First published on CloudBlogs on Sep 27, 2016
You can now watch my entire Ignite session right here – and, for reference, included below is an in-depth summary of everything I talked about on stage. For most of us, the recent Zero Day vulnerabilities in iOS, as well as the recent attacks on organizations like the group responsible for testing the Olympic athletes, Colin Powell’s e-mails, or the massive Yahoo breach are still fresh in our minds. To think that by simply tapping a link received in a text, your device could be jailbroken and then completely owned by an attacker with access to literally everything stored and accessed by that device… this is an incredible reminder of the importance of securing and protecting our people and data. Cybersecurity is among the most pressing and imperative issues in our industry, but, at the same time, as companies embrace the digital transformation, IT teams all over the world are being asked to protect company assets that now travel far outside of your secure zone. This is a new reality for organizations doggedly working to be more competitive and attract talent that is used to a new way of working and collaboration. The attacks we’re seeing every day on the news will only get more sophisticated, more targeted, and more impactful as the value of data rises and the surface area IT has to cover expands.
News of sophisticated cyberattacks have dominated the headlines -- including four big stories in just the last 3 weeks. #MSIgnite pic.twitter.com/g81u36gpoV
— Brad Anderson (@Anderson) September 26, 2016
Now is the time to be deeply aware of how and where your data is moving. Core parts of your business now run in the cloud, but most companies underestimate their use of SaaS apps by an average of 20x . Even when there is data kept on-prem, that data is still accessed from a variety of locations and devices (and often times by vendors, partners and providers) – and that puts even more of your data outside of the firewall. More than 90% of organizations are using SaaS apps today, and many (if not most) of you are already using Cloud services from Microsoft – including 80% of the Fortune 500 . It’s no coincidence that these escalating threats arrive at the same time the surface area you have to protect is rapidly expanding. This expansion is driven by the always-growing number of mobile devices in your network, and these devices are constantly taking your data well beyond the confines of your data center. There is also the growing number of SaaS applications your organization needs or that your employees are already using. Your operations are also most likely running from a different sets of datacenters (both public and private). For decades we’ve all relied on the perimeters of our organizations to act as one of the primary lines of defense from attacks – but, as our data regularly moves outside of these perimeters to the cloud and cloud-based apps, these boundaries are no longer effective deterrents.
Old Strength vs. New Technology
With all of this in line, we have to rethink how we manage and protect the company assets . This crisis we’re facing is the result of the fact that no one can have the expertise , the resources , or the time necessary to adequately defend their organizations from every single one of these modern threats. These threats are so fast and complex that they simply cannot be handled by humans alone. This is an area where Microsoft has a very unique perspective and some particularly valuable tools. I really can’t overstate how important it is to rethink the concept of perimeter. The change that has taken place over the last several years is nothing short of total. To give you a sense of the past vs. the present in this regard, I want to talk for a minute about Bamburgh Castle in northern England. In the Middle Ages, Bamburgh was among the absolute pinnacles of engineering – and it was famous for being impregnable. A king, his fortune, or his people were safer here than anywhere else . Many different strategic fortifications had stood on this exact outcropping of volcanic rock for 2,000 years – but none had been quite so massive or powerful. No matter how large an army might be, no amount of swords or cavalry or determination could breach these walls. And many had tried. As the centuries passed, Bamburgh’s strength became legendary, even as the world around it changed. In 1464, amidst the long and violent War of the Roses, the Earl of Warwick laid siege to the castle. Predictably, for nine months he made no progress. But then, after nearly a year of stalemate, the Earl did something no one at Bamburgh had ever seen: He began preparing 3 massive cannons. For those watching from behind the walls, this did not present a credible threat to the impossibly tall and thick ancient walls. No castle in English history had ever fallen to cannon fire. But then, one morning in late June, the three cannon [named London, Dijon, and Newcastle] fired in unison and began picking the prodigious castle apart. Cannons and gunpowder had been invented elsewhere long before and were nothing new to western armies, but the technology to use them accurately and at great distance was cutting edge. Warwick’s cannons fired granite balls weighing 300 pounds, and the walls of Bamburgh came down quickly. Bamburgh became the first English castle to ever be defeated by artillery, and the obliteration of its outer wall decisively ended the nine year war. Old strength was no match for new technology. The fall of Bamburgh was shocking. But it was also inspiring. Faced with this new reality of warfare, everyone stopped building castles. Initially there were some creative ideas about how you might redesign existing castles or change the geometry of their walls, but the era of hiding inside a stone box was over. No amount of innovation could change the fact that a castle was a huge, stationary target that, given enough time and resources, anyone could now knock down.
Bamburgh was impregnable for centuries. Then in 1464 tech grew so sophisticated it became the 1st castle to fall to cannon fire. #MSIgnite pic.twitter.com/hiB1b0kiFK — Brad Anderson (@Anderson) September 26, 2016
The giant hole punched in the side of Bamburgh showed the world a new way to operate, and technology surged to keep up – tech that was both offensive and defensive. Now kings and generals had to rethink the way they operated. Old, time-tested methods of keeping their citizens and soldiers safe no longer applied. The way an army was organized and mobilized had to change now that giant projectiles fell from the sky with unrelenting precision. And new professions and specializations sprung up in societies that had previously only required the brute strength necessary to lift a shield and march through the night. Today I want to talk about an era of technology that has moved past perimeters , that regularly operates beyond firewalls , which is almost always mobile , and which is taking advantage of the very best technology to act offensively and support of productivity and defensively on behalf of your organization’s data.
The Microsoft Intelligent Security Graph
To defend against attacks that are ruthlessly fast and extraordinarily complex, the need for sophisticated software that utilizes machine learning and operates on as much data as possible has never been greater . This is why we set out to build something incredible: The Microsoft Intelligent Security Graph. Our vision is to aggregate and correlate relevant signals from as many sources as possible – telemetry from our solutions, industry and research data, and data from as many partners as possible. We take all of this data and then apply our own machine learning and data analytics – this enables us to identify the suspicious and anomalous activities that identify these modern sophisticated attacks. This is how we can deliver the recommendations and automated actions to protect, detect and respond across all of these different attack vectors. This is something no other software company is equipped to do on such a massive global scale. Every second we are adding hundreds of GBs worth of the telemetry to the Intelligent Security Graph. This anonymized data is coming from the 100’s of global cloud services that we operate. Every month we updated more than 1B PCs around the globe through Windows Update. The things we can learn from this data about orchestrated attacks is nothing short of incredible – and all that signal is constantly coming in and going directly into the graph. Each month we also service more than 450B authentications across our consumer and enterprise service, and we analyze more than 200B e-mails each month for malware and malicious web sites – and all of that signal goes into the graph.
the MSFT Intelligent Sec. Graph aggregates & correlates data from 100’s of cloud services, +1B PCs, 450B log ins, & 200B emails. #MSIgnite pic.twitter.com/n1TreGBcYp — Brad Anderson (@Anderson) September 26, 2016
All told we receive trillions of pieces of data from billions of devices every month through our cloud services, our extensive research, and our partnership with industry and law enforcement through our Digital Crime Units and Cybersecurity Defense Operations Center. All of this goes into the Intelligent Security Graph. No other organization (or combination of organizations) has this much data – and we are putting it all to work for you . We want you to have a uniquely powerful perspective on the attack vectors of your incoming threats, insight on how they are evolving, and the power to correctly respond and protect yourself. We feed signal into the Graph from our core solutions like Windows, Office 365, Azure, and Enterprise Mobility + Security – and then we take what we learn and feed it back through those same tools to enable an empowering work environment (that end users love!) that is also incredibly secure (which IT loves!). As Satya noted last year , Microsoft is the biggest security company you’ve never heard of – and the breadth and strength of our security platform is the proof. As a company, we spend over $1B each year on security R&D – and we actively integrate our breakthroughs into the products and services you rely on every single day. It is awesome how often I meet with CIOs who tell me they are confident that Microsoft is able to provide levels of protection their own organizations cannot. This is a really important point I want to emphasize: Building a solution that delivers on the security and protection that IT needs (but also delights end-users) is not a trivial undertaking. We constantly ask ourselves, “What does it take for end-users to love a security solution?” The answer we’ve found is pretty simple: It means they don’t know it’s there because the security and protection has been seamlessly integrated into the way the users work.
MSFT invests >$1B in security every year. the breadth, strength, & funding of our security platform is proof. #MSIgnite pic.twitter.com/ZOgcn5lF8b — Brad Anderson (@Anderson) September 26, 2016
One of the key things we have learned is that to deliver a seamless experience that is loved by both IT and end-users, it has to be engineering in from the beginning. This is why what we’ve been building is engineered from the ground up to delight both IT and the end-user. Today at Ignite, I spoke in depth about some of our newest innovations and the end-to-end scenarios you can use right now – and this post will touch on each of those points I covered. We have been building these end-to-end scenarios for a number of years in what I would call a “One Microsoft” manner. One of the things I hear from tech leaders in almost every conversation I have is just how different the Microsoft of today is compared to the Microsoft of just a couple of years ago. I can tell you from the inside that the level of collaboration and the focus for building seamless end-to-end scenarios is like nothing else I have ever seen before.
Asking the Right Questions
One of the most important things to remember about security is that it has to be comprehensive . If a security solution has gaps and seams, attackers will find and exploit them. Another really important thing to focus on is the experience your users are getting. What we have been building across Microsoft are solutions that empower end-users to achieve more and are also secure. These are solutions that are loved by end-users and IT. One of the things we have learned throughout this journey is the importance of the end-user experience. And we have learned that building a security solution that also delights end-users is really, really hard. So, what does a security solution that is loved by users look like? Well, it’s seamless and the users don’t even realize it’s there . We have learned that to build something that does this, the solution has to be engineered for both end users and IT. This is not something that can be assembled or cobbled together after the fact. Over the last year, as I have met with many of you, I started compiling a list of the common questions and concerns I heard. Something I came across over and over was the desire for IT leaders to be able to answer “Yes!” to the following questions without any hesitation: 
Protect: Secure Access
Because the movement of data to and from the cloud has weakened the perimeter security we’ve historically relied upon, the network no longer contains your data or your employees. Identity is the new control plane , it follows your user and it grants access to all your data. Attackers know this too – and that’s why 75% of confirmed data breaches involve weak, defaulted, or stolen passwords. In a workplace that is increasingly mobile and cloud-centric, it is the user’s identity that unlocks access to the corporate resources. Whether that data is behind a firewall or in the cloud, identity is the token that grants access. This is why securing identity is the first step to protecting your data.
in a workplace that's mobile & cloud-centric, it's identity that unlocks access to data -- whether it's behind a firewall or in the cloud. pic.twitter.com/2xOf6pKAwQ
— Brad Anderson (@Anderson) September 26, 2016
As sophisticated as modern attackers can be, it’s the simplest attacks that still do incredible damage. For those of you who have ever engaged in a test phishing attack against your own organization, you know that a deeply disturbing number of people fall for it every time . From our own research, we know that 23% of your people will open an e-mail sent from an attacker. With this in mind, we all understand how effective a simple phishing attack can be, and we know that, once someone does fall for it, the attackers immediately have valid usernames, passwords, and can start accessing your information without restraint. Once they’re in your network, the attackers then move laterally and look for privileged accounts to escalate the attack and do more even more damage. All of this would be terrible enough if it happened over a weekend – but, on average, a breach lasts 226 days before being discovered, and it can take up to 80 days to contain it. But even once that is done, then comes the process of determining the impact of the breach. This kind of longevity is only possible because the attackers are often authenticating using valid user accounts, and their tracks are exceptionally hard to find. This scenario is very dangerous for all of us. This is something we can actively address with the combination of the intelligence that comes from the signals/insights we collect and feed through our platform, as well as modern security technologies (e.g. Credential Guard with Windows 10) that help you stop potentially compromised identities from accessing data or moving laterally through your organization. We do this by using the vast computing power of the cloud to gather and process key insights about your users’ work behavior and, when unusual or suspicious behavior is detected, take action immediately.
Demo Wave 1: Protect Your Data
At this point in the session, I dove in on the first big series of demos -- you can watch the entire sequence here: These demos were based on the idea that attacks are accelerating and the damage from these breaches is growing – an idea you can really examine in depth here . The work we’ve done in this area since the since the last Ignite is stunning – here’s everything new we demoed:
today's first wave of demos stretched 15 minutes. here's everything we showed that was new. pretty impressive. #MSIgnite pic.twitter.com/aMnMScYeiJ — Brad Anderson (@Anderson) September 26, 2016
Looking back at the 5 Questions I asked earlier, the elements demoed in this part of the session effectively answered:
- Do you know who is accessing your data?
- Can you grant access to your data based on risk in real time?
- Do your users love their work experience?
The things covered in this demo are already in use by organizations like Unilever and Bristow Helicopters – and the positive feedback is incredible.
Detect: Stop Malicious or Inadvertent Data Leakage and Breaches
The end users we support every day want to feel free to innovate and achieve, and every IT team wants to deliver an empowering work environment – but with a few guardrails that help users protect sensitive data. The challenges and dangers here are real: 58% of workers admit to having accidentally sent sensitive information to the wrong person, and 90% of data leakages can be traced back to user behavior – both intentional and unintentional.
IT wants to deliver a great work enviro w/ a few guardrails to help protect data. the challenges/dangers are real; check out this stat: pic.twitter.com/A3zxMtBWQT
— Brad Anderson (@Anderson) September 26, 2016
As we think about the users we are trying to enable and guide, we have to take into account their different needs and also the different intentions behind their actions. The majority of users are always trying to do the right thing – they want to be empowered and they understand the need to protect company assets. Then there are users who need to share large amounts of sensitive data internally and externally – these users appreciate guidance from IT as long as it is seamless and doesn’t require them to fundamentally change or slow down how they work. This means that IT needs a way to secure data that has moved into the cloud and/or SaaS apps that are being shared. This also leads to a greater focus on data lifecycle since data will travel across devices, outside of the network, and across users and corporations. All of this means IT will need data to become self-aware of its own sensitivity as well as guide its users to make good decisions with company assets . The appropriate policies and protection, including compliance and retention, need to be applied and travel with the data. Some data may need to be tracked and violations of policies will need to be logged, etc. There simply has to be multiple check points. There is also a third group of users that can’t be ignored: A small sliver of users have (unfortunately) malicious or ill intent. We need to acknowledge that these users exist and plan for their actions. We want to optimize our solutions to empower and delight the users who are all working with us to advance our organization, but we also need the capability to detect when something suspicious is happening and take action to protect our organizations, our partners and our customers.
Demo Wave 2: Detect Threats
At this point in the Ignite session, I began the second series of demos -- you can watch the entire sequence here: These demos covered the incredibly powerful ways we’ve engineered security into our solutions in a way that detects and guides the user, as well as brings potential issues to the attention of IT. These were mind blowing to see come together over the last year – and I can’t begin to explain how excited I was to finally show these tools in action. Here’s everything new we demoed:
today's second round of demos stretched 14 minutes. here's everything we showed that was new. wow! #MSIgnite pic.twitter.com/SMMN77OJNs — Brad Anderson (@Anderson) September 26, 2016
Looking back at the 5 Questions I asked earlier, the elements demoed in this part of the session effective answered
- Can you protect your data on devices, in the cloud, and in transit?
- Can you quickly find and react to a breach?
- Do your users love their work experience?
The things covered in this demo are already in use by organizations like General Motors , Avanade , and Starr Companies – with great results across the board.
Respond: Identify Suspicious Patterns, Block and Remediate Attacks
Even with the very best defenses in place, breaches can and will occur. Whether it’s simple human error by someone or a previously unknown method of intrusion (like a new zero-day attack , for example), we all have to operate with the assumption that we’ve already been breached. In other words: Assume breach and have the tools and capabilities always working to identify the suspicious behaviors that are associated with compromised accounts, compromised devices, and the suspicious use of resources. Scott Guthrie referenced in the main keynote the fact that there two kinds of companies in the world: Those that have been breached and those who just have no admitted it.
even with the very best defenses in place, breaches can/will occur. we have to operate w/ assumption we’ve already been breached. #MSIgnite pic.twitter.com/QYKnrSvUcE
— Brad Anderson (@Anderson) September 26, 2016
Having and using these tools is going to be one of the most important aspects of your management and security platform moving forward. As these attacks become more and more targeted and sophisticated you must have a partner that is bringing together the broadest set of data about the threats that are happening around the globe combined with intelligence about the actions and behaviors of your users and systems. This comprehensive approach to security results in a literal mountain of data – but data alone is not the answer. What’s needed to make this much data useful is the capacity for processing, co-relating, finding patterns, eliminating countless false positives, and providing quick remediation, in minutes/hours/real-time – not days or the need to take down your system while you perform a post-mortem. That’s the difference that cloud-based Machine Learning can make – a powerful tool that is constantly operating, gathering, and learning how to best protect your assets. This kind of protection is only possible with the unique type and volume of intelligence Microsoft can gather (breadth and depth that is categorically unmatched by anyone else) and put to use. This is how we can see attacks that are happening to customers in remote parts of the world, and then watch as these attacks migrate around the globe. With this view we can aggregates known vulnerabilities, understand how it vectors, and gather information of any and all compromised credentials. This data allows us to identify the patterns of orchestrated attacks against any organization and then, once the attack is blocked, apply this fix to all our customers instantaneously. In a nutshell, this is the power of the Microsoft Intelligent Security Graph – and I honestly don’t know of anything like it in the world. One thing that is really remarkable about the Microsoft Intelligent Security Graph is how it illustrates security is not an isolated discipline. Attackers use different entry points and attacks exploiting different vectors (e.g. compromised credentials, hardware, or infrastructure vulnerability) within your datacenter or in the various public clouds you may be using to host your data and operate your business – and any given point solution is going to fall short of catching every attack route. Furthermore, I’m constantly amazed by how sophisticated these attackers have become – to the extent that, as we were reminded, a few weeks ago, cybercrime is an enterprise business – complete with licenses, software assurance, and 24/7 support.
These attackers are incredibly sophisticated and focused, and they relentlessly look for seams and weaknesses. In this modern threat era, Microsoft has been focused on two key elements of cybercrime: 1) Ensuring we have the signal and the capabilities to identify the attack patterns, and 2) Extending these capabilities across all of our offerings and the offerings of our partners. This approach allows us to look holistically across our ecosystem – instead of at individual products and services. This completeness is one of the greatest values we offer – but we certainly know we are not done.
Demo Wave 3: Respond to Intrusions
With this perspective as a backdrop, I started the third and final round of demos -- you can watch the entire sequence here: As with both of the previous two demo sections, this was amazing content to finally share publicly. It is no exaggeration to classify everything we revealed today as game changing . Here’s everything new we demoed in the third section:
today's third and final set of demos stretched 16 minutes. here's everything we showed that was new. so cool! #MSIgnite pic.twitter.com/gDC4zHIbTp
— Brad Anderson (@Anderson) September 26, 2016
Looking back at the 5 Questions I asked earlier, the elements demoed in this part of the session effective answered
- Do you know who is accessing your data?
- Can you quickly find and react to a breach?
The things covered in this demo are already in use by organizations like Time Warner Group and Crystal .
Highlighting Windows 10: The Most Secure Platform for Business
Windows 10 has been built to protect users and organizations from these modern attacks with two layers of protection: Device protection and Service protection. We have already taken everything that we’ve learned from the Microsoft Intelligent Security Graph and natively built it into Windows the capabilities required to defend against these attacks. For example, Windows Hello reduces your dependency on passwords, SecureBoot ensures the devices boot cleanly, DeviceGuard ensures only software from approved vendors can be installed. The list goes on. With Windows 10, we have delivered the most secure operating system for business. The demos in this session underscored the exhaustive and comprehensive work we’ve done to deliver the powerful integration of Windows Advanced Threat Protection with Office Threat Protection and Microsoft Advanced Threat Protection. It’s pretty amazing as a feat of engineering – and even more impressive for what our users can do with it. These features are already in use by customers like Hendricks Motor Sports .
How Do You Get Started?
My session at Ignite was intended to provide you with as much insight as possible into the capabilities we’ve been building to support your management and security efforts. With the Microsoft Intelligent Security Graph, our secure platform and comprehensive services protect your new hybrid and cross-clouds environment. We’ve built these things because we believe that it’s critical for you to have a solution in place that enables you to do the following 3 things:
- Protect: secure access
- Detect: stop malicious or unintentional data leakage and breaches
- Respond: identify suspicious behaviors, block and remediate attacks
Across users, devices, apps & data, and infrastructure – your data is safer than ever before. All of these capabilities are now native to Windows, Office 365, EMS and Azure. We have been working on these solutions for a number of years, and they have been carefully engineered to work seamlessly together. This seamless interoperation is how you get the greatest value and the best possible protection. In fact, not only have we done the technical integration, but we’ve worked to make acquiring these solutions as simple as possible. The easiest way to acquire all of these capabilities is through what we call the Secure Productive Enterprise SKU . 