Microsoft has unveiled its new Secure Future Initiative (SFI) in an effort to combat the increasing threat of cyber attacks. The initiative focuses on three key areas: AI-based cyberdefenses, software engineering improvements, and advocating for stronger international norms to protect civilians. Microsoft President Brad Smith emphasized the need for a new response to address the escalating speed, scale, and sophistication of cyber attacks, particularly those carried out by nation-state groups and targeting critical infrastructure.
The first pillar of the SFI centers on improving software development through automation and AI. Microsoft plans to expand its Security Development Lifecycle, a security and privacy standard created in 2004. Part of this process will involve addressing multifactor authentication default settings to enhance customer services. To identify security risks and vulnerabilities, Microsoft will also incorporate threat modeling and GitHub’s CodeQL into its products and services.
The use of memory-safe languages (MSLs) is another important aspect of the SFI. MSLs have gained momentum in recent years and are considered a crucial element of secure software design. Microsoft aims to eliminate traditional software vulnerabilities by using memory-safe languages such as C#, Python, Java, and Rust. This approach aligns with the “secure by design” plan introduced by the Cybersecurity and Infrastructure Security Agency (CISA) in August.
Microsoft’s response to vulnerability issues has faced criticism in the past, particularly regarding the adequacy of its fixes and disclosures. The series of “Proxy” vulnerabilities in Microsoft Exchange served as a wake-up call, highlighting the need for stronger security measures. Additionally, Zscaler recently discovered 117 vulnerabilities in Microsoft 365 apps that were traced back to uploaded SketchUp files. These incidents have underscored the importance of Microsoft’s new Secure Future Initiative.
The second pillar of the SFI focuses on strengthening identity verification and authentication protocols. Microsoft plans to develop a new identity system that will make it harder for threat actors to impersonate users. Notably, the company aims to enhance the security of identity signing keys by moving them to an integrated, hardened Azure HSM and confidential computing infrastructure. Key rotation will be automated, minimizing potential human access and ensuring higher security standards across Microsoft’s platform and products.
Password attacks have significantly increased in recent times, prompting Microsoft to streamline consumer and enterprise key management through automation. The ultimate goal is to establish a unified and consistent process, making advancements freely available to non-Microsoft application developers.
The final component of the SFI centers around improving cloud vulnerability responses and security updates. Microsoft has set an ambitious target of reducing the time it takes to mitigate cloud vulnerabilities by 50%. The company aims to promote more transparent reporting in the tech sector and address concerns raised by security researchers regarding the downplaying and silent patching of vulnerabilities in its cloud services.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, praised Microsoft’s SFI and compared it to the influential Trustworthy Computing memo from 2002. However, he expressed concern about the focus on cloud computing, as on-premises software and services are still popular targets for attackers. Microsoft will invest in automation, orchestration, and intelligence-driven tools to improve cloud vulnerability mitigation.
Expanding AI capabilities is a key aspect of the SFI. Microsoft recognizes AI as a game changer for threat hunting, particularly in the context of remote work and the proliferation of unmanaged bring-your-own-device (BYOD) environments. Microsoft’s vast network receives more than 65 trillion signals daily, making manual detection of cyber attacks an impossible task for humans alone. By extending its Microsoft Threat Intelligence and Microsoft Threat Analysis Center directly to customers, AI will play a pivotal role in addressing cybersecurity workforce shortages and the rise of ransomware attacks.
The Secure Future Initiative is driven by Microsoft AI, and the company intends to involve third-party partners, such as OpenAI, in efforts like Security Copilot. Microsoft’s comprehensive approach to cybersecurity underscores its commitment to proactively address evolving threats and protect its customers. By prioritizing AI-based cyberdefenses, improving software engineering, and advocating for international norms, Microsoft aims to create a more secure future for all.
