The 2021 Microsoft Digital Defense Report
Nic Fillingham: Hello. And welcome to "Security Unlocked," a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nic Fillingham.
Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dives into the newest threat intel, research and data science.
Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft Security.
Natalia Godyla: And now let's unlock the pod.
Nic Fillingham: Hello, the internet. Hello, listeners. Welcome to Episode 49 of the "Security Unlocked" podcast. My name is Nic Fillingham. Joining me, as always, is Natalia Godyla. Hello, Natalia. How are you? And can I get a status report, please, on the commemorative 50th episode anniversary gold foil chocolate coins that I know you're working hard on?
Natalia Godyla: The chocolate is on track. I may have eaten a good portion of it. But, you know, there'll still be a few coins of chocolate.
Nic Fillingham: So you're saying there's a slight supply chain issue with the...
Nic Fillingham: ...Production of these gold coins. Is that right?
Natalia Godyla: And I am primarily the issue.
Nic Fillingham: (Laughter) Well, yes, we are coming up on our 50th episode. We're very excited about that. But today's Episode 49. We are joined by Sian John. On today's episode, we are going to talk about the 2021 release, the second release of the Microsoft Digital Defense Report, the MDDR, which you can download at aka.ms/mddr.
Nic Fillingham: And Sian is joining us today to really sort of give us a general overview of what can we find in the 2021 edition of the MDDR. And then we specifically go deep into the final chapter, which Sian co-wrote with someone that's probably very familiar with the podcast audience - Ann Johnson - on what are the key takeaways and the sort of big shifts that we've seen in the cybersecurity industry over the past 12 months.
Nic Fillingham: Natalia, what were some of your takeaways and highlights from both the MDDR and then today's conversation with Sian?
Natalia Godyla: She does a great harbor cruise through the different sections of the MDDR. So the MDDR goes deep on a few different topics in cybersecurity - the state of cybercrime, nation-state actors, hybrid workforce and disinformation. Now, I gravitate towards the topics of cybercrime and nation-state actors. We had a really great conversation around the evolution, consolidation and maturation of the cybercriminal operations, which is just always fascinating to hear the economics of how that's being developed.
Natalia Godyla: One of the salient points to me, though, I think our listeners will find not just interesting but useful is the presence of nation-state threats in all manner of companies. You know, as Microsoft, we recognize that we're a target for nation-state actors. But Sian made a good point that at this point, small businesses should be equally aware of that as a risk to their operations.
Nic Fillingham: I'll remind you one more time of the URL to download the report 'cause I think it would be great to follow along at home - aka.ms/mddr. But I think we should get on with the pod.
Natalia Godyla: On with the pod.
Nic Fillingham: Welcome to the "Security Unlocked" podcast, Sian John. Sian, thank you for joining us, especially for staying up late in the U.K. Welcome to the podcast.
Sian John: Thanks for having me. I'm looking forward to it.
Nic Fillingham: I'm also looking forward to it as well. Sian, if you could please introduce the audience to you and your role at Microsoft, how long you've been here. What do you do? What's your day-to-day job look like?
Sian John: Yeah, I'm Sian John. My - just had my four-year anniversary for working at Microsoft...
Nic Fillingham: Hooray.
Natalia Godyla: Woo.
Sian John: ...Last weekend, yeah.
Nic Fillingham: Congratulations.
Natalia Godyla: (Laughter).
Sian John: So it seems like I only joined yesterday, and yet it also seems like I've never worked anywhere else. So that's great.
Sian John: And I started off leading, working as a chief security adviser in (unintelligible), Japan, working with our senior customers - the CISOs and things of that - talking to them about their strategy, what they want to do, how Microsoft cannot help. But for the - coming up to the last year, I've worked in our business development team looking at the growth opportunities that Microsoft can make in security, looking more at that longer-term, bigger strategic engagement that we might do.
Nic Fillingham: Are you a former CISO? Have you - are you sort of from the more formal info cybersecurity side?
Sian John: I'm sort of one of those - like many people of my age, being quite middle-aged in security that got there organically. So I think I'm coming up to my 25th or 26th year in cybersecurity now, from before it was called cybersecurity. I sort of started off internally in the customer, and then I went in through consulting - very senior consulting, strategic consulting - into presales. And then the role I had as a security adviser I did before at a company called Symantec. And I've been doing that senior strategic adviser role long-term strategy for about 10 years.
Natalia Godyla: Well, today, we're going to talk about the Microsoft Digital Defense Report with you - the 2021 edition of the report. So for those listening to the podcast today that don't know this report, can you just share a little bit of a background and explanation of what someone would find in the report?
Sian John: Yes, it's really a state of the nation of security as Microsoft sees it. So we used to have a - we used to do a security intelligence report, which was a bunch of stats and facts, which were all very interesting but not necessarily that usable for people in terms of thinking about what that might mean for them. So what we've done for the - I think it's the second time we've published the Digital Defense Report now - is actually combine some of those stats and facts and information, but also with the insights of the various teams that we've got that specialize in this area - so giving not just a whole load of stats about what malware we see, but actually how we're seeing campaigns evolve, how we're seeing threats evolve, the sort of approaches that people should take to defending themselves.
Sian John: That's why the Digital Defense Report term is so important. It's not just like every security company out there gives you a lot of stats about how bad it is. This isn't about that. This is like, here's some stats about what's going on, but also, here's some really strong recommendations about what you should do to do with that, how you should evolve, how you should respond based upon the expertise of our various teams within Microsoft.
Nic Fillingham: And, Sian, you've actually personally contributed to many areas of the report. It's why we've invited you to be on the podcast today, in addition, obviously, to your 25 years of experience in the industry and your four-year anniversary. Congratulations. I believe you get a case of Talking Rain on your fourth year.
Nic Fillingham: I wonder, could you just sort of give us a little quick tour? What are some of the sections of the report where we could sort of find your analysis or your insight before we sort of start diving into each of the chapters?
Sian John: My team - myself and my manager, actually - we worked on the conclusion, the actual insights section. So I had the pleasure of reading the entire report to see what everyone was talking about and see if there were any common themes that might be seen across the different areas. You have different foci in the report. And then we were going, well, like, OK, ah, there's some common themes each of those experts are saying that we can abstract out and say, these are things you should look at, and these are things you should work at.
Sian John: So related to that, there's some key paradigm shifts we're seeing in security, but also some things around cyber hygiene and zero trust, which is a very big theme in the report that we talk about. But really, that's what I was working out. I was on the actual insights. But really, that meant I got to read all the great insights that everyone else had written throughout the report.
Natalia Godyla: So before we dive into those insights, I'd love to spend a little bit of time on the focus areas just so we could provide a little bit of context to our listeners on what sorts of information you distilled for those insights. So what were the main focus areas of this report, and how did we come to the conclusion to focus on those? I believe there were six in total.
Sian John: Yeah, so six in total, and we could've done more. There's so many different topics and themes that we work on. And so I think the real focus from the office was to say, what are the six that are most impactful right now in terms of both things that are happening, but also topics where people can get themselves ahead and start to think about how they might need to change the way that they do things in doing so.
Sian John: So one of those was, what's the sort of state of cybercrime? It's always interesting to people to know what's going on in the criminal underworld, what people are doing, how the criminal attackers are evolving. And that was really looking at the evolving marketplace, obviously, the rise of ransomware and the really living off the land that's been a threat that's been going on for the last few years and how, you know, you effectively got ransomware as a service as a whole business model in cybercrime now, which just means you're dealing with a lot more professional level of crime than would've been the case 10 or 15 years ago. It's a trend we've been on. So there's lots of stats and facts in there, but also some insights around what that means and how the campaign groups are operating.
Sian John: And then related but separate to that is their nation-state threats and looking at how the nation-state has worked, particularly in the last 18 months, where, you know, there has been a real rise in very high-profile nation-state attacks, but also, as more and more people have been working remotely, there's been more and more sensitive information and sensitive work happening outside of people's environments, making them more at threat.
Sian John: And then another big thing, in particular the last year, when we've had the SolarWinds, Solorigate attack - things like supply chain and how people can think about what the supply chain attacks are. And not just looking at one attack - they're looking at what people can do to secure the whole supply chain.
Sian John: And then relating to that, things like IoT and OT security - so as we - as technology is becoming more and more baked into what we do every day, the fact that you have got now systems that would've been analog 20 years ago are now connected to networks, you know, key operational technology systems - and obviously, we've seen some of the result of that in the last year as well. So really talking about those challenges, but then also about some of the architectural approaches people could do to be secure.
Sian John: The other big theme for the last year - two years, really, I suppose - is hybrid work security, unsurprisingly. So given that, you know, our hybridness continues and will remain, I think, even after things - the pandemic is over, it was a trend we were already on towards a much more modern working environment. And I think that just got accelerated. So there's going to be that mix and match. And so really talking about what that means from a security perspective, so how you can actually secure and protect people but also allow them to be productive in that hybrid working environment.
Sian John: And then the final topic and area, another, again, very - a relevant topic for today is disinformation, so looking at almost that emerging threat of disinformation that we've seen. You know, so obviously, we talk about some of the things that happen with election security and elements like that. But there's also how that can be used for enterprise disruption and the fact that really - I think the phrase that the author uses in that is effectively that it's if you've got cybersecurity, today it's mostly looking at hacking devices and systems, but disinformation is really looking at the cognitive hacking and the hacking of the person.
Nic Fillingham: Thank you for that, that quick summary of the report. And for those listening at home, we'll have the URL to download the 2021 MDDR in show notes. Please go and download it. It's a fascinating read. It's 140-odd pages, but there's some really helpful infographics and some visuals there that really sort of tie it all together. Plus, obviously, the inside analysis from across all the various teams at Microsoft is really fascinating.
Nic Fillingham: I thought we might come back up to the top to that first chapter and if - Sian, I wonder if there is just maybe one or two things that might've caught your eye as you were reading through it and especially digesting it to pull together those actionable insights.
Nic Fillingham: I know for me, reading the cybercrime chapter - and I had seen these stats before, but it really hit home. There's a little graphic on Page 9 that talks about the average prices of cybercrime services for sale. And it's just really so eye-opening to see how the economy of cybercrime evolves. And the kinds of attacks and attacks for hire are in some ways so much - I want to say cheaper than I expected. And then in other areas, they're actually sort of a lot more than I expected. And so it was sort of fascinating to see this little snapshot into what are the prices that are being charged and what are criminals willing to pay for these services. Yeah.
Nic Fillingham: Your thoughts on the cybercrime chapter?
Sian John: Yeah, that's very similar to me. It's a trend that we've been watching for, like, the last, I want to say, 10 years, maybe a little bit longer than that, where effectively, you're seeing this professionalization of cybercrime, where it's - and I think the challenge most people have is they still think of a 22-year-old hobbyist sitting in their bedroom being the hacker. And that's just not the reality. They're probably wearing business suits, or they're the techies that are writing things - people wearing business suit. And you're making your money out of that service.
Sian John: And we saw that a little bit with the financial Trojans. And that started to happen, where people started to sell the Trojan on the market because that's probably, I suppose, less risky if you're a techie than actually using it.
Sian John: And then that's why you see, like, the social engineering getting more sophisticated - 'cause you've got people that understand people doing the social engineering.
Sian John: And so I found that really interesting, and the fact that it's getting so mature now. And I think ransomware is such a lucrative market, I hate to say, for the attackers that it's really funding this business evolution, and you're seeing it go to that next level now.
Sian John: And the fact that some things are just becoming commodity. And so if you think about any evolution of any market, you start off with your high-value goods, and then they sort of drop down in commodity. And we're almost seeing that now in the market. So it's been becoming a market for 10 years, and it's really getting there now. So we used to talk about having the support contracts and, you know, one free upgrade a year. And now it's not even that. It's like it is the other service model - come along, rent some time for us. We'll do all the maintenance, just as you would with any of the software as a service, and then we'll take (ph) it.
Sian John: And the other one that really hit home for me as well is the amount of research they're doing into organizations. So in ransomware, they're not just sending the attack. They're doing research into people's accounts and turnover and bank accounts to try and work out what they can afford to pay. And, you know, some examples of people saying, well, I know you can afford to pay this, and getting very - almost doing the economic research in a way that you would expect in any sort of market environment. So it is just that continuing the professionalization of crime.
Natalia Godyla: So what's changed here is that the attackers have better tooling to get access to deeper data or that they're better at social engineering as they've continued to evolve. What's driving the unique level of deep information that they're collecting?
Sian John: I think it's business reconnaissance. So they've always done technical reconnaissance, trying to find the way in, trying to break in. But now they've done the research into how the organization is financially. They're doing research into the organization and saying, we've worked out what we think you can afford to pay this ransom, so pay this ransom. And so although they've always done research into the organization and, actually, as time has gone on did more research into people and executives and working out who people are, they're now reading the annual reports. They're reading the budgets. And they're making financial decisions, not just technical ones.
Nic Fillingham: And there's a big part of that cybercrime section on phishing and malicious email, you know, some really interesting diagrams here that sort of talk about the journey of stolen credentials and sort of how they're used throughout the entire abuse of sort of email as a communication medium. Anything, Sian, there you'd like to call out? I know we're going to revisit some of the actionable insights at the very end that come back to phishing and come back to malicious email. But anything that caught your eye here in this chapter?
Sian John: I think, obviously, it's underlying why protecting identity and multifactor authentication - things like that - are absolutely essential. But really, what's the interesting thing - what I think when I read that is absolutely utilizing and exploiting - that's what (unintelligible) - exploiting our webs of trust. So our interpersonal webs of trust as well as our technical ones. So by a takeover credential - and then I use that to expose the trust that other people have for that person. And it's that sort of exploiting our human trust as well as our technology trust, is one of the really interesting things to see. And, you know, as human beings, as much as we try and say don't trust people, we're hardwired to do that. We're social beings. We are hardwired to try and, you know, trust. If somebody you know and trust is asking for something, there is a slightly lower, you know, natural barrier to have that. And I know that, as cybersecurity professionals, we think that's often not the case. But then - but not everybody who's dealing with these things - with that, virtually nobody is cybersecurity professionals.
Natalia Godyla: And so much of what we're talking about here is amplified at the nation-state level, right? These nation-state actors have so much time and funding resources at hand to really bring a new level of sophistication to their attack. So, you know, what really stood out from you from that particular section in the MDDR and the findings that we've developed out of the signals?
Sian John: I mean, it's always interesting to look at nation-state - isn't it? - 'cause it's almost like - it is sort of like what you see in nation-state today will be mainstream tomorrow, is quite often the case, and that's been the same in crime for many years. So some of the things we're seeing in terms of the advanced attack techniques, all the most - I'd rather use the word sophisticated than advanced, 'cause it's not always an advanced attack to be sophisticated because sometimes it's using basic things in very sophisticated ways - but what you see coming in from them can be used against other people. So I think it is that fact that they are just so active at the moment. And you saw them over the last 18 months and the active campaign groups.
Sian John: And yeah, you see this - I think quite often when we see these sort of big zero-days coming out, they - you know, you get waves of zero-days that are quite often driven by nation-state attackers who have the research to do it, going right the way back to Stuxnet and all of the sort of things that came from that. A lot of these threats come from these nation-states that really just have the resources to do the research. And so, you know, when it comes to nation-state, the thing that comes back to me when you read it is you're not going to keep them out. You want to detect them as soon as possible and protect, you know? You want to make it as hard as possible for them to get in, and you want to make sure that you understand. And I think the really big thing for me when I read that section was how important international collaboration and international intelligence-sharing and collaboration between organizations is to actually dealing with it.
Sian John: The other thing, as well, is seeing that some of them are actually working in the - they're sort of self-funding the nation-state activity by working in that sort of private sector as well. And whether they're the same group or not is always a discussion, but they're using the same campaign methods as the nation-states. It's almost like they're finding the budget for your nation-state activity by doing criminal activity to fund it, rather than having to get a budget allocation.
Nic Fillingham: I think we might want to sort of race through the next two - not that there isn't a plethora of things to talk about, Sian. But we want to jump down to this section of the five paradigm shifts in cybersecurity into action - and then actionable insights. So just lightly - you know, hybrid workforce and then sort of disinformation. Hybrid workforce, we've covered quite a bit on the podcast, and I know we've covered that from Microsoft through the Microsoft Security Blog and through when we have presentations at some of our big conferences. It really is probably the No. 1 topic at the moment. Disinformation, though - brand-new chapter. That wasn't in last year's MDDR, so this is sort of a new set of insights and a new set of analyses, which I found fascinating. I wonder, you know, some of your takeaways from that disinformation chapter.
Sian John: 'Cause it's an emerging area, and I think, as we say in the report, it's an emerging - set of emerging threats. And really, it's the fact they're now becoming more sophisticated, more evolved. So obviously, we've got a lot of the conversation around disinformation and then sort of misinformation, which is a slightly less malicious version that's been happening over the last few years and, you know, high-profile things of elections in various countries or referendum - referenda, I should say - being effectively influenced by that. But actually, the sophistication and the capability now means that the synthetic media, the deepfakes, the manipulation with algorithms to really understand how to actually make disinformation work and build behavioral patterns to actually control people, is really beginning to happen. So while obviously if I'm an attacker, if I can use that machine-learning information and to be able to manipulate the way people are and behave and the decisions they make, that's really useful.
Sian John: And the fact that we've got these echo chambers that we're all forming online, that they're effectively being manipulated by things, and you're getting to that point where when you do get, you know, self-reinforcement and you get into certain messages and if you create that perfect echo chamber - and I hate to say, but I suppose in a noncyber way, the - some of the responses to information around the pandemic - you can definitely see people have echo chambers, whether that's, you know, echo chambers that are for vaccination, echo chambers that are against, whatever, you get a self-reinforcing set of messages that come in and then pulling it in, and effectively, there is a lot of parallels there. What I found really interesting is the parallels with cybersecurity and the fact that you can actually use it to adjust and manipulate the people working. I think it's definitely going to end up in phishing and in the way that people - you get people to engage within ransomware as well as actually getting behaviors and outcomes that people want without even having to introduce any malware into an organization. You just manipulate people - what you want to do. So we've seen that arguably done for elections, but there's no reason you can't do that to manipulate response to the way people respond to an organization or companies' activities or services.
Nic Fillingham: I wonder if we might jump forward, Sian, to the five cybersecurity paradigm shifts, which is the introduction to this actionable insights chapter towards the end of the report. There are - as the name suggests, there are five here. The first is the rise of digital empathy. And I'd love you to explain that to me. What is digital empathy, and how is it rising?
Sian John: So it's something we should've been doing in security for years but haven't done. It's - and it's really actually thinking about the situation in which the people that are using the technology are when you ask them to engage with cybersecurity. So if you think about it - I mean, I've 25 years in security, as I was saying. I've heard the user will do the right thing so many times in my career. And they just need to do the right thing. And why did they click on the link? And what's that approach? And, actually, what you need to think about is actually looking at the digital solutions and making sure that what you're creating actually understands the situation of people engaging with it. And particularly over the last year and a half, two years, where people have had a lot of personal stress going on, people working from home. They're not sitting in an office. They've maybe got their cat being sick behind them, their dog wanting to go out, their kids asking for home - help with homeschooling. And then you asking them to make a really complicated cognitive decision about security. And so, actually, digital empathy is saying, OK, let me understand where you are and what you do as an industry. And it's something that we've talked about for a while about, you know, becoming more business-aligned. Actually, it's the way we've gone in modern work. We need to go with security is actually think about who people are. Think about what the situation is. Quite often, security for employees in particular is one-size-fits-all. Everyone's expected to be the same, and everyone gets locked down the same. But actually having empathy for who they are, where they are, what they're operating in and their level of risk allows you to go, OK, so someone who's got privileged access and is doing privileged controls or someone in accounts payable is maybe one set of requirements.
Sian John: But if you're a salesperson who's, you know, doing emails and things like that, there's things like price lists you need to be protected and things of that. But other stuff - just don't give people the access. And don't ask them to make decisions that might be difficult. And also, if you've got traveling people, don't put 15 agents on their endpoint, so it takes 20 minutes to boot up if they've got, like, an hour in a meeting because you know what's going to happen then? They're going to carry that personal device around. Or, you know, traditionally, this is what we've done. We've gone, you get the level of productivity that we decide is secure for you. And what we need to think about is, what is the productivity people need? What's the cognitive stress they're under? What are they used to with technology? 'Cause quite a lot of people - technology is a tool. It's not the be-all and end-all as it is for those of us that work in the industry. And actually making security easy to use, making it engageable and making it as invisible as you can when it needs to be but visible when you need to nudge behavior. So I - it's the analogy we've used a lot in - about cars for years, but it's really that whole - there's certain things in cars that just save your life, like airbags. You sort of know they're there, but you never see them till you have a crash. It's why the rise of sociology and psychology is so important and diversity of background of people working in cybersecurity is so important. Because if we're all techies that spend our entire time playing the security that are all paranoid, that no one uses social media, no one goes out and no one connects this stuff, how can you expect to secure the environment of people that are out and have got a very different background and a very different cultural script to you?
Natalia Godyla: The second pillar here is zero trust. And unlike digital empathy, we've had conversations about zero trust for some time now. But you're saying in the report that it is increasingly important. So why hasn't zero trust been implemented despite the conversations we've had around it? And what's making it even more important now than the previous years that we've been discussing the approach?
Sian John: I think one of the challenges of zero trust is it is becoming very popular. So a lot of people are talking about it, which means it's having that hype cycle effect. So I think it's probably at the top of the hype cycle at the moment, where every man and their dog is saying that their company does zero trust, and they're attaching it to everything. So therefore, the terminology gets a little bit of pushback. But the actual principles - of course, I've seen on Twitter going, oh, hey, have you got someone coming in and saying, yup, their product does zero trust and all this sort of thing? Zero trust isn't a product. I think we say this today in the conclusion. It's almost a set of architectural principles. You can then talk about how the technology you have enables you to do zero trust, so how, from the Microsoft perspective, our identity platform helps with that, the way you do that in modern working, that sort of approach. But in reality, the three zero trust principles of verify explicitly, least-privilege access and assume breach or assume compromise, depending on how you feel about the word breach. Those three things together - they're effectively those principles that you need to have. And it's fair - if you think about it, it goes back 20, 30 years in security. We just got into this implicit trust of being on networks because it made it easy, and you could do network filtering. So it's at that point now I think it is taking off. But because everyone's saying my product does it, it's becoming confused, which I think is a side effect of the fact that it's successful.
Nic Fillingham: And then moving on to number three is diversity of data or data matters. This is an interesting little one here. It is talking a bit more about sort of Microsoft's perspective on data capture and signal capture. Can you talk a little about the diversity of data and the importance of that, Sian?
Sian John: Yeah, I mean, so obviously, we talked about - and then we talk about the Microsoft example, but I think it shows for everyone about that need. So I think historically, we've talked about defense in depth in cyber and having lots of different products. And if you got lots of different products that were all giving you the same sort of information, that's not actually what you necessarily need to do. Now, you need lots of different feeds to give you context. So it's not about how I got then to A then to B then to C. It's like, actually, they could all be one vendor, but it's actually, have I got people that give me signal about context of location? Have I got things about health of the device? Have I got threat signals? Have I got signals about what's going on on the cloud and the network? And I think that's the reality of not relying on one particular feed and bringing everything together, including maybe what would be traditionally nonsecurity-themed data to allow you to - I sound British. I got to say data and not dahta (ph) - data to allow you to bring things together. And I think it's a thing people have talked about for ages. And I think the reason we say diversity is diversity, not just volume. Having lots of volume of the same data doesn't necessarily help.
Nic Fillingham: I wonder if this is - you know, there's a parallel here for the need for, you know, solutions like SIEMs or XDR solutions that are able to pull in all of your logs and all of your feeds from pretty much every single thing that you have on your network that's generating signal and then using some kind of technology to correlate them together to go find incidents. There's a parallel there, right?
Sian John: Yeah, it really is. And it's that diversity of data sources. But even if you look at some SIEMs, when you look at the traditional ones, the things they were pulling in were variants of the same type of data source. So it's actually using your SIEM and pulling in lots of different types of data and not necessarily just pulling in all the cloud data into an on-premise thing but actually connecting up different data sources rather than necessarily having it all. Yeah, it's not about having a data lake. It's about having access to the insights, some of which may be a data lake.
Natalia Godyla: Speaking of connections, maybe that's a good way to tee up this one, but I personally really love this one. I think it's a really smart and useful way to think about cybersecurity in the context of the broader motion side of business. But, you know, in the time of crisis, like the past couple of years, and digital transformation, the concept of resiliency has been increasingly popular in conversation. So, you know, how is resiliency of the business truly tied to cyber resilience? And why is this conversation so important to have now?
Sian John: Well, you think about where we've been going over the last - what? - five to 10 years - longer, 20, 30 years. But we're really - now we've gone into digital transformation. You have businesses that were never traditionally digital but now are. And they just rely on it. And if they don't have access to technology or the digital engagement, they just can't operate, whether that's even - obviously, I'm going to go back to being British again - even a pub now. You know, I was seeing in the last year, a lot of them had to get into delivering via online apps, their pints to people or food or actually - even if you're open, you do - I don't know, but it's finally killing cash - is the pandemic. So really, your actual resilience of your technology or - so everyone says cyber resilience as if it's, like, just resilience against an attack. It's like there is almost no cyber impact from a cyber incident, if you know what I mean, its impact on the business and its impact on its operating. If you can't take payments, if you can't sell online and you're an online retailer - and let's be fair - if you didn't - if you weren't an online retailer before the pandemic, then that was a massive - particularly the other day, the world where we shut our shops for four months. If you couldn't sell online, you couldn't sell. And if you think about those sort of approaches, if your technology goes out now, your business - web banking has been for years, I think - about 10, 15 years now, most global banks have been effectively digital businesses with digital money. And it's just where they - I think the rest of the world is going now. If you're - if you lose technology, it's very difficult to go back to a paper-based system.
Nic Fillingham: We're just wrapping it up here, Sian. The fifth and final paradigm shift that is mentioned here in the actionable insights is a greater focus on integrated security. And I read that. And I read those words integrated security. And I wondered how much of that means the allowance for and the planning for and the integration of security, supply chain security. And I know when we say integrated security, we often think of that in terms of, like, platforms and tools and sort of having an end-to-end approach in terms of the security solutions that a team uses. Is it broader than that? Does it include things like monitoring and thinking about your supply chain security? Tell us about this fifth paradigm shift.
Sian John: Yeah. So at the core, it is about putting platforms and tools together to get visibility. But actually, that includes looking at the supply chain, as well. So I think the biggest challenge for most chief information security officers and their teams now is, how do I get visibility of my risk across everything, across my on-premise environment, my cloud environment, my supply chain? And so, yes, the integrated security is really about pulling together a - at least a global visibility of what's going on in your environment - and that is the traditional tools and techniques - but also looking at the supply chain, looking at, you know, operational technology that you might have in place and really looking at how you can actually build efficiencies in across the entire environment and get the visibility you need in a way that's manageable. So, yes, it is about integrating tools for efficacy. But also, you're right about supply chain, as well. And I think what comes through as you read the report is the attackers will go after the weakest link, wherever that may be. Whether that's in your supply chain, in your identities, with people using their dog's name as a password - obviously not with the MFA - or if it's in people not looking after devices, they will go wherever they can get in. And so really, that integrated security approach - looking at how you can get visibility and control across all the disparate environments is absolutely essential nowadays.
Nic Fillingham: Well, Sian, that leads us really nicely into sort of the wrap-up here. We're just coming up on time for our interview today. But if you go to the Microsoft Digital Defense Report, you download it and you read it, one of the things you'll see at the very, very end is a thing called the cybersecurity bell curve. It's on page 124. And it just calls out five basic cyber hygiene tasks that are going to mitigate almost all of your risk. I'm just going to run through them super quick. The first bit of guidance is to utilize anti-malware. It's about some of the principles of zero trust, which is applying least-privilege access and multifactor authentication. It's about keeping all the versions of your software and firmware and stuff up to date and it's about protecting your data. I think - Sian, actually, I think those first four are pretty self-explanatory. Could you quickly just give us a tl;dr on protect data or dahta? Because that seems very broad. What does that really mean when it comes down to mitigating 98% of cybersecurity risk?
Sian John: We sort of put that in there because it often gets overlooked because it is such a broad category, and everyone puts it in the too-difficult-to-do pile. So it's too difficult to work out where information happens. And yet, repeatedly, attackers get in, and they don't seem to have any trouble working out what information matters and how to go and get it. So I'm going to use an American term now. This is better. So it's like - it's because everyone tries to boil the ocean. Everyone tries to do all the data at once. And, yes, ultimately, that's where you want to get to. But you really want to pick the sensitive data, make sure that's protected. So in Europe, it's - well, I suppose everywhere, it's personal data but also the particular sensitive personal data types - credit card data, your plans for - your marketing plans for a new release, which is time-sensitive - and they're not - is that looking at, what are the information you need? And looking at - and sensitivity information labels and data protection. And the reason I say protect data, not prevent loss is prevent loss is a very sort of old-school if it's - I think old-school's the wrong word 'cause it still does have a role to play. But that's very much a - keep it in my remit and don't let anyone else access it. And then you forget about the fact that to collaborate, you need to share it. And then you lose control. So it's something that we've had principles around for 30 years and we've been rubbish at doing for 30 years. And then data is growing exponentially, and we have this massive data hoarder problem, and we don't understand what our data is. So it's almost like, put in some sensitivity labels. Understand where the most critical data is, how it's used, how it's accessed because A, you stop - hopefully stop it being exploited and used where - when it shouldn't be. And B, you also know what level of exposure you have if someone does get in because you have an understanding of what data was touched. 
And if you look at where ransomware is going now, it's not just about destroying our systems. It's about taking sensitive data and leaking that. So at the very least, protect customer data. Protect credit card data. And protect employee personal data. And then, you know, my tea schedule or my local soccer - yeah, I'm American again - and my local soccer team schedule doesn't matter so much unless I've got people's names in it. But, you know, in my back and forth, if you actually classify the really sensitive data, then that is - in the way we talk about protecting and doing this (unintelligible) for high-sensitivity admins and privileged access, we need to be thinking about the same thing for privileged data as well.
Nic Fillingham: Again, we're talking about the Microsoft Digital Defense Report 2021. You can download it in the link that'll be in the show notes. You can also find it at microsoft.com/security. Sian, thanks so much for your time. Thanks for joining us.
Sian John: Great. Thank you very much for having me. I've enjoyed that.
Natalia Godyla: Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode.
Nic Fillingham: And don't forget to tweet us at @msftsecurity or email us at firstname.lastname@example.org with topics you'd like to hear on a future episode. Until then, stay safe.
Natalia Godyla: Stay secure.