Securing the future of AI and machine learning: Early findings from new research paper

Artificial intelligence (AI) and machine learning are making a big impact on how people work, socialize, and live their lives. As consumption of products and services built around AI and machine learning increases, specialized actions must be undertaken to safeguard not only your customers and their data, but also to protect your AI and algorithms from abuse, trolling, and extraction.

We are pleased to announce the release of a research paper, Securing the Future of Artificial Intelligence and Machine Learning at Microsoft, focused on net-new security engineering challenges in the AI and machine learning space, with a strong focus on protecting algorithms, data, and services. This content was developed in partnership with Microsoft’s AI and Research group. It’s referenced in The Future Computed: Artificial Intelligence and its role in society by Brad Smith and Harry Shum, as well as cited in the Responsible bots: 10 guidelines for developers of conversational AI.

This document focuses entirely on security engineering issues unique to the AI and machine learning space, but due to the expansive nature of the InfoSec domain, it’s understood that issues and findings discussed here will overlap to a degree with the domains of privacy and ethics. As this document highlights challenges of strategic importance to the tech industry, the target audience for this document is security engineering leadership industry-wide.

Our early findings suggest that:

  1. Secure development and operations foundations must incorporate the concepts of Resilience and Discretion when protecting AI and the data under its control.
  • AI-specific pivots are required in many traditional security domains such as Authentication, Authorization, Input Validation, and Denial of Service mitigation.
  • Without investments in these areas, AI/machine learning services will continue to fight an uphill battle against adversaries of all skill levels.
  2. Machine learning models are largely unable to discern between malicious input and benign anomalous data. A significant source of training data is derived from un-curated, unmoderated public datasets that may be open to third-party contributions.
  • Attackers don’t need to compromise datasets when they are free to contribute to them. Such dataset poisoning attacks can go unnoticed while model performance inexplicably degrades.
  • Over time, low-confidence malicious data becomes high-confidence trusted data, provided that the data structure/formatting remains correct and the quantity of malicious data points is sufficiently high.
  3. Given the great number of layers of hidden classifiers/neurons that can be leveraged in a deep learning model, too much trust is placed on the output of AI/machine learning decision-making processes and algorithms without a critical understanding of how these decisions were reached.
  • AI/machine learning is increasingly used in support of high-value decision-making processes in medicine and other industries where the wrong decision may result in serious injury or death.
  • AI must have built-in forensic capabilities. This enables enterprises to provide customers with transparency and accountability of their AI, ensuring its actions are not only verifiably correct but also legally defensible.
  • When combined with data provenance/lineage tools, these capabilities can also function as an early form of “AI intrusion detection,” allowing engineers to determine the exact point in time that a decision was made by a classifier, what data influenced it, and whether or not that data was trustworthy.

Our goal is to bring awareness and energy to the issues highlighted in this paper while driving new research investigations and product security investments across Microsoft. Read the Securing the Future of Artificial Intelligence and Machine Learning at Microsoft paper to learn more.


Game for Safer Internet Day shows kids how to protect themselves online


1. Use complex, unique passwords for different accounts
If someone has your house key, they can enter and burglarize every room in your home. The same is true of passwords and online accounts. Too often we choose passwords that are easy to remember, such as names or birthday dates. But if it’s easy for you to remember, it’s likely to be easy for cybercriminals to guess. If you use the same, simple password for multiple accounts, then cybercriminals can – and will – be able to access all your sensitive personal information.

Use a password manager to safely store a different password for each account, and make sure that each password is complex: at least 10 characters with a mixture of numbers, letters, capitalization and special characters.

2. Don’t accept invites from strangers on social media
Not everyone you meet online is who they claim to be. It’s common for cybercriminals to create fake social media profiles to foster relationships with unwary users and pick their cyber pockets – or worse.

If you’re approached by a stranger online who insists you share personal information or requests money, that should set off alarm bells. If possible, search for the person directly to see if the account is authentic. Still unsure about the person’s identity but want to accept their friend request anyway? Just to be on the safe side, limit the information that person can view on your profile using your privacy settings.

Remember: the same rules apply online as they do in the real world – don’t share sensitive or private information with strangers.

3. Online actions can have offline consequences
Think of the Internet like a town square or a sidewalk: it’s a public space, where anyone can see or share anything you publish, irrespective of whether it’s meant for them or if you’ve given permission.

Before you post something online, ask yourself; would I want my employer, customer or relative to know this? Even things like your relationship status or home address, which might seem harmless, can be misused if the wrong people see them.

4. Protect sensitive and personal information
With a few exceptions, unfortunately there is no permanent delete key for content posted online. Any image, comment or photo you post online is likely to remain there forever. Even if you remove the original post, you can’t be sure that others have not made copies or shared your content on other networks. So don’t put anything online that you wouldn’t want others to see.

5. Be careful where you click
A tried-and-tested cybercriminal tactic is to trick you into downloading malware that allows them to steal information. From a popular game to an email offering tech support, malware can be disguised in a variety of different ways.

Avoid downloading apps that look odd or come from an unknown site. Not sure if an email is legitimate? Ask yourself the following questions: Does the sender have a bizarre email address? Is the greeting impersonal? Are there a lot of spelling mistakes? Is there a strange sense of urgency?

If you’re still unsure, get in touch with the brand or company through their official channels such as their website or social media page. It is always better to triple check than risk compromising your security.

6. Update your privacy settings & antivirus
If you don’t update your defences, cybercriminals will eventually come up with a way to overcome them. Be sure to stay current with your operating system’s updates and make an effort to check the privacy settings on the applications and browser you use.

7. Always use a secure connection
When using a public internet connection, such as Wi-Fi in a shopping center, you have no direct control over its security. If you’re unable to establish a secure connection or ensure your device is protected, don’t share sensitive information. It’s safer to wait until you’re at home and using a secure Wi-Fi network.

8. Ask advice from those you trust
Never feel rushed to click on a link or publish a post. There is nothing more urgent than our online safety.

Navigating online threats can be stressful, but there are plenty of resources to help you out. Whenever you find yourself in a situation where you are unsure or suspicious, always defer to the expertise of those you trust – whether a friend, parent, teacher or even a technology partner.

Looking for a fun way to teach youth about internet safety? Download the free Safer Internet Day chatterbox and discussion guide.


Data loss prevention: Human error, insider threats and the in-between

Do you remember the first or last time you found a user had shared sensitive information with the wrong people?

Companies dedicate large amounts of resources and money towards establishing an air tight DLP policy to detect and protect company data and prevent it from getting into the wrong hands, whether deliberately or by mistake. But no matter how good the technology, or how vigilant the security team, there is always a wildcard – end users.

“A company can often detect or control when an outsider (non-employee) tries to access company data either physically or electronically, and can mitigate the threat of an outsider stealing company property. However, the thief who is harder to detect and who could cause the most damage is the insider—the employee with legitimate access. That insider may steal solely for personal gain, or that insider may be a “spy”—someone who is stealing company information or products in order to benefit another organization or country.”

                Introductory guide to identifying malicious insiders, U.S. Federal Bureau of Investigation (FBI)


Figure 1: Statistics from the Insider Threat 2018 Report

From the above data we can see that insider threats are becoming a real concern for most organizations, and that active steps are taken to mitigate the risk inherent to these threats.

In this post we’ll discuss how regular users can expose sensitive data by wrongly classifying documents, how malicious users can take advantage of the encryption to exfiltrate data, and how Microsoft Cloud App Security’s new capability of scanning content in encrypted files, as well as the wider Microsoft Information Protection offering, can help organizations mitigate these risks.

The innocent mistake

While employees in the modern workplace are getting increasingly technologically savvy, and are finding new tools to improve their productivity, they aren’t always aware of the security implications of their actions.

Many of our customers are leveraging Microsoft Information Protection solutions to classify, label and protect their data. To minimize the impact on end users and their ability to be productive, these organizations often choose to empower their users to label documents themselves, by providing automatic suggestions but not auto-labeling or -protecting documents.

A user can inadvertently label a document containing highly confidential information with a low sensitivity label that applies minimal access restrictions. Since the file is already encrypted, it will not be scanned by the DLP solution, but might still be accessible to unauthorized people.

The malicious insider

A bigger threat, with a much higher potential for damage, is the malicious insider: a user who is actively working on exfiltrating sensitive information from the organization, whether for personal gain, corporate espionage or other reasons.

This malicious user might exploit the ability to encrypt files by purposefully classifying a file as low sensitivity, inserting highly sensitive data into it, and then sharing it externally. As in the “mistake” scenario, the encrypted file passes the DLP solution’s scanning without its content being inspected.

How does Microsoft Cloud App Security handle these risks?

Microsoft Cloud App Security has a wide set of tools targeted at handling insider threats. These include user behavior anomaly detections, cloud discovery anomaly detections, and the newly released ability to scan content of encrypted documents.

User anomaly detection

Microsoft Cloud App Security comes with a wide set of out-of-the-box anomaly detection policies that are activated by default as soon as the product is enabled. These detections look at the activities performed by users in sanctioned apps and define a usage baseline, leveraging UEBA capabilities to automatically identify any anomalous behaviors going forward.

An example of these types of detections, aimed at insider threats, is “Unusual file download activity by user”. This detection will create an alert whenever a user performs file downloads that differ from their usual pattern – a potential indicator of a data exfiltration attempt.

Cloud anomaly detection

In addition to the user anomaly detections for sanctioned apps, Cloud App Security also offers detections aimed at identifying suspicious behavior of users in unsanctioned applications. These detections are based on the data we get and analyze as part of our Cloud Discovery capabilities.

An example for such a detection is “Data exfiltration to unsanctioned apps”, which looks at the amount of data being uploaded by users to unsanctioned applications – one of the most common scenarios of insider threat data exfiltration.

Content inspection of encrypted files

We have recently released the ability for an admin to allow MCAS to scan the content of files that are protected by Azure Information Protection. After enabling this functionality, the admin can define MCAS file policies to inspect the content of encrypted files, and generate an alert, or take an action based on the match.

This functionality ensures that files are handled according to their actual content, even if they are labeled incorrectly, thus preventing sensitive data from leaving the organization – both by mistake and by design.


Figure 2: Policy setting to allow Microsoft Cloud App Security to scan files protected with AIP

Human error and malicious intent will forever be a part of organizational lifecycles. While we cannot eliminate them completely, it’s our goal to enable IT and Security admins to minimize this risk. With our advanced capabilities and unique set of insights, Microsoft Cloud App Security and the wider Microsoft Information Protection offering help organizations to protect their sensitive information – wherever it lives or travels.

More info and feedback

Learn how to get started with Microsoft Cloud App Security with our detailed technical documentation. Don’t have Microsoft Cloud App Security? Start a free trial today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Learn more about Microsoft Information Protection.


Security researchers: Bug bounty program for Azure DevOps added

It is my pleasure to announce another exciting expansion of the Microsoft Bounty Programs. Today, we are adding a security bug bounty program for Azure DevOps in partnership with the Microsoft Security Response Center (MSRC) to our suite of Bounty programs.

Our Bounty program rewards independent security researchers who find flaws and report them to us responsibly. We’ll publicly recognize the researchers who report these security issues, and for high-severity bugs we’ll present payments of up to $20,000 USD.

These rewards help motivate researchers to find security vulnerabilities in our services and let us correct them before they’re exploited by attackers. You can find the details of our Bug Bounty program with MSRC.

Security has always been a passion of mine, and I see this program as a natural complement to our existing security framework. We’ll continue to employ careful code reviews and examine the security of our infrastructure. We’ll still run our security scanning and monitoring tools. And we’ll keep assembling a red team on a regular basis to attack our own systems to identify weaknesses.

If you’re interested in the way our team approaches security and how we continue to evolve our thinking and practices, then I’d encourage you to watch the video of my talk “Mindset shift to a DevSecOps culture.”

This program will help us provide the highest level of security for our customers, protect customer data, and ensure the availability of Azure DevOps. I’m looking forward to seeing what we learn from working more closely with the security community.


Microsoft gains strong customer, analyst momentum in cloud access security brokers market

After a strong year of product updates and innovations, we’re excited to see that Microsoft jumped into the Challenger position in Gartner’s 2018 Magic Quadrant for Cloud Access Security Brokers (CASB) and solidified its leadership position in KuppingerCole’s 2018 Leadership Compass in the same product category, backed by strong customer adoption rates.

CASBs give organizations the ability to securely embrace the possibilities of their cloud apps and services and they can be crucial in driving a successful cloud security strategy.

While the market for CASB is still relatively young, analyst firm Gartner, Inc. predicts that 60 percent of large enterprises will be using CASB technologies by 2020, with independent forecasts expecting to reach a total addressable market of $7.5 billion in the same timeframe.

We have seen a steep increase in the adoption of Microsoft Cloud App Security across all customer segments, ranging from large enterprises such as global energy leader BP, to smaller organizations such as Affinity Workforce. Our internal estimates show that Microsoft Cloud App Security has a current market share of more than 30 percent in the CASB space. This provides us with insights from billions of signals every day—and direct input from the many organizations that we work with—allowing us to continuously improve the product and react to what we’re seeing in the market.

By integrating with leading security, identity, and productivity solutions across Microsoft 365, Microsoft Cloud App Security is uniquely positioned to drive innovation in the CASB space. Recent additions include our native integration with Windows Defender Advanced Threat Protection and our consistent labeling experience via Azure Information Protection. Among many others, these help organizations gain visibility into their cloud apps and services, provide sophisticated analytics to identify and combat cyber threats, and control the travel of sensitive information to equally support Microsoft’s native cloud services, as well as numerous third-party cloud apps and services, such as Dropbox, Salesforce, and others.

Microsoft Cloud App Security’s portfolio of native product integrations.

2018 analyst momentum

In Gartner’s 2018 report, we significantly improved our positioning and moved along both axes, Completeness of Vision as well as Ability to Execute, up from a Niche Player to a Challenger position. We see the substantial improvement as a testimony to our strong ability to execute against our feature roadmap and the momentum we are gaining with customers.

Magic Quadrant for CASB. Source: Gartner (October 2018)*

In its 2018 report, analyst firm KuppingerCole positions Microsoft as a Leader for the second year in a row. This further emphasizes the strength of our native integrations across Microsoft 365, including Azure Active Directory (Azure AD), Office 365, and Azure Security Center, and the significant customer base of Microsoft Cloud App Security.

Leadership Compass for CASB. Source: KuppingerCole (October 2018)

This year’s results confirm Microsoft’s strong commitment and rapid progress in this space—and with the progress of the overall market, the importance for organizations to start considering the use of a CASB continues to increase.

Learn more

We made both these 2018 analyst reports available for review. Download the Gartner Magic Quadrant 2018 for CASBs report and the KuppingerCole Leadership Compass 2018 report.

If you’re not using Microsoft Cloud App Security, start a free trial today and learn how to get started with our detailed technical documentation.

If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

To stay up to date with our latest product innovations, follow our product blog.

*This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Microsoft becomes first Fortune 500 company to adopt password-less authentication

Howdy folks,

I’m so excited to share today’s news! We just turned on the ability to securely sign in with your Microsoft account using a standards-based FIDO2 compatible device—no username or password required! FIDO2 enables users to leverage standards-based devices to easily authenticate to online services—in both mobile and desktop environments.

This combination of ease of use, security, and broad industry support is going to be transformational both at home and in the modern workplace. Every month, more than 800 million people use a Microsoft account to create, connect, and share from anywhere to Outlook, Office, OneDrive, Bing, Skype, and Xbox Live for work and play. And now they can all benefit from this simple user experience and greatly improved security.

Starting today, you can use a FIDO2 device or Windows Hello to sign in to your Microsoft account using the Microsoft Edge browser.

Watch this quick video showing how it works:

Microsoft has been on a mission to eliminate passwords and help people protect their data and accounts from threats. As a member of the Fast Identity Online (FIDO) Alliance and the World Wide Web Consortium (W3C), we’ve been working with others to develop open standards for the next generation of authentication. I’m happy to share that Microsoft is the first Fortune 500 company to support password-less authentication using the WebAuthn and FIDO2 specifications, and Microsoft Edge supports the widest array of authenticators compared to other major browsers.

If you want to know more details on how it works and how to get started, keep reading on.

Get started

To sign in with your Microsoft Account using a FIDO2 security key:

  1. If you haven’t already, make sure you update to Windows 10 October 2018.
  2. Go to the Microsoft account page on Microsoft Edge and sign in as you normally would.
  3. Select Security > More security options and under Windows Hello and security keys, you’ll see instructions for setting up a security key. (You can purchase a security key from one of our partners, including Yubico and Feitian Technologies, that support the FIDO2 standard.*)
  4. Next time you sign in, you can either click More Options > Use a security key or type in your username. At that point, you’ll be asked to use a security key to sign in.

And as a reminder, here’s how to sign in with your Microsoft account using Windows Hello:

  1. Make sure you’ve updated to Windows 10 October 2018.
  2. If you haven’t already, you’ll need to set up Windows Hello. If you have Windows Hello set up, you’re good to go!
  3. Next time you sign in on Microsoft Edge, you can either click More Options > Use Windows Hello or a security key, or type in your username. At that point, you’ll be asked to use Windows Hello or a security key to sign in.

If you need more help, check out our detailed help article about how to get set up.

*There are a couple of optional features in the FIDO2 spec that we believe are fundamental to security, so only keys that have implemented those features will work. Read What is a Microsoft-compatible security key? to learn more.

How does it work?

Under the covers, we implemented the WebAuthn and FIDO2 CTAP2 specifications into our services to make this a reality.

Unlike passwords, FIDO2 protects user credentials using public/private key cryptography. When you create and register a FIDO2 credential, the device (your PC or the FIDO2 device) generates a private and public key on the device. The private key is stored securely on the device and can only be used after it has been unlocked using a local gesture like a biometric or PIN. Note that your biometric or PIN never leaves the device. At the same time that the private key is stored, the public key is sent to the Microsoft account system in the cloud and registered with your user account.

When you later sign in, the Microsoft account system provides a nonce to your PC or FIDO2 device. Your PC or device then uses the private key to sign the nonce. The signed nonce and metadata are sent back to the Microsoft account system, where they are verified using the public key. The signed metadata, as specified by the WebAuthn and FIDO2 specs, provides information such as whether the user was present, and verifies that the authentication was authorized through the local gesture. It’s these properties that make authentication with Windows Hello and FIDO2 devices not “phishable” or easily stolen by malware.

How do Windows Hello and FIDO2 devices implement this? Based on the capabilities of your Windows 10 device, you will either have a built-in secure enclave, known as a hardware trusted platform module (TPM) or a software TPM. The TPM stores the private key, which requires either your face, fingerprint, or PIN to unlock it. Similarly, a FIDO2 device, like a security key, is a small external device with its own built-in secure enclave that stores the private key and requires the biometric or PIN to unlock it. Both options offer two-factor authentication in one step, requiring both a registered device and a biometric or PIN to successfully sign in.

Check out this article on our Identity Standards blog, which goes into all the technical details around the implementation.

What’s next

We have tons of great things coming out as part of our efforts to reduce and even eliminate the use of passwords. We are currently building the same sign-in experience from a browser with security keys for work and school accounts in Azure Active Directory. Enterprise customers will be able to preview this early next year, where they will be able to allow their employees to set up their own security keys for their account to sign in to Windows 10 and the cloud.

Furthermore, as more browsers and platforms start supporting the WebAuthn and FIDO2 standards, the password-less experience—available on Microsoft Edge and Windows today—will be hopefully available everywhere!

Stay tuned for more details early next year!

Best Regards,
Alex Simons (@Twitter: @Alex_A_Simons)
CVP of Program Management
Microsoft Identity Division


Brad Smith on the Paris Call: An important step toward peace and security in the digital world

Today, French President Emmanuel Macron launched a global effort among governments, businesses and civil society to protect and defend against threats to the digital infrastructure that runs our daily lives. We’re proud to be one of the 370 signatories of The Paris Call for Trust and Security in Cyberspace. This includes 51 governments from around the world, including all 28 members of the European Union and 27 of the 29 NATO members. It also includes key governments from other parts of the world, including Japan, South Korea, Mexico, Colombia and New Zealand.

The Paris Call is an important step on the path toward digital peace, creating a stronger foundation for progress ahead. It calls for strong commitments in support of clear principles and strong norms to protect citizens and civilian infrastructure from systemic or indiscriminate cyberattacks. Similarly, it calls for governments, tech companies and nongovernmental organizations (NGOs) to work together to protect our democracies and electoral processes from nation-state cyberthreats.

The Paris Call breaks new ground by bringing together to support these steps an unprecedented and broad array of supporters. Its signatories include more than 200 companies and business associations, including leading tech companies such as Microsoft, Google, Facebook, Intel, Ericsson, Samsung, Accenture, Fujitsu, SAP, Salesforce and Hitachi. Importantly, it also includes leading financial services institutions such as Citigroup, Mastercard, Visa, Deutsche Bank, as well as industrial leaders such as Nestle, Lufthansa and Schneider Electric. And it includes almost 100 critical NGOs that span groups across civil society.

All of this is important for a reason. Success in advancing cybersecurity requires an approach that is not only multinational, but multistakeholder in nature. This is because cyberspace, unlike the traditional planes of warfare like land, sea and air, is typically privately owned. Cyberspace in fact consists of concrete elements in the real world, such as datacenters, undersea cables, and laptops and mobile devices. These are designed and manufactured by private companies. And often they are owned and operated by tech companies and others in the private sector.

While the tech sector has the first and highest responsibility to protect this technology and the people who rely upon it, this is an issue that requires that governments, companies and civil society come together. That is the only effective way to protect people from what at times have become military-grade cybersecurity threats.

Increasingly, it is apparent that the people of the world appreciate this as well. This morning in Paris I announced that more than 100,000 individuals from more than 130 countries have now signed the petition calling for Digital Peace Now, spearheaded with Global Citizen. And like the signatories to the Paris Call, this number is continuing to grow.

Today’s announcements came as part of the Paris Peace Forum, an event commemorating the centennial of the Armistice that brought an end to the First World War. As was the case a century ago, the nature of technology and warfare is changing. A century ago, governments and human institutions failed to adapt to the changing world. This century, we need to do better. With the help of clear principles, strong protection and a growing multistakeholder coalition, we can build on today’s milestones and continue to provide the world the strong cybersecurity it deserves.



Top 10 security steps in Microsoft 365 that political campaigns can take today

The increasing frequency of cyberattacks make clear that more must be done to protect key democratic institutions from cyber-enabled interference. With just a few weeks left before the U.S. midterm elections and early voting under way, campaigns must stay vigilant in protecting against cyberattacks to their online collaboration tools, including email. Microsoft recommends taking action today to protect against phishing, malware, account compromise, and other threats—see Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats. These recommendations are tailored for small to mid-sized political campaigns and election-focused stakeholders using Office 365 or Microsoft 365. Any organization—especially those without full-time IT security staff—can benefit from taking these actions.

This guidance provides step-by-step instructions for using 10 high-impact security capabilities. These actions help you implement many of the best practices recommended in the Cybersecurity Campaign Playbook, created by the Defending Digital Democracy program at Harvard Kennedy School’s Belfer Center for Science and International Affairs.

Top 10 cybersecurity recommendations:

  1. Set up two-step verification for all staff.
  2. Train campaign staff to quickly identify phishing attacks.
  3. Use dedicated accounts for administration.
  4. Raise the level of malware protection in mail.
  5. Protect against ransomware.
  6. Prevent emails auto-forwarding outside of the campaign.
  7. Increase encryption for sensitive emails.
  8. Protect your email from phishing attacks.
  9. Protect against malicious attachments in email.
  10. Protect against phishing attacks that include malicious website links in email or other files.

Read Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats for details on how to implement each action.

These recommendations are provided as part of Microsoft’s ongoing commitment to the Defending Democracy Program. Qualifying organizations using Office 365 can also take advantage of Microsoft AccountGuard for additional protection to leverage Microsoft’s state-of-the-art threat detection and notification in case of targeted nation-state cyberattacks.


Building the security operations center of tomorrow—harnessing the law of data gravity

This post was coauthored by Diana Kelley, Cybersecurity Field CTO, and , EMEA Chief Security Advisor, Cybersecurity Solutions Group.

You’ve got a big dinner planned and your dishwasher goes on the fritz. You call the repair company and are lucky enough to get an appointment for that afternoon. The repairperson shows up and says, “Yes, it’s broken, but to figure out why I will need to run some tests.” They start to remove your dishwasher from the outlet. “What are you doing?” you ask. “I’m taking it back to our repair shop for analysis and then repair,” they reply. At this point, you’re annoyed. You have a big party in three hours, and taking the dishwasher all the way back to the shop for analysis means someone will be washing dishes by hand after your party—why not test it right here and right now so it can be fixed on the spot?

Now, imagine the dishwasher is critical business data located throughout your organization. Sending all that data to a centralized location for analysis will give you insights, eventually, but not when you really need it, which is now. In cases where the data is extremely large, you may not be able to move it at all. Instead, it makes more sense to bring services and applications to your data. This is at the heart of a concept called “data gravity,” described by Dave McCrory back in 2010. Much like a planet, your data has mass, and the bigger that mass, the greater its gravitational pull, or gravity well, and the more likely that apps and services are drawn to it. Gravitational movement is accelerated when bandwidth and latency are at a premium, because the closer you are to something, the faster you can process and act on it. This is the big driver of the intelligent cloud/intelligent edge. We bring analytics and compute to connected devices to make use of all the data they collect in near real-time.

But what might not be so obvious is what, if anything, data gravity has to do with cybersecurity and the security operations center (SOC) of tomorrow. To have that discussion, let’s step back and look at the traditional SOCs, built on security information and event management (SIEM) solutions developed at the turn of the century. The very first SIEM solutions were predominantly focused on log aggregation. Log information from core security tools like firewalls, intrusion detection systems, and anti-virus/malware tools was collected from all over a company and moved to a single repository for processing.

That may not sound super exciting from our current vantage point of 2018, but back in 2000 it was groundbreaking. Admins were struggling with an increasing number of security tools and the ever-expanding logs from those tools. Early SIEM solutions gave them a way to collect all that data and apply security intelligence and analytics to it. The hope was that if we could gather all relevant security log and reporting data into one place, we could apply rules and quickly gather insights about threats to our systems and security situational awareness. In a way this was anti-data gravity, where data moved to the applications and services rather than vice versa.

After the initial “hype” for SIEM solutions, SOC managers realized a few of their limitations. Trying to write rules for security analytics proved to be quite hard. A minor error in a rule led to high false positives that ate into analyst investigative time. Many companies were unable to get all the critical log data into the SIEM, leading to false negatives and expensive blind spots. And one of the biggest concerns with traditional SIEM was the latency. SIEM solutions were marketed as “real-time” analytics, but once an action was written to a log, collected, sent to the SIEM, and then parsed through the SIEM analytics engine, quite a bit of latency was introduced. When it comes to responding to fast-moving cyberthreats, latency is a distinct disadvantage.

Now think about these challenges and add the explosive amounts of data generated today by the cloud and millions of connected devices. In this environment it’s not uncommon that threat campaigns go unnoticed by an overloaded SIEM analytics engine. And many of the signals that do get through are not investigated because the security analysts are overworked. Which brings us back to data gravity.

What was one of the forcing factors for data gravity? Low tolerance for latency. What was the other? Building applications by applying insights and machine learning to data. So how can we build the SOC of tomorrow? By respecting the law of data gravity. If we can perform security analytics close to where the data already is, we can increase the speed of response. This doesn’t mean the end of aggregation. Tomorrow’s SOC will employ a hybrid approach by performing analytics as close to the data mass as possible, and then rolling up insights, as needed, to a larger central SOC repository for additional analysis and insight across different gravity wells.
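The hybrid model described above, as an added example that is not part of the original post: each site (a data "gravity well") runs a failed-login detection rule against its own logs and ships only compact insights, and a central SOC correlates those insights across sites. The site names, log lines and threshold are constructed for illustration.

```python
"""Hybrid SOC sketch: detect next to the data, roll up only insights.
Added example; sites, thresholds and log lines are constructed."""
from collections import Counter, defaultdict

# Constructed sample logs, one list per site (each site is a "gravity well").
SITE_LOGS = {
    "eu-west": [
        "2018-10-01T10:00:01 auth failed user=alice src=203.0.113.7",
        "2018-10-01T10:00:02 auth failed user=bob src=203.0.113.7",
        "2018-10-01T10:00:03 auth failed user=carol src=203.0.113.7",
        "2018-10-01T10:00:04 auth ok user=dave src=198.51.100.2",
    ],
    "us-east": [
        "2018-10-01T10:00:05 auth failed user=erin src=203.0.113.7",
        "2018-10-01T10:00:06 auth failed user=frank src=203.0.113.7",
        "2018-10-01T10:00:07 auth failed user=grace src=203.0.113.7",
        "2018-10-01T10:00:08 auth failed user=heidi src=192.0.2.9",
    ],
}


def local_analytics(site, lines, threshold=3):
    """Run the rule where the data lives: N+ failed logins from one source."""
    failures = Counter()
    for line in lines:
        if " auth failed " in line:
            failures[line.split("src=")[1].split()[0]] += 1
    # Only small insight records leave the well, never the raw log mass.
    return [{"site": site, "src": src, "failures": n}
            for src, n in failures.items() if n >= threshold]


def central_correlate(insights):
    """Central SOC: flag a source that trips the rule in more than one well."""
    sites_by_src = defaultdict(set)
    for ins in insights:
        sites_by_src[ins["src"]].add(ins["site"])
    return {src: sorted(s) for src, s in sites_by_src.items() if len(s) > 1}


def run_hybrid_soc(site_logs):
    """Return cross-site findings plus raw vs. shipped byte counts."""
    insights = []
    for site, lines in site_logs.items():
        insights.extend(local_analytics(site, lines))
    raw_bytes = sum(len(l) for lines in site_logs.values() for l in lines)
    shipped_bytes = len(repr(insights))  # what actually crossed the network
    return central_correlate(insights), raw_bytes, shipped_bytes
```

The byte counts make the data-gravity argument concrete: the central repository sees a fraction of the log volume yet still correlates the same source across both wells.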

Does this sound like an intriguing idea? We think so. Being practitioners, though, we most appreciate when great theories can be turned into real-world implementations. Please stay tuned for part 2 of this blog series, where we take the concept of tomorrow’s SOC and data gravity into practice for today.


Seattle Times: Microsoft releases new security tools for political campaigns to combat hacking attempts

Microsoft is offering new security tools to political campaigns — some measures with a level of technology usually reserved for government and big corporate customers — as it expands its efforts to stifle hacking attempts from foreign entities.

The Redmond company announced late Monday a new set of tools, called AccountGuard, that will closely watch hacking attacks and attempts made against campaigns, and notify their staff when threats occur. Microsoft will also offer training for staffers on how to make accounts more secure, and let them test new security tools “on a par” with the features Microsoft sells to government and corporate clients.

The AccountGuard services will be included for free to campaigns, candidates, think tanks and other political groups that are Office 365 customers. The service is the newest part of Microsoft’s Defending Democracy program announced this spring, which aims to make elections secure.

Microsoft pointed to the need to expand security efforts, saying it seized six website domains last week, with the help of a court order, that belonged to hacking group Fancy Bear. The group is believed to have ties to the Russian government and was behind the 2016 hack against the Democratic Party.


That group and others like it use domains such as and to give the appearance of a trusted organization when they send out phishing emails. The emails could be used to obtain passwords and infiltrate political organizations.

So far, Microsoft has shut down 84 of these fake domains set up by Fancy Bear in the past two years. The company also revealed last month that it thwarted two attempts last fall by hackers trying to get inside two Senate candidate campaigns, including Missouri Democrat Sen. Claire McCaskill’s.

The number of hacking attempts has ticked up as midterm election campaigns get underway, Microsoft President Brad Smith wrote in a blog post Monday. It’s widely believed the threats aren’t as numerous as they were during the 2016 elections, but cybersecurity executives say they are still serious.

“We can only keep our democratic societies secure if candidates can run campaigns and voters can go to the polls untainted by foreign cyberattacks,” Smith wrote.