New insights on cybersecurity in the age of hybrid work

As we approach the last week of Cybersecurity Awareness Month, I think about what is top of mind for myself and my peers in security. The past year has continued the major shift in the way organizations operate that began in 2020. Recent data shows that 81 percent of enterprise organizations have begun the move toward a hybrid workplace, with 31 percent of those surveyed having already fully adopted it. As the public and private sectors continue to enable hybrid work, the attack surface for cyber threats has expanded, and threat actors have been quick to exploit any vulnerabilities. In response, organizations have enforced various security controls to revamp their security postures. For example, the number of Microsoft Azure Active Directory (Azure AD) Conditional Access policies deployed has more than doubled over the last year.

Timeline showing onsite work by Microsoft employees before and after COVID-19: roughly 100,000 employees entering Microsoft buildings in January 2020, falling to roughly 30,000 by August 2021.

Figure 1: Rate of onsite versus remote work at Microsoft (Jan 2020 to Aug 2021).

Organizations that don’t maintain basic security hygiene practices in the new workplace—applying updates, turning on multifactor authentication (MFA)—are placing their data, reputation, and employees’ privacy at much greater risk. On October 7, 2021, we published the 2021 Microsoft Digital Defense Report (MDDR) with input from thousands of security experts spanning 77 countries. In the report, we examine the current state of hybrid work and recent trends in cybercrime. You’ll also get actionable insights for strengthening defenses across your entire organization.

Hybrid work requires a Zero Trust strategy

Along with basic security hygiene, adopting a Zero Trust security strategy protects your digital estate by applying a “never trust, always verify” approach. The prevalence of cloud-based services, IoT, and the use of personal devices (also known as bring your own device or BYOD) in hybrid work environments has changed the landscape for today’s enterprise. Unfortunately, security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to resources won’t cut it for a workforce that operates beyond traditional network boundaries.

There is no one-size-fits-all approach to Zero Trust implementation, and that’s a good thing. It means you’re free to start anywhere. Organizations of all sizes begin in different areas, based on their immediate needs and available resources. Most organizations approach Zero Trust as an end-to-end strategy that can be completed over time.

Graph showing Zero Trust implementation across areas of Identity, Endpoints, Apps, Network, Infrastructure, Data, and Automation & Orchestration.

Figure 2: Zero Trust implementation areas (from the Microsoft Security Zero Trust Adoption Report).

6 pillars for securing your hybrid workforce

Zero Trust controls and technologies are deployed across six technology pillars. The pillars are tied together by a control plane that enforces security policy automatically and by correlation of signals, security automation, and orchestration across them:

1. Identities

Identities can represent people, services, or IoT devices. As companies adapt for a hybrid workforce, we’ve seen more than a 220 percent increase in strong authentication usage (like MFA) in the last 18 months. Still, in Azure AD for the calendar year to date, we’re observing 61 million password attacks daily. Strong authentication can protect against 99.9 percent of identity attacks, but even better is passwordless authentication, which can provide the most usable and secure authentication experience. Legacy protocols, such as IMAP, SMTP, POP, and MAPI, are another major source of compromise. These older protocols do not support MFA; for that reason, 99 percent of password spray and 97 percent of credential-stuffing attacks exploit legacy authentication. Blocking legacy authentication removes that avenue entirely, so check your sign-in logs for the clients and service accounts that still depend on it before you turn the block on.

2. Endpoints

Once an identity has been granted access, data can flow to different endpoints—from IoT devices to smartphones, BYOD to partner-managed devices, on-premises workloads to cloud-hosted servers—creating a massive attack surface. With the Zero Trust model, enterprises can reduce provisioning costs and avoid additional hardware purchases for work-from-home use. For example, an administrator can grant access only to verified and compliant devices while blocking access from a personal device that’s been rooted or jailbroken (modified to remove manufacturer or operator restrictions) to ensure that enterprise applications aren’t exposed to known vulnerabilities.
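As an added example (not code from the Microsoft report or from any Microsoft product), the following Python models how a Conditional Access style policy would decide the sign-ins described under the Identities and Endpoints pillars above: block any client that signs in over a legacy protocol (it can never complete an MFA challenge), block rooted or jailbroken devices even when they report as compliant, block unregistered or non-compliant devices, and require MFA for everything else. The sign-in records are constructed; their field names (`clientAppUsed`, `isCompliant`, `isRooted`, `mfaCompleted`) and the list of legacy client-app names are assumptions for illustration, a simplified stand-in for the real Azure AD sign-in log schema, not a copy of it.

```python
"""Toy Conditional Access style evaluator run over constructed sign-in records.

Added example, not Microsoft code. The record shape is an assumed, simplified
subset of sign-in log fields; the field names and legacy client-app names are
assumptions for this example.
"""
from __future__ import annotations

import json
from collections import Counter

# Client apps that authenticate with legacy (basic) authentication and therefore
# cannot satisfy an MFA grant control. Names are assumed for this example.
LEGACY_CLIENT_APPS = frozenset({
    "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "MAPI Over HTTP",
    "Exchange ActiveSync", "Exchange Web Services", "Exchange Online PowerShell",
    "Offline Address Book", "Autodiscover", "Reporting Web Services", "Other clients",
})

# Constructed sample log (newline-delimited JSON); not real tenant data.
SAMPLE_SIGNINS = """\
{"userPrincipalName":"alice@contoso.example","clientAppUsed":"Browser","isCompliant":true,"isRooted":false,"mfaCompleted":true}
{"userPrincipalName":"bob@contoso.example","clientAppUsed":"IMAP4","isCompliant":null,"isRooted":false,"mfaCompleted":false}
{"userPrincipalName":"bob@contoso.example","clientAppUsed":"Authenticated SMTP","isCompliant":null,"isRooted":false,"mfaCompleted":false}
{"userPrincipalName":"carol@contoso.example","clientAppUsed":"Mobile Apps and Desktop clients","isCompliant":true,"isRooted":true,"mfaCompleted":true}
{"userPrincipalName":"dave@contoso.example","clientAppUsed":"Mobile Apps and Desktop clients","isCompliant":true,"isRooted":false,"mfaCompleted":false}
{"userPrincipalName":"svc-scan@contoso.example","clientAppUsed":"Exchange ActiveSync","isCompliant":false,"isRooted":false,"mfaCompleted":false}
"""


def parse_signins(text: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy_auth(rec: dict) -> bool:
    """True when the client app signed in over a protocol that cannot do MFA."""
    return rec.get("clientAppUsed") in LEGACY_CLIENT_APPS


def evaluate(rec: dict) -> tuple[str, str]:
    """Return (decision, reason) for one sign-in.

    Order matters: legacy protocols are rejected first because no grant control
    can be satisfied over them; a rooted/jailbroken device is rejected even if
    it reports itself compliant; an unregistered device (isCompliant is null)
    is treated the same as a non-compliant one.
    """
    if is_legacy_auth(rec):
        return "block", "legacy authentication"
    if rec.get("isRooted"):
        return "block", "rooted or jailbroken device"
    if rec.get("isCompliant") is not True:  # None (unregistered) or False
        return "block", "device not compliant"
    if not rec.get("mfaCompleted"):
        return "require_mfa", "strong authentication required"
    return "allow", "compliant device with strong authentication"


def summarize(text: str) -> dict:
    """Aggregate what a defender looks at before enabling a legacy-auth block:
    how each sign-in was decided, which legacy protocols are still in use, and
    which accounts use them (the list to review or migrate first)."""
    decisions: Counter = Counter()
    legacy_by_protocol: Counter = Counter()
    legacy_users: set[str] = set()
    for rec in parse_signins(text):
        decision, _reason = evaluate(rec)
        decisions[decision] += 1
        if is_legacy_auth(rec):
            legacy_by_protocol[rec["clientAppUsed"]] += 1
            legacy_users.add(rec["userPrincipalName"])
    return {
        "decisions": dict(decisions),
        "legacy_by_protocol": dict(legacy_by_protocol),
        "legacy_users": sorted(legacy_users),
    }


if __name__ == "__main__":
    for rec in parse_signins(SAMPLE_SIGNINS):
        decision, reason = evaluate(rec)
        print(f'{rec["userPrincipalName"]:28} {rec["clientAppUsed"]:32} {decision:12} {reason}')
    print(summarize(SAMPLE_SIGNINS))
```

Running the script over the constructed log blocks four of the six sign-ins (three over legacy protocols, one from a rooted device), asks one for MFA, and allows one; the summary names the two accounts still using IMAP4, Authenticated SMTP, and Exchange ActiveSync, which is the report-only style review you would do before switching such a policy to enforce.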

3. Applications

Modernized applications and services require users to be authenticated prior to having access. However, thousands of applications and services still remain heavily reliant on network firewalls and VPNs to restrict access. These traditional architectures built for legacy applications were designed for lateral connectivity (CorpNet) rather than micro-segmentation. They violate the fundamental Zero Trust principle of “least-privilege access” and are more vulnerable to lateral movement across the network by an adversary. To modernize your applications, deploy one of these three solutions:

4. Network

Microsoft Azure Firewall blocks millions of attempted exploits daily. Our signals show that attackers most commonly used malware, phishing, web applications, and mobile malware in their attempts at network attacks during July 2021. Also in July, there was a significant uptick in the use of coin miners, malware that hijacks a victim’s compute resources to mine cryptocurrency. The protocols leveraged most often in attacks were HTTP, TCP, and DNS, since these are exposed to the internet. A Zero Trust approach assumes your network is always under attack; therefore, you need to be prepared with a segmented layout that minimizes the blast radius.

Graph showing the top 10 network threats with malware attacks accounting for 40 percent of threats as of July 2021.

Figure 3: Top 10 network threats (July 2021).

Distributed denial of service (DDoS) attacks on internet-facing endpoints ramped up significantly this year. Compared to the latter part of 2020, the average daily number of attack mitigations in the first half of 2021 increased by 25 percent while the average attack bandwidth per public IP increased by 30 percent. Microsoft Azure DDoS Protection mitigated 1,200 to 1,400 unique DDoS attacks every day in the first half of 2021. Europe, Asia, and the United States remain the most attacked regions because of the concentration of financial services and gaming industries in those regions. Over 96 percent of the attacks were of short duration—less than four hours. To get our latest research on DDoS attacks, download the 2021 MDDR.

Circle graph showing distributed denial of service attacks by destination region, with the United States accounting for 56 percent of attacks.

Figure 4: DDoS attack destination regions.

5. Infrastructure

Infrastructure—whether on-premises, cloud-based, virtual machines (VMs), containers, or micro-services—represents a critical threat vector. As the move to the cloud enables a more secure hybrid workforce, organizations are also increasing their dependency on cloud storage, requiring effective threat protection, mitigation strategies, and tools to manage access. Azure Defender treats data-centric services, such as cloud storage accounts and big data analytics platforms, as part of the security perimeter and provides prioritization and mitigation of threats. We’ve produced a threat matrix for storage to help organizations identify gaps in their defenses, with the expectation that the matrix will evolve as more threats are discovered and cloud infrastructures constantly progress toward securing their services.

6. Data

With the rise of hybrid work, it’s especially important that data remain protected even if it leaves the devices, apps, infrastructure, and networks your organization controls. While classification, labeling, encryption, and data loss prevention remain core data security components, organizations that effectively manage the lifecycle and flow of their sensitive data as part of their business operations make it much easier for data security and compliance teams to reduce exposure and manage risk. Reducing that risk means reevaluating how your organization conducts business with sensitive data to ensure its proper storage, access, flow, and lifecycle.

Picture advising the audience to know, govern, protect and control your data to reduce sensitive data risks.

Figure 5. The cumulative impact of unified data governance and security on sensitive data risk.

Actionable insights

As we adapt to a hybrid work world, Microsoft is aware of cybersecurity paradigm shifts that will support the evolution of work in a way that centers on the inclusivity of people and data.

Practice digital empathy

By applying empathy to digital solutions, we can make them more inclusive toward people with diverse perspectives and varied abilities. Factoring in digital empathy leads to the inclusion of security professionals with a broader range of abilities, skill sets, and perspectives—increasing the effectiveness of cybersecurity solutions. It also means developing technology that can forgive mistakes. Whether as an organization or an individual, our ability to be empathetic will help us to adapt during this time of constant change.

Don’t wait to start your Zero Trust journey

As we look past the pandemic to a time when workforces and budgets finally rebound, Zero Trust will become the biggest area of investment for cybersecurity. This means that right now, every one of us is on a Zero Trust journey—whether we know it or not. As shown in Figure 2, it doesn’t matter whether you start in endpoints, applications, or infrastructure; all that matters is that you get started now. Something as simple as enabling MFA (free with Microsoft Security solutions) can prevent 99 percent of credential theft. To see where you are in your Zero Trust journey, take the Zero Trust Assessment.

Diversity of data sources matters

Microsoft processes over 24 trillion daily security signals across a diverse set of endpoints, products, services, and feeds from around the globe. We were able to identify and block new COVID-19-themed threats—sometimes in a fraction of a second—before they reached customers. Our rich diversity of data allowed Microsoft cyber defenders to understand COVID-19-themed attacks in a broader context—determining that attackers were primarily adding new pandemic-themed lures to familiar malware. This is just one example of how the diversity of data and the power of the cloud deliver a clear advantage in combating threats.

Cyber resilience equals business resilience

The latest cyberattacks are deliberately targeting core business systems to maximize destructive impact and increase the likelihood of a ransomware payout. Knowing this, it’s imperative that a comprehensive approach to operational resilience includes cyber-resilience. At Microsoft, our strategy focuses on four basic threat scenarios: events we can plan for, such as extreme weather; unforeseen natural events, such as earthquakes; legal events, such as cyberattacks; and deadly pandemics, such as COVID-19. Cloud technology, due to its scalability and agility, helps organizations develop a comprehensive cyber-resilience strategy and makes preparing for contingencies less complicated.

Focus on integrated security

Recent attacks, including the nation-state exploitation of Microsoft Exchange Server and the ransomware attacks on Colonial Pipeline and JBS USA, brought into stark reality the agility and callousness of our adversaries. To uncover shifting attack techniques and stop them before they do serious damage, organizations need to have complete visibility across their own applications, endpoints, network, and users. To do this, while simplifying and reducing costs, businesses can adopt the security capabilities built into the cloud and productivity platforms they’re already using. Security tools that are fully integrated help improve efficacy and provide the end-to-end visibility today’s organization needs.

While digital acceleration will continue to drive these paradigm shifts, one thing remains the same: security technology is about improving productivity and collaboration through secure and inclusive user experiences. By practicing security for all, Microsoft is committed to making cybersecurity empowering for your organization every day.

Learn more

Hybrid work is the new normal, and organizations need the latest data on how to defend themselves in a constantly evolving threat landscape. To get 100 plus pages of insights gathered from more than 24 trillion daily security signals across the Microsoft cloud, endpoints, and intelligent edge, download the 2021 Microsoft Digital Defense Report. Also, see our past blog posts providing information for each themed week of Cybersecurity Awareness Month 2021. Read our latest posts:

Be sure to visit our Cybersecurity Awareness Month page for more resources and information on protecting your organization year-round. Do your part. #BeCyberSmart

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.