A global pandemic and its impact on the way we work and live served as a catalyst for enterprise digital transformation in 2020. The enterprise did two years' worth of digital transformation in two months this year, according to Microsoft CEO Satya Nadella. But how did that acceleration of projects impact the security of the enterprise? Did smart security practices fall by the wayside?
Gunter Ollmann, chief security officer for Microsoft's Cloud and AI security division brought the answers to that and other questions about the cloud, AI, and security to his keynote address during a December virtual edition of Interop presentations. The keynote was presented in a question-and-answer format, with questions from Dark Reading Executive Editor Kelly Jackson Higgins.
In spite of the rapid change, including the sudden move to remote working for many in the workforce, security for the end user and the customer has improved, according to Ollmann. There are still some gaps, he said, but those have been mostly in the realm of patch management of unmanaged or unowned devices, and even that is changing.
However, a couple things have been happening from a cloud perspective that need attention. First, there's a skills gap still that needs to be closed when it comes to adding cloud environments. And second, Ollmann said one of the top requests from enterprise customers is help with learning how to take their cloud approach back to on premises. These organizations would like to be able to manage their cloud and on-premises postures in a single element, according to Ollmann.
Cloud has also changed the way organizations approach security. Ollmann frequently used the term "cloud posture." Jackson Higgins asked him to explain what that means. Ollmann said that back in the old days, security often was about vulnerability scanning, vulnerability asset management, tools for identifying assets and security patches and services.
But with the growth of cloud computing, organizations are looking at so much more, including infrastructure as a service, SaaS, resources, resource management, plus all the applications that operate in the enterprise such as the finance application, the purchase order application, and all the assets behind all those applications.
"Posture management tooling lets you get that visibility, control, and management of those policies," Ollmann said. This gives security pros visibility into the vulnerability risk management for particular assets, resources, applications, and environments.
Ollmann likes to call it a gamification of the security and risk assessment. Assets are assigned scores and any vulnerability or misconfiguration or step away from best practices then lowers that score. That puts the focus on improving the score, effectively gamifying security improvements.
Artificial intelligence, including machine learning, has added a new element to security operations, too, according to Ollmann. On one hand, organizations are able to use AI and automation to help fight against attacks.
For instance, if a security pro sees the same alert five times a day and it is always fixed the same way, that's a fix that can be automated. For security pros that are operating in an environment of alert fatigue -- seeing hundreds of thousands of events that pop up every day -- it's a benefit to allow AI to triage them.
"If my capacity is to do six things today, what are those six things?" Ollmann asked. Anything below those six things should be automated.
But AI also poses a threat to organizations because as companies develop their own AI that underpins the products they produce, that becomes the next target for the bad guys, according to Ollmann. For instance, attackers may poison data. Ollmann gave the example of the bad guys putting stickers on Stop signs to fool cars into thinking that they are actually 50 MPH signs.
"There's a lot of work going on in the adversarial machine learning space," Ollmann said. For instance, Microsoft and 12 other global enterprise research and academic teams have created a Machine Learning Adversarial Threat Matrix that examines the phases of a data poisoning attack (much like the Mitre Att&ck Framework does). The effort is designed to identify the tools and tactics employed by the attackers and to help protect against these kinds of attacks.
Protecting against these kinds of attacks is a next step in securing the enterprise.
The Machine Learning Adversarial Threat Matrix is designed to not only provide guidance and visibility on how to mitigate an attack underway, but also provides insight on how to clean up afterwards across an organization's teams.
But is there one takeaway? Is there one piece of advice that Ollmann has for enterprise organizations looking to secure themselves during a new age of cloud?
Ollmann said that assets used to be the pain point for management, but today that has pivoted to identity. If you want to do one thing to secure your enterprise, here's what it should be, according to Ollmann.
"Eighty percent of cloud attacks could have been stopped through multifactor authentication," he said.
For more on the future of the enterprise and cloud, read these articles: