Microsoft SFI progress report elicits cautious optimism | TechTarget

Infosec experts say the Secure Future Initiative progress report shows Microsoft has made important changes to its policies, practices and accountability structures.

The first progress report for Microsoft's Secure Future Initiative (SFI) evoked cautious optimism from the greater security community, but experts said it's clear there's more work to be done.

Microsoft on Sept. 23 published the first progress report of its Secure Future Initiative, a commitment from the tech giant to bolster its defenses and prioritize principles such as security by design and security by default. In the September 2024 progress report, the company covered multiple areas in which it has bolstered its security efforts in the last several months.

On the company culture and governance end, Microsoft said it dedicated "the equivalent of 34,000 full-time engineers" to SFI, introduced new employee training, and made security a priority that is now measured in both employee performance reviews and senior leadership team compensation. In the company's earlier SFI expansion, Microsoft Security Executive Vice President Charlie Bell said it would prioritize "security above all else" and laid out six pillars of this mission in a blog post. TechTarget Editorial asked Microsoft what types of authentication methods were included in the "phishing-resistant credentials" referenced in the progress report.

Casey Ellis, Bugcrowd founder and chief strategy officer, said SFI is essentially the 2.0 version of the Trustworthy Computing memo, the historically significant email Bill Gates sent to Microsoft employees in 2002 to prioritize product security. He said that, like its predecessor, SFI's goal is to reorient Microsoft "from a tactical and reactive approach to security toward one that addresses it from the core." This latest report, Ellis said, shows that some progress has been made.

"After a year, it looks like Microsoft has made some smart and substantive initial progress in elevating security across the whole organization: investment in security-focused head count, inclusion of security into performance reports across the entire organization, establishment of internal security leadership teams who -- importantly -- report directly to the Microsoft Board of Directors, and the establishment of strong governance structures across the organization and burning down a bunch of the 'big rocks' against their secure engineering pillars," he said in an email.

Another expert was similarly upbeat. "Microsoft's first Secure Future Initiative progress report looks promising," she said.

Others were more critical of Microsoft's transparency: "It required the Cyber Safety Review Board to do a detailed report to get any transparency on the breach of Microsoft by the Chinese last year, and Microsoft has been quietly informing customers that their information was stolen by the Russians throughout 2024."

It remains to be seen whether these improvements alone would prevent a repeat of the Storm-0558 attack, or how much technical debt Microsoft is burdened by -- this is only a progress report on an ongoing commitment, after all -- but responses to the progress report have been broadly positive despite remaining concerns.

This Cyber News was published on www.techtarget.com. Publication date: Thu, 03 Oct 2024 19:43:05 +0000