Before I start, let me say, I have a ton of respect for Microsoft and the security precautions it has built into the Office365 (O365) environment. I won’t critique its decisions or its tools. I would, however, like to discuss the systemic reasons that it can’t win this war and why others can.
To start with the problem: take a look at what Microsoft has said about why it can’t totally secure Office365 from hackers, malware and ransomware.
In my mind, Microsoft is working hard to secure O365. It has thrown a ton of resources into addressing this issue. So why can’t Microsoft win this war? It all boils down to four overriding factors.
1. Microsoft is a victim of its own success.
According to Microsoft’s own reports, it is about to surpass 100 million users on the O365 environment. That is almost 100 percent growth from a year ago. When there are that many users on any system, there are bound to be issues. From Microsoft’s viewpoint, it can’t make security so tight that it restricts users unnecessarily. After all, how many of those 100,000,000 users will put up with two-factor verification on each logon attempt, or seven-day password renewals, before they jump ship to a more convenient solution? And what is Microsoft’s acceptable level of infected accounts? Even if it is a tiny 0.001 percent of the total 100 million users, it is still a staggering 100,000 users.
However, the largest issue with being the big player in the market is that, for a monthly recurring fee, every hacker has a copy of the most up-to-date software. Gone are the days of servers hosting individualized local email systems. Hackers now have a system to test, refine and circumvent the basic security that is part of the Office suite. For example, Microsoft is proud of Advanced Threat Protection and of the fact that it monitors all inbound email. But it does not monitor outgoing or internal email. Every threat actor knows that and uses that fact to spread malware through a network almost unchecked.
2. It is an ugly world, and sometimes you have to get dirty.
OK, OK… no one has ever accused Microsoft of having too much heart.
But the ugly truth is the cyber war that has been heating up for the past decade. Winning a war takes getting dirty, and that is just not something Microsoft has been able to do. In order to infiltrate a hacker group, it takes time to build up your ‘street cred’ in those circles. It appears it is not something a white-hat publicly traded company like Microsoft is willing to do. It isn’t in its DNA.
3. Everyone is playing in the same sandbox
Similar to my first point, there is an upgraded sandboxing feature for Office. This is the same sandbox the hackers have access to.
A new zero-day threat released in the wild has already been tested against that sandbox, and your anti-virus isn’t enough. You will find that threat in your Office 365 inbox, waiting.
Some of the most recent malware and phishing attempts are quite sophisticated even if they are not part of the weaponized NSA hacker tools that were released earlier in the year.
4. Microsoft has to deliver 100 percent of the legitimate email all the time
Amid all of the attacks across the Internet, Microsoft has to be perfect in its defense. Meanwhile, hacker groups have the ability to try and try again until they uncover an exploit. The hacker community is focused in its attempts. It is bolstered by the triple whammy of state-sponsored hacking, the rise of SaaS and IaaS popularity, and the new monetization of information theft through the Dark Web, Bitcoin and other cryptocurrencies.
Every day, these groups—like Fancy Bear, which is linked to Russia, and Lazarus, which is linked to North Korea—are probing and testing the boundaries of Microsoft’s defenses. The popularity of cloud-based SaaS like O365, Slack, Box, Salesforce, Dropbox and Google Gmail/GSuite, and their integration with one another, is another opening for hackers. Seemingly ‘worthless data’ now has value in the right hands (used for spear phishing) and a way to monetize it through the Dark Web and cryptocurrency like Bitcoin.
The bad news:
Keeping one step ahead of the threat actors and their arsenal of botnets, DDoS attacks, malware, ransomware, spoofing and phishing tools is a constant game of cat and mouse. It appears that the best that Microsoft can hope for with its Office 365 is an uneasy truce in its war against the hacking community, but there is no sign of one on the horizon.
The good news:
There are solutions available that are customized to protect the O365 environment. These solutions deploy the best countermeasures available today, protecting data just as if it were stored on-premises. How do you protect SaaS data from spreading malware when SaaS is purposefully built to spread data automatically? Oh yes, and when you don’t own the system or the infrastructure?
If you would like to see a webinar on the topic, click here. If you have any questions or need assistance with this or any other threat vectors, please reach out to our Teneo engineering team.
About the Author
John Warnagiris is a Green Belt, PMP and the Senior Project Manager at The Teneo Group, where he oversees Client Relations, Business Development, and Marketing. He combines his understanding of Six Sigma & PM along with 30+ years of practical leadership experience to help achieve The Teneo Group’s mission of securing the networks and data of its clients.