How to Plan for and Implement a Cybersecurity Strategy

Captions
Hey guys, and welcome to the show. Today we have Mark Simos on; he is a cybersecurity guy extraordinaire and I can't wait to hear what he has to say, so without further ado let's start the show. [Music]

Hey Mark, how you doing today? Doing great, how you doing Lex? I'm doing good man, I'm in Cleveland, so that's always fun. Nice. I'm actually working from home in Florida, so it's nice to not be on the road. Yeah, rub it in. Yeah, so I actually have a house about, I don't know, 60 on the beach. How'd you fare in there? We did all right. I mean, by the time the hurricane ran over us it was pretty weak from coming through South Florida, you know. Yeah, thank them for taking the hit for us. Yeah, we're lucky that it turned, because it was looking pretty bad there for a while, you know. But I think it came over the Everglades, so that probably sapped some steam out of it. Definitely. And I gained a new appreciation after a couple days of power outage for why they call power and other services critical infrastructure in cybersecurity. It's not fun to be without power. No, not at all. And speaking of critical infrastructure, you're gonna talk to us about some cybersecurity stuff today. Absolutely. We're going to talk about the Cybersecurity Reference Architecture, which has been around for a little bit, and the Cybersecurity Reference Strategies, which is just releasing, that we put together just recently. Okay, awesome. All right, well, I'm gonna kick it over to you and let you start.

Okay, so what I'm going to do is talk a little bit about a couple of Virtual Academy sessions that we've got going on. These are full-on Virtual Academy pieces, and I'm just gonna give a little bit of a tease, you know, show people kind of what they can expect in there, and then we can talk about it and see what questions you have for us. All right, so the two different Virtual Academy sessions that we want to have people take a look at, and see how they make sense for their environment, are really about two different things that are very closely related. The first was a reference architecture, so something that my boss actually committed me to at a very large meeting, and said Mark is going to create a reference architecture for cybersecurity, and I smiled and nodded like a good employee and went off and figured out how to do that. And it did take quite a bit, because as I discovered researching it, we have a lot of cybersecurity capabilities, actually an astounding amount. And, you know, I'll go ahead and bring this full slide up here just to kind of give folks a sense for it. This is our reference architecture, and the intent of this was really to kind of capture in one place all of the different capabilities that Microsoft has brought to bear on the cybersecurity challenges our customers are facing: the threats coming in all the time, the new cloud and IoT and other technologies coming online that they have to secure, and really kind of, you know, making sense of that.

Yeah, this is a very easy-to-understand and direct slide. Yes, and it was actually made in PowerPoint, believe it or not. This was not a Visio thing or anything like that; we actually used PowerPoint for that. And one of the things that we actually did with it, because it's so hard to kind of figure out where to start, where to go with it, I don't know if you notice here, but as you hover over it there are little tooltips there that give you a quick blurb on what this thing is, and then they take you to a link to kind of understand it and learn a little bit more about it, because it was a little difficult for people to figure out where to start. That's cool.

And so the first webcast that we mentioned there is really about the reference architecture and kind of our first pass at how to interpret it and how to take some of those capabilities and build a strategy around it. And then as we moved into this next new year for us here at Microsoft, our new fiscal year, we really wanted to take a fresh look at it and say, okay, how do we take all this and then really make sense of it in a language that a CISO and their security organization can make sense of? You know, how do I build a strategy to address all these modern problems? And so what we did is we built these reference strategies on security management, identity and access management, threat protection, and information protection. And so we went through, and for each of these we said, okay, in this modern hybrid enterprise that almost every organization is either operating right now or will be in the not-too-distant future, how do we go about being successful in this area? And notice those categories actually came from our customers. We polled a number of CISOs and they said these are our top priorities, these are the things that we want to try and solve right now, that we're trying to figure out. And so what we did is for each of those we put together, you know, a strategy: what are the success criteria, what does success look like, what is the right approach to this, what are the things that I need to do to accomplish those success criteria and kind of check the boxes, and then, you know, what are the capabilities that then can enable that strategy to help me be successful on it. And so that's really the way that we approached this for each of those different key initiatives that CISOs are currently driving in most cases. Cool.

And you'll see here the links to each of the Virtual Academies that cover those, and if you'd like I can run you through kind of a little bit of a teaser of some of the content in there that kind of shows some of the unique sides of Microsoft cybersecurity, both from a historical perspective as well as kind of what we're doing currently that a lot of people didn't know about. Yeah, that's awesome. Can we go through both of them? The first one, the reference architecture, I don't have any of the slides for that ready, but the reference strategies I do. Okay, let's go through reference strategies.

All right, so when we kind of stepped back and said, okay, what is actually happening to a security program, we looked at that and then what was also happening to the IT environments today. And there are a number of these trends which everybody's kind of pretty familiar with, and, you know, we don't really see a lot of heads nodding when we talk about these in customer meetings. But ultimately the back end is going hybrid, so the infrastructure, the servers, data centers, enterprise services. And, you know, we don't expect customers to not go to the cloud at all, but at the same time turning that last switch in the data center is not something that's just going to happen with just a fiat; it's just not going to happen quickly. So it's going to take a while for enterprises to get fully cloud, so they're gonna be in this hybrid state for a long time. So that was a key assumption. And then, you know, mobility. Everybody knows mobility has been growing at a crazy rate, and the use of apps, and especially when you look at the digital transformation going on, it's just going to keep continuing there. And we're starting to see some maturity in the space of, you know, with all the different mobile devices out there, the different versions and the different vendors, the different configurations, we're starting to see the maturing that we expected for some time, which is we're gonna start judging the devices by how trustworthy they are: are they configured right, are they compliant, you know, in the case of Windows 10, has the hardware validated that the software has actually booted correctly and has high integrity. So we're starting to see that differentiation, where the trustworthiness of these mobile devices is not just this one model; it's actually being judged individually.

And then digital transformation. I mean, everybody's got it on their mind, everybody's hearing about it. It's something like 86 percent of CEOs have it as their top priority, so digital transformation is a very big deal, and IoT is coming along with it. And so we're seeing a lot of application development coming along with this, which is one area that security does worry about. And we're also seeing, especially in the area of IoT, you know, trying to apply your standard-issue PC security strategies like antivirus and firewalls just doesn't work on an IoT device. Some of these things are super low power and they're just really hard to secure with those normal tools, so you've got to really think about these things differently than today. And of course, as you and I have talked about several times in the past, you know, the bad guys just keep on getting better at what they're doing. And the interesting observation that we see in here is that they tend to be fairly reactive in how they invest, so they only invest in problems that they need to, which is very rational human economic behavior. And so the interesting thing here is, you know, if they're still using credential theft and pass-the-hash and those techniques and it's still working every time, they're not going to bother investing in something new. However, if they're getting detected all the time and it is making them have to restart their operations, their attacks, then they're gonna go ahead and invest in different ways of hiding, in stealth technologies.

So the other thing that we talked about a little bit is digital transformation. We try to do this from sort of a security-eye view, because a lot of times when you talk about digital transformation we see it from the IT and/or the business unit's view, like, hey, how is this bringing value to my business, how is this making me more efficient? And that is absolutely the driving factor to change the way that organizations engage their customers and empower employees, change the products that they actually offer, and of course all the internal optimizations. But the thing that's interesting when you look at it through a security-eye view is when you look at the classic security strategy. I mean, what was the number one thing when you think security? Well, firewall comes to mind. So everything was all about the firewall, right? We had this network edge around, and of course all the security guys like to say it's a hard crunchy edge and a soft chewy center, and that's really how we had architected things: we had this one place to do policy control, and it was the network edge. And then along come mobile devices, and they don't really live behind the firewall, so we had to kind of figure that out. We kind of bolted that onto the strategy but really didn't kind of reinvent anything; we just kind of accepted that. But when you look at what's happening, when you look at what digital transformation requires, you need SaaS apps off the shelf, you need to enable and empower these employees to collaborate quickly with these modern SaaS applications, software-as-a-service applications. Then you look at the mobile experience, and I don't know if you ever used one of those older MDMs and, you know, sort of the very limited email and web browsing capabilities on them, but it's a very challenging and very poor experience, and, you know, that's not going to get that fast collaboration that you need done; it's not going to allow you to run those custom collaborative apps to enable your business processes. So you're seeing increased demand for this first-class mobile experience, like give me a real mobile experience, not this very, very limited one. And then of course IoT, right? So IoT is exploding everywhere. Businesses are enabling it whether IT and security are on board or not, and, you know, almost every IoT project we see just pulls through cloud. I mean, that's where all the analytics, the value, all the data is crunched, and then gives you those insights into what people are actually doing or how the product's being used. So with all this, it doesn't really fit well behind a firewall; most of it doesn't even live behind a firewall. And so the thing that we're working with IT security organizations, or information security organizations, to do is to help them understand that, you know, you need to kind of redefine the perimeter that you defend, and what that perimeter needs to be based on is identity. And we talk a lot about that in the identity strategy. The identity and access management strategy is, you know, taking that one type of control that you do have in all of these, which is, you know, authentication, authorization, which is an identity control, and taking that one control, and from that clay making a pot that you can use, which is a security perimeter, and how do you do that, and how do you bring all these new tools that allow you to have that visibility and control in this world that simply doesn't fit behind the traditional firewall. Make sense? Yeah, absolutely.

So then we have a little bit of fun here. I actually enjoyed making this slide quite a bit. Talked a little bit about kind of the history of security, and there are some surprising nuggets in here that I was able to dig up through research as well as my own personal experience. When you look at what's happened in sort of IT security, there are kind of three eras. You've got the mainframe and PC era, right, and, you know, at the time we were facing hobbyists, enthusiasts, you know, kind of people attacking because they enjoyed it for some reason. But, you know, over time, and about the same time as we're going into data centers and mobile devices and kind of modernizing into a true enterprise IT, we started to see monetization of attacks really kind of become in vogue, and we found people capitalizing on the economic potential of it. And, you know, as we're moving into this current era of cloud and Internet of Things and all these other pieces, you know, we're actually seeing that monetization turn into full industrialization. So we're seeing, like, specialized economies. We're seeing, you know, much like in the days of the gold rush in the U.S. in the 1849, kind of 1850s era, the people that made the most money were not actually the gold miners, it was the people that sold them the picks and the axes and gave them loans from the banks. And so we're seeing a similar thing. And you forgot Levi Strauss. And Levi Strauss, thank you very much, yes. And we're seeing a similar thing happen, where we're seeing this dark economy emerge with specialization and markets, and you can buy, I mean, there's something like 12 million corporate credentials that are for sale right now on, you know, a couple dozen different markets. So instead of just buying your Xbox Live or whatever types of accounts that are bought and sold and have been for years, you can actually now buy corporate credentials. And so we're seeing this real specialization there. You can buy attack toolkits, you know, that are pre-made; you don't have to even have, you know, hardly any skills at it. And of course you can always, you know, grab a bunch of tools and assemble them into your own attack. So we're seeing this just incredible sophistication, industrialization, and we're also seeing nation-states kind of integrate this into their normal warfare and normal politics sort of strategies. I mean, it's a full-on component of actual warfare nowadays.

And so, you know, as this evolution has happened, Microsoft's had sort of an interesting journey along it. I mean, we started where everybody else started in the security world, which was security controls, and for the hardcore out there, anyone out there remember Orange Book, which became Common Criteria? You know, we started out there. I mean, we had access control lists in Windows NT and the like. You know, we started at the same place that the rest of industry was, and the reality was at the time software quality, security quality, was a little on the poor side, and we were the biggest software vendor, you know, on the block by a large margin. And so we experienced a virus and worm epidemic in our operating systems and productivity apps that was just stellar, stunning rather. It was a really big set of things that happened, and it really kind of was a wake-up call for all the industry, particularly us, because we were the biggest player there. And that's when we launched our Trustworthy Computing initiative in 2002. I mean, Alex, I think you've been around long enough to remember Melissa and Slammer. Oh yeah, those were some tough times and some late nights for a lot of support back in the day. And obviously it wasn't a sustainable state, and so Microsoft really kind of woke up, along with the rest of industry, that this is something that had to be done in a very, very intentional way. And so we launched the Trustworthy Computing initiative. We had an organization to sort of make that initiative real, which was Trustworthy Computing, or TWC for longtime Microsofties, and, you know, really they were kind of the standard bearer for that and were figuring out how do we solve this problem. And we've actually made quite a bit of progress over time on it, and this is just, you know, some of the ways that we were approaching it. You know, the first thing that we had to do is we had to figure out this platform security thing, so we added platform security as a core tenet to our security philosophy, and that's, you know, where the Security Development Lifecycle was born, because we wanted to reduce the number of vulnerabilities, of security bugs, in our products. And so we also, you know, wanted the whole lifecycle to be secure: design, development, deployment, as well as communications. And our work in this was actually recognized and adopted as an international standard; it's an ISO standard now. And so we really kind of became an industry-leading organization in this to really drive some change. So that addressed the first, you know, national problem, because, you know, we realized quickly, and many in the industry are now realizing, that you can't get to zero vulnerabilities; it just doesn't happen. But people didn't believe us when we said that. It's only when Apple and Android and all these other platforms are suffering from the same problems that people actually realized and believed that, yeah, you really can't get to zero bugs. And then the second piece was time of exposure. So if you have a vulnerability, you want to limit the time that an attacker can actually use it in the market. And so, you know, we have some of our original investments like the Response Center to really quickly respond to these things, doing rigorous testing to make sure that every security update that we send out is reliable and doesn't break anything, and our automatic update mechanisms, which have evolved over the years but, you know, have been a mainstay. And recently we've actually invested in a bug bounty program to buy these things off the market so that they're not actually out there hurting our customers. And then the last piece, you know, we're always going to have this exposure profile, right, of any security vulnerability that gets out there, and so what we've been focusing on very heavily is we want to increase the difficulty and the cost to exploit these things. So, you know, we're putting in mitigations for whole classes of vulnerabilities into the platform. At Ignite last week we actually recently released Exploit Guard, which took a lot of the innovation that was in EMET and then built on it to go even further to kind of break these things. And it's an imperfect science, but we're working hard to really kind of cut out large sections of what the attackers can do. And so, you know, that's what happened when we added the platform security thing, and that, you know, started back in 2002, but we are continuing to invest, like in that bug bounty program.

And then the thing that's been sort of haunting our customers today is really twofold. One is we're seeing this uptick of attacks, just, you know, the steady drumbeat of large attacks and disclosures, you know, of organizations just getting hit by these various different attack groups. And then at the same time we're also seeing organizations hesitate to go to the cloud because they don't know how to secure it, and the tools that they have, that they built for their own premises, really just don't apply well to the cloud. There's a whole new generation of toolsets and techniques and technologies that are needed for securing these hybrid workloads. And so these two things kind of led us to the conclusion that we really need to kind of launch a similar type of initiative, which happened in 2015 with our cybersecurity initiative. Satya, I want to say it was at a government cloud forum, Satya Nadella, our CEO, launched this. And really the best way to describe what we're doing with this generation is we're building an integrated security experience in there, because security has gotten so complicated and so difficult for our customers, because they're managing, I mean, the estimates vary, but 20, 40, a hundred, I've even heard 150 different security vendors in their security department. So imagine trying to manage that many tools and integrate that many tools and figure that out. And so our customers are facing these challenges and they're having a hard time, you know, figuring this out. And so, you know, we really put a lot of investment into building this integrated security experience to help our customers manage these problems much better.

And then one of the big pieces of this, just to mention it really quickly, there are a whole lot of great webcasts and sessions on the Intelligent Security Graph, but this is really core to a lot of our security stuff. You know, we work with partners, obviously, but we have a large number of internal groups that, you know, focus on working with this. And what the graph is, is essentially a collection of data, analytics, and people. It's really a system of systems that are interconnected, that allow us to really have a heartbeat on what's going on in the security world. When you think about Microsoft and the businesses that we're in, you know, what do we do for our businesses? We've got a search engine, we're the number one, number two commercial and consumer email provider on the planet, we've got one of the largest antivirus footprints, and we patch about a billion PCs every month; I think it's like up to 1.2 or something like that right now. And so with all these things we end up getting a whole lot of data. Now, we always follow the compliance laws and all those kind of pieces, and the privacy, and we only use the data in ways that our customers have explicitly authorized us to. But that perspective that we get, that firsthand, high-fidelity data, gives us an amazing view into what's happening in the world, and, you know, it gives us the context to say, is this unusual, is this targeted, is this targeted at a particular industry or type of customer? And so we have a lot of teams that work across that data, and the machine learning and analytics and all the advanced things that we do on it, to protect our customers, detect viruses, help protect the ecosystem through the Digital Crimes Unit, help hunt for attackers in various different aspects: in our IT environment, in our data centers, in our customers' tenants, you know, for the Azure Security Center, Defender ATP products, etc. So lots and lots of ways that we use this, and then of course everything that we learn from that we feed back into it.

And of course, you know, the next question is, like, okay, so how does this help me as a customer, as an organization? And, you know, there are a couple things that are just on for free that a lot of people don't realize are tapping into this vast data store. SmartScreen, which is built into our Edge and our Explorer browsers. Windows Update actually leverages this as part of the Malicious Software Removal Tool that runs every month and cleans off the top anti-malware families that we see. And then our Windows Defender also has something called MAPS, or Active Protection Service, that essentially, if it runs into a suspicious event that it has not seen and it doesn't have a signature for, but it still hit the suspicious trigger, it will go ahead and check with the cloud to see if there are any latest-and-greatest signatures that have been released, get those signatures, and block it. And while this seems like it's sort of a minor optimization, to go from, you know, whatever, 6, 12, 24 hours when you get your signature updates, down to up-to-the-minute, when you look at what happened with the NotPetya and WannaCrypt attacks, we had customers where their entire global enterprise was taken down in 16 minutes, excuse me, 60 minutes, and this was somewhere on the order of, you know, 60-some thousand PCs and servers were wiped down to the ground in less than an hour. And so it becomes really critical to have that up-to-the-minute signature piece. And so those are kind of the free things that we provide out there, and there are a number of other capabilities that we have that tie into this. We discuss these in quite a bit of depth, especially in the threat protection module of the Virtual Academies, that really get into, you know, these different ways of protecting all the different kinds of assets that our customers have: email and hosts and, you know, software as a service, you know, discovering that shadow IT and then protecting it, and the like. Yeah, wow, that's cool. Yep.

And then the last piece I just wanted to kind of talk about, because this is one of the fun themes that we were able to integrate into this. I'm kind of a, I mean, you know me, I'm kind of a multidisciplinary guy; I like to draw and learn from other different areas. And there were a lot of things in here where we were able to learn from the different intellectual domains, in this case economics, and really take a look at, okay, what does security return on investment mean, right? Because I can't tell you how many chief information security officers, or CISOs, or CFOs have this communication challenge, where the CFO says, please tell me what I'm getting for my money, you know, why I'm spending money on your security department, what am I getting back? And the CISOs don't have a good language for being able to communicate this back. And so we've been working hard on this problem, and what we've been able to do is we've come up with something that makes sense. We're working on actually backing this up with numbers and formulations, but we've got something that actually gives them a language to communicate it. It's actually a little different than most people expect. So ROI, right, what's my return on the investment I'm making? So investment, very simple: I've got a security budget, I've got the time and attention of people that I've already hired, right, that's what I've got to spend. What am I buying? Well, our opinion is that you're buying the ruination of the attacker ROI. Your job is to ruin the attacker's return on investment, because when you do so it affects the whole range of cyber attacks, right? You've got your opportunistic attackers, you know, he or she may want to attack you because you have personal health information, PII, credit card numbers, right, you've got something of value, but a bunch of other people do, right, a bunch of other organizations do, and so when you ruin the attacker ROI they're gonna go and, you know, do the proverbial break into your neighbor's house, not your house. And then your determined attackers, which are the tough ones, right? So you've got a nation-state after you, and they've got deep pockets and they really want to get your stuff. What you can do with this is, by ruining their attacker ROI and forcing them to spend more to get less, instead of having a hundred victories a year on you, or, you know, compromising you in one day or one week, they maybe get ten a year if they focus on you, and then it takes months to get in. And so they actually have a lot less gain for what they're doing, and they're less likely to attack you, or, you know, it reduces the impact that they have on your organization. So we found that this is actually a really good way to think about it.

And then we kind of break this down a little bit further. When you look at the return, it's actually really hard for me as an organization, as an individual defender, to have much impact on the return, right? Like whether they're going to use it to swing an election, they're going to use it to sell on the black market for profit, whether they're gonna actually use the credit card numbers to buy something, it's really hard to influence that as an individual defender. But the investment that they have to make, the cost of attack, the cost that it takes to attack you, is something that you have a lot of control over, because if you take that limited investment that you have, the budget and the team time that you have, and you focus that on the cheap and easy stuff, and you're working on driving their cost up deliberately, as opposed to going after things that the attacker might do, you're going after the things that they will do and that they can do cheaply. And if you prioritize in that way, you can actually have a lot more success with the few resources you have than going after it through any of the other methods that we've seen. So we've really kind of woven that into the success criteria, and, you know, what a good way is to balance protection investments versus detection and response. So we spend a lot of time on really kind of making this real. Cool, awesome, that sounds awesome. Yeah, you know, it's like sticking an alarm sign in your front yard, you know; if they believe it, they go to the next house. That's right. Yeah, or buy a big dog. Exactly.

So yeah, that was kind of it for the teasers. I mean, we go through security management, really kind of focus on how do we get, you know, that visibility across the whole world, and how do you get it across all your assets, that visibility, that control, that guidance as you need it. I mean, if you look at some of our stuff, as an attack is detected it not only gives you a little one-pager on what the malware is that's being used; if it's a known group that we know, like Strontium or Lead or Gold or one of them, it actually brings up a profile sheet: what industry do they attack, what are they after, and what kind of tools do they like to use. So there's a whole lot of amazing stuff that's been sort of embedded in there. Identity and access management, of course we have the classic credential theft, pass-the-hash pieces in there to protect your infrastructure, but we also want to help you protect your accounts as well as this new identity perimeter, and how do you assemble one. So we focus a lot on that in identity and access management, like what is this new perimeter, what does it look like from a security lens, and then how do I manage it, what are the tools for it. And then threat protection, that one is really about, you know, instead of trying to prevent everything at the firewall, how do you actually do these protections along the whole kill chain, right, along every attack phase that the attacker could go for. How do you raise that attacker cost with preventive controls, with detection and response capabilities, and really kind of building that capability out so that, you know, you're really making it hard for an attacker to get what they want, because they're just, you know, hitting obstacles every step of the way. And then lastly, information protection. It's about, you know, protecting documents when and where they all are, right, and no questions asked, don't have to worry about it. You know, okay, protection on your mobile device, but not if it's an unmanaged one, or you have protection on your PC, but not when it copies to a thumb drive. We want to get out of that old mindset, because we have technology that allows documents to phone home and track it, we can find the shadow IT that's out there and the software-as-a-service stuff so that we can then secure it, and, you know, secure these third-party SaaS as well as Office 365, of course. So really focus on, okay, how do I solve this business problem, the security strategy problem, of protecting my information, and there's an amazing amount of capabilities in our portfolio; it really shines through.

Yeah. So is there a cost for customers to go and take these? Absolutely not. These are completely free. Just, you know, go to those links and, you know, take them, and then you're on your way, and there are a bunch more resources linked in each course. Wow, that's killer, that's just awesome. Who creates this content? You're talking to him. Oh really, this is all you? Mostly me. I mean, a lot of collaboration, a lot of smart people, a lot of research that I had to do, but ultimately, you know, I was the one that was focusing on crafting the stories and making it make sense to a CISO or security architect. Wow, this is awesome, what a great value for customers. You know, you can't prevent every attack, but you can make yourself a little less vulnerable, or a lot less vulnerable, if you're smart about how you architect things. Yeah, these are great, these are awesome resources, and they're free; that makes it even better. Absolutely. I mean, this content is actually based on, I mean, it's the same content that we developed for our, you know, top customers that we're gonna directly engage with the CISO there, to help them understand the Microsoft capabilities and integrate them in their strategy. So this is essentially our top-shelf stuff that we've put together. Okay, awesome. Well, Mark, listen, as always, you know, thank you for doing this for us. Oh, no worries, thank you so much for having us on here; love talking to you and your audience, man. Yeah, it's a lot of fun for us as well, and certainly great information. So guys, listen, thanks for watching the show, and that's your Taste of Premier.
Info
Channel: Taste of Premier
Views: 9,292
Rating: 4.9666667 out of 5
Keywords: Cybersecurity, Cloud, Azure, Cloud Architecture, Microsoft, Amazon, AWS, Microsoft Azure, Windows, Windows 10, Content based Security
Id: u-EQHbqWY60
Length: 33min 50sec (2030 seconds)
Published: Tue Dec 26 2017