Microsoft SFI progress report elicits cautious optimism
Infosec experts say the Secure Future Initiative progress report shows Microsoft has made important changes to its policies, practices and accountability structures.
The first progress report for Microsoft's Secure Future Initiative evoked cautious optimism from the greater security community, but experts said it's clear there's more work to be done.
Microsoft on Sept. 23 published the first progress report of its Secure Future Initiative, a commitment from the tech giant to bolster its defenses and prioritize principles such as security by design and security by default. The SFI was initially launched in November before being expanded this spring, following a report from the Department of Homeland Security's Cyber Safety Review Board that slammed the company over a number of security failures.
In the company's SFI expansion, Microsoft Security Executive Vice President Charlie Bell said it would prioritize "security above all else" and laid out six pillars of this mission in a blog post. They include protecting identities and secrets; protecting tenants and isolating production systems; protecting networks; protecting engineering systems; monitoring and detecting threats; and accelerating response and remediation.
The pillars appear to be direct responses to security issues the company suffered in recent years. For example, Microsoft in January disclosed that a Russian state-affiliated threat actor known as Midnight Blizzard breached Microsoft's corporate network via a password spraying attack, accessing a number of Microsoft corporate email accounts. In the initial disclosure, Microsoft said Midnight Blizzard gained access via "a legacy non-production test tenant account" -- a test tenant account that did not have multifactor authentication enabled. Elements of this attack are covered at least in part by all six aforementioned SFI pillars.
In Microsoft's Secure Future Initiative September 2024 progress report, the company covered multiple areas in which it has bolstered its security efforts in the last several months.
On the company culture and governance end, Microsoft said it dedicated "the equivalent of 34,000 full-time engineers" to SFI, along with new employee training and a prioritization of security that measures security performance as part of both employee performance reviews and senior leadership team compensation. The report also claimed that senior leadership reviewed SFI progress on a weekly basis.
As for the pillars, the company laid out a large number of security improvements it made across its organization. Some highlights include the elimination of 730,000 unused apps and 5.75 million inactive tenants to reduce the potential attack surface; the onboarding of 99% of all physical assets into a central inventory system with ownership and firmware compliance tracking; the enabling of 99% of its network devices with centralized security log collection and retention; and "updated processes across Microsoft to improve time to mitigate for critical cloud vulnerabilities."
Microsoft also promised improvements to its transparency and communication practices, issues long criticized by the security industry.
"We began publishing critical cloud vulnerabilities as common vulnerability and exposures (CVEs), even if no customer action is required, to improve transparency," the report read. "We established the Customer Security Management Office (CSMO) to improve public messaging and customer engagement for security incidents."
Specific to the cloud front, the company said 85% of production build pipelines for Microsoft cloud services shifted to centrally governed pipeline templates.
Regarding identity issues, the tech giant "completed enforcement of the use of phishing-resistant credentials in our production environments and implemented video-based user verification for 95% of Microsoft internal users in our productivity environments to eliminate password sharing during setup/recovery." Microsoft did not specify beyond this what kinds of credentials would be utilized. Moreover, MFA was not mentioned in the report.
TechTarget Editorial asked Microsoft what types of authentication methods were included in the "phishing-resistant credentials" referenced in the progress report. In response, a spokesperson for the company explained via email that these credentials include passkeys, biometric authentication and multifactor authentication.
It remains to be seen whether these improvements alone would prevent a repeat of the Storm-0558 attack or how much technical debt Microsoft is burdened by -- this is only a progress report on an ongoing commitment, after all -- but responses to the progress report have been broadly positive despite remaining concerns.
Longtime security analyst Kevin Beaumont called the progress update "a good security transformation start."
Alex Stamos, chief information security officer at SentinelOne, praised a number of organizational changes, but felt that the SFI report was short on details. Specifically, he noted the lack of a root cause analysis or technical update regarding how Midnight Blizzard breached the tech giant.
"Microsoft has made some laudable organizational changes. They have promoted some smart people as deputy CISOs and announced measuring security as part of their review cycle. We haven't seen any practical, technical or transparency improvements yet," he said in a statement to TechTarget Editorial. "If Microsoft wanted to demonstrate that they are turning over a new leaf, they could provide a detailed technical update and root cause analysis of the breach of their systems by the Russian intelligence services that they announced with no details earlier this year."
Additionally, Stamos said Microsoft is still falling short on transparency. "It required the Cyber Safety Review Board to do a detailed report to get any transparency on the breach of Microsoft by the Chinese last year, and Microsoft has been quietly informing customers that their information was stolen by the Russians throughout 2024. The world deserves to know more, and other companies targeted by the SVR [Russia's Foreign Intelligence Service] could benefit from Microsoft sharing details of the attack and how they are fixing their systems. That would show real leadership and that Microsoft has decided to no longer hide their security failures behind PR and marketing fluff."
Katie Moussouris, CEO and founder of Luta Security as well as a bug bounty pioneer, said the initial report shows promise.
"Microsoft's first Secure Future Initiative progress report looks promising," she said. "I'm also interested in the broader ecosystem initiatives like safe deployment practices and the new platform capabilities they are working on to allow security vendors, like CrowdStrike and others, to operate outside of kernel mode to help improve software reliability."
Casey Ellis, Bugcrowd founder and chief strategy officer, said SFI is essentially the 2.0 version of the Trustworthy Computing memo, a historically significant email Bill Gates sent to Microsoft employees in 2002 to prioritize product security. He said that like its predecessor, SFI's goal is to reorient Microsoft "from a tactical and reactive approach to security toward one that addresses it from the core." This latest report, Ellis said, shows that some progress has been made.
"After a year, it looks like Microsoft has made some smart and substantive initial progress in elevating security across the whole organization: investment in security-focused head count, inclusion of security into performance reports across the entire organization, establishment of internal security leadership teams who -- importantly -- report directly to the Microsoft Board of Directors, and the establishment of strong governance structures across the organization and burning down a bunch of the 'big rocks' against their secure engineering pillars," he said in an email.
As such, Ellis said he was a "big fan" of many of the steps Microsoft has taken to culturally affirm and reaffirm the shared responsibility aspects of security, as well as "the accountability structures that have been established both on the cultural and the engineering side."
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.