MJFChat: How to think about security planning for your organization
We’re doing a twice-monthly interview show on Petri.com that is dedicated to covering topics of interest to our tech-professional audience. We have branded this show “MJFChat.”
In my role as Petri’s Community Magnate, I will be interviewing a variety of IT-savvy technology folks. Some of these will be Petri contributors; some will be tech-company employees; some will be IT pros. We will be tackling various subject areas in the form of 30-minute audio interviews. I will be asking the questions, the bulk of which we’re hoping will come from you, our Petri.com community of readers.
We will ask for questions a week ahead of each chat. Readers can submit questions via Twitter, Instagram, Facebook and/or LinkedIn using the #AskMJF hashtag. Once the interviews are completed, we will post the audio and associated transcript in the forums for readers to digest at their leisure. (By the way, did you know MJFChats are now available in podcast form? Go here for MJF Chat on Spotify; here for Apple Podcasts on iTunes; and here for Google Play.)
Our next MJFChat, scheduled for Thursday, April 2, is all about security planning for your organization. My special guest is Ann Johnson, Corporate Vice President of Microsoft’s Cybersecurity Solutions Group. We want you to submit your best questions for Ann ahead of our chat.
Ann is ready to address the concept of how orgs of all sizes can be cyber-ready these days. She has lots of ideas about the checklist IT leaders need in their quest for cyber-resilience. She’s also ready for any related questions you have on how and what to prioritize on the cybersecurity front. Make sure to chime in with any questions or topics you’d like to hear her cover.
Also: If you know someone you’d like to see interviewed on the MJFChat show, including yourself, send me a note at [email protected] (Let me know why you think this person would be an awesome guest and what topics you’d like to see covered.) We’ll take things from there….
Transcript of the conversation:
Mary Jo Foley (00:01):
Hi, you’re listening to Petri.Com’s MJF Chat Show. I am Mary Jo Foley, AKA your Petri.com community magnet. And I’m here to interview tech industry experts about various topics that you, our readers and listeners want to know about. Today’s MJF Chat is going to be all about security planning for your organization and specifically for a world where many, if not all of your employees are now working remotely. My special guest today is Ann Johnson corporate vice president of Microsoft’s Cybersecurity Solutions Group. Welcome and thank you so much for doing this chat.
Ann Johnson (00:43):
Oh, thank you so much for having me. I’m really looking forward to it.
Mary Jo Foley (00:47):
Great. When we originally talked about you doing this chat we had kind of a different thought about what the mission of it was going to be, but since then a lot has changed. I know understatement of the century, right?
Ann Johnson (01:03):
Mary Jo Foley (01:04):
So just a few weeks ago, I feel like IT and security professionals weren’t so all consumed with protecting people working from home, but right now that’s very much top of mind for everyone all over the world. So let’s start out by talking about some of the best security tools that you think people should know about, when they’re planning to secure their employees from home. And I guess the way I would suggest delving into this is if you had to pick your top three things that you would say to someone, make sure you are doing this, this and this, what would you say?
Ann Johnson (01:43):
I would say the first thing that we need to make certain that people are utilizing when working from home is multifactor authentication. We’re seeing an increase in COVID based phishing attacks, COVID as a lure and you want to make sure that you’re not putting your employees in a situation where they’re very stressed and they’re responding to that stress by looking quickly and maybe not making the best decisions and they give away their username and password.
If you’re using multifactor authentication, that becomes much less of a risk to your organization. So that’s number one. The second thing is increasing and enhancing your phishing protection. As I mentioned, we are seeing an increase in the types of attacks related to COVID and the ability to detect those and to block them and to keep them away from the end-user would be the ultimate goal.
Ann Johnson (02:33):
But that goes hand in hand with actually doing user education. So both the phishing controls but also the user education, that’s needed to explain to your users in this type of environment what they’re going to be facing from a phishing attack. And the final thing is fundamental device protection. So, you know, we talk about security a lot is defense and depth and layered type approaches. You still want to be using your, you know, whatever device they’re working on from home.
You want to have that device protected and managed. So using you know, enterprise protection software and EDR software like Microsoft Defender ATP. And we go as far as managing all of our, our devices with Intune. And those are just things that I strongly recommend that you don’t decrease. What I’ve heard from security professionals in the past two weeks is, they rushed to get everyone working from home and now they’re going back into layer on the controls. And those are the three things we’re strongly recommending people start with.
Mary Jo Foley (03:36):
Okay, that’s great. And then kind of a counterpart to that. If there were three other things you could say, once you’ve got those first three things in place, here are three other things you might not know about, but that actually could make a big difference to your security operations.
Ann Johnson (03:54):
Yeah, absolutely. So, one of the big things right now is you’re going to need to think about how you monitor, right? Because you know, your SOC is going to be fundamentally looking at threats in a different way and there are much less people on your corporate network. For example, more of your people are working from home. So the ability to have monitoring tooling that’s scalable, that can look at those remote environments that isn’t looking as hard as, you know, your VPN or your corporate networks type environment.
Things like, we have our Azure Sentinel, you know, our cloud-native SIM, but also things like the Microsoft Threat Protection Solution, right? Which does threat protection and Azure and Office and Windows and it correlates it all. So monitoring technology is something that I think is the next step for all of our customers to think about. Monitoring how your SOC is working, how you’re correlating threats and again, how you’re putting those defenses into block and to detect as we’ve seen customers stand up their environments.
Ann Johnson (04:57):
The second one is, we’ve seen customers stand up their environments. Sometimes they were trying to push out the same technology on a VPN. And when you stand up some of these, you know, internet-facing applications like Teams on a VPN, it may not be the best user experience and you can experience bottlenecks. So we’re working a lot with our customers right now to reduce their dependency on VPN by putting in a lot of different layered controls.
A lot of the controls I talked about in the first place, you know, MFA and device management and the EDR type solutions at the endpoint coupled with that advanced monitoring and make sure you have things like the right web application firewalls in place. The final thing is we’re seeing a lot of demand for virtualized desktop experiences. One of the use cases we have is our developers working from home, they work in a very different way than, than me, as you know, pretty much an end-user, right?
Ann Johnson (05:49):
I’m not a heavy user and I don’t use a lot different applications like a developer would. And so we had to very quickly out how we could give them the tooling they needed and we went with the Windows virtual desktop solution. And we’re seeing a lot of our customers move to virtualization type solutions for those heavy users. Again, you have to think about how you’re securing that environment, how you’re choosing multifactor authentication, but also how you’re monitoring the threats in those environments. So those are all considerations for our customers right now.
Mary Jo Foley (06:21):
Okay, that’s great. I want to dig in on a few of these that you just mentioned. First I want to talk about multifactor authentication because I feel like even before the COVID-19 pandemic hit, Microsoft was out there making this their primary message, saying the single best thing IT and security pros can do is turn on MFA. So my question is, why is that the best single thing you can do? I mean, is it just that it’s a simple kind of no brainer type thing or why is it the thing that you all are highlighting as the first and most important thing?
Ann Johnson (06:58):
That’s a great question. And your listeners may not know, but you know, I started my career in security at a company called RSA Security in the year 2000. So we sold, these tokens, right? We were one of the early people out there saying, you need to use something stronger than a username and password. From that time to this time. So we’re talking about 20 years now. We still haven’t seen the broad enterprise adoption, of you know, multifactor or strong authentication solutions. Even though the industry has come a long way from having people carry a hardware token.
Right. We have biometric authentication, we have the YubiKeys, there’s different use cases that made certificates easier. The reason that we talk about it so much, is if you go back and Alex Weiner, who leads security engineering for Azure Active Directory, wrote a blog, and I want to say it was in September of last year, where he went through and he looked at all of the different attacks that we had visibility to, within the environment and 98% of them had some type of password compromised.
Mary Jo Foley (08:07):
Ann Johnson (08:08):
Meaning that either credentials were stolen. It was a brute force attack, where they just kept pounding on the environment. It was a password spray, where they kept using different passwords. But the point was if you didn’t have passwords, you would have avoided 98% of those attacks and the impact to an enterprise. So I joke, with my friends and I joke a little bit on Twitter that I’m going to have it engraved on my tombstone use MFA. So 100% of your users, 100% of the time should be using MFA, starting with anybody that has admin rights and privileges, domain admins, exchange admins, HR admins have a lot of access. You need to start there, but 100% of your users should be using it.
Mary Jo Foley (08:55):
Hmm. Okay, that’s great. You also mentioned virtual private networks and I know Microsoft has been recommending to most customers to use split tunneling for VPNs as a way to optimize traffic with so many people working at home. So, I’m curious about the security aspect to setting up split-tunnel VPNs. I mean, if somebody is following Microsoft’s advice and doing that, what do they have to think about specifically in terms of security?
Ann Johnson (09:25):
Yeah, so they have to, it’s all the things we’ve talked about. And I’ll just reiterate because we’ve published some pretty precise guidance on it, during this time. And it’s based on what we use by the way, it’s based on what Bret Arsenault’s team has stood up for us. So, you know, when I went back to his team and that was the first question I asked, is what are we doing? They said, look, we’re using multifactor authentication. We’re also using conditional access. It’s part of our whole zero trust strategy, because that gives us a profile, not just the user with multifactor authentication, but also of the machine, of the applications, of the data, of the network environment that you’re coming in on. We’re using Intune, so we’re managing all of our devices at Microsoft. You actually can’t access a corporate asset on an unmanaged device any longer.
Ann Johnson (10:11):
So we’re strongly recommending that. And then we’re strongly recommending enhanced device security, like Defender ATP at the endpoint, but also enhanced phishing controls. If you can actually layer those things. And if you have multifactor authentication, you’re enhancing that with conditional access, you’re enhancing that with a managed device. In our case Intune, you’re using EDR at the endpoint and you’re using some type of ATP or phishing protection, you’re going to have a reasonably secure, you know, nothing is perfectly secure ever, but you’re going to have a reasonably secure end-user environment.
And then the other thing I would say, and we published this guidance yesterday, is those devices, and I know this is a hard ask, but those devices have to stay patched. So when we hit our, you know, Patch Tuesday event, we published on the group that works under Brad Anderson, worked really hard and published some guidance on how you can think about updating, patching those devices in that split tunnel or VPN environment without having a huge impact on your network. And that’s the other thing we’ll continue to reinforce with our customers is you can’t stop patching just because your users are remote. As a matter of fact, it’s more important now.
Mary Jo Foley (11:22):
Yeah, I saw that guidance. That was really good. So people who are listening, look on Microsoft’s tech community site. They’ve got a bunch of, basically, a whole area about remote working and then the specific guidance around split tunneling and VPNs is all up there too. So you can do a search and find that pretty easily. I want to talk about phishing attacks since that’s come up a couple of times.
And I know lately Coronavirus themed phishing attacks, unfortunately, seem to be more and more. So what are you suggesting IT pros and security pros do specifically around that to help defend inside their organizations when those kind of phishing attacks happen?
Ann Johnson (12:07):
One of the first things I recommend they do is educate their users. You need to recognize that, and I think you do, we’re in an unprecedented time and users are working from home. They may be having children at home that they’re having to homeschool. They may be caring for a sick family member. They may be a little under the weather themselves or they may be facing, you know, loss of life, which is just tragic.
They’re not at their best optimally from a work standpoint. Their productivity is different than it used to be. And the bad actors know this and they’re preying on the psychology of people that are highly stressed by sending out phishing, you know, COVID based lures as we say, that look like their emails from the CDC in the US or they look like their emails from the World Health Organization, or they’re emails or even phone calls that pretend to be, you know, the CFO of say a small to midsize business that says, Hey, I need you to transfer money into this account because it’s for our Coronavirus defense.
Ann Johnson (13:12):
And they’re taking advantage of preying on people by using, you know, click on this website and we’ll get you a Corona test, or click on this and we’ll get you the drug that can cure it. Whatever it is, right? It’s gross. But that being said, it’s the world we live in. So educating your own users is one of the absolute most important things you can do right now, that has to be layered with enhanced phishing detections and protections. We’ve done things. We take a lot of inputs as you know, from all of our different threat intelligence groups and also the detection response team, the dark team that works for me, that does global customer incident response.
We take all of that intelligence and knowledge in, as do you know many vendors, right, that have intelligence groups and we have continued over the past two to three weeks, to iterate our threat protection product, to look for these different types of phishing attack. And to be able to detect them and to block them quickly. So you need to combine that user education, the user empathy, understanding the stress that your end users are under. But also you need to have the technology controls, so the phishing attacks don’t even get to them in the first place. And that’s an area of vertical focus for us and for our customers right now.
Mary Jo Foley (14:29):
So what are some of the other trends beyond the Coronavirus specific attacks that Microsoft’s seeing happening right now, in terms of security?
Ann Johnson (14:40):
We published a blog yesterday that we’re seeing an increase in attacks on healthcare, which is just incredibly disappointing. Because they’re on the front lines. And one of the things that we’re seeing is human-operated ransomware and that’s a trend we’ve actually been seeing for probably 12 to 18 months. And what that means is that the human actually is going into an environment and using ransomware, in say one, you know, one department in a hospital, maybe the cardio lab, right. And then trying to demand a ransom. If they, regardless of whether they do or don’t get paid, they’re going to continue to extend and move into other parts of the environment.
They also will change the ransomware, if they feel like it’s being too easily detected or blocked because the hospital maybe has brought in some experts or have some experts in their IT organization. It’s the most alarming trend we’re seeing, because that ability to have human-operated ransomware, and to really be looking at environment as opposed to having an automated type attack, is a significant increasing trend. And it’s something that we’re seeing that is growing. But the most alarming part is we’re seeing a lot of attacks right now on healthcare, because the bad actors know that they are absolutely on the front lines and they feel like they can get a lot of payoff. Which is just horrible.
Mary Jo Foley (15:53):
That is, it’s really terrible. Let’s switch gears a little bit. I want to ask you about secure score. This is my personal question here that I’m throwing in because I see Microsoft talk a lot about secure score and say it’s very important for companies who want to figure out, you know, where the holes are in their security plan. But I kind of wonder is it real? Like, my question is what do you really get out of secure score that you wouldn’t get if you didn’t use it?
Ann Johnson (16:26):
Yeah, so there are three flavors of it. There’s secure score in Office. There’s secure score in Azure and there’s security fundamentals in Azure Active Directory, they’re not all exactly the same, but they fundamentally do the same thing. And the important thing isn’t that they tell you the security posture of your environment, like a credit score, right? It’s not important that they’re telling you it’s, you know, five out of ten or whatever it is. What’s important is that they give you the top 10 to 20 things you should do to improve the security posture of your environment. And that’s what I tell customers.
I say, look, they’re all included with the base level service. You should turn it on. You should have somebody looking at it on a fairly regular basis. And then the most important thing isn’t necessarily comparing yourselves to your peers or to what your score was yesterday. It’s looking at the recommendations and implementing them. And by the way, the number one recommendation almost always is use MFA.
Mary Jo Foley (17:21):
It always comes back to that. Nice. Okay. I feel like, the idea of having a communication plan when a security issue hits, it’s pretty much an afterthought for many people, or just like a checklist item. I’m curious what you would say about how IT and security pros should think about having a communication plan. And what that means, especially these days with COVID.
Ann Johnson (17:50):
Yeah, it’s an interesting topic cause, it was the RSA conference a year ago, we published, with a couple of partners, a guide to building your cyber resilience plan as part of your operational resilience. And one of the things we’ve said, and I blogged on this topic, by the way over the past year, is that your cyber resilience plan for a cyber disaster should be exactly the same as your plan for a natural disaster or global event. Meaning that all aspects of it, you know, legal technology, PR, comms, executive notifications, customer notifications, should be the same.
We find that really lagging. There was a stat that we’ve used, and I want to say it, and I’m winging this cause I don’t have it in front of me, but something like, you know, less than 30% of organizations felt like they were as prepared for a cyber event as they were for any other type of event in their organization and they didn’t have a structured communication plan.
Ann Johnson (18:45):
And it’s something that we’re going to continue recommending to customers, and you just need to model it after your pandemic or your natural disaster plan. It should be the same plan, with all of the same elements and it needs to be taken as seriously. I have seen an increase, we hear about it more. I’ll tell you that in the past year I spend more time talking to boards of companies than I ever have. And that is always the topic of the conversation, is what is our cyber resilience plan and how do we, not, how do we prevent it, but how do we react, respond and communicate and get systems back online.
Mary Jo Foley (19:18):
Great. Okay. Well thank you so much for taking time. I know this is a really busy time for you because of all that’s going on and I appreciate you coming on the show and thanks again for doing this.
Ann Johnson (19:32):
Thank you so much for having me, it was a pleasure.
Mary Jo Foley (19:34):
Great. And for everyone else listening to this podcast, all you MJF chat readers and listeners, I’ll be posting more information soon on Petri about who my next guest will be. Once you see that, you can submit questions on Twitter directly for that guest. In the meantime, if you know of anyone else or even yourself who might make a good guest for one of these chats, please do not hesitate to drop me a note. All my contact information is available on Petri.com. Thank you very much.