Webinar - The new security landscape

In February 2021, more than 30 security professionals joined Protiviti to explore cyber security planning and Microsoft’s security strategy. In a series of presentations, they were asked to think differently about their approach to security, before taking part in a series of live polls canvassing their opinions on the industry.

Key headlines:

  • Cyber security has reached the top of the agenda in corporate boardrooms, driven by digital transformation and the pandemic
  • Chief information security officers (CISOs) have a louder voice as a result, but budgets are not unlimited
  • They are looking for ways to gain an overview of disparate corporate networks in a landscape of evolving threats
  • Technology providers including Microsoft realise the challenge and are investing large sums in research and development
  • But challenges remain with implementing the right capability, with companies trying to make sense of what’s needed and when

Digital transformation is at the heart of corporate life. The past 12 months have accelerated the adoption of new technologies and ways of working, and created an environment never seen before. Companies have moved quickly to shore up their operations and support people working from anywhere; they also spent big on cyber security to make sure corporate firewalls remained intact. It has been a very busy year.

These trends, which were evident before Covid-19, are being supported by technology brands investing large sums of money. Last year, Microsoft spent $1bn on research and development for its security products, and in its last earnings report, the computing giant generated $10bn of revenues in the sector. That equates to 40 per cent year-on-year growth and 7 per cent of the company’s total revenues.

“We published some research in August 2020, which suggests the majority of organisations have increased their spending on cybersecurity during the pandemic,” said Nick Lines, product marketing manager at Microsoft. “Many businesses are also looking to recruit further security expertise. Boards now understand that security presents an existential threat to their organisation.

“The CISO of one multinational told me recently he took on the job with the authority to shut down all operations, with no notification, if the cyber risk was too great. He got that assurance; he has a loud voice in the business – the risks are becoming better understood across the corporate landscape.”

But growing awareness and the pace of growth are creating challenges for businesses and security providers. Both are dealing with disparate networks and numerous devices all over the world. They are also working with legacy operations and technology. They can see a complex landscape of threats on the one hand, and a web of solutions to protect them, on the other. Put simply, few are able to build a security utopia from scratch, and everyone has to work with that reality.

“As enterprises and organisations, the majority of us have brownfield sites – new technology that has to co-exist with legacy platforms,” said Jeremy Haisman, director for Microsoft solutions at Protiviti. “How does the Microsoft security stack play with that? How do we interact with it? As a chief information officer (CISO), what should I be thinking? What do I need to invest in? How can Microsoft help me simplify my security landscape?”

Behind the scenes at Microsoft

Nick Lines started his presentation with a familiar tale. A few years ago, the chief executive of a company he was working for bought an iPhone. As an early adopter of technology, he wanted to receive corporate mail on his phone. The IT department had always said no, but that answer wasn’t going to cut it anymore. For Nick, this was an inflection point in the debate. With profound change on the way, IT professionals had to rethink the way they worked.

“Now, if you go behind the corporate firewall, you’ve got any number of devices, and devices you don’t own,” said Nick. “You’ve got identities in the network behind the firewall that aren’t yours. And in fact, what is the firewall? What is your network? Whose infrastructure is it anyway? So, we need a security model that better adapts to the reality of the world we live in. That model, and it’s not unique to Microsoft, is zero trust.

“First of all, we’ve moved from assumption that if someone’s entered a password on a device, it’s all good; to verification of every action people take,” he added. “Secondly, it’s now policy to provide the ‘least privileged access’. That’s about making sure people have just enough access to get their job done. That approach is in everything we do, from every piece of design to the way we run our services.”

Nick explained that Microsoft had two “superpowers” within its products to make the lives of security professionals easier: automation and integration. The first refers to its growing machine learning capability. By receiving trillions of signals a day across the global network, the security team can automate a large number of responses to cyber-attacks. This ‘heavy lifting’ aims to give security professionals more time to survey the landscape in front of them. Integration aims to provide a unified view of what is going on. It seeks to address the disparate nature of corporate networks and the myriad of solutions used to monitor them. In theory, security leaders should be able to work through “one pane of glass”.

But Microsoft, and other providers, still face criticism from businesses trying to take a single view of security in a busy market. During a series of live polls at the event, participants were asked about their views. Which Microsoft products are you most impressed with? Which Microsoft products are you least impressed with? And which ones are you most curious about? It’s worth noting that there were 25 choices for each answer alone, which illustrates the breadth of what’s available, and the potential for confusion.

The top five most popular products were: Azure Sentinel, Azure Active Directory, Microsoft 365 Defender, Azure Defender and Microsoft Cloud App Security. Votes for the least popular were less unanimous, with Azure DDOS and Azure Firewall as the top choices. People were most curious about Azure Sentinel, which isn’t surprising given the challenges faced by security leaders. The product is described as a bird’s-eye view across the business, using the cloud and artificial intelligence to make threat detection and response quicker. But not everyone was convinced.

In the chat on Microsoft Teams, one CISO described the challenge he faced. “When I perform interim engagements, I generally want to ensure a robust and flexible security framework aligned to the strategy of the business and regulatory requirements,” he said. “When I see the slide with the list of Microsoft security related products, and other vendor solutions, I see noise when I am looking for simplicity.”

Nick Lines was quick to respond. “We hear that feedback and it’s something we’re trying to get better at,” he said. “We’re trying to stop talking about products, and instead talk about these pillars of security: identity and access management, threat protection, information protection, and cloud security.” The first builds on the concept of zero trust, using multi-factor authentication as a powerful tool against attacks; the second employs technology to detect and respond to attacks in real time; the third looks after sensitive data; and finally, cloud security explores ways to safeguard the multiple ways companies host applications.

How do companies build on a brownfield site?

Following Nick’s presentation, Roland Carandang, managing director for Protiviti’s technology consulting practice, outlined how companies can follow these pillars. He said when introducing new ways of working, and new products, it was important to acknowledge what companies would get, but also what they wouldn’t. Building on a brownfield site needs a road map, just like industrial development sites of the same name.

“A lot of CISOs I work with often feel under-engaged,” said Roland. “They don’t want to be doing this work, because they rely on their teams to implement projects. But as a steward of the business, they want to intervene and challenge to ensure it makes sense. Showing people what they’re not getting in an update, and what they might be getting in future, gives them an opportunity to ask questions. New capability will be made accessible to everybody, including auditors, so it’s important to understand what that ‘full puzzle box’ looks like.”

Protiviti works with businesses to outline the elements needed on any given project. The priorities are called MUSTs (Minimal Usable SubseT). They are so critical to a project that failing to deliver one would render the project a failure. In order to provide the right level of assurance, a good balance is to allocate between 60 and 70 per cent of the budget to these updates, said Roland. That’s three days a week on what really matters right now, with some contingency built in for clearing dependencies. These could include unpicking the knock-on effects of updates on legacy systems, for example.

Following the MUSTs are SHOULDs and COULDs. The first refers to capability that would be painful if it weren’t developed, which might take up 15 to 20 per cent of the budget. And the second is capability that would be nice to have alongside. “As a starting point, this work is a way of providing assurance on the project and ongoing outcomes,” said Roland. “Clients are turning to this. It better reflects the reality that there is little tolerance for late or over-budget delivery but there is tolerance for changes in features. This type of project management-based methodology helps us deliver as part of a larger roadmap of security development.”

‘The New Security Landscape: how Microsoft’s security strategy can affect your cyber security planning’ took place on 25 February 2021. The event explored how Microsoft was navigating the security landscape. It also provided a unique opportunity to gain feedback first-hand from security leaders themselves. What’s clear is that everyone is looking for ways to simplify security in a fast-changing world.

Leadership

Roland Carandang
Roland Carandang is a Managing Director in our London office and Global Leader for Protiviti’s Digital Identity practice. This practice helps organisations ensure the right people (and things) have the right access at the right time. Its major domains are Identity ...