MJFChat: What’s New on the Microsoft Security Front

We’re doing a twice-monthly interview show on Petri.com that is dedicated to covering topics of interest to our tech-professional audience. We have branded this show “MJFChat.”

In my role as Petri’s Community Magnate, I will be interviewing a variety of IT-savvy technology folks. Some of these will be Petri contributors; some will be tech-company employees; some will be IT pros. We will be tackling various subject areas in the form of 30-minute audio interviews. I will be asking the questions, the bulk of which we’re hoping will come from you, our Petri.com community of readers.

Readers can submit questions via Twitter, Instagram, Facebook and/or LinkedIn using the #AskMJF hashtag. Once the interviews are completed, we will post the audio and associated transcript in the forums for readers to digest at their leisure. (By the way, did you know MJFChats are now available in podcast form? Go here for MJF Chat on Spotify; here for Apple Podcasts on iTunes; and here for Google Play.)

Our latest MJFChat is all about what’s going on lately in the Microsoft security world. My special guest for this chat is Ryan Naraine, editor of the Security Conversations podcast and newsletter. Ryan has been covering the security space forever and has worked at Kaspersky and Intel, among other companies.

If you know someone you’d like to see interviewed on the MJFChat show, including yourself, just Tweet to me or drop me a line. (Let me know why you think this person would be an awesome guest and what topics you’d like to see covered.) We’ll take things from there…

Mary Jo Foley:
Hi, you’re listening to Petri.com’s MJF Chat show. I am Mary Jo Foley, AKA your Petri.com community magnate. And I am here to interview tech industry experts about various topics that you, our readers and our listeners, want to know about. Today’s MJF Chat is going to be focused on the latest on the Microsoft security front, and who better to do this than my special guest and longtime friend, Ryan Naraine, Editor of the Security Conversations podcast and newsletter. Hi Ryan, and thank you so much for doing this chat.

Ryan Naraine:
Thank you, Mary Jo. Thank you for having me. You and I go back a long, long time watching Microsoft together,

Mary Jo Foley:
I know.

Ryan Naraine:
And watching from the security trenches at eWeek, ZDNet as well. So it’s fun to be here talking and stuff.

Mary Jo Foley:
Yeah. And I got to admit this, security is like an area I am very overwhelmed by. I write about stuff like licensing and Windows kernels and all that. But then when we start talking about zero-days on ransomware and supply chain hacks, I’m like, okay, I’m out of my depth. So I’m going to definitely count on you to help out here with all this.

Ryan Naraine:
Absolutely. And you know, Microsoft is in the middle of it, is in the middle of all this noise. You can’t talk about malware attacks or any of the big breaches or data issues without Windows being in the middle of it. So obviously Microsoft is.

Mary Jo Foley:
Yep, that’s true. So I had an idea about starting very broad and talking at a high level about a couple of things and getting a little deeper after that. So here’s kind of a question you can answer any way you want, what is Microsoft doing right, right now on the security front and where could they improve?

Ryan Naraine:
Microsoft is doing a lot of things right. But again, it depends on comparing it to the previous Microsoft that I’ve been covering as a journalist over the years. Microsoft has been through these transformations and transitions in computing along the way. You remember the early two thousands, it was worm attacks and just these kinds of destructive things. Now, we’re starting to see a model where attacks and malicious hacker activity come with a business model attached to it. So ransomware and supply chain, ransomware specifically is data extortion attacks where, you know, someone infects a Windows machine, encrypts everything across the board, and then extorts the company for data to get a decryption key to get that. A lot of that is in the Windows ecosystem. Microsoft, it’s tough to get a lot of it right.

Ryan Naraine:
What has been super impressive about what Microsoft has done over the years is build a security response process and an automatic update pipe and an automatic update mechanism to ship security updates, I think better than anyone else in the industry. And they’ve had experience with it over the years with all the attacks and all the stuff they’ve dealt with over the years. But they have a very, very mature security response process to take in vulnerability reports, get patches created and tested of proper quality, and then a Windows update mechanism and a pipeline to deliver that reliably, to get things fixed. So they’ve done very, very well architecting that and building that over the years. They could still do a lot. I mean, in terms of where they stand to improve, it’s still a big problem. Zero-day attacks are still escalating on the Windows ecosystem as we speak. They’re still addressing security vulnerabilities and classes of vulnerabilities that we expected would have been gone by now.

Ryan Naraine:
Yeah. And then there’s a whole bigger discussion we can have around Microsoft, as operating system and cloud provider and Microsoft as a security vendor securing that entire product that they just sell you. So there’s a little bit of, there’s overlaps between Microsoft now becoming a big, giant, significant security vendor. And where does the responsibility lie between, is it your responsibility to protect this prior to your selling or do I have to pay for an upsell to do it? So there’s conversations there and that’s where I would say there’s a lot of things they can improve to help address the security poverty tax across the board.

Mary Jo Foley:
I’m definitely going to ask you more about that as we go on. Cause that is a topic that comes up among my readers and my listeners a lot. So before I ask you about that though, another one that’s kind of very high level, you know, we’ve had all these commonly targeted attacks of Windows and other products in the Microsoft ecosystem with like Nobelium and SolarWinds, right. It just feels like every week we hear about another one of these new kinds of similar attacks. So some people say this is Microsoft’s fault, right. And they should take the blame for these kinds of things. And other people say, you know what they’re not even indirectly at fault, like they’re just trying to defend their products against these kinds of attacks. So I’m curious, do you think we can blame Microsoft for this? Or is that just overly simplistic?

Ryan Naraine:
Well, by nature supply chain, just the definition of supply chain means that you’re part of a chain of things. You’re part of a chain of things that have to go around where, or something has gone wrong within the chain. And like I explained earlier, everything in the computing chain touches Microsoft in some way, whether it’s part, whether it’s desktop, server. Now they’re dabbling in IoT and doing a lot of additional stuff. Again, taking advantage of that updating pipeline to find business models around it, deployment of IoT and so on. But going back to the point, there’s too much nuance to say you blame one vendor directly because, you know, it’s Microsoft could be a pivot point for an attack that started somewhere else. Microsoft is a pivot point to get the attacker to somewhere else.

Ryan Naraine:
And that might not even be the eventual target; that somewhere else might just be a third pivot point to actually get to the actual target. So blaming people in supply chain attacks doesn’t help anyone. I mean, it’s easy for headlines and it’s easy for a lot of folks to, you know, to point fingers. And the other thing to keep in mind with Nobelium and SolarWinds and these supply chain hacks is, these are nation-state level apex predators who have access to all the resources, they have all the zero-days, the best type of talent to write exploits, access to unlimited resources, and a goal that is driven by nation-state objectives. When a nation-state wants to get into your network, like Microsoft will tell you, you have no chance. The SolarWinds CEO explained this throughout. He’s like, if an advanced, resourced nation-state attacker wants to get into a target, they’ll get into the target. And blaming someone in the supply chain, I think, it helps to keep an eye and keep vendors focused on doing the right things. But I think there’s just too much nuance in the supply chain things to say it’s Microsoft’s blame or not their blame.

Mary Jo Foley:
Yeah. So this idea of a software supply chain security issue means, I’m going to oversimplify this myself. When you send out an update, there could be malicious code in it. So, do you think Microsoft is doing enough about that concept specifically in trying to address where the weakest link is here? Or is there something they could do better or more of to try to help secure as a software supply chain in your view?

Ryan Naraine:
I think Microsoft has a role to play as it relates to taking this very modern, robust, automatic update mechanism that they’ve built over the years. And I’m not sure if open-sourcing it or contributing it in some ways to help the rest of the ecosystem get to that level of maturity might be something to address it. But I think there has to be a way to address where we are now. As a security industry, we love automatic updates. We taught everyone to turn on automatic updates, make sure it’s on by default, leave that up to the vendor because you’re never going to remember to go apply patches and so on. So automatic updates from a security perspective and security experts, we’ve been advising companies to get to that place where you can ship automatic updates. Now we’re starting to realize that that has become a big, not necessarily a weak spot, but a big entry point for the types of high-end supply chain attacks that are now coming through that automatic update mechanism that is meant to keep product secure, you know, shipping malicious things through there.

Ryan Naraine:
Very, very, very difficult thing to address. I know the government and there’s a lot of leadership talk around SBOMs and ingredient lists so that people can have a full list of ingredients of what’s in the software so they can figure out where malicious things are. And there’s a lot of new investment and innovation coming around, like addressing the supply chain thing. But again, I don’t see this as a Microsoft specific thing. This is an industry specific thing that Microsoft would have the dictatorship to get it right. But it’s really interesting to me over the years to watch the automatic update technology and automatic update pipeline now become part, like it becomes dual use. You know, instead of being primarily for defensive purposes, now it’s now being part of attacks. And it’s not new either, we saw it in Stuxnet and we saw it in some major attacks in the past. A bigger issue, and it’s something that Microsoft raised and something we should mention here, is Microsoft itself has asked governments to back off of touching automatic update mechanisms. It’s like one of those things where in conflicts and war, you kind of back off from touching hospitals. I think governments at the higher level should understand that dabbling and messing with automatic update piping mechanisms hurts computing as a whole. And there’s been, there’s gotta be certain responsibility there. I like that Microsoft is leading the call for that.

Mary Jo Foley:
Yep. Okay. All right. Now we’re going to get to that issue you raised earlier on, I was looking through some of your Security Conversations podcasts and newsletters, which if folks don’t know about this, you should definitely subscribe. And you made a very provocative statement there, which I’ve heard other people make similar statements too, as well. You said we’re at a place where vendors sell you a product, then they upsell you on the tools to secure that product. So I know Microsoft gets dinged for this a lot. And I feel like right now, they’re very much on the defensive about this in terms of what kinds of tools they give you for free versus tools they charge you for as an IT pro. So do you think this is a fair criticism and is Microsoft really in the wrong place on this issue?

Ryan Naraine:
It’s a great question. And listen, there’s a lot of people at Microsoft that I admire and respect, and I know there’s people at Microsoft that genuinely are there making decisions, making the right decisions for the rest of the computing ecosystem. But cybersecurity is big business. And when you’re a big vendor like Microsoft and you have responsibilities to shareholders, you cannot ignore this giant pile of cash sitting there called cybersecurity. It’s really interesting and fascinating to me, to watch Satya actually make a point of breaking out the news that Microsoft is now $10 billion a year in cybersecurity revenue. It was kind of eye-opening for me. A big vendor like Akamai, for instance, that’s had a track record of doing cybersecurity in our industry, makes a billion dollars a year in security revenue. Satya comes along late last year and says, we’re making $10 billion a year selling what they call advanced compliance and security services.

Ryan Naraine:
I mean, you think about it. It’s upselling, they’re upselling security technologies and security and compliance technologies and Azure Defender and all the Sentinel logging and analytics capabilities. They’re all just bundling that into their big Azure deals and selling it. And it becomes complicated because Microsoft has done an incredible job of building amazing technologies you know, UpGuard and some of this stuff that they funneled into their E5 licensing. It’s amazing technology that can really, really go a long way to help address malware coming in on Microsoft Word documents. But you’ve got to pay for it. And it’s pretty expensive. And Microsoft is now boasting not only that it’s pretty expensive, but Microsoft is now boasting that we’re a big name, big name, security vendor.

Ryan Naraine:
But, when there’s a supply chain and a ransomware epidemic happening on your platform, it feels wrong. Even if it’s not, it might not be around because companies need to be paid for their innovation. Companies need to be paid for their technology investments. Microsoft has spent record numbers of money on security technologies. They should make money on it, but it feels wrong when we’re in the middle of a ransomware epidemic on Windows or supply chain issues that’s dragged Microsoft into it. And then I go on Twitter and I see all Microsoft executives selling security products, selling security products. It just, it feels wrong. And I feel like we’re taking a step back in time where Microsoft moved from being that pariah, that kind of company that we made fun of to become a trendsetter over the years. And I talk about their maturity on security response and maturity on patching and so on.

Ryan Naraine:
And now it feels like money has forced them to take a back seat and we’re starting to see it affect security in certain ways. You’re starting to see a lot of minor restructuring happening in Microsoft. And a lot of brain drain, a lot of talent shifting. And a lot of it is driven by guys are not comfortable with a lot of the things that have to be sold versus, but again, it’s a tough conversation to have.

Mary Jo Foley:
It is.

Ryan Naraine:
Because Microsoft is, they’re investing a lot of money into building this thing. Why give everything away for free, right? I mean.

Mary Jo Foley:
Right. I know. It’s hard to know where to draw the line there, right? Because like you said, I think it’s a calculated risk when they say we’re at $10 billion security vendor. Because it kind of makes people go, oh yeah, but wait, you’re securing products that I paid money for right? And you’re expecting me to pay for it.

Ryan Naraine:
Right. But, let me give you the counter to that argument as well. As much as I complain about it and I’m whining and moaning about it on my podcast. The CISOs will tell me, listen, I would rather live in Microsoft’s world and have Microsoft understand this better than anyone, than outsource it to a third-party vendor who doesn’t understand how Azure works, who doesn’t understand my infrastructure, who doesn’t understand how it’s properly deployed in my system. I would rather Microsoft be the experts at doing this. And I would rather get a better E5 deal if I can say yes, send me those security things. And I can bundle everything into one and keep my costs down. So the whole security conversation becomes a business conversation. And I think that’s also why we are seeing across the board organizations and enterprises are less secure today because decisions aren’t made based on quality of products or quality of protection, it’s based on what you can bundle into the best, into the cheapest possible thing. And that comes with all kinds of implications as well.

Mary Jo Foley:
Yeah, for sure it does. Okay. Here’s another one, one of these kind of phrases, you hear people say it off the cuff and you’re like, but is it true? So you hear Microsoft say this a lot. The best offense you can make is to move to the cloud because that’s where the most secure technology is, that’s always up to date, and where we put all our first run innovations out first. So is it overly simplified to say, if you really want to take an easy first step to securing your organization, you should go with the cloud.

Ryan Naraine:
Yeah. That’s easy to say until the next cloud outage, right?

Mary Jo Foley:
I know, right.

Ryan Naraine:
And then all the guys who are on premises, see you see those morons scrambling so quickly to move to the cloud, I’d rather be here. The reality though, is that everything is moving to the cloud. The reality, just the bare reality is that digital transformation has been happening. And has been kind of forced by COVID as well. COVID has forced a lot of companies to just cloud-ify things that they weren’t ready to cloud-ify yet. And I don’t believe, I don’t agree with Microsoft, that our best defense is the move to the cloud. I don’t think that our organizations have the required skills, expertise, and we have a cybersecurity skills shortage, which means that that will continue to be a problem. They don’t have enough of the skills and legs to do security in-house.

Ryan Naraine:
You’re better off outsourcing that to these big vendors who can just fix things and patch it automatically. And you don’t have to worry about any of it. What I do worry about is implementation of these technologies. A lot of the hacks we are seeing are not necessarily big high-end zero-days. It’s a lot of the cloud is badly configured. Something was left exposed, and here are all your records are long gone. So moving to the cloud is inevitable. I don’t think you’re going to see many more on-prem, startups aren’t even investing in on-prem products these days, unless it’s like a high, high, high priority. You think everything is in the cloud. But, what I don’t see is enough innovation around deploying and configuring cloud deployment security, so that, that isn’t a weak point. So there’s a lot of work to be done there as well.

Mary Jo Foley:
That’s good. Let’s switch gears and talk about IoT. Microsoft lately has been on like an IoT related buying spree. They bought ReFirm Labs, which makes Binwalk firmware security analysis software. And last year they bought a company called CyberX in the name of bolstering their IoT security. So I have two questions for you about this. One is, is IoT really a huge worry in terms of security? Or is this just like the next fad? And what about firmware, firmware security? How important is this to organizations?

Ryan Naraine:
But I think it’s important for us to define IoT security in this context. When people think of IoT security, they think of all those junk things like, you know, a talking toothbrush or a fork that can weigh how many calories you’re eating and like all this dumb IoT nonsense, right? And we’re kind of like, who cares about security in those? They’re throwaway things anyway, they’re disposable items. In this context, when you see Microsoft buying ReFirm and investing in and buying CyberX and kind of merging all of that into an IoT security product or an IoT security, I don’t want to call it a process, but some sort of, or are investing heavily there. They’re not looking at these spoons. They’re thinking about smart light bulbs in the organization. Every enterprise has a lot of these IoT devices scattered around: printers, light bulbs, thermostats, all these little things are connected to your network and it becomes a big security problem.

Ryan Naraine:
Not because someone wants to hack into a thermostat. That’s why everyone looks at it, who cares about hacking into a thermostat? That’s not the issue. The issue is breaking into a vulnerability in the thermostat, and then using that as the pivot point to get into Active Directory. Using that as a pivot point to get to another part of your network and plant ransomware or getting to that thermostat and ransoming it. Planting ransomware on some of these IoT devices that becomes unusable. So if you’re in a factory and your thermostat is unusable, you have to close the factory. That’s millions and millions of dollars in losses. For organizations that’s a big, big problem. That reality that the IoT device becomes the hot point and the jump point. And Microsoft has documented places where the printer, a hacker exploits a vulnerability into a printer.

Ryan Naraine:
An IoT device that was kind of left sitting there unpatched. And then just pivoted from that printer into the network and then ransomed the entire network. So it’s like that entry point, that pivot point that gets forgotten in the organization. There’s tons of these sitting around the organizations. Unpatched, just sitting there waiting to be exploited. And the way to fix that is through firmware, I mentioned this automatic update mechanism that Microsoft has. And again, you can start to see it’s taking shape. Microsoft is going to start monetizing that. Now they can say, listen, every one of those IoT point vulnerabilities within your organization, let Windows automatic updates address it, so we can fix that firmware for you. And now with CyberX, they have this kind of drag and drop functionality they’ve built into kind of a VirusTotal functionality so that firmware developers could check firmware for signs of malicious things. Even at the enterprise side, people can scan their entire organization and see what kind of IoT devices are in here and how does it affect my entire Windows deployment.

Ryan Naraine:
So it just makes natural logical sense for Microsoft to do this from a we have to defend the Windows ecosystem and there’s big, big money in cybersecurity. And the next wave, there’s big, big money in this automatic update pipe. If you drive a Tesla today, if you buy a Tesla today, in a month, that Tesla will be even better because automatic updates keep making the car better. Microsoft wants to play there. There’s billions and billions of dollars in monetizing that update mechanism for IoT and for firmware. And as you start to see these acquisitions take shape, you start to see where the vision is around Microsoft becoming this big, giant security monster, you know?

Mary Jo Foley:
Yeah. I don’t know if you covered this much, but they have this thing called Azure Sphere where they actually are trying to secure things at the microcontroller level even. And it just, it’s kinda mind boggling to me like how deep they’re willing to go into this pipeline to try to find new ways to kind of turn it into a cloud service.

Ryan Naraine:
Well here’s the thing, that’s the next frontier for attackers as well. That’s below the operating system. As Microsoft has done more and more of a better job of firming up the operating system. And as the cloud has kind of given them, you know, good visibility and good protection on the top, anything below the operating system from firmware, going down to hardware, going down to chip becomes fertile ground for the future of where malware is. And if you, you know, there are very, very incredibly smart people at Microsoft, the security leadership, who’ve already understood that advanced attackers are going below the stack and going below the operating system, and shoring up that becomes an existential priority for Microsoft moving forward. You’ll see them doing a lot of secured-core PCs, a big deal, Windows Defender for IoT.

Ryan Naraine:
A lot of these things are Microsoft’s already foray into addressing the operating system that they worry about. You know, 10 years from now, it’s going to be headlines with firmware attacks and supply chain attacks on the hardware level, like, like normal, like the way we’re reading ransomware attacks today, we’re going to be reading about firmware attacks in 5 to 10 years. Microsoft knows this. These guys are well aware of where the level of investment needs to pick up. And it’s, from my point of view, just as an onlooker, it’s fascinating to me to watch Microsoft really kind of see the game as it’s being played and the long game and to watch how automatic update and the update ecosystem becomes a crucial part of it. And I think that’s why Brad Smith started complaining to Microsoft to leave automatic updates alone. Cause that’s a cash cow as well.

Mary Jo Foley:
It is, definitely is. Okay. Last thing I want to talk to you about, cause we’re almost out of time here is about hybrid work and working remotely. And the reason I want to ask you about this is lately, my inbox is full of pitches from companies talking about how they can secure Teams, right? It’s like, this is the new thing I’m getting so much email about. So I’m curious if you think there are steps that IT pros can and should be taking right now, when they’re thinking about securing remote work and especially in specifically Teams.

Ryan Naraine:
Stop buying. But first thing they need to do is stop buying point products to secure Microsoft Teams. Like you have, Microsoft Teams is just another cloud collaboration tool. Like to treat this as some new, fantastic thing that needs to be protected in some unique way is a recipe for, you know, being distracted from your security work. What the CISOs and the security defenders will tell you is, listen, I’m focused on setting up your foundation and focused on setting up all these five foundational things. Multi-factor authentication, multi-factor authentication all the things. If you put MFA in front of Teams and you zero trust everything where users have to be properly provisioned and segmented before they get Teams access. Once you set up the foundational layers, Teams is just another Slack or another Skype, or just another app in your organization. Focus on the basics, focus on all the, you know, keep things patched, your cloud deployments. You may need to be properly configured and more importantly, multi-factor authentication all the things, add two-factor authentication everywhere. And that’s where you shore that up. Treat it as just another cloud deployment that needs to go through these checklists of things, and when other vendors start trying to sell you anything, chase them away.

Ryan Naraine:
It gets really aggravating for me as a security watcher for many, many years to see vendors, pitch point products to solve problems that can be solved if a CISO just runs a security program properly.

Mary Jo Foley:
Yup. Fair. All right, Ryan. Well, thank you so much for this. This was awesome. And I really appreciate you taking the time to talk about all these hot buttons with me today.

Ryan Naraine:
Absolutely. The pleasure was all mine. Best of luck, Mary Jo, I’m a big fan of your work.

Mary Jo Foley:
Aw, thank you so much and same here. For everyone else who’s listening right now to this or reading the transcript, I’ll be putting up information soon about who my next guest is going to be. And once you see that, you can submit questions directly on Twitter all week using the #MJFChat hashtag. In the meantime, if you know of anybody else or even yourself who you think might make a good guest for one of these chats, please do not hesitate to let me know and drop me a note. Thank you very much.