication services offer it as an option.

Non-secure DNS opens you up to a world of hurt. For one, cyberattackers can insert corrupted DNS data into the cache of a DNS resolver through DNS spoofing, making it return incorrect IP addresses that redirect users to malicious sites without their knowledge. Non-secure DNS also leaves organizations more vulnerable to distributed denial of service (DDoS) attacks and can lead to easier data exfiltration. Implement DNS security extensions, DNS filtering and blocking, monitor and log DNS traffic, and configure DNS servers securely to help minimize these risks. 

Simple Mail Transfer Protocol (SMTP) vulnerabilities: SMTP open relays allow users to send emails without authentication, which increases server vulnerability. Misconfigured servers allow for unauthorized access and sharing of sensitive data. SMTP servers can also be used to send phishing emails or to spoof trusted domains. And because SMTP offers no native encryption, emails sent via SMTP servers are more vulnerable to interception.

Exchange Web Services (EWS): Microsoft is very actively deprecating EWS dependencies across all of its products. This includes Microsoft Office, Outlook, Microsoft Teams, Dynamics 365 and more. Work is also underway to close the remaining parity gaps between EWS and Microsoft Graph affecting specific scenarios for third party applications. If you haven’t yet identified your active EWS applications and started their migration, it’s time to do so. Many application scenarios are already supported by direct mappings between EWS operations and Graph APIs.

Border Gateway Protocol (BGP) best practices need to be updated. BGP is designed to exchange routing information between autonomous systems. Notably, BGP also natively provides little security, and when it isn’t managed securely it leaves organizations open to route hijacking—allowing for data to be exfiltrated by directing it through the cyberattacker’s network mid-stream. Outdated BGP versions also lack modern authentication and can be made vulnerable to denial-of-service attacks. A good place to start would be reading up on the BGP best practices from NIST and the NSA.

Use Domain-based Message Authentication, Reporting, and Conformance (DMARC) and enable blocking. This is an email authentication protocol designed to protect your domains from being used in phishing, spoofing, and other unauthorized uses. Setting up blocking within DMARC is a fairly simple process that enables an enforcement mode capable of actively preventing unauthenticated or spoofed emails from reaching recipients. The challenge is making sure you’ve found, validated, and enrolled all authorized senders.
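The difference between a DMARC record that only monitors and one that blocks is visible in the published TXT record itself. The following added example (not part of the original article) parses a record and reports whether it is in blocking mode; the sample records and the `example.com` reporting address are constructed for illustration.

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT record into ordered tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and must be exactly DMARC1.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    return tags


def audit_dmarc(record):
    """Report the effective policy and anything that weakens enforcement."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    pct = int(tags.get("pct", "100"))            # pct defaults to 100
    findings = []
    if policy == "none":
        findings.append("p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine diverts failing mail but does not block it")
    if policy != "none" and sub_policy == "none":
        findings.append("sp=none leaves subdomains unenforced")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address; no reports to find unenrolled senders")
    blocking = policy == "reject" and sub_policy == "reject" and pct == 100
    return {"policy": policy, "sub_policy": sub_policy, "pct": pct,
            "blocking": blocking, "findings": findings}


# Constructed sample records, as they would appear at _dmarc.<domain>.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL = "v=DMARC1; p=reject; sp=none; pct=50"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for name, rec in [("monitor", MONITOR_ONLY), ("partial", PARTIAL),
                      ("enforced", ENFORCED)]:
        result = audit_dmarc(rec)
        print(name, "blocking" if result["blocking"] else "NOT blocking")
        for finding in result["findings"]:
            print("   -", finding)
```

The `rua=` aggregate reports are what let you find and enroll the remaining authorized senders before moving the policy to `reject`.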

Prioritize fingerprinting to identify bad actors

Nearly everyone knows to avoid a suspicious address when they see one. It is relatively common practice to block IP network blocks or entire autonomous system numbers that are commonly used by threat actors. However, cyberattackers have adapted to using IP address space that is much more likely to contain legitimate user traffic, making the practice of blocking on IP address alone less useful. It’s also important to understand that these cyberattackers can move through endpoints in ways that make them appear to be legitimate users interacting with systems from expected geographical locations. Account Take Over (ATO) gives cyberattackers the appearance of a legitimate persona with seemingly valid historical activity. Infrastructure compromises and freely available proxies and VPNs allow cyberattackers to appear from nearly any geographic region. Botnets and other machine compromises can even let cyberattackers borrow time on actual user machines. The first two tactics are increasingly common, while the latter makes it difficult for the cyberattacker to achieve scale.

Organizations should pivot to creating and tracking unique identifiers for networks, browsers, devices, and users. This is fingerprinting, and it works in much the same way that its real-world namesake does. Fingerprinting helps you quickly identify known good and bad actors via machine specific identifiers that are hard to fake. Each user should match up with their specific profile on their specific browser and their specific machine. Using fingerprinting as a primary key in correlating user traffic allows for easy identification of questionable activity. Either the user is working from a very popular public machine, like a library or community center computer, or someone is using a machine to transact across a number of user personas. The former can be identified and tracked, while the latter should be blocked. Without a solution like this in place, it is going to get harder to verify user identities.

Because fingerprinting involves multiple factors, it can be used to generate known good fingerprints, known bad fingerprints, and fingerprints that fall somewhere in the middle. This helps companies create flexible detection methods that meet their specific needs. Fingerprints that fall between known good and known bad can be indicators of changes in user behavior that should be looked into—like login attempts across multiple devices or in unusual geographic locations. The best practice in these scenarios is to consider the fingerprint information along with data on the ISP of origin, means of connection, and the user’s access patterns to adjudicate a security action.
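As an added illustration (not code from the original article), the sketch below uses the device fingerprint as the correlation key over sign-in events and sorts each fingerprint into allow, review, track, or block, following the distinctions described above. The event fields, the per-user baseline, the shared-machine list, and the threshold are all hypothetical, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sign-in events (not real telemetry). "fp" is the device/browser
# fingerprint produced by whatever fingerprinting solution is in use.
EVENTS = [
    {"user": "alice", "fp": "fp-a1", "result": "success"},
    {"user": "bob", "fp": "fp-b1", "result": "success"},
    {"user": "bob", "fp": "fp-b9", "result": "success"},    # new device for bob
    {"user": "carol", "fp": "fp-lib", "result": "success"},
    {"user": "dave", "fp": "fp-lib", "result": "success"},
    {"user": "erin", "fp": "fp-lib", "result": "failure"},
    {"user": "alice", "fp": "fp-x7", "result": "failure"},
    {"user": "bob", "fp": "fp-x7", "result": "failure"},
    {"user": "carol", "fp": "fp-x7", "result": "success"},
    {"user": "dave", "fp": "fp-x7", "result": "failure"},
]

# Hypothetical reference data: fingerprints previously seen per user, and
# fingerprints already identified as shared public machines.
BASELINE = {"alice": {"fp-a1"}, "bob": {"fp-b1"}, "carol": {"fp-c1"}}
KNOWN_SHARED = {"fp-lib"}
MAX_USERS_PER_FP = 3  # assumed threshold; tune to your own traffic


def classify_fingerprints(events, baseline, known_shared, max_users):
    """Return {fingerprint: verdict}, correlating events by fingerprint."""
    users_by_fp = defaultdict(set)
    for event in events:
        users_by_fp[event["fp"]].add(event["user"])

    verdicts = {}
    for fp, users in users_by_fp.items():
        if fp in known_shared:
            verdicts[fp] = "track"    # popular public machine: identify and track
        elif len(users) >= max_users:
            verdicts[fp] = "block"    # one machine transacting as many personas
        elif all(fp in baseline.get(u, set()) for u in users):
            verdicts[fp] = "allow"    # every user matches their known profile
        else:
            verdicts[fp] = "review"   # between known good and known bad
    return verdicts


def accounts_to_investigate(events, verdicts):
    """Accounts that signed in successfully from a blocked fingerprint."""
    return sorted({e["user"] for e in events
                   if verdicts.get(e["fp"]) == "block"
                   and e["result"] == "success"})


if __name__ == "__main__":
    verdicts = classify_fingerprints(EVENTS, BASELINE, KNOWN_SHARED,
                                     MAX_USERS_PER_FP)
    for fp, verdict in sorted(verdicts.items()):
        print(f"{fp}: {verdict}")
    print("investigate:", accounts_to_investigate(EVENTS, verdicts))
```

A "review" verdict is where the other signals the article lists (ISP of origin, means of connection, access patterns) would be brought in before deciding on an action.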

There are many types of fingerprinting, and they may already be available features of your existing solutions. Azure Front Door has integrated some fingerprinting into its offering. Note that different solutions have strengths and weaknesses, and teams may find value in deploying multiple fingerprinting solutions.

Prioritize collaboration and learning

Rather than staying quiet about the cyberthreats your organization is facing, it’s better to find ways to collaborate. Talk more openly about the incidents and failures you’ve faced, share threat intelligence more broadly, and you’ll find that you and the organizations that you work with all stand to benefit.

That’s part of why Microsoft participates in multiple major security conferences as well as the Analysis and Resilience Center for Systemic Risk (ARC), the Financial Services Information Sharing and Analysis Center (FSISAC), the Health Information Sharing and Analysis Center (HISAC), and the Trusted Information Security Assessment Exchange (TISAC). Microsoft also recently joined the Global Anti-Scam Alliance (GASA) as a Foundation Member. By granting its knowledge and expertise to an organization dedicated to protecting consumers from scams of all kinds, Microsoft hopes to both share and gain new insights into the activities of threat actors all over the world. Sharing threat intelligence allows organizations to provide real-time updates on emerging cyberthreats, indicators of compromise, and malicious activities. In return, they also gain similar insights, enhancing their detection capabilities. This enables organizations to gain a more comprehensive understanding of the cyberthreat landscape and consequently to detect and respond to a broader range of cyberthreats within their own environments faster.

Establishing a solid security foundation should be a top priority for any organization aiming to protect its digital assets. By focusing on fundamental practices, sharing security signals and learnings, and avoiding unnecessary technological debt, you can answer most of the mundane threats your organization faces. That way, when something newsworthy does show up on your doorstep, your network, your team, and your time will be available to face it.


To hear more from Microsoft Deputy CISOs, check out the OCISO blog series:

To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list.


Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Cybersecurity strategies to prioritize now appeared first on Microsoft Security Blog.


Apple unveils the winners of the 2025 App Store Awards

Apple announces the winners of the 2025 App Store Awards, recognizing 17 apps and games for their technical ingenuity and lasting cultural impact.


AspiriFridays - Hanselman's Return

From: aspiredotdev

Well, Aspire 13 has shipped, and we THINK we fixed some of Scott Hanselman's gripes from our first AspiriFridays with him (although we have no control over his power outages). Let's see if we can get his personal podcast site Aspirified this time!

First episode: https://www.youtube.com/watch?v=Z1EjpsOAZBU

Learn more: https://aspire.dev
Submit your idea for an AspiriFriday: https://aka.ms/aspirifridays-submission


Your network is your first go-to-market strategy


Alltroo co-founders Kyle Rudolph and Jon Walburg share how they transformed their pro-athlete star power into a fundraising platform that lets their community donate to a variety of organizations and win high-value prizes. In this episode of Build Mode, they reveal how they leveraged their networks to disrupt the charitable giving industry, from raising half a million dollars for the NFL in their first year to learning hard lessons about scaling too fast. They discuss the pivot from $10,000 golf tournaments to $10 raffle entries, building trust with both celebrities and fans, and why your network is your greatest competitive advantage.


Chapters: 
00:00 Intro 
00:58 Meet the Founders: From NFL to Tech Startup 
03:53 The $10,000 Golf Tournament That Sparked Everything 
06:14 Navigating the Nonprofit-Tech Startup Hybrid Model 
11:44 Leveraging Star Power: The NFL Partnership Win 
15:34 Getting Athletes to Say Yes: The Trust Factor 
19:06 When Identity Crisis Hits: Scaling Too Fast 
27:59 The Mistake of Outsourcing Your Vision 
30:00 Founder Market Fit: Your Network Is Your Net Worth 
32:52 Key Takeaways: Building Thought Leadership Without Celebrity Status 

New episodes of Build Mode drop every Thursday. Isabelle Johannessen is our host. Build Mode is produced and edited by Maggie Nye. Audience Development is led by Morgan Little. And a special thanks to the Foundry and Cheddar video teams. 





Download audio: https://traffic.megaphone.fm/TCML1650088392.mp3?updated=1764871430