Microsoft security overhaul offers blueprint for SecOps

Microsoft security was found wanting by the federal government last year. But the company's efforts to shore up SecOps might guide other enterprises struggling with technical debt, according to one industry analyst.

In this episode of IT Ops Query Season 2: The State of SecOps, Melinda Marks, cybersecurity practice director for TechTarget's Enterprise Strategy Group, discusses key takeaways from Microsoft's first Secure Future Initiative (SFI) progress report. The document was issued Sept. 23, nearly a year after Microsoft kicked off the initiative in response to a scathing report from the U.S. Department of Homeland Security's Cyber Safety Review Board about a "cascade of security failures" that led to a breach of email systems affecting 22 organizations, including the federal government.

The SFI progress report highlights broad changes to Microsoft security programs from identity and access management to secrets management, network and software supply chain security as well as bringing production systems up to date with zero-trust security practices.

"Some of the things in [the report were] like, 'Wow, you just did that?'" Marks said in a podcast interview with TechTarget Editorial's Beth Pariseau. "[Microsoft] is behind on emphasizing that security is a priority. We've seen a lot of messaging [on that already] from the other companies in this space."

Melinda Marks

However, other large enterprises with legacy applications might have similar problems, Marks said. Microsoft has more than 1.5 billion users, including more than 300 million paid subscribers to Microsoft 365, 100 million developers using GitHub and millions of users of its Azure cloud services.

"We talk about, in security, the adage of, 'You can't secure what you can't see,'" Marks said. "Well, when you're that big and you have that many users, there's going to be shadow tech, and those are going to be the things that the hackers are going to target."

Much of the first SFI progress report details how Microsoft inventoried its IT infrastructure, rooted out and cut off access to unused accounts and legacy resources, and brought hundreds of thousands of resources secured using an outdated API up to date.

"That's part of the rigor of what you need for security," Marks said. "I think every security professional should read this report. … It's good to think of it as kind of a blueprint for how you need to think of security."

Every security professional should read this report. … It's good to think of it as kind of a blueprint.

As with Microsoft, SecOps practices at many enterprises must evolve in an age of regulatory scrutiny to become more efficient and collaborative while maintaining visibility and control, Marks said.

"Sometimes [organizations] have to tap their former developers or DevOps people to get involved in security," she said. "[But they] need to train security teams to better understand this stuff and figure out ways to pick the right tools and gain the trust of the other groups."

The good news is that evolving cloud security tools that tie together various aspects of cloud and app security into a single view of the application lifecycle can potentially help this collaboration, according to Marks.

"You can respond a lot faster if that stuff is all tied together, because you know who the developer is from the very beginning, who could fix something when it's in runtime," she said. "I also see a lot of messaging and tools to help the SecOps teams work with other teams, so I'm optimistic about that."

Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.