Identity, Threat Intelligence Driving Microsoft’s Security Strategy

One year after Microsoft announced its $1B investment into a holistic cybersecurity strategy, executives discuss how their plans unfolded and what’s on the agenda for 2017, including identity.

In November 2015, Microsoft shared the details of its $1B investment in a new integrated security strategy across its portfolio of products and services including Windows, Office, and Azure.

The funds were allocated toward initiatives such as doubling the number of security executives and launching the Microsoft Enterprise Cybersecurity Group (ECG) and Cyber Defense Operations Center (CDOC). Its broader goal was to better protect, detect, and respond to cyberthreats.

One year following the announcement, Dark Reading caught up with Microsoft executives to learn about how its holistic strategy unfolded in 2016 and where its priorities lie for the year ahead.

Bret Arsenault, Microsoft CVP and CISO, explains how the past year has driven platform progress, particularly with threat intelligence. Leaders across Microsoft’s Windows, Office, and Azure teams have begun collaborating to collect data across platforms so they can identify and address security problems.

“We see a large shift in moving away from the ‘spray and pray’ approach to security, and moving towards how to improve protection and response capabilities,” Arsenault says. “In a mobile and cloud world, many approaches aren’t as effective.”

Many people focus on speed of obtaining threat intelligence, says Arsenault, but data diversity is more important because it improves both precision and isolation. Microsoft analyzes events from billions of devices each month. Office 365 and Azure provide endpoint, cloud, and identity intelligence, which helps the company as identity becomes a bigger part of its security strategy.

“Identity is the number one thing people need to focus on,” says Brad Anderson, CVP for Enterprise Client and Mobility at Microsoft.


Anderson, whose team builds management, security, and identity for mobile devices, says more than 75% of attacks trace back to someone having their user account compromised.

He says businesses need to build an identity-based perimeter in addition to the perimeter-based security model. In the cloud world, he says, the only constant factor across services and mobile devices is a user’s identity.

“Attacks on organizations are more sophisticated; more targeted,” he says. “The attackers are getting as mature as the organizations are. You have to assume you’ve been breached and you have to find ways to identify accounts that are being used against you.”

Security has become a data-gathering exercise, Anderson explains. Last year, Microsoft promised to evolve endpoint security in the cloud and on-premises. In 2016, it aimed to better combine security data and threat intelligence with its Intelligent Security Graph (ISG).

The graph collects data from billions of sources including endpoints, consumer services, commercial services, and on-premises tech, and compiles them in one location to apply data analysis, find patterns, and generate insight to pinpoint security flaws.

Every identity in the security graph has a risk score, says Anderson, and scores can determine different actions. If an identity is performing suspicious activity, its score can be raised, and that can trigger an action or feed into building policies. For example, medium risk may warrant multi-factor authentication.

Read the full, unabridged article over at


