Pearls of Wisdom in the Security Signals Report
Nic Fillingham: Hello, and welcome to Security Unlocked, a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft Security engineering and operations teams. I'm Nic Fillingham.
Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel research and data science.
Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft Security.
Natalia Godyla: And now let's unlock the pod.
Nic Fillingham: Hello listeners. Hello, Natalia. Welcome to episode 30 of the Security Unlocked podcast. 30 is the, uh, traditionally, uh, celebrated with a pearl. Uh, I don't have any pearls on me right now. Natalia, do you have any pearls?
Natalia Godyla: I have pearls. I'm not wearing them. I should have worn them to this recording. I feel like it could have been attribute to this massive milestone.
Nic Fillingham: I mean, it's a milestone for you and I. I think that the listeners, they sort of probably don't care as much as you and I do, but, but we'll, we'll... after this we'll, we'll toast ourselves and we'll go put on our finery and look at our pearls. And anyway (laughs)-
Natalia Godyla: (laughs).
Nic Fillingham: ... on today's episode, we have a returning guest, Nazmus Sakib, who's here to talk about the security signals report published back at the end of March. There's a blog post, which you can find on the Microsoft Security blog from March 30th. There's also an accompanying report that you can download from the secured core PC website. And this report is called the Microsoft security signals report, and it is all about firmware and firmware attacks.
Nic Fillingham: And a bunch of things that I sort of thought I knew, but didn't, one of them is I just didn't realize how pervasive firmware is. Firmware is, is everywhere inside your PC. It's not just your BIOS. You know, there's multiple components inside the average computer that have firmware in them. And so that was sort of the first thing that I was sort of quite shocked about to learn. Natalia what were some of your takeaways?
Natalia Godyla: The steady increase in firmware attacks was, uh, shocked me, five fold increase over the last four years. I mean, firmware is a clear target because it houses such sensitive information, but it had been historically too difficult for attackers to target. Now that they're looking for new threat factors, they're targeting firmware because it's often overlooked. There's not a ton of visibility into firmware. So they recognize it's an opportunity for exploitation.
Nic Fillingham: I came into this thinking that the percentage of organizations that have encountered a, a firmware attack, a firmware incident, a firmware breach will be really low. I thought it would be, I don't know, five, 10, 15%. It's over 80, over eight zero, which is just, uh, phenomenal. And so, you know, that was sort of really quite sort of surprising to me. And we spent quite a bit of time in the interview with, with Sakib sort of breaking that number down and understanding sort of why it is so big and what the scope of it is. Again, a great conversation. I encourage everyone to go read the blog, download the report, follow along at home. On with the pod.
Natalia Godyla: On with the pod.
Nic Fillingham: Welcome back to the Security Unlocked podcast, Nazmus Sakib. Thanks for joining us.
Nazmus Sakib: Thanks for having me back, uh, Nic and, and, and Natalia. I appreciate it. I guess, uh, our, uh, expansive chat about cricket was not enough of a disqualifier.
Natalia Godyla: (laughs).
Nazmus Sakib: And, um, um, I'm grateful to be, to be back on.
Nic Fillingham: Yeah. Awesome. Uh, I'm looking forward to, uh, sneaking some cricketing talk into another episode of Security Unlocked. We'll, we'll get to that in just a second. There was a blog post on March the 30th, the blog post is called new security signals study shows firmware attacks on the rise, here's how Microsoft is working to help eliminate this entire class of threats.
Nic Fillingham: There is a fascinating paper associated with this called the security signals report, which you can download for free. We'll put a link in the show notes. Sakib you're here to talk to us about the findings in this research work. Before we jump into that, could you re-introduce yourself to our audience, please? What do you, what do you do at Microsoft? What's your role? What is your day-to-day look like?
Nazmus Sakib: Thanks. So I'm on the operating systems team broadly at, at Microsoft and specifically on the enterprise and security team. Our team works on building in the security features that go into our, our operating systems, Windows, obviously, and as we work on our cloud infrastructure and Azure, we're also looking at, uh, security capabilities in Linux as well, since that's a, a big area of growth and a really important piece of the puzzle for our, for our customers in Azure.
Nazmus Sakib: So my team works on the intersection of hardware, firmware and operating system security features. Uh, we're the team responsible for secured core PCs and secured core server where we're working on alongside our [OEM 00:05:00] ecosystem, the, uh, the Dells, the HPs, Lenovos, uh, of the world to build more secure systems right out of the gate, as those systems, uh, leave the factory floor and go off to our customers.
Nazmus Sakib: We wanna try and shift a bit of the burden of protecting against security attacks to mitigate threats. We wanna shift it left so that there's less of that configuration and management overhead on the end customer. We at Microsoft and collaboration with our partners can do a lot more of that, uh, on behalf of the customer.
Nic Fillingham: Got it. And this report, the security signals report, the 2021 security signals report. Uh, it was commissioned by Microsoft. It was commissioned, I think in part by your team, partnered with a group called hypothesis. I'd love to start with what was the hypothesis? What was the sort of the idea or the big question that you, you all had coming into deciding to create and launch this research?
Nazmus Sakib: We didn't have necessarily, you know, one or two questions that we were specifically interested in. What we wanted to do was to have more qualitative insight into what customers were experiencing to compliment the signals that we get to see from the day-to-day, you know, operation of our products and services. We get a lot of signals, obviously as part of the intelligence that we have in general at Microsoft from a, a threat intelligence perspective, right.
Nazmus Sakib: But we wanted to really understand a bit better around where customers were at and how were they experiencing threats? How are they responding to threats? Like how are they viewing their estate? How are they analyzing and, and bucketing risk? And how are they investing in order to mitigate that risk? So that really was the Uber goal behind doing, doing the research is to compliment the data that we already get internally from the day-to-day operation of our products and services, and really get better insights of how customers are experiencing threats and how they're responding to those threats, tactically and strategically.
Natalia Godyla: So I'll, I'll start with a big question. What are the major takeaways from the security signals report? What was the big aha?
Nazmus Sakib: The big aha. There were maybe a couple of things that, you know, immediately come to mind. And I'm sure as we continue through the conversation, there are a few more that will come to recognize. One was the last time that I was on the podcast, we talked a lot about how we're investing in firmware threat protection. We were seeing a trend that suggested that, you know, based on the security research, based on a couple of recent attacks, that this was something that firmware attacks was something that was, you know, in the near future, if you will.
Nazmus Sakib: What was particularly surprising at least to me, was that over 80% of the respondents and there were, you know, a thousand respondents mentioned that they'd suffered at least one firmware attack in the last couple of years. And so that to me, you know, confirmed one aspect of the hypothesis, if you will, that had internally that, that firmware is a ripe avenue for attack, for threat [inaudible 00:08:20] to exploit. The surprise was that, you know, real customers were, were seeing it.
Nazmus Sakib: And it was at a scale that perhaps we had an accounted for earlier. So it wasn't from our attacks wasn't something that was in the near future. It was actually something that customers were, were experiencing in the present. So that certainly stood out for me. In relation to that, I think, you know, it was a pleasant surprise that, uh, you know, customers are trying to, and enterprises are trying to respond to, to firmware attacks.
Nazmus Sakib: I saw that 33% of respondents said that they were doing, uh, firmware threat modeling, which is a really high number. Threat modeling is generally a pretty advanced security procedure. And, uh, generally it's assigned that whoever's doing, it takes the security life cycle of how they're managing their own estate, their, their product, their services seriously, if they're digging in and trying to do a threat model as well. So that was a pleasant surprise.
Nazmus Sakib: And, you know, it goes well with that, that earlier data point, you know, if customers are experiencing some of these, these threats, they're likely going to invest in ways to mitigate those sorts of attacks. So that was a pleasant surprise for me in the data as well.
Nic Fillingham: When I saw the top level findings from this study, given the massive sample size, like over a thousand respondents, that's pretty big. I was absolutely shocked to see that 80% or even more than 80% of respondents said that they'd experienced the firmware attack. If you'd asked me, hey, what percentage of, uh, of enterprises, you know, across the, the spectrum do you think have had a firmware attack? I would have said 10%, 20. I mean, I'm making that up, right.
Nic Fillingham: But to I think your point when you talked about the, the hypothesis of why you commissioned this research, I would have thought that firmware attacks were very much something that were [inaudible 00:10:12] and a future threat as opposed to something that four out of five have encountered today. So I think you said you were a little surprised there, but I'd love to learn a bit more about this 80% number.
Nic Fillingham: Can you sort of walk us through the spectrum of types of firmware attacks that make up this 80% and, you know, your thoughts on that number? Was it much, much higher than you expected?
Nazmus Sakib: Yeah. It was higher than I, than I expected. I think, um, I was at some level expecting to be a little surprised, but 80% was definitely more than I was expecting. How do I explain that number? We're asking our... the respondents to, to think holistically, like these were, uh, IT decision makers. So they were more likely to be responsible for larger estates like you're described, right, Nic.
Nazmus Sakib: That, you know, they may be managing a lot of PC end points that, you know, may come to mind more immediately, but also potentially servers, potentially other connected devices like IOT systems or a whole range of the sort of connected appliances equipment that you see and get a modern workplace. Right. And so to me, as I think about how a respondent wold have answered a question, I think they would have come at it, not just from the perspective of, you know, is, has my PC firmware been compromised as part of attack.
Nazmus Sakib: They were likely answering that from the perspective of, as any of the systems in my estate that constitutes more than just PCs has been been compromised. So I think that's one way that I can sort of think about like how that number could have been, you know, higher than I was expecting is that respondents were looking at it from the perspective of, you know, I'm not just the person that manages PCs, I'm the person that manages infrastructure.
Nazmus Sakib: And there are many things that go into that infrastructure, and have any of those things been compromised using firmware. So to me that was something that helped explain things in my mind. The other aspect is just, you know, for me personally is recognizing that, you know, firmware is, is just on, you know, quote unquote, everything. You know, we often think a lot about, and especially from our last conversation right Nic where we talk a lot about boot firmware.
Nazmus Sakib: But firmware is on all the components that, that go in to make a device work, right. Firmware is on your network controller, if you have, you know, firmware helps make your wifi packets move on a network. Firmware is on your, your storage device, right on your hard desk or your SSD. And so customers correctly, I think probably interpreted firmware to account for all of those things. And so if they've potentially encountered an attack where a buggy networking firmware may have been part of the compromise, they, they perhaps kind of answered that question that way.
Nazmus Sakib: So that's how I've been able to kind of explain that number. And it's, it's pretty insightful to, to sort of come at it from that perspective at least for me, is to, to make sure that, you know, I'm looking at the problem space and the breadth that customers have to experience it.
Nic Fillingham: That's a fantastic clarification there. And it's, and it's an assumption that I had coming into this that you've, you've just [inaudible 00:13:28]. Firmware is not just boot firmware, firmware is, is everywhere. To your point it's not, so it's not just PCs and on PCs it's not just boot firmware. As you were walking through that list of things, I sort of distinctly remember, you know, I have, uh, a laptop that was updating the other day, or I got some sort of notification saying that there was an update required and it was touch pad firmware.
Nazmus Sakib: Right, right.
Nic Fillingham: So there's obviously, you know, some silicon that helps the touch pad work and that has firmware inside of it. And I guess if it has firmware inside of it, it's a potential vector for attack.
Nazmus Sakib: Yeah, exactly. If you have a hardware device, right, or a hardware component, it has firmware. And so I think to me that was one of the big kind of, uh, moments of, of making sure that I wasn't kind of being narrow and fixed in my kind of perspective is just like, yeah, of course, um, you know, we need to be thinking about, about from where in that expansive way.
Nazmus Sakib: We do but I think it's one of those things where, you know, if, uh, your focus is in a particular area as that's where, you know, your immediate like, uh, engineering schedule is or happens to be, you know, it's easy to kind of lose sight of that. So I think, you know, looking at it from the customer's perspective that they're interpreting firmware as being more than just for PC class devices.
Nazmus Sakib: And then also, you know, looking at firmware as not being just boot firmware, I think, you know, that helps explain why that number was, was high and why that number isn't surprising.
Natalia Godyla: So the other finding in the report was around investment levels. The data showed, what was it that 39% or 29% of budgets was dedicated to protecting firmware? What is typically that budget used for? What technologies is, is that 29% encompassing? And is that the right amount?
Nazmus Sakib: That's a really interesting question. And I think it's one where one of the big things that we've spent a lot of our time on in trying to interpret that data. Uh, a lot of those investments in, in firmware security that 29%, I think you're going into what I'd call like the, getting the fundamentals, right. And making sure that as Nic was talking about making sure that you're putting firmware updates out, getting them out through your estate to the estate current.
Nazmus Sakib: That's where a lot of that time is going. And oftentimes from our updates like doing it, it seems kind of basic, but it is, uh, can be a time consuming process and just making sure, especially in a managed environment, if you're trying to ensure that you're, you're controlling the network and especially in, in more controlled environments, if you are restricting access to the, to the open internet, then that also ends up meaning that you need to more proactively manage how updates are deployed.
Nazmus Sakib: So that's where a lot of that investment is going in, in making sure just the basics are covered. Now, I think, you know, a lot of enterprises have sort of said it in the aggregate that, you know, I think if I recall the number correctly, you know, 62% of enterprises said they weren't, getting to, to be able to spend enough time on strategic work. And, you know, I, I wonder if that's one of those pieces where customers feel that they could be doing more in the firmware space.
Nazmus Sakib: We did see a correlation where if a respondent had said that they'd been attacked or been, uh, compromised by a former attack, their levels of investment did go up as, as you'd expect. And so I think, you know, I take those signals to mean that I think, uh, that the customers recognize that they could be investing more in some strategic investments and that it is likely that there is some room there for customers to bolster their defenses against some of these firmware attacks.
Nic Fillingham: Sakib, to folks listening to, to the episode and you know, about to go and download the report and, and read through it. What do you want them to take away from that?
Nazmus Sakib: Right. So I think, you know, if there was a key [inaudible 00:17:48] takeaway and the report does look at firmware, we also asked about software and hardware. I think the big thing that sticks out is that where customers wanna go, where different enterprises want to get to from a security perspective. And that is to be more proactive, I think in general, right? And so getting to a place where they can have more proactive protections is, is I think something that, that stood out.
Nazmus Sakib: I think a couple of things that help bolster that is some of the technologies that companies mentioned, that they would be investing more in compared to where they are now in the next two years were AI, ML and trusted execution engines like TEEs. So those are protected enclaves in a system, which are ultimately ways where you can end up creating more of that proactive protection rather than wait to know what an attack is or what any particular strain of malware is.
Nazmus Sakib: And then, you know, figure out how to block that strain of malware. It clearly looks like customers are trying to get to a place where they're not playing whack-a-mole, and have ways where they have more systemic protections, whether that's using technologies like machine learning and AI that are data driven, or by using more fundamental hardware protections like TEEs to mitigate things out of the box of how things are built and architected.
Nazmus Sakib: So that was like the key, key takeaways that customers, companies, enterprises, they're all trying to get to a place where they have more proactive protections. Now in terms of where Microsoft is and how, how we can kind of help customers on that journey, I think, you know, we're, as I mentioned, we're working on secure core PCs, which is a collaboration with our ecosystem.
Nazmus Sakib: We have had secured core PCs for, you know, it's getting close to a couple of years now since we, since we launched. And so I think, uh, a little over a year and a half, we recently at ignite in, in March. We announced that secured core is now or will be coming to, to servers and also edge products like IOT devices. Um, because we recognize that customers are experiencing a lot of the same problems that we saw in the PC space, where they're trying to figure out how to be more proactively protected by design, by the operating system, by the hardware that's manufactured by an OEM or device manufacturer.
Nazmus Sakib: So we're bringing that same set of, uh, of principles over to servers and, and IOT as well. And alongside that, one of the other things that customers mentioned as an area of interest is advanced threat protection technologies and Microsoft Defender for end point has been investing in firmware protection capabilities alongside all of their existing investments around operating system and, and services security.
Nazmus Sakib: So we'd definitely want a partner with customers on this journey. We're investing, I think, in, in a bunch of different areas and we're, we're constantly looking at, at our data, we're trying to find ways to connect with our customers to make sure that we're, uh, we're effective partners and ensuring that we're helping them stay ahead of, of attackers.
Natalia Godyla: Sakib could you clarify a few of the phrases and terms you just used, um, trusted, enclave, TEEs?
Nazmus Sakib: Right. So trusted execution engines or enclaves there, they're class of technologies that involve creating an isolated environment for code to execute. And they're often used in conjunction with a general purpose operating system. So the easiest way to think about it is that when you have an operating system and anything that's a sensitive asset, whether that's some sensitive data, whether that's, uh, a key use to access sensitive data.
Nazmus Sakib: Rather than keep it in the operating system where both legitimate and illegitimate applications may be able to access that sensitive data, you can create a system where that sensitive data is stored on this trusted execution engine, which has hardware and software safeguards to better prevent illegitimate access from malware.
Nazmus Sakib: So depending on the, the architecture, OEM has something like a trust zone which you can, you know, look at as a trust execution engine. Intel has a SGX, which we can interpret as a, uh, as a form of a trusted execution engine. Uh, there are these capabilities that are available on different hardware platforms that help operating system vendors, as an example, create these isolated enclaves for storing sensitive data and keys. So at TEE is a trusted execution engine often referred to as, as hardware enclaves as well.
Nic Fillingham: Got it. Okay, so I've read the report. I see that over 80% of enterprises have, have experienced some kind of firmware attack. I see that, you know, potentially not enough either attention or time or money or investments being, being made in, in sort of proactive protections. And so that's, that's definitely a takeaway there. What about protecting existing hardware estate? You know, is there more that I can do to better secure my devices that, that may not have a vulnerability now, but may have a vulnerability in the future?
Nazmus Sakib: Right. I think, you know, for those sorts of sorts of, uh, systems, which, you know, you're, you're totally right. You cannot, uh, especially in a large enterprise, just change, uh, all your hardware out on a dime. And so I think having strategies to manage the risks from older systems is, is a necessity. There are two things that I think would be most useful. One, I think we kind of touched on, which is what a lot of customers and, uh, enterprises are doing is making sure that the basics around updates and patching are being done.
Nazmus Sakib: And finding ways where you can ensure that you have the right pipeline around that, around making things as automated as possible, uh, and getting to a place where there's good consistency around firmware updates and that, you know, you're not falling behind. I think, uh, it sometimes feels, uh, unfashionable perhaps, but, uh, it's a really important capability to have, is that the ability to make sure that firmware updates are happening and, you know, that's doubly important for, uh, older systems, they may not be capable of using some of the newer mitigations. T
Nazmus Sakib: he other one I would say is that, uh, a lot of great works kind of gone in, I think, to the firmware protection capabilities of Microsoft Defender for endpoint. By its very nature. It is not as dependent as say some other protections that we have around new hardware. So it can actually provide protection based on you know, signals that it's getting on older systems as well.
Nazmus Sakib: So I think it would be a big lift for, uh, the older hardware, if you're able to do updates consistently and you get to take advantage of, of tools that, uh, work on on older systems like Microsoft Defender for endpoint, those sorts of ATP solutions that, that are more data-driven and so it can provide protection for older systems as well.
Nic Fillingham: Sakib just to, to wrap up here. So I did note in the report that there was a percentage of, of respondents here that sort of admitted that firmware is entirely unmonitored or essentially unmonitored. I think it was 20% or something. Ut was, it was, it was sort of a scary number. If I, as a listener, if I am, uh, you know, listening to this episode and going, oh gosh, I'm, I'm in that 20%, we, we don't monitor firmware.
Nic Fillingham: Where would you point the 20% of organizations out there that, that aren't monitoring firmware? What's the, what's the first thing they can go do? Is there an easy first step to start to get a handle of this?
Nazmus Sakib: Yeah, I think the work that the Microsoft Defender for end point team has been doing around firmware scanning, it's already, I think, a pretty useful tool and I know that they're, they're continuing to, to, to figure out how to make it better. And so I think to me that seems like a good thing for, for customers to, to consider as a starting point, and especially given all the other insights that and experiences that the tool, the service has.
Nazmus Sakib: It's a way to have some familiarity as you kind of get into a new space. I know that, you know, when I perhaps take on a new project or a new area, I think, you know, if it's, uh, if there are at least some islands of familiarity, it's much easier to get started, it's a lot less scary. And so I think for a lot of customers who may be familiar with monitoring other data from the operating system for other applications, using a familiar tool, a familiar interface to also start looking at firmware data, I think, uh, it's a good place to, to get started.
Nic Fillingham: Well, awesome. Sakib, thank you so much for joining us again on Security Unlocked. Again, we are talking about the security signals report, the 2021 security signals report or sort of thought paper. There's a link in the show notes. I encourage everyone to go down, download and read through the report. It's really sort of a fascinating snapshot of what the, the state of a firmware security is across the industry.
Nic Fillingham: Before we wrap up, though, I have to ask [inaudible 00:27:50] is currently in Sri Lanka for a two test series. First test was a draw, what's gonna happen in the next test?
Nazmus Sakib: And the rate it's going, it's probably gonna be another draw, um, lots of runs. So it seems likely that, uh, it'll be a draw, but you know, it's [inaudible 00:28:07]. You never know things can change in, uh, the space of a single session. So, so yeah, uh, there were a lot of runs in the first test. It looks like there are a lot of runs in the second one. So I think as of right now, I think it's a, it seems like it's headed for a draw after a couple of days, but let's see.
Nic Fillingham: Natalia we're they were talking about, uh, cricket.
Natalia Godyla: Considering I didn't know any of the words, I guessed, Cricket.
Nic Fillingham: Yeah. And so a test match, I'm trying not to butcher this Sakib so correct me if I'm wrong, but for Natalia, Natalia as a test match, imagine a baseball game that goes of maximum five days.
Natalia Godyla: (laughs).
Nazmus Sakib: (laughs).
Nic Fillingham: And, and Natalia, and the other thing about cricket is that, especially test cricket every 15 minutes, you have to stop for tea and cucumber sandwiches. That's, um-
Natalia Godyla: Oh, okay.
Nic Fillingham: ... that's built into the rules.
Natalia Godyla: Well, you sold me at that. Yeah.
Nic Fillingham: Yeah. Yeah. And, and, and regardless of the way that you have to wear a seven piece suit entails.
Natalia Godyla: (laughs).
Nic Fillingham: It doesn't matter, it's-
Nazmus Sakib: (laughs).
Nic Fillingham: ... that's, that's every, every-
Natalia Godyla: Well now you're just taking advantage of the knowledge gap (laughs).
Nic Fillingham: (laughs) Possibly. Nazmus Sakib, again, thanks for being on Security Unlocked. Thanks for joining us. I'm sure we'll talk to you again in the future. And again, uh, folks go down and download and read through the security signals report. And if you're in that 20% of folks not tracking, uh, firmware security, see if you can get on top of that one. It sounds like it's probably something you should prioritize.
Nazmus Sakib: Thank you, Nic. Thank you, Natalia. It's a, it's a pleasure to be on and, uh, great to have the discussion and, and I hope that the listeners find it fascinating. And, and obviously we love to hear from customers and listeners as well.
Natalia Godyla: Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.
Nic Fillingham: And don't forget to tweet us @msftsecurity or email us at firstname.lastname@example.org with topics you'd like to hear on our future episode. Until then stay safe.
Natalia Godyla: Stay secure.