Microsoft today released its second Secure Future Initiative (SFI) progress report. This new report outlines significant efforts in fortifying digital infrastructure and enhancing the cybersecurity resilience of organizations worldwide.
Microsoft launched its Secure Future Initiative in November 2023. The SFI includes six pillars or areas of focus, with an emphasis on secure by design, secure by default, and secure operations principles. Microsoft introduced the SFI after a China-based threat actor breached Exchange Online to access U.S. government emails in 2023.
“Since inception, we’ve dedicated the equivalent of 34,000 engineers working full-time for 11 months to mitigate risks and address the highest priority security tasks,” said the Executive Vice President, Microsoft Security. “We have made progress across culture and governance by fostering a security-first mindset in every employee and investing in holistic governance structures to address cybersecurity risk across our enterprise.”
As part of the initiative, Microsoft has implemented several changes to protect customers against cyberattacks. Specifically, the company introduced a new Design UX Toolkit, which includes best practices, conversation cards, and workshop tools to help employees embed security practices in product development. Microsoft has also rolled out 11 new security capabilities across Microsoft 365, Windows, Microsoft Azure, and Microsoft Security.
Microsoft has also launched several company-wide initiatives to make security its “top priority.” The company mentioned that employees now have a Security Core Priority connected to their performance reviews. Moreover, 99 percent of Microsoft employees have completed cybersecurity training. Microsoft has also implemented stronger governance across its divisions.
Microsoft has taken various security measures to help organizations better detect and respond to cyberattacks. The company has improved identity security with new security capabilities for Entra ID, and Microsoft Account (MSA) token signing keys are now stored in hardware-based security modules. Microsoft has also migrated the MSA signing service to Azure confidential virtual machines (VMs).
Additionally, Microsoft highlighted that 90 percent of Entra ID tokens for Microsoft apps are validated by a hardened SDK. Moreover, 92 percent of employees now use phishing-resistant multifactor authentication (MFA). Microsoft has also migrated over 88 percent of resources to Azure Resource Manager to boost security.
Microsoft has also enhanced the security of the engineering systems used to build, test, and deploy code. The company says that nearly all pipelines now have a full and accurate record of their inventory. MFA with proof-of-presence checks also protects 81 percent of production code branches.
Other steps Microsoft has taken include:
Microsoft emphasized that cybersecurity is a continuous process that requires collaboration across customers, partners, and the industry. The latest SFI progress report also highlights Microsoft’s commitment to Zero Trust principles as well as its ongoing efforts to secure its platforms and protect customers.