New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats

Cybersecurity threats are always evolving, and today we’re seeing a new wave of advanced attacks targeting areas of computing that don’t have the protection of the cloud. New data shows that firmware attacks are on the rise, and businesses aren’t paying close enough attention to securing this critical layer.

Recently, Microsoft commissioned a study that showed how attacks against firmware are outpacing investments targeted at stopping them. The March 2021 Security Signals report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years, but only 29% of security budgets are allocated to protect firmware.

Security Signals is a comprehensive research report assembled from interviews with 1,000 enterprise security decision makers (SDMs) from various industries across the U.S., UK, Germany, China, and Japan. Microsoft commissioned Hypothesis Group, an insights, design, and strategy agency, to execute the research.

The study showed that current investment is going to security updates, vulnerability scanning, and advanced threat protection solutions. Yet despite this, many organizations are concerned about malware accessing their system as well as the difficulty in detecting threats, suggesting that firmware is more difficult to monitor and control. Firmware vulnerabilities are also exacerbated by a lack of awareness and a lack of automation.

But the tide may be starting to turn against firmware exploits. There is a growing awareness of the issue worldwide, a new willingness to invest in protections, and an emerging class of secured-core hardware is showing the potential to empower organizations with chip-level security and new automation and analytics capabilities.

Firmware provides fertile ground to plant malicious code

Firmware, which lives below the operating system, is emerging as a primary target because it is where sensitive information like credentials and encryption keys are stored in memory. Many devices in the market today don’t offer visibility into that layer to ensure that attackers haven’t compromised a device prior to the boot process or at runtime bellow the kernel. And attackers have noticed.

If that’s not enough, the National Institute of Science and Technology (NIST) has shown more than a five-fold increase in attacks against firmware in the last four years, and attackers have used this time to further refine their techniques and get ahead of software-only protections.

Yet the Security Signals study shows that awareness of this threat is lagging across industries. Even with this onslaught of firmware attacks, the study shows that SDMs believe software is three times as likely to pose a security threat versus firmware.

“There are two types of companies – those who have experienced a firmware attack, and those who have experienced a firmware attack but don’t know it.” – Azim Shafqat, Partner at ISG and Former Managing VP at Gartner

The OS Kernel is an emerging gap in defense

A look at respondents’ investments bears out this disparity. Hardware-based security features such as Kernel data protection (KDP), or memory encryption, which blocks malware or malicious threat actors from corrupting the operating system’s kernel memory or from reading it at runtime, is a leading indicator of preparedness against sophisticated kernel-level attacks. Security Signals found that only 36% of businesses invest in hardware-based memory encryption and less than half (46%) are investing in hardware-based kernel protections.

Security Signals also found that security teams are too focused on outdated “protect and detect” models of security and are not spending enough time on strategic work — only 39% of security teams’ time is spent on prevention and they don’t see that changing in the next two years. The lack of proactive defense investment in kernel attack vectors is an example of this outdated model.

Physical attacks using hardware

In addition to firmware attacks, respondents identified concerns with attack vectors exposed by hardware. The recent ThunderSpy attack targeted Thunderbolt ports, leveraging direct memory access (DMA) functionality to compromise devices via hardware access to the Thunderbolt controller. Another flaw, this one unpatchable, was found in the T2 security chip used in many common consumer devices. Other major firmware attacks in the last year included the RobbinHood, Uburos, Derusbi, Sauron and GrayFish attacks that exploited driver vulnerabilities.

Lack of automation and investment leads to a gap in focus on firmware

Part of the disconnect may be due to security teams being stuck in reactive cycles and manual processes. The vast majority (82%) of Security Signals respondents reported that they don’t have the resources to allocate to more high-impact security work because they are spending too much time on lower-yield manual work like software and patching, hardware upgrades, and mitigating internal and external vulnerabilities. A full 21% of SDMs admit that their firmware data goes unmonitored today.

Lack of automation is another factor causing organizations to lose time and detracting from building better prevention strategies. Seventy-one percent said their staff spends too much time on work that should be automated, and that number creeps up to 82% among the teams who said they don’t have enough time for strategic work. Overall, security teams are spending 41% of their time on firmware patches that could be automated.

Meanwhile, most SDMs (62%) believe more time should be spent on strategic work like setting the strategy and preparing for sophisticated threats like those targeted at firmware.

New investments are accelerating—and paying off

The challenge is global, and many organizations are realizing the importance of investing in these critical areas. Eighty-one percent of the German companies we surveyed were prepared and willing to invest, as compared to 95% of Chinese organizations and 91% of businesses in the U.S., UK, and Japan. Eighty-nine percent of regulated industry companies felt willing and able to invest in security solutions, although those in the financial services sector are not quite as ready to invest as companies in other markets.

Those that do make the right investments are seeing returns, and surveyed organizations that made a real investment in security saw a big payoff. Almost two-thirds (65%) of SDMs reported that investing in security increased efficiency throughout their organizations because it freed up SecOps teams to work on other projects, promoted business continuity, enabled end-user productivity, decreased downtime and saved on investments needed elsewhere.

Across all industry verticals, proven frameworks can lay the groundwork for a successful security strategy that includes automation, increases proactivity, and measures security progress.

“Firmware runs the hardware, but there isn’t a way to inspect to say you are 100% safe with firmware. Firmware attacks are less common (than software), but a successful attack will be largely disruptive.” – SANS Senior Instructor

Hardware security is paramount to protecting from future threats

With our partners, Microsoft has created a new class of devices specifically designed to eliminate threats aimed at firmware called Secured-core PCs. This was recently extended to Server and IOT announced at this year’s Microsoft Ignite conference. With Zero Trust built in from the ground up, this means SDMs will be able to invest more of their resources in strategies and technologies that will prevent attacks in the future rather than constantly defending against the onslaught of attacks aimed at them today.

The SDMs in the study who reported they have invested in secured-core PCs showed a higher level of satisfaction with their security and enhanced confidentiality, availability, and integrity of data as opposed to those not using them. Based on analysis from Microsoft threat intelligence data, secured-core PCs provide more than twice the protection from infection than non-secured-core PCs. Sixty percent of surveyed organizations who invested in secured-core PCs reported supply chain visibility and monitoring as a top concern. According to Accenture’s State of Cyber Resilience report, indirect attacks into the supply chain now account for 40% of security breaches.

Secured-core PCs provide powerhouse protection out of the box, with capabilities such as Virtualization-Based Security, Credential Guard, and Kernel DMA protection. The subsequent automation and out-of-the-box capabilities also free up time for SDMs to focus more of their efforts on high-value and strategic endeavors and less on low-level activities.

Security Signals also found that companies are investing in larger devices to protect against hardware security breaches: more than half are focusing on servers. Microsoft is planning ahead and innovating there as well. With our partners AMD and Intel, we announced the extension of secured-core to servers and edge devices at our virtual Spring Ignite.

To learn more about the more than 100 certified secured-core PCs available today from Microsoft, Acer, Dell, HP, Lenovo, Panasonic, and more, visit our Secured-core web page.

Server investments are high today because they are used as stepping stones in the cloud migration journey.” – Azim Shafqat, Partner at ISG and Former Managing VP at Gartner

The most important takeaway from the Security Signals report is that companies want to have more proactive strategies in place for security, especially when it comes to addressing firmware attacks. Microsoft is working to address that need by partnering with leading PC manufacturers and silicon vendors to establish a proactive strategy towards device security.

Ultimately, those enterprises who align their resources to develop such preventive strategies will give themselves a better chance for business continuity, productivity, and protection from emerging threats.


Security Signals research occurred from August – Dec. 2020, when a 20-minute online survey was conducted with 1,000 decision makers involved in security and threat protection decisions at enterprise companies from a range of industries across the US, UK, Germany, China, and Japan.

The Security Signals report works to create a detailed picture of the current security landscape: to understand the unique mindset and priorities that security decision makers (SDMs) bring to their organizations; to shed light on the benefits and challenges of adopting security solutions; to assess what impacts and shapes SDMs’ business decisions; and to see what the future of security may hold. The goal of this paper is to provide up-to-date research on the state of security, across countries and industries, in order to better serve our customers and partners, and enable security decision makers to further their development of security strategies within their organizations.