As Microsoft moves forward with a “cloud first, mobile first” mandate to enable customers to “achieve more,” security has become one of the most strategic investments that the company has ever made. Security is job #1 and goes beyond the funding of teams, R&D, digital crime centers and the like. Security really has become an integral part of Microsoft’s DNA. In integrating security deep into the corporate culture, Microsoft has brought in some of the best and brightest minds in the area of enterprise security. Today, we’re talking to one of those recent additions to Microsoft’s security brain trust. Previously with RSA, Sachin Gupta is a Principal Security Evangelist for our North American enterprise business. Thanks for joining us!
Sachin: Absolutely. Excited to talk to you, John!
John: We’ve let the cat out of the bag a little bit already regarding your background with RSA, but can you go into a little bit more about the how and why of your journey to Microsoft?
Sachin: Sure, you know I spent about 10 years at EMC-RSA working with a variety of security technologies -identify and access management, data protection technologies, fraud detection and prevention, threat detection, security analytics, etc.. More importantly, I enjoyed helping my customers design security solutions to not only help protect the most critical assets, which, in my mind are your identity, data, device and apps, but also to detect and respond to malicious and fraudulent activities outside and inside the organization. I remember when the opportunity at Microsoft first presented itself, I joked and said, “you got to be kidding me.” I never imagined Microsoft and security would go hand in hand together. Jokes and old world bias aside, Microsoft was investing more than $1b in security R&D each year at the time – and more now — and has made “security first” a mandate in our cloud first, mobility first approach to enabling customers to take a secure journey to the cloud. So, back to your question John, what excited me most about Microsoft is the implementation of our built-in vs bolt-on approach to security that is going to be the much needed catalyst to help our customers optimize their investments with Microsoft and other technologies and securely transform their business in ways that were not possible before.
John [Laughter]: Yep, you are spot on that not everyone automatically connected Microsoft to security. But times do change and I now see very different discussions between customers, partners and our teams. A lot of that is connected to the bolt-on vs. built notion that you refer to, but I am always amazed by the amount to telemetry that Microsoft has from the likes of AAD, O365, Windows Update, Xbox Live, Outlook.com, Bing and the like. We’ve become pretty good at discovering, tracking, reporting and helping to mitigate advanced threats, correct?
Sachin: Absolutely! Microsoft security is literally night and day from just 4 or 5 years ago. In addition to all that, Microsoft is taking a holistic approach to security by leveraging the deep and broad threat intel as a fluid to connect and integrate the traditional security silos across all our platforms such as O365, Windows 10, Azure and our enterprise mobility plus security solutions to help better protect, detect and respond to advanced threats in a modern hybrid environment. I believe this is an exciting opportunity and challenge to help our customers leverage security as an enabler for their business organizations to achieve more and I am honored to be part of this journey and the enterprise cybersecurity team at Microsoft.
John: Let’s get specific on the Enterprise Cybersecurity team here at Microsoft. What do you and the team do?
Sachin: My team is a group of trusted advisors with deep cybersecurity expertise that work closely with enterprises and empower them to confidently and securely move to cloud, and modernize their platforms by delivering the security solutions, expertise and services needed to keep their data safe. Mission statement stuff aside, we specifically partner and work closely with our customers in defining a security framework, approach, roadmap and architecture to not only enable a secure journey to cloud but also to optimize and maximize their return on investment with us. Everything we do is grounded in the “value” that security provides. And that “value” is unique from customer to customer.
John: Of course. Every company is unique in their strategic initiatives and their security priorities, but, when you sit down with CIOs and CISOs and their teams, are you seeing some trending issues that are real “hot-buttons” across the board? The common denominators, if you will?
Sachin: Great question. We all know that cybersecurity now is a board room topic and discussion. Even though the board is getting reports from the chief risk officer and external independent sources, boards are now taking time to meet with the CISO on at least a quarterly basis to get the current state of cybersecurity. Board members want to know what the key cyber security issues are, particularly from a business prospective – the key blockers identified, the security strategies and ongoing projects to address the issues, blockers etc. We also know that businesses are transforming themselves to be more agile, to help their employees be more productive, to engage with their customer in new ways and so on an so forth. This, at the same time, is expanding the attack surface and dissolving the traditional security perimeter making the traditional security approach ineffective. But, to your point, let’s get specific and expand on the broader security trends and challenges that majority of the organizations are go through by default.
John: Love it. So, in your mind and experience, these are really the things that are non-negotiable. Is it fair to say that these things MUST be explored in the new cloud first, mobile first world?
Sachin: Absolutely correct. If you, as a commercial entity, don’t look at the modernization of these specific things, you are likely not fully managing your risk and are certainly not fully realizing the value that you can bring to your own customers and stakeholders. So, let me start with a biggie… Identity is the new security perimeter. There are no “if, ands or buts” about it. Identities are becoming more and more mobile. It is not so much about protecting the identities inside the four walls of your organization but the new perimeter is wherever the identity is meeting with the data. Users and business want convenience of being able to access their data/app regardless of where the identity is and the type of device being used. It’s imperative that these identities are protected regardless of where they are in a consistent manner and more importantly should not impede on user experience. We simply can’t built brick walls anymore and this leads to the challenge of implementing compensating controls which not only provide the optimal security but also enhance the user experience.
John: Exactly. Your identity, your credentials, whatever phrase you want to use are really the keys to the kingdom. No matter who you are in an org, you have an assigned identity. It’s like the keys to your house. You wouldn’t hand out a copy to the handyman, to all the neighbors on your street, to the postal carrier, etc, etc, but we often see corporate identity reused – to access a non-sanctioned SaaS app, to “register” for that cool new game from the app store on your phone, etc. If any of those datastores are compromised, you have now unlocked the front door of your house to someone that you don’t necessarily want to be able to walk in unannounced.
Sachin: Yes, that is a great analogy. And if you think about credentials as opening that front door, it’s really more than that. That key has now granted access to everything in your house, the media room, the food pantry, the cars inside your garage, etc. The same thought applies here. Your identity lights up your access to devices, apps and data. Which brings me to the next big security trend and rule… Data is the new currency. Data in traditional thinking used to be an asset that stays within the four walls of our organization. However, with mobility and the need for collaboration beyond the traditional perimeter, the lifecycle of data looks very different today. It may very well be created within your organization and cross boundaries to a partner organization, in the cloud, personal email accounts and so on and so forth. Data is obviously the most important asset for a given organization and it’s imperative that we not only protect it but also track it in highly digitized and mobile world. The silos that use to exist between discovery, classification, protection and tracking of data are collapsing and the CISOs want a more holistic and integrated solution to protect data. Which bring us to the 3rd big trend which is a new approach to overall Enterprise Detection and Response. Prevention will always be a viable strategy, but it can’t be the only one going forward. Something will get through. Now the question is how fast do you find it and how do you minimize the blast radius.
John: You are really advocating an “assumed breach” posture here. Always assume that you are compromised in some way and invest in discovery and remediation as well as robust prevention.
Sachin: Exactly. There is no doubt that significant cyber-attacks are not only occurring more frequently, but also exponentially increasing in technological sophistication. This makes every organization more susceptible to breach, and subsequently, the possibility of a significant financial and reputational damage. CISOs are recognizing the need to run their organization in an assume breach mode. This obviously translates into the ability to pro-actively detect threats much earlier in the kill chain to avoid a breach situation. Dissecting what happened with breaches at several large organization earlier last year shows that they had invested in a bunch of security solutions and yet they failed to detect and respond to threats early enough to avoid a breach situation. Clearly that’s not ideal and a more holistic approach to threat detection combined with strategic threat intel is needed to enable this pro-active threat detection both on-premises and in the cloud.
John: And to circle back to Microsoft’s cybersecurity DNA, how do you and the Microsoft Cybersecurity team help those CIO and CISO teams navigate the kinds of considerations and challenges that you just outlined?
Sachin: Well, I don’t want to sound like a marketing brochure too much, but Microsoft really does have unique, industry leading cybersecurity capabilities that extend from the world’s most used client operating systems to the most trusted cloud in the world. The Enterprise Cybersecurity Group leverages deep security perspective, experience combined with our unique security capabilities to help our customers build a secure roadmap for their journey to the cloud. We break the traditional silos of securing identity, data, apps, etc. and take a more holistic and integrated approach to security. As an example – when we think about enabling identity for digital transformation, the identity to us is a combination of user, application data and device. You simply can’t secure these assets in silos to have a secure identity but rather you need a more connected, integrated and comprehensive approach. We also have unique built-in capabilities to help our customers monitor and detect advanced cyber threats in both on-premises and cloud environment. We work with enterprise customers to help connect these dots to provide for a single pane of glass not only from Microsoft product and technologies prospective but also leveraging integration capabilities with other security solutions that may exist in their environment. Look, we aspire to do some greats things in the security space. However we recognize that we are part of a larger ecosystem and we need to play well with other security providers. Additionally, we offer industry leading tactical and strategic incident response capabilities backed with unique access to product expertise. Bottom line, we help connect the security dots and breaks those traditional silos for our customers to achieve more and enable their business.
John: You may actually have a future in marketing, Sachin! [Laughter] Anyway, certainly internally at the very least, it is clear that Microsoft has made “security first” a mandate in our “cloud first, mobile first” approach to the modern enterprise across all of our platforms and solutions. What makes this such a game-changer for both Microsoft and our customers and partners?
Sachin: First of all, Security is not something new at Microsoft. Microsoft stands for trust. And more than ever, we are making investments to keep us all secure. 15 years ago, Bill Gates recognized this would be a challenge for the industry when he declared that making computing trustworthy was our top priority. Since then, we have made incredible strides but it continues to be a journey. Over these past 15 years, we have learned a lot – First, our ability to make threat go away entirely is limited. What we can control is our reediness and response in face of ongoing threat. Second – bolt on security will always keep us on the defense. The point/bolt-on security solutions are good at solving a specific problem. However for most part, they are disconnected, they don’t share intel and work with each other in real time and that does not help with reducing your median time to detection and recovery. The security first approach at Microsoft is about building the security controls into the platform itself so they can work in a more cohesive and integrated manner. We face the same adversaries as our customers do, but because of the scale of the technology we build and operate, we capture a massive amount of security related signals and that’s what provides us with glue to connect and integrate security dots together. This in turn provides you with the ability to not only provide for enhanced protection but also the ability to proactively monitor, detect and respond to cyber threats. This to me is a game changer which significantly enhances our ability to disrupt the adversary economic model and playbook. Let me illustrate this with an example. We all know Phishing is still the most common attack vector used by adversaries to infect end user devices by sending weaponized attachment via email. Think about a scenario where windows defender detects the malicious payload on the end user machine and sends this intelligence to O365. O365 then automatically uses this intelligence to scan and remove emails with the same malicious attachment from the O365 mailboxes. This is truly a game change how the intel from one security capability is used by other in an automated and near real time fashion to help reduce the median time detection and response. Microsoft is committed to being a leader in the security space, but security is not a problem we can address alone. Doing so in the right way means working broadly with others. Our Digital Crimes Unit brings together partners with multiple areas of expertise to fight digital crime. Together, we are addressing broad threats like botnets and the online needs of vulnerable populations like children and senior citizens. We are also working with alliances like FIDO to help drive towards a world without passwords. We will continue to invest in security partnershipsand help drive the entire industry forward.
John: And, finally, any words of advice for folks that that have been tasked with rapidly — and perhaps even radically — improving their organization’s own security posture? There are so many options and so much noise out there, where do they start?
Sachin: First things first, I believe it is critical for companies to adopt a good security hygiene across things like monitoring, patch, operating systems, privileges access etc. This provides for a good security foundation to build upon and frankly speaking – Could help protect against a majority of threats and attack vectors. Cloud adoption and mobility is clearly expanding the traditional perimeter beyond the four walls of the organization. Clearly we need to acknowledge the reality that it is not a matter of if an organization will experience a breach but rather it is about “when” and organizations need to operating with an Assume Breach mindset. The traditional protect, detect and respond model is still applicable but organizations need to look at capabilities which extend beyond the traditional perimeter. I have said before that identity is the new security perimeter and clearly protecting this modern identity requires innovative capabilities combined with a mind shift. It is also important to understand that modern identity is not just about user but it also includes data, device and the application that the user is accessing. Organizations should also invest in technologies which could them reduce their mean time to detection. Traditional signature based approaches to threat detection should transition to capabilities that leverage machine learning, behavior analysis and big data analytics to proactively detect threats much earlier in the kill chain. Cloud promises agility, scalability and much more but it also promises security at scale and could help rapidly enhance the overall security posture.
John: Thanks, Sachin! Appreciate the time. Now go out there and get some cyber bad guys.
Sachin: [Laughter] Will do, John. Appreciate the partnership! And if folks want to chat, they can reach me at gupta.sachin AT microsoft.com
Stay tuned next month when we continue our brand new security interview series with Randy Howard, Microsoft’s Director of Enterprise Security, North America, Central Region (whew, that’s a heck of a title, Randy!)