The Microsoft dilemma
Reducing risk from essential tools
The personal computer and the Internet would not be what they are today without Microsoft. For nearly fifty years, Microsoft has pushed computing forward—while also empowering the people and businesses that use its products. From students to gamers, small businesses to multinational corporations, non-profit organizations to government agencies, Microsoft customers have come to rely on the company’s products and services for productivity, communication, collaboration, entertainment, and business transformation.
By enabling all of this change, Microsoft has become the world’s second most valuable company. But unfortunately, this success has also made Microsoft and its products a massive target for cyber attacks.
As we recently reported in the annual phishing trends report, attackers pretend to be hundreds of different organizations, but they primarily impersonate the entities we trust and rely on to achieve our goals. Microsoft is the number one most impersonated brand in the world because of its products and the trust it has earned from us all.
While Microsoft is a prime target, it’s also a defender against attacks, providing not only software applications and operating systems but also cyber security tools. In fact, 30 percent of the revenues from Microsoft 365 can be attributed to cyber security.
The problem is that Microsoft tools are not particularly effective in addressing threats alone.
So, where does Microsoft fit into our thinking about cyber security? Many security professionals I speak with ask challenging questions, like; “Is Microsoft the Trojan Horse that enables cyber criminals to invade and attack our networks? Or is it Troy—a seemingly well-guarded environment that is nevertheless successfully attacked?” And, “Who can hold Microsoft accountable for security flaws when it is so deeply entangled within budgets.”
There’s no doubt that Microsoft environments are frequently attacked—and that the consequences of those attacks can be serious. In July of this year, Chinese hackers were able to access the Microsoft-based email systems of U.S. government agencies, perhaps including the office of the U.S. Ambassador to China. This was an unfathomable breach of trust. And this wasn’t the first time that something like this has happened.
This August, Microsoft issued software updates to address more than 70 security holes in the Windows operating system and related products, including multiple zero-day vulnerabilities currently being exploited. Anyone who has ever written code knows that software is vulnerable because it’s developed by humans. But this large volume of Patch Tuesday updates begs the question: Is there more that should be done to protect Windows and other Microsoft products given the massive scale of adoption and inherent vulnerability that leaves?
You might also wonder: Can vulnerabilities in Microsoft products ever be addressed effectively by more Microsoft products? If cyber actors are successful in attacking Microsoft products, why should we have confidence that patches and updates from the same company will prevent future breaches?
Rethinking your Microsoft security strategy
For most organizations, we rely too heavily on Microsoft software for our day-to-day work to abandon them. We’re not about to stop using Microsoft Word, Excel, PowerPoint, Exchange, or SharePoint, for example, just because we find Microsoft’s security products insufficient.
Still, most of us need better ways to protect our Microsoft-based tools and environments from attacks—because the attacks will not stop coming.
The first step in strengthening protection is to stop depending primarily—or exclusively—on Microsoft products for security. Microsoft has published a shared responsibility model illustrating the areas of responsibility between Microsoft and its customers according to the type of deployment of your stack. As security professionals, we know that a layered approach is critical for eliminating gaps in protection. But Microsoft security challenges suggest that the layered approach should involve not only multiple tools but also multiple vendors. The key, of course, is finding the right combination of vendors without adding management complexity.
When considering vendors, we need to find companies that we can hold accountable. That is to say having the power to influence a product roadmap, or find an alternative where the cost of switching isn’t too high, nor is the addition duplicative. Microsoft is a huge company that provides several essential products. When a security patch or tool fails to stop an attack, holding Microsoft accountable becomes difficult. We can’t threaten to remove them and stop using Excel until they fix the problem — But, we can shift responsibility and accountability over to another vendor.
The right vendors are likely to be specialists in cyber security—companies that are dedicated to solving your security problems and will be much easier to engage with at a higher level and hold accountable. We can work with their engineers to find solutions to evolving threats, demand attention from company leaders when necessary, and replace products if all else fails—without also losing essential productivity tools.
As long as millions of individuals and businesses rely on Microsoft applications and operating systems, those products will continue to be prime targets for cyber attacks. To better defend against attacks, organizations need to shift their reliance on Microsoft and partner with dedicated security companies to solve the Microsoft dilemma: Can we benefit from the company’s essential products without leaving ourselves vulnerable?
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Microsoft and Microsoft 365 are trademarks of the Microsoft group of companies.
Author
Oren J. Falkowitz — @orenfalkowitz
Security Officer, Cloudflare
Key takeaways
After reading this article you will be able to understand:
Why Microsoft tools are the leading target for cyber attacks
Why a reliance on layered Microsoft tools alone is insufficient
How to strengthen protection by partnering with security vendors you can hold accountable