I can’t deny that Microsoft competes with Cybereason, but the truth is, I owe a lot of the success of Cybereason to Microsoft. After all, the lion’s share of what we do as defenders is protect against exploits targeting vulnerable Microsoft platforms and applications.
I’ve been involved in cybersecurity for my entire adult life. I started out conducting nation-state offensive operations while I was in the military—honing my skills in hacking, offensive operations, forensics, malware analysis and reverse engineering, cryptography, and evasion—all mostly focused on Microsoft software.
Microsoft made headlines again this week when it issued a warning to customers of the Azure cloud platform that configuration errors in a component enabled by default had exposed data for the past two years. Thousands of customers who rely on Azure Cosmos DB—including household names like Exxon and Coca-Cola—were exposed to the possibility that an attacker could read, write, or delete their data without authorization.
Microsoft has stated that there is no evidence that any attacker or unauthorized third party ever actually exploited the flaw, but that doesn’t mean it didn’t happen. It just means they didn’t identify it. To their credit, Microsoft resolved the issue very quickly once the flaw was disclosed.
Let me be clear that I don’t completely fault Microsoft. There is no such thing as perfect code and Microsoft is responsible for billions of lines of code between its cloud platform, operating system, applications, and other tools. Vulnerabilities are inevitable, and what’s important is that a company like Microsoft take ownership of the flaws that are discovered and act quickly and responsibly to address them—which Microsoft seems to do.
However, there is a reason why I stress to customers that it is a bad idea to rely on Microsoft for security. They have done a fair job establishing a baseline security offering—incorporating basic controls that raise the bar for security, at least at the consumer level. But Microsoft has been at the heart of most major cyber attacks and data breaches, from SolarWinds and the HAFNIUM attacks that targeted vulnerabilities in Microsoft Exchange Server to the recent new wave of attacks targeting those same vulnerabilities and the news from Microsoft about this two-year-old vulnerability in Azure.
Microsoft leverages its massive position in the enterprise market to offer inferior security tools at a significant discount. But remember the old adage: “If you aren’t paying for the product, you are the product.”
Using Microsoft security tools to protect Microsoft environments and applications is, quite simply, putting all of your eggs in one basket. The fact that Microsoft—which uses Microsoft security tools itself—missed the SolarWinds and Microsoft Exchange Server attacks and allowed an exploitable vulnerability to exist in Azure for two years before it was discovered by outside researchers illustrates that they have bigger problems to focus on.
Organizations deserve more from the companies they trust to provide security solutions—especially if those solutions have repeatedly proven incapable of protecting their own operating systems and platforms from attacks.
As a defender, you have to win every time. It takes an operation-centric approach to deliver security that detects attacks earlier, so security teams can respond sooner and remediate faster—before the attack escalates to the level of a major breach event.
We don’t have a team building operating systems or email servers. We are focused on one thing—reversing the adversary advantage and helping defenders protect against attacks. By all means, use Windows, and Azure, and Office 365, and the other platforms and tools Microsoft offers—just don’t rely on them to also defend your organization.