More than 18 months after the start of the COVID-19 era, and nine months after the disclosure of the SolarWinds campaign, Microsoft has reengineered much of its business model to reap the rewards of the changing workplace while scrambling to protect what some consider a core weakness: the security of its own products.
The pandemic brought huge benefits to the company, as millions of corporate workers embraced cloud computing and productivity applications, like Office 365 and Microsoft Teams, in order to maintain business continuity. Commercial cloud revenue rose during the fiscal year, up 34% to $69 billion, according to the company. Office 365 grew to more than 300 million commercial paid seats, Microsoft announced in August. The company will raise prices starting in 2022, the first substantial increase since launching the service more than 10 years ago.
Key to maintaining growth in its enterprise and small and medium-sized business (SMB) segments, Microsoft positioned itself as the best option for an integrated, end-to-end solution that offers a seamless, secure experience in a climate dominated by remote work.
"A typical enterprise customer, they might be using 50 different security products from many different vendors, and these products are not built to work together with each other," Harvinder Bhela, corporate vice president, Microsoft 365 security, compliance and management, said during a June fireside chat on security. "So while the attackers, they can see the whole picture, the defenders, they can't see the entire picture."
At the same time, Microsoft has been one of the leading targets of nation-state and criminal actors looking to cash in on vulnerable, distracted employees and a newly remote corporate workplace. The same products touted as defense tools were direct targets of malicious actors.
APT threat actors in recent years have used a technique called Golden SAML, in which an attacker who has already compromised an Active Directory Federation Services (AD FS) server steals its token-signing certificate and uses it to forge SAML tokens for any user. Because the forged tokens are trusted by every federated service, they give the attacker persistent access to Microsoft 365 environments without touching the on-premises identity provider again. The technique was used in the SolarWinds attack.
Microsoft President Brad Smith, in response to questions during a February committee hearing on the SolarWinds attacks, said the technique was found in 15% of the attacks, but insisted that no flaw in Active Directory had been exploited.
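A forged Golden SAML token is presented straight to the cloud identity provider and never passes through AD FS, so the usual on-premises audit trail is missing. One practical detection, shown here as an added example (not Microsoft's code and not from the hearing testimony), is to correlate federated Azure AD sign-ins against AD FS token-issuance audits (Event ID 1200, "The Federation Service issued a valid token", which requires AD FS success auditing to be enabled) and flag sign-ins with no issuance behind them. The log records, field names and the five-minute match window are constructed assumptions for the example; real sign-in and AD FS exports carry more fields and need the same correlation keys extracted.

```python
"""Flag federated Azure AD sign-ins that AD FS never issued a token for.

Added example. All records below are constructed; field names are a
simplified stand-in for real AD FS audit and Azure AD sign-in exports.
"""
from datetime import datetime, timedelta, timezone

# Assumption: a legitimate cloud sign-in follows AD FS token issuance within minutes.
MATCH_WINDOW = timedelta(minutes=5)

# Constructed AD FS security-audit events (subset of fields).
ADFS_EVENTS = [
    {"time": "2021-09-20T13:00:05Z", "event_id": 1200, "upn": "alice@corp.example"},
    {"time": "2021-09-20T13:42:09Z", "event_id": 1202, "upn": "bob@corp.example"},  # credential validation, not issuance
    {"time": "2021-09-20T13:42:10Z", "event_id": 1200, "upn": "bob@corp.example"},
]

# Constructed Azure AD sign-in records for a federated domain (subset of fields).
AAD_SIGNINS = [
    {"time": "2021-09-20T13:00:07Z", "upn": "alice@corp.example", "auth": "federated", "ip": "198.51.100.20"},
    {"time": "2021-09-20T13:42:12Z", "upn": "Bob@corp.example", "auth": "federated", "ip": "198.51.100.21"},
    {"time": "2021-09-20T14:05:00Z", "upn": "carol@corp.example", "auth": "cloud_password", "ip": "198.51.100.22"},
    # Federated sign-in for an account AD FS never issued a token to.
    {"time": "2021-09-20T15:10:00Z", "upn": "svc-admin@corp.example", "auth": "federated", "ip": "203.0.113.9"},
    # Federated sign-in hours after the only issuance for this user: outside the window.
    {"time": "2021-09-20T19:30:00Z", "upn": "alice@corp.example", "auth": "federated", "ip": "203.0.113.9"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def index_issuances(adfs_events):
    """Map lower-cased UPN -> sorted token-issuance (Event ID 1200) timestamps."""
    issued = {}
    for ev in adfs_events:
        if ev["event_id"] != 1200:
            continue  # 1202 and others show credential checks, not a token leaving AD FS
        issued.setdefault(ev["upn"].lower(), []).append(parse_ts(ev["time"]))
    for times in issued.values():
        times.sort()
    return issued


def has_matching_issuance(signin_time, issuance_times, window=MATCH_WINDOW):
    """True if some AD FS issuance precedes the sign-in by at most `window`."""
    return any(timedelta(0) <= signin_time - t <= window for t in issuance_times)


def find_unmatched_federated_signins(signins, adfs_events, window=MATCH_WINDOW):
    """Return federated sign-ins that no AD FS token issuance can account for.

    Cloud-native authentications are skipped: they never involve AD FS, so the
    absence of an AD FS event for them is expected.
    """
    issued = index_issuances(adfs_events)
    hits = []
    for s in signins:
        if s["auth"] != "federated":
            continue
        candidates = issued.get(s["upn"].lower(), [])
        if not has_matching_issuance(parse_ts(s["time"]), candidates, window):
            hits.append(s)
    return hits


if __name__ == "__main__":
    for hit in find_unmatched_federated_signins(AAD_SIGNINS, ADFS_EVENTS):
        print(f"SUSPICIOUS federated sign-in: {hit['upn']} at {hit['time']} from {hit['ip']}")
```

On the constructed data the check flags two sign-ins: the service account that AD FS never issued a token to, and Alice's evening sign-in that sits hours after her only issuance. In production the window has to absorb clock skew between the AD FS farm and the cloud logs, every AD FS server in the farm must be collected, and a clean result is only meaningful if success auditing was actually on before the period under investigation.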
The company notified at least 60 companies that had been compromised during the SolarWinds attack, and was instrumental in helping those companies investigate and remediate any damage to their core IT environments, Smith testified. Microsoft considered its response to SolarWinds as a critical part of the remediation and recovery of the industry from the nation-state attack.
Microsoft offers a layered set of tools that customers implement based on their respective security needs, said Smith, who recently added vice chair to his title. The company bundles a core set of protections into its Microsoft 365 E3 licensing tier and more advanced tools into E5.
"The ability of our solutions to mitigate any threat or incident response scenario, such as the discovery or mitigation of an identity compromise, or the operation of malicious software, depends in part on customer implementation," he said, in response to questions during his testimony.
In the view of Microsoft's leadership, the company held firm against what arguably was the most sophisticated cyber campaign launched against the U.S. After reports that Microsoft source code had been accessed by the threat actor, an internal investigation found company systems were not used as a vector to attack others, nor was customer data accessed.
Microsoft executives have continued to push back against the tide of skepticism by calling out the company's existing presence in the cybersecurity space. During the Microsoft fiscal second-quarter earnings call in January, CEO Satya Nadella referenced the company's $10 billion in revenue over the prior 12 months just from its security business, up 40%.
Azure Active Directory, Microsoft's identity solution, had more than 425 million active monthly users and Microsoft Defender had blocked more than six million threats over the past year, Nadella said during the call.
Rival cybersecurity executives say Microsoft has faced increased scrutiny from customers that are concerned about the security across a range of Microsoft products, because certain legacy protection technologies have not been able to adequately protect customers from sophisticated attacks.
Executives acknowledge that, in some cases, there may be a disconnect between Microsoft and customers about how to adequately configure these products to achieve maximum protection levels.
Configuration concerns are a known issue in Microsoft environments. Last year, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert with security recommendations for organizations deploying Office 365, warning that hurried migrations were leaving tenants with weak configurations.
Microsoft has made a point of reminding customers that a properly secured cloud environment depends on settings being configured to match their own IT environment, not on defaults alone.
"Because at the end of the day, we can do everything right to protect our products, but if our customers end up misusing them, or misconfiguring them or doing something unsafe with them, they still become problems," Scott Guthrie, executive vice president, Microsoft Cloud and AI Group, said during the Jefferies Software Conference earlier this month.
CrowdStrike President, CEO and Co-Founder George Kurtz last month told analysts a Fortune 500 company jumped over to his firm after using legacy security products from Microsoft.
"This company experienced a long and difficult deployment process, particularly in low-bandwidth environments where endpoint performance was critical," Kurtz said, during the fiscal second-quarter conference call with analysts on Aug. 31.
The unnamed company suffered a devastating ransomware attack that disrupted the firm's business and encrypted its primary and backup data, which Kurtz said would cost that company in the tens or possibly hundreds of millions of dollars. CrowdStrike was called in to remediate the situation and ultimately deployed its Falcon security product across the company's environment.
Microsoft officials, when asked about the situation, pointed to a prior spat with James Yeager, VP of public sector at CrowdStrike, who claimed at the time that Microsoft was incapable of delivering the most basic protection to its customers.
Microsoft did not challenge any of the underlying facts discussed by Kurtz but defended its record in a statement: "Today, Microsoft helps secure more than 600,000 organizations across 120 countries," a spokesman said. "Customers choose Microsoft because we secure organizations from the chip to the cloud, backed by more than 3,500 defenders at Microsoft and 8 trillion security signals we process every day."
CrowdStrike was not the only security industry competitor to question Microsoft's ability to manage the number of threats targeting enterprises and other customers.
Mimecast Co-Founder and CEO Peter Bauer, whose company helps mitigate threats in Office 365, addressed during a fiscal first quarter 2022 earnings call how Microsoft vulnerabilities were being exploited and end users were being targeted.
"And so this is really driving an appetite for defense in depth, and layered independent, best of breed security brought on top of Microsoft so that we get away from a homogeneous attack surface and a single flavor security approach," Bauer said. "And organizations are really able to mitigate against some of these fast spreading, highly scalable threats that we've seen out there."
Microsoft defended its track record of providing secure access to the enterprise, noting that customers are offered a range of options so they can choose the level of protection they are comfortable with.
"Microsoft designs our products and services to be secure and securable, but no two organizations are the same or have the same risk tolerance and security needs, so we empower customers with an array of choices to help them select and achieve their optimal security posture," a Microsoft spokesperson said.
The company provides guidance to customers through features like Microsoft Secure Score, a built-in assessment that scores a tenant's security posture against recommended controls and lists the specific configuration changes that would improve it.
Microsoft said it continually rolls out changes to default configurations, for example the switch to enable Azure AD Security Defaults for all new tenants, which enforces multifactor authentication and blocks legacy authentication protocols, and the ongoing transitions to disable Basic Auth for Exchange protocols and TLS 1.0/1.1 for all customers.
A growing security portfolio
IT companies are now considered targets of malicious cyberattacks and there is pressure on those companies to gain more control over their own products and ecosystems to maintain trust with their customers and vendor relationships.
"Migrating to cloud-delivered security products and cloud-delivered IT products is accelerating," Peter Firstbrook, research VP at Gartner said. "IT skills are the most valuable commodity and cloud delivered products reduce the burden on the IT organization to maintain the solution, freeing up time to focus on the management of the product."
The rise of sophisticated ransomware and nation-state attacks since the SolarWinds campaign has accelerated consolidation and new investments in the InfoSec space.
"In regards to investment by IT buyers, the biggest issue is that boards of directors are now seeing cybersecurity as a major risk to their business," Firstbrook said. "Ransomware and business email compromise are the primary risks that mainstream organizations are concerned about."
Smith testified the company spends, on average, more than $1 billion a year in R&D and security operations, and has more than 3,500 people working on security. In recent months, Microsoft moved to expand its existing security portfolio with additional acquisitions and strategic investments.
The agreements were largely designed to help Microsoft raise its capabilities in threat intelligence, internet of things (IoT) and identity management.
| Company | Date announced | Core offering |
|---|---|---|
| CloudKnox Security | July 2021 | Cloud infrastructure entitlement management |
| RiskIQ | July 2021 | Threat intelligence that maps an organization's external attack surface, its exposed vulnerabilities and the threats targeting it |
| ReFirm Labs | June 2021 | IoT security: analyzing and strengthening firmware security |
| CyberX | June 2020 | Visibility into OT and industrial control environments |
Microsoft in mid-August also acquired a stake and entered a strategic agreement with Rubrik, a startup firm that specializes in ransomware detection and cloud-based data recovery. The companies have about 2,000 mutual customers and will provide data protection for Microsoft 365 customers and integrated cloud services on Microsoft Azure.
The Microsoft acquisitions and strategic investments come at a critical time for the InfoSec and IT businesses. Cybersecurity has undergone a wave of consolidation since the beginning of the COVID-19 pandemic and the transition to remote work, which forced major enterprises to make significant changes in how they secured the workplace, according to analysts.
Investment activity in the cybersecurity space reached a record pace during the first half of 2021: 593 deals with a combined value of $51 billion, according to Momentum Cyber, an advisory firm focused on the sector. Of that total, 163 were mergers and acquisitions worth $39.5 billion and 430 were financing deals worth $11.5 billion.
Among the major acquisitions, Thoma Bravo agreed to buy Proofpoint for $12.3 billion in cash and Okta acquired Auth0 for $6.5 billion.
The M&A surge in 2021 had a couple of key drivers, according to Dino Boukoris, a founding and managing director at Momentum Cyber.
"First, in 2020 we saw a rapid acceleration in companies' digital transformation leading to a significant increase in their reliance on technology in order to thrive (or even survive). This further fueled already strong growth in cybersecurity spending," Boukoris said. "Second, we saw a slowdown of deal activity in Q2 and Q3 of 2020 that resulted in a pipeline of pent up 'demand,' if you will. Many of the deals we saw close in 1H 2021 were already in flight in 2H 2020."
Microsoft's security renovation
Whether Microsoft can overcome the concerns about its product security is unknown, but the company is pulling out all the stops in trying to strengthen its security posture.
At an August White House meeting on cybersecurity with other top technology executives, Microsoft said it would spend $20 billion over the next five years to strengthen cybersecurity. The company also agreed to put $150 million in technical services immediately on the table to help federal, state and local governments upgrade their capabilities.
Microsoft named Amazon cloud security executive Charlie Bell as executive vice president, leading a newly formed engineering organization that includes security, compliance, identity and management, according to a LinkedIn post from Bell. The bold signing has set up Microsoft for a potential clash with cloud service rival Amazon, which is expected to fight the attempt to poach one of its key security leaders.
"We believe Charlie Bell's new role can help advance cybersecurity for the country and for the tech sector as a whole, and we are committed to continuing our constructive discussions with Amazon," a Microsoft spokesperson said. "We're sensitive to the importance of working through these issues together, as we’ve done when five recent Microsoft executives moved across town to work for Amazon."