Microsoft vs. PR/C

7–24–2023 (Monday)

Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for investors in and management teams of growth stage companies.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, July 24th, and we’ve got more updates to cover!

Microsoft vs. China vs. PR, Cont’d. (Alternate Title: Handicap Tag Match - Microsoft vs. PR and PRC)

We’ve got a couple of follow-up items around last week’s one big thing that are worth buttoning up before we collectively move on.

It’s also worth noting that we’re seeing larger and larger issues - i.e. multi-week, long-tail impacts - become a theme here. We saw it with MoveIT, and we are seeing it with Microsoft. As technology ecosystems become both more complex and more interdependent, I would expect this trend to continue.

The first update that’s worth mentioning is that Microsoft has changed their tune on logging and visibility, moving to make a significant amount of additional telemetry available to their user base at no additional charge.

The details remain a bit sparse, with Microsoft’s Corporate Vice President for Security, Compliance, Identity, and Management writing that “Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost.”

At the same time, cloud security researchers at Wiz are positing that the impact of this incident at Microsoft could be “more impactful than we thought.”

Ironically, or perhaps not, it’s the lack of logs that is making this exercise difficult for the researchers, who write:

“At this stage, it is hard to determine the full extent of the incident as there were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not.”

Wiz researchers apparently worked closely with folks at Microsoft to ensure technical accuracy - which doesn’t appear to have sat well with the PR team at MSFT, given the implications of the finding.

It has triggered a somewhat huffy non-denial over at The Record, with the piece also noting “There are several outstanding questions from the fiasco, including how and when the hackers got the key, and whether other keys were compromised.”

Unfortunately, all of this squabbling is distracting most of us from focusing on what we can do to protect our users, systems, and data.

Without additional information, it really does put us back at square one, relying on logs to identify malicious activity, as these signed keys will allow (in theory) an attacker to authenticate to the services, even if we have robust access controls in place.

It’s an unfortunate reality of these new deployment models and cloud computing in general. You lose some ability to configure and inspect these systems, but in trading that away, you are getting back other benefits in terms of CapEx and OpEx.

The question for growth stage companies remains, I think, is your team better at hunting and defending against these threats than Microsoft’s team? And for the vast, vast majority of us, that answer remains yes.

Fundraising

If you thought last week was a great week for fundraising, we’ve blown past that number - due in large part to the world’s biggest-ever buyout fund from CVC Capital Partners, $29.2B - with commitments from both new and returning investors.

We had a dozen other funds announced, including at least three that were $1B or more, bringing the weekly total to just over $36B USD, and our monthly total for July to nearly $95B in aggregate.

Seems like Q3 is off to a roaring start, and it will be fascinating to watch what happens to these funds, and ongoing fundraising efforts, as the quarter progresses.

You can find all the links to the stories we covered in the section below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next Monday for another Intentional Brief.

Links

https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/

https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr

https://therecord.media/microsoft-disputes-report-on-chinese-hacking

https://www.bloomberg.com/news/articles/2023-07-20/cvc-capital-is-said-to-raise-26-billion-for-record-buyout-fund#xj4y7vzkg
