Microsoft is removing password support from its Authenticator app this summer. As of June, you haven’t been able to add new passwords; in July autofill stops working; and by August all saved passwords will be deleted. The replacement?
FIDO-based passkeys that are stored encrypted on your device and use biometrics / PIN for phishing-proof sign-ins.
The Password Problem
Passwords have been the backbone of online security for decades and are the way we log into most of our work and online services: shopping sites, email, Snapchat, you name it.
But they are also a huge weak link, and the primary way people and companies get hacked and online identities get stolen.
Microsoft reports seeing password attacks in the realm of 7,000 attempts per second against Microsoft consumer accounts alone.
People reuse weak or memorable passwords across dozens of sites because strong ones are hard to remember.
Password managers, whilst helpful, concentrate every credential into a single target for attackers.
Phishing, brute force and database leaks make passwords a persistent liability, and AI is increasing the number of attacks.
Microsoft’s stats show a sign-in success rate (getting a login right with your credential) of 32% for passwords, compared with 98% for passkeys: evidence that passwords aren’t just less secure, they’re also more error-prone, whereas passkeys are easier to use once set up.
What Are Passkeys?
Passkeys are an evolution of authentication built on FIDO (Fast Identity Online) standards. Here’s what makes them different:
Stored only on your device, protected by your PIN and biometrics, and never on a central server.
Rely on biometrics (Face ID, fingerprint) or a local PIN.
Immune to phishing and replay attacks because there’s no password to steal.
Seamless: once set up, you tap or scan to log in anywhere passkeys are supported.
Easier to use since you don’t have to remember complex passwords.
Microsoft Authenticator Timeline
To ease the transition away from storing passwords and towards passkeys, Microsoft has shared the timeline, which started last month.
June 2025: Microsoft disabled the ability to add new passwords to Authenticator.
July 2025: Password autofill in Authenticator is disabled.
August 2025: All passwords saved in Authenticator are permanently deleted (export before then).
Keeping/Exporting your passwords.
If you want to export the passwords stored in Authenticator, you can, and these can then be imported into another password manager. To do this:
Open Authenticator
Go to Passwords, then Export.
Save the CSV file securely or import it into another password manager.
If you still rely on passwords, migrate them to Microsoft Edge’s built-in vault or a third-party manager like 1Password.
Start creating Passkeys.
Still in the Authenticator app or via your Microsoft account’s security settings, select Passkeys > Add new passkey.
Follow the prompts to register with Face ID, fingerprint or PIN.
Update your accounts to use Passkeys
This is unfortunately a bit laborious, since you will need to visit each website or service that offers passkey login and link your new passkey.
Why go Passwordless.
There’s a heap of reasons once you’ve got past the process of creating Passkeys.
Stronger Security: No password to steal means it’s virtually impossible to phish or brute-force your credentials.
Better Usability: Unlock with a quick biometric scan or PIN—no more juggling complex passwords.
Future-Proof: Passkeys and the move to passwordless are backed by all major identity provider platforms (Microsoft, Cisco, Apple, Google, Amazon), and over 15 billion accounts already support them.
The industry is moving to passwordless: all the tech giants are moving this way to finally try to rid the world of passwords. Apple, Google and Amazon have also committed to a passwordless future. Whether it’s signing into an app, online banking or shopping, passkeys are becoming the universal standard.
Today, the use of passkeys is still growing, but with the tech giants behind the phasing out of passwords, they will soon be the way we sign into all of our online services.
Cisco Live 2025 is happening this week in San Diego (after five years in Vegas) with around 22,000 attendees. As you’d imagine from any tech event at the moment, the focus was very much AI, with the theme summed up as “All AI, all the time”. Throughout the Day 1 keynotes, Cisco’s message was clear: the “agentic AI era” is upon us, and Cisco is positioning itself as the infrastructure backbone supporting service providers, cloud providers and enterprises in this new age.
Cisco’s President and Chief Product Officer Jeetu Patel set the tone with a bold analogy: “The way that you should think about us is like the picks and shovels company during the gold rush. We are the infrastructure company that powers AI during the agentic movement.”
In other words, while everyone’s chasing AI gold, Cisco’s approach is to provide the bedrock tools to dig for it – unveiling new innovations spanning networking hardware, unified management software, security, and collaboration tools, all infused with AI.
I wasn’t able to attend the event myself, but here’s my breakdown of the top announcements and innovations from the live streams I watched. Let me know what I have missed 🙂
The “Agentic AI” Era
Cisco Live’s buzzword was undoubtedly “Agentic AI.” Cisco sees a shift from basic chatbots to autonomous agents that don’t just answer questions, but perform tasks and jobs on our behalf. As Jeetu Patel said in the keynote “The world is moving from chatbots intelligently answering our questions to agents conducting tasks and jobs fully autonomously. This is the agentic era of AI”.
Like many of the other tech giants, their view is that in this fast-moving era, billions of AI agents could be working for us behind the scenes, which means demand “will soar” for high-bandwidth, low-latency and power-efficient networking in cloud providers and privately hosted data centres.
Cisco’s key message here is that they are here to help organisations and providers meet this demand: “Cisco is delivering the critical infrastructure for the AI era — secure networks and experiences, optimized for AI that connect the world and power the global economy”.
Cisco CEO Chuck Robbins said that “no organisation can hire limitless people to tackle increasing IT complexity and cyber threats – instead – machines must scale to share the burden”. He went on to say that automation and AI-driven operations are not just nice-to-haves; they’re becoming essential, every business is looking to invest and build here, and it will only accelerate in pace and scale.
Cisco also set out to explain that “generative AI” and “agentic AI” have different effects on the infrastructure needed to support them. Generative AI creates sporadic spikes in demand, but agentic AI creates sustained, perpetual demand for inferencing capacity. This means that for agentic AI, networks and cloud data centres need a continuous heavy-duty upgrade to what they run on today. Cisco expects that many large enterprises, those setting out to build their own “AIs”, and of course service and cloud providers will likely need to “re-rack the entire datacenter and rebuild the network” to handle these new AI workloads.
One Unified Platform to Manage it all
As a (long time ago) IT sysadmin, I remember how managing networks used to sometimes feel like herding cats – multiple dashboards for switches, routers, security, cloud, etc., all siloed.
Cisco has now announced Cisco Cloud Control, a new unified management console intended to “drive all its networking, security, and observability tools” from one place. In a nutshell, Cloud Control is Cisco’s approach to bringing all those separate management tools into a single pane of glass – making life easier for network admins and giving Cisco customers a cohesive platform that showcases its new AI innovations in one place.
Of course Cloud Control is AI infused too. There is an AI Assistant that lets IT teams query their infrastructure in plain English. Here they could ask (as per their demo) “Hey Cisco, why is the Wi-Fi slow on the 4th floor?” and get a useful answer.
To achieve this, Cisco are using a new custom large language model trained on decades of Cisco networking knowledge (like an AI powered CCIE) to provide expert guidance. Cisco showed off a new AI Canvas (an “agentic” interface) that auto-generates relevant dashboards that work together to help identify issues, suggest fixes, and even implement changes – with human approval gating the final step. In short – you describe a problem, and the system brings forward the relevant controls and data needed to solve it, all guided by Cisco AI.
Cisco’s message is that this is not just adding AI for AI’s sake – it is designed to address real IT headaches by combining formerly separate management planes and interfaces into one.
Cisco also announced they are unifying management for their Catalyst and Meraki product lines (switching and wireless) into this single console, with common licensing too.
Overall, the message is that whether it’s campus networks, branch, data centre, or cloud, Cisco’s goal is to centralise control and inject AI assistance across them all, leading to smarter and simpler unified operations.
Splunk also got a mention – with Cisco talking about how ThousandEyes and Splunk analytics will also be able to integrate into this platform to give end-to-end visibility – from user device to application. This is part of a broader “One Cisco” vision of an integrated portfolio for networking, security, collaboration, and observability.
New Hardware: Faster, Smarter, and Built for AI
It wouldn’t be Cisco Live without new hardware – and this year, Cisco delivered loads of it. Recognising that AI workloads are putting unprecedented demands on service provider and cloud networks, Cisco unveiled a lineup of new switches, routers, and wireless devices which all offer higher throughput, low latency, and security by design. This included:
Campus Switches (C9350 & C9610): Designed for campus networks and powered by its custom Silicon One chips – they boast a huge 51.2 Tbps of throughput and sub-5 microsecond latency, with quantum-resistant security built in. These are designed to handle “high-stakes AI applications” at the network edge.
Secure Branch Routers (8100, 8200, 8300, 8400, 8500 Series): To connect sites and users to AI resources, Cisco have unveiled these new Secure Catalyst Routers for branches. These are all-in-one boxes that combine SD-WAN, SASE (Secure Access Service Edge) connectivity and next-gen firewall. Cisco say they will deliver up to 3× the throughput of the previous generation too. Why? Cisco is converging networking and security at the WAN edge so that adopting AI doesn’t open new holes in your defenses.
Wi-Fi 7 (Cisco Wireless 9179F): new APs tailored for stadiums and large venues. These APs support the latest Wi-Fi 7 standard, bringing multi-gig speeds and better reliability, and integrate Ultra-Reliable Wireless Backhaul (URWB) technology alongside Wi-Fi in one device. That means an access point can also serve as a highly reliable wireless bridge/mesh link, useful in places where running fibre/cable is hard.
Ruggedised Switches for Industry 4.0: To support AI at the edge – in places like factories, oil rigs, smart cities – Cisco unveiled 19 new rugged switches built to withstand harsh environments. These come in various form factors (tiny DIN-rail mounts, hardened casings, etc.) to fit into industrial sites where conditions are extreme. Interestingly, Cisco integrated that URWB wireless tech here too, meaning you can have a unified wireless fabric that covers both IT and OT (operational tech) environments via a combination of Wi-Fi and wireless backhaul. In plain terms, these rugged switches + wireless combos let factories and outdoor facilities achieve high-density, reliable wireless coverage as part of one unified infrastructure.
Powered by Cisco Silicon One: All of Cisco’s hardware announcements reinforced a key point: networking and security are fusing together in Cisco’s strategy. The new switches and routers all come with baked-in security features (from Hypershield to post-quantum crypto) rather than treating security as an add-on. Jeetu Patel emphasised that the future is about networks that are programmable and adaptable – Cisco’s own Silicon One custom chips are a big part of that story, because they mean Cisco can update these devices for new AI workloads via software without needing to build a new chip and device. This is a major competitive play and USP for Cisco.
Security in the AI Era: Zero Trust, Everywhere, All at Once
All the AI in the world won’t help your business if your network isn’t secure. Cisco used this to double down on its message that security must be woven into every layer of the network, especially as AI opens new frontiers (and potentially new threats). In the agentic AI era, Cisco said, attackers will leverage AI, meaning threats could become faster and more sophisticated. The answer? “Secure by design” infrastructure and a unified security architecture that can handle the scale of AI-fuelled operations.
As a result Cisco introduced a new network security blueprint anchored by what they call the Hybrid Mesh Firewall and Universal ZTNA (Zero Trust Network Access). They represent a concerted effort to integrate security across all users, devices, and applications more seamlessly including:
Hybrid Mesh Firewall: Announced earlier this year, Cisco’s next-gen firewall for the AI era acts as a distributed security fabric spanning your whole environment. It brings together Cisco’s own firewalls and even third-party firewall integrations into one cohesive system to enable zero-trust segmentation everywhere – from your data centre core, across clouds, out to branch offices and all the way to IoT devices at the edge. The goal is that every part of the network becomes a security enforcement point, tightly coordinated.
Universal ZTNA: Cisco’s Zero Trust Network Access solution, now branded “Universal” because it aims to cover any user or device, anywhere. Universal ZTNA provides secure, identity-based access to applications, whether users are on the corporate LAN, at home, or on a mobile device. It extends the zero-trust model to hard-to-manage endpoints and ensures a unified policy follows the user. For example, whether JimBob from accounting logs in from the office or from a coffee shop Wi-Fi, the system continuously verifies his identity and device posture before granting access to the finance app. The synergy here is that by integrating ZTNA and the distributed firewall, Cisco can tightly control user-to-app connections and even monitor the traffic between services, all under a zero-trust philosophy.
Beyond hardware, the cloud-based Cisco Security Cloud got enhancements to help secure those emerging AI workflows. Their platform can now better secure interactions involving AI agents, using tools like Cisco AI Defense (which monitors AI model operations for tampering or misuse) as part of a “Secure AI Factory” concept co-developed with NVIDIA.
Their integration of Splunk also got a mention, where they demonstrated deeper Cisco + Splunk integrations for security analytics – such as sending security events and network telemetry into Splunk’s SIEM and using Splunk’s AI-driven insights to automate responses via Cisco’s tools.
Webex: Smarter Meetings, AI Helpers, and Cameras with a Brain
Cisco also announced a series of Webex updates, with more AI coming into Webex in ways that aim to make meetings less of a chore and customer service more efficient.
Jira Workflow Automation in Webex: For native Webex meetings, this can listen for action items discussed in a meeting and automatically create Jira tickets for them. For example, if during a team call someone says “I’ll update the budget doc next week,” the AI will note that and generate a task in Jira (or Monday.com, Asana, whichever project tool you use) assigned to that person. It will even capture the context by attaching relevant portions of the meeting transcript or recording. Cisco touted that the integration can also update Jira tickets in real time if status changes are mentioned in meetings – so, if the team says “the server migration is completed,” the AI could move the Jira task to “done” and note the discussion. It’s like having a diligent virtual project manager in every meeting, so humans can focus on discussion rather than note-taking.
Webex AI Agent for Customer Self-Service: They announced enhancements to the Webex AI Agent to make it easier to deploy and more powerful. There is a new set of prebuilt, industry-specific templates – out-of-the-box chatbot templates tailored for industries like healthcare, finance, retail, etc. Instead of a generic bot that has to be trained from scratch, Cisco provides a starting knowledge base (e.g., a healthcare template might know common questions about insurance, appointments, privacy rules, etc.). This can significantly speed up creating a virtual agent and leads to more relevant answers since it’s contextually aware of the industry. Cisco are also enabling these AI agents and features for on-premises deployments.
Conclusion
Cisco is all-in on AI, not by making its own AI apps, but by supercharging the underlying tech that makes AI possible.
Cisco seem fully aware of the challenges businesses face with emerging technologies – whether it’s handling the flood of data and compute that AI workloads generate, securing a more complex threat landscape, or having a true end-to-end view of the user experience. Cisco is positioning itself as the enabler (and problem-solver) and has signalled it’s not sitting on the sidelines of the AI revolution.
The narrative of “One Cisco” came through strongly: networking, security, collaboration, cloud, and services all interlinking to form a complete platform for the AI era. Cisco is offering a very compelling toolkit for enterprises: blazing-fast hardware to move AI bits, smart software to manage it with minimal hassle, and built-in security every step of the way.
Cisco wants to be “the infrastructure company that powers AI” – the dependable partner under the hood while everyone chases AI magic. By unifying its platforms and injecting AI into network operations, Cisco is making a play to stay indispensable in this new era.
I had the pleasure of taking part in a podcast last week with some of my team, Microsoft and Westcoast. This was aimed at demystifying Copilot+ PCs, part of which got us into the tech trenches of security and sustainability, two of the main reasons organisations invest in Microsoft and Surface.
As such I thought I’d break out and do a spotlight on Microsoft’s Chip to Cloud Security approach.
Security is a critical consideration across any technology purchase and the laptops/tablets you buy should be no different. Whilst security can be layered on, it works best when it is built-in and part of what you buy. With Surface this is front and centre.
With cyber threats growing more sophisticated each day both at software and hardware layers, Microsoft has a bold and powerful stance: embedding security from chip design, supply chain, firmware/UEFI, Windows and of course the Cloud.
Microsoft Surface is more than a premium class device. Surface is a manifestation of Microsoft’s holistic, Zero Trust security philosophy. Secure by design and Secure by default.
Surface is also the only Windows OEM that controls and owns the entire security stack, from the hardware, to the Windows OS, to cloud security such as Defender.
Microsoft Surface Chip to Cloud Architecture.
Microsoft sets a compelling example of agile defense against emerging threats in what they term “From Chip to Cloud”.
What Does “Chip to Cloud” Mean?
At its core, “chip to cloud” is about ensuring security at every stage – from design, supply chains, the hardware integrated into the device to the operating system and finally, into the cloud where robust analytics and cloud defense form a huge part of the Surface blueprint (see above).
This approach means that when you first power on a Surface device, the user is protected. This starts at the hardware level and continues seamlessly into Windows, the software applications you run, and the cloud services you use.
The Microsoft Surface: A Manifestation of Microsoft’s Security Vision
Microsoft Surface is not just another OEM device. It is built by Microsoft at every level. Surface combines the very best of Microsoft’s technologies under one roof – Windows 11, Defender, and Microsoft 365 security to provide an enterprise-grade, secure experience.
Rather than being layered on, this is security by design: built in and baked into every layer, including the silicon. The commitment to Zero Trust is evident, as every layer, whether hardware, firmware, or software, works in concert to provide continuous protection.
Key Takeaways:
Zero Trust Architecture: Every access point, both physical and digital, is continuously verified.
Full-Stack Security Ownership: With Microsoft owning the entire security architecture, the Surface delivers a unified defense that spans the entire ecosystem.
In Windows 11, hardware and software work together to reduce the attack surface, protect system integrity, and safeguard valuable data. New and enhanced features are designed to be secure by default: running Win32 apps in isolation, token protection, passkeys, and Microsoft Intune Endpoint Privilege Management are just some of the latest capabilities helping to shield against attacks.
Windows Hello and Windows Hello for Business integrate with hardware-based features such as Trusted Platform Module (TPM) 2.0, biometric scanners, and Windows presence sensing to enable easier, more secure sign-on and protection of your data and credentials. Microsoft is also closer than ever to a passwordless future.
It Starts with Silicon – the Pluton Security Processor
The journey of security begins at the hardware layer, the silicon. Newer devices are built in collaboration with Intel, Qualcomm and AMD, ensuring that their internal architecture is as robust and secure as possible. Newer devices will also leverage Microsoft’s internally designed Pluton processor, which can act as the Trusted Platform Module (TPM) and hardware root of trust, further improving hardware-based security.
Pluton Processor Architecture (c) Microsoft
Microsoft Pluton security processor is a chip-to-cloud security technology built with Zero Trust principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem, which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem.
The way it works (simplified) is that when the system boots, Pluton hardware initialisation takes place by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage on the motherboard. During Windows 11 startup, the OS uses the latest available version of the Pluton firmware. If no newer firmware is available, Windows defaults to the version loaded during hardware initialisation. This diagram illustrates the process:
Pluton boot process in Windows 11 (c) Microsoft
Note: Microsoft Pluton is currently available on devices with AMD Ryzen® 6000, 7000, 8000, Ryzen AI and Qualcomm Snapdragon® 8cx Gen 3 and Snapdragon X series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2 and later.
Highlights of Pluton.
Secure by Design at the Chip Level: Even if one component is compromised, the Zero Trust framework ensures there is backup protection within the other layers, including during the manufacturing and supply chain process.
The Pluton Security Processor: Unlike traditional hardware security modules, Pluton is embedded right into the CPU. This integration provides hardware-based root of trust, secure identity, and cryptographic operations that are virtually immune to physical tampering. Such a design minimizes the risk of sensitive data extraction even when attackers try to bypass conventional boundaries.
Microsoft Pluton can be used as a TPM, or with a TPM. Although Pluton builds security directly into the CPU, Windows device manufacturers might choose to use discrete TPM as the default TPM, while having Pluton available to the system as a security processor for use cases beyond the TPM. Microsoft are adopting the latter for all new devices built. It’s also leveraged by the new Windows 365 Link Devices.
Preempting Advanced Threats: Learning from Spectre & Meltdown
Back in early 2018, vulnerabilities like Spectre and Meltdown demonstrated that even the most advanced processors could be exploited via speculative execution. Microsoft’s response was swift and agile:
Rapid Patch Deployment: Security updates were rolled out on the day of public disclosure, ensuring devices were immediately protected.
Agile Firmware Development: Microsoft built its own UEFI, reducing dependency on third-party providers. They even introduced memory-safe programming languages like Rust to minimise vulnerabilities from the start.
Holistic Integration: By leveraging its full-stack ownership, Microsoft coordinated an end-to-end defense – from patching the OS to reinforcing the hardware.
This agility and forward-thinking approach are core to maintaining trust in a world where new threats emerge on a daily basis.
Meanwhile, the March 2021 Security Signals report found that more than 80% of enterprises had experienced at least one firmware attack in the past two years.
OS and Cloud Defense: The Next Layers of Protection
Moving from hardware to software, Microsoft ensures that Surface devices benefit from Windows 11’s robust security features:
Operating System Security: Built-in features such as Windows Hello, TPM 2.0, and Secured-Core PC (with Pluton processors) protections safeguard the operating system, providing seamless defense as soon as the device boots up.
Cloud Integration: The cloud plays a critical role by delivering powerful analytics and AI-driven threat detection. Microsoft Defender continuously monitors devices and endpoints, ensuring that potential breaches are thwarted before they escalate.
Real-Time Intelligence: Integration with Microsoft 365 security tools like Microsoft Defender and cloud-based analytics means Surface devices receive continuous updates and proactive defenses regardless of where the device is located.
A Secure Ecosystem for the Future
What sets the Microsoft Surface apart is its integration into a broader ecosystem that is built from the ground up with security in mind. From hardware collaboration with Intel and silicon experts, the innovative use of the Pluton processor, to agile responses against threats like Spectre and Meltdown – all these measures come together in an environment where the chip is only the beginning. The real secret lies in how this interconnected world of Windows, Defender, and cloud-based intelligence creates a fortress that’s always one step ahead.
Microsoft Surface is not just the most secure Windows device you can buy; it is the entry point into a cohesive zero trust security architecture that works tirelessly to protect your data and your device, from hardware to the Windows OS, through Office apps and Microsoft 365 services, and of course Defender.
Conclusion
Secure by design and Secure by default. Microsoft Surface exemplifies this chip-to-cloud approach by combining robust hardware protection with powerful OS and cloud defenses. With Zero Trust principles woven into every layer, Surface devices are designed not only to meet today’s challenges but to anticipate tomorrow’s threats.
Microsoft Surface isn’t just “the most Secure Windows device” on the market, it is part of Microsoft’s wider secure ecosystem that enables security from Chip-to-Cloud.
With Windows 10 support ending in less than 5 months, I thought I’d talk a little about what Trusted Platform Module (TPM) is, its role in Windows 11, and how it fits into Microsoft’s Chip-to-Cloud security strategy, along with an explanation of Microsoft’s own Pluton processors.
Why? Well, before Microsoft made TPM a mandatory system requirement, few people paid attention to it, but now I get asked more and more “what is TPM?”. So here we go…
Introduction
Security in computing has never been more critical. As cyber threats evolve, Microsoft continues to adapt its proactive approach to securing Windows devices from the ground up. This is where Trusted Platform Module (TPM) and Pluton processors come into play, forming key components of Microsoft’s Chip-to-Cloud security strategy.
TPM 2.0 is the latest version of TPM; the previous version was TPM 1.2.
What is TPM?
TPM is a hardware-based security module designed to protect sensitive data, such as encryption keys, credentials, and system integrity measurements.
Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard.
It acts as a root of trust, ensuring that a device boots securely and remains protected against unauthorised access.
Why is TPM Required for Windows 11?
Microsoft made TPM 2.0 a requirement for Windows 11 to enhance security across all devices.
Today, we are announcing Windows 11 to raise security baselines with new hardware security requirements built-in that will give our customers the confidence that they are even more protected from the chip to the cloud on certified devices.
David Weston, Director of Enterprise and OS Security @ Microsoft
Here’s why it’s needed.
BitLocker encryption in Windows 11 (and earlier versions) enhances security by storing encryption keys in the Trusted Platform Module (TPM). When a user accesses their computer, these keys unlock the drive, ensuring seamless protection. Without the keys stored in TPM, attackers cannot decrypt the drive—such as the system drive—nor can they access the files on it.
TPM is needed because it provides and enforces:
Hardware-Based Protection: Unlike software-only security solutions, TPM is embedded in the hardware, making it resistant to malware and physical attacks.
Secure Boot & System Integrity: TPM ensures that the operating system loads securely, preventing unauthorized modifications.
Encryption & Authentication: Features like BitLocker and Windows Hello rely on TPM to securely store encryption keys and biometric data.
Defending Against Emerging Threats: With attackers increasingly targeting firmware and hardware vulnerabilities, TPM provides a trusted execution environment that mitigates these risks.
Microsoft’s Chip-to-Cloud Security Strategy
Microsoft’s Chip-to-Cloud approach is designed to integrate security at every level, from the silicon inside a device to cloud-based protections. TPM plays a crucial role in this strategy by ensuring that security starts at the hardware level.
Where does Pluton Fit in?
Pluton is Microsoft’s next-generation security processor, built directly into the CPU (the System on Chip, or SoC). Unlike traditional TPMs, which are separate chips, Pluton is integrated within the processor, making it even more resistant to attacks.
How Pluton Enhances Security
Eliminates Physical Attacks: Since Pluton is embedded within the CPU, attackers cannot extract sensitive data by physically removing or tampering with a separate TPM chip.
Continuous Security Updates: Pluton receives firmware updates directly from Microsoft via Windows Update, ensuring devices remain protected against evolving threats.
Improved Cryptographic Security: Pluton enhances encryption capabilities, making it harder for attackers to compromise sensitive data.
Is Pluton part of TPM then?
Yes, Pluton can function as a TPM. It implements the TPM 2.0 specification, so Windows features such as BitLocker, Windows Hello and System Guard can use Pluton for their keys and measurements.
Pluton also goes beyond TPM, offering additional security features that traditional TPMs cannot.
Pluton acts as the TPM in the new Surface Laptop and Pro released this month.
Conclusion
Microsoft’s Chip-to-Cloud security strategy ensures that Windows devices are protected at every level. TPM 2.0 provides a trusted foundation while Pluton takes security to the next level by integrating protection directly into the CPU. As cyber threats continue to evolve, these technologies will play a crucial role in safeguarding Windows devices.
Microsoft quietly announced yesterday that Microsoft 365 Business Premium customers (this is an SMB licence for customers with fewer than 300 seats) can now add the Microsoft 365 E5 Security suite as a bolt-on for just $12 per user per month.
This represents a saving of 57%
Why would I want the Microsoft 365 E5 Security add-on?
This add-on includes a heap of enterprise-grade E5 Security features previously available only as an add-on for Microsoft 365 E3 enterprise customers. It includes:
Microsoft Entra P2 (Identity protection, Risk Based Conditional Access, Secure Access etc)
Defender for Office Plan 2
Defender for Identity
Defender for Endpoints (Plan 2) with XDR
Defender for AI & Cloud Apps and
more.
This offers huge value for SMBs, bringing their security protection in line with what has previously only been included within Microsoft 365 E5, but at a fraction of the cost. The enhanced protection features in Entra P2 and Defender Plan 2 will be highly valuable for businesses looking to strengthen their security posture with best-in-class solutions, whilst reducing the reliance on multiple technologies and vendors, with integrated management across the rest of their Microsoft 365 security portal.
How do I get the Microsoft 365 Security Add-on
Simple – if you are a web-direct customer, you can add it via the Microsoft 365 admin centre. If you buy from a partner (Cloud Solution Provider) via NCE, speak to them for pricing or speak to us at https://www.cisilion.com.
The integration of artificial intelligence (AI) into enterprise environments has introduced new security concerns. As adoption of AI continues at a “cautious” pace, organisations must ensure the safety of the hundreds of AI apps that employees use (or try to use), sanctioned or unsanctioned, as well as any AI applications built or customised by the organisation. This touches data governance, exposure and leakage as well as compliance.
I have aimed to not only compare their key features, similarities, and differences, but also to look at how both offerings can indeed help organisations based on specific business scenarios and needs.
Cisco AI Defense
Overview
Due to be released in March 2025, Cisco’s new AI Defense works slightly differently to Microsoft’s offering and is focused on securing AI applications throughout their entire lifecycle. AI Defense integrates with Cisco’s extensive network infrastructure portfolio providing specialised AI security measures.
“Business and technology leaders can't afford to sacrifice safety for speed when embracing AI. In a dynamic landscape where competition is fierce, speed decides the winners. Fused into the fabric of the network, Cisco AI Defense combines the unique ability to detect and protect against threats when developing and accessing AI applications without tradeoffs.” Jeetu Patel | Exec VP | Cisco.
As it is not released yet, I have based this on the product release information I have read.
Cisco AI Defense focuses on two primary areas of protection.
Accessing AI applications: Cisco recognises that third-party AI applications can significantly boost productivity but may pose risks such as data leakage or malicious downloads. Cisco AI Defense is designed to give IT and SecOps full visibility into app usage and can enforce policies to ensure safe, secure access.
Building and running AI applications: Cisco acknowledges that developers require the freedom to innovate without worrying about vulnerabilities or safety issues in their AI models. AI Defense discovers your AI footprint, validates models to identify vulnerabilities, and applies guardrails to enforce security measures in real time across both public and private clouds.
Key Features
End-to-End Protection: Protects both the development and use of AI applications, ensuring safety and security throughout the AI lifecycle.
Network-Level Visibility: Leverages Cisco’s unmatched network visibility and control to detect and protect against threats.
AI Model and Application Validation: Identifies potential safety and security risks with automated vulnerability assessments.
Real-Time Protection: Offers robust real-time protection against adversarial attacks, including prompt injections, denial of service, and data leakage.
AI Cloud Visibility: Automatically inventories AI models and connected data sources across distributed environments.
Microsoft Defender for Cloud and AI
Overview
Microsoft Defender for Cloud and AI is designed to offer comprehensive security for AI applications and cloud services. Being a Microsoft product, it integrates seamlessly with Microsoft 365 and their wider cloud ecosystem, providing robust threat protection and security posture management. It also supports multi-cloud environments making it suitable for enterprise organisations.
Microsoft Defender for Cloud and AI’s primary protection areas are based upon:
Threat Protection and Security Posture Management: Microsoft Defender for Cloud and AI provides real-time threat protection for AI workloads and visibility into AI components, identifying vulnerabilities and offering built-in recommendations to strengthen security.
Integration and Continuous Monitoring: It integrates with Defender XDR for centralised alerts and continuous monitoring, ensuring security measures are enforced across hybrid and multicloud environments.
Key Features
AI Threat Protection: Provides real-time detection and mitigation of threats to generative AI applications, including data leakage, data poisoning, jailbreak attempts, and credential theft.
AI Security Posture Management: Continuous monitoring and management of the security posture of AI applications, with automated vulnerability discovery and remediation recommendations.
Cloud App Security: Protection for SaaS applications, offering visibility into cloud app usage and protection against threats.
Prompt Evidence: Includes suspicious segments from user prompts and model responses in security alerts.
Extended Detection and Response (XDR): Integration with Defender XDR to centralise AI workload alerts and correlate incidents for efficient incident management.
Integration with Microsoft Ecosystem: Seamlessly integrates with Azure, Microsoft 365, and other Microsoft security solutions and workloads.
Comparative Analysis
In short, both Microsoft and Cisco are providing products which complement their wider security portfolios to help customers better protect their organisations in the rapidly evolving world and adoption of AI technologies.
Similarities
AI Security: Both solutions focus on helping organisations secure AI applications and provide end-to-end visibility into their AI workloads.
Real-Time Threat Detection: Each offers real-time threat detection and protection, ensuring prompt identification and mitigation of security threats.
Integration with respective Ecosystems: Both solutions integrate with their respective broader security ecosystems (Cisco for Cisco products, Microsoft for Microsoft products).
Differences
Whilst both focus on security across the customer’s estate, with an emphasis on understanding, protecting against and keeping control of AI-based applications, there are some subtle but important differences.
Scopes of Use
Cisco AI Defense specialises more in securing AI applications throughout their lifecycle, including home-grown services, whereas Microsoft Defender for Cloud and AI is more focused on providing comprehensive security for both AI applications and SaaS applications.
Platform Integration
Cisco AI Defense provides deep integration with Cisco’s network infrastructure and other Cisco security products. Microsoft Defender for Cloud and AI integrates seamlessly with the wider Microsoft ecosystem, including Azure, Microsoft 365, Dynamics and Power Apps, as well as being part of the wider Microsoft security solutions.
Capabilities
Cisco AI Defense places a key emphasis on AI-specific security measures that include automated vulnerability assessments and real-time protection against adversarial attacks.
Whilst similar in approach, Microsoft Defender for Cloud and AI offers broader security features, including threat protection for both AI and cloud services, and integrates with Microsoft’s XDR for centralised incident management.
When to choose which?
When to choose Cisco AI Defense
Best For: Organisations with a significant focus on AI development and deployment, particularly those heavily invested in Cisco’s network infrastructure.
Primary Benefits: AI model validation, runtime protection, and extensive integration with Cisco’s network and security products.
When to Choose Microsoft Defender for Cloud and AI
Best For: Organisations utilising a mix of AI and SaaS applications, especially those heavily invested in the Microsoft ecosystem (Azure, Microsoft 365, etc.).
Primary Benefits: Comprehensive threat protection, tight integration with Microsoft 365, Azure, Dynamics 365 and existing Microsoft security solutions.
Case Scenario: Fictitious Enterprise Organisation
Customer Profile: “A large enterprise organisation with a complex infrastructure, several hundred applications (mainly SaaS) as well as in-house and hosted custom applications running in Public Cloud (Azure), mix of productivity tools (Microsoft 365), AI-powered assistants (Microsoft Copilot and Chat GPT), multi-campus network environment (Cisco Meraki), Cloud Voice (Microsoft Teams), Space Management Tools (Cisco Spaces) and network performance monitoring (Cisco ThousandEyes).
The organisation has and uses Microsoft 365 E5. They have a contact centre based on Cisco Webex and use Microsoft Teams Meeting Rooms with Cisco endpoints. User devices are a mix of Lenovo and Surface. They also use Cisco Duo. They have a Cisco EA.
They are in the middle of a Microsoft 365 Copilot pilot with around 20% of their organisation but are aware that some other departments may be using other shadow AI tools. They are also looking at building their own apps that will use a multitude of AI agents and connectors.”
Cisco AI Defense vs Microsoft Defender for Cloud and AI
Given the complex infrastructure and diverse applications of this large enterprise organisation, the differences, strengths and similarities of each really stand out. Appreciating this a “made up” organisation, you can see where and why each product has its strength and merits.
Microsoft Defender for Cloud and AI
Given the extensive use of Microsoft services and the presence of Microsoft 365 E5, Microsoft Defender for Cloud and AI is highly recommended. It offers comprehensive security coverage for both AI applications and SaaS applications, integrating seamlessly with the existing Microsoft ecosystem. The core services are also included within the Microsoft 365 E5 subscription.
Key Benefits:
Broad Threat Protection: Covers both AI applications and cloud services, ensuring robust security across the organization.
Integration with Microsoft Ecosystem: Seamless integration with Azure, Microsoft 365, and the organisations other Microsoft applications and security solutions.
Centralised Management: Facilitates centralised management and monitoring, improving operational efficiency.
Cisco AI Defense
Considering the organisation’s significant investment in Cisco networking solutions and the presence of Cisco Meraki, Cisco Spaces, and Cisco ThousandEyes, Cisco AI Defense is also recommended. It provides specialised AI security measures and integrates well with Cisco’s network infrastructure.
Key Benefits:
AI-Specific Security: Focuses on securing AI applications throughout their lifecycle, providing tailored protection.
Deep Integration with Cisco Infrastructure: Enhances overall network security by integrating with Cisco’s network and security products.
Real-Time Protection: Offers robust real-time protection against adversarial attacks, ensuring continuous integrity of AI operations.
Combined Approach
Given the organisation’s diverse IT infrastructure and the need for comprehensive security, a combined approach using both Microsoft Defender for Cloud and AI and Cisco AI Defense is advisable. This dual solution ensures that all aspects of the IT infrastructure are covered, from AI applications to cloud services and networking.
By leveraging both solutions, the organization can achieve a robust, integrated security framework that covers all their IT needs, ensuring comprehensive protection and efficient management.
Budget and Management Considerations
Budget: While using both solutions might seem costly, the investment is likely justified by the enhanced security and centralised management capabilities.
Management: Both solutions offer centralised management, making it easier to oversee and control security measures. The tools are managed across the respective product suites already in use within the organisation, minimising additional admin and SecOps overhead.
Conclusion
Cisco AI Defense and Microsoft Defender for Cloud and AI are both robust solutions tailored to different security needs and infrastructures. Understanding their strengths and integration capabilities allows organisations to make informed decisions, achieving comprehensive and integrated security frameworks.
Cisco AI Defense is new and will be available in March 2025, so please do let me know if I’ve missed anything obvious…
One of the concerns I often discuss with organisations is the fear that Copilot might surface sensitive information it should not have access to, because IT and compliance teams do not really know who has access to what. “Security through obscurity” is the phrase we often hear used.
The primary cause of this is the over-permissioning and sharing of files, which is a growing concern for organisations and one of the “blockers” often cited in Copilot Adoption.
The over-sharing problem
The ability to reason over employee data and shared organisational data is one of Microsoft 365 Copilot’s strengths over other Gen AI tools (which need feeding). The responses Copilot gives and the content it creates rely on the data the user already has access to across their organisation’s Microsoft 365 environment. And here often lies the problem: an organisation with low levels of data governance, no data classification and labelling, and high levels of over-sharing gives its IT and data compliance teams real cause for concern.
One of the reasons Copilot often has access to data that it “perhaps” shouldn’t is not a security flaw in Copilot or Microsoft 365, but that files or sites have been shared too widely and have no (or the wrong) privacy and sensitivity settings. Addressing this is no small task, since many organisations will have millions of files and tens of thousands of SharePoint and Teams sites.
Organisations, and even teams within organisations, often operate at various levels of maturity in governing SharePoint data. While some organisations strictly monitor permissions and oversharing of content, others do not. The situation is further complicated because many people, teams and organisations have “legitimate” reasons to share “some” data widely within the organisation. This can mean users in your organisation make choices that result in the oversharing of SharePoint content. For example:
Users may save critical files in locations accessible to a wider audience than intended.
Users may prefer sharing content with large groups rather than specific individuals.
Users might not pay close attention to permissions when uploading files.
Users may not understand how to use sensitivity labelling (if enabled) to control access.
Services such as Microsoft SharePoint and Microsoft Copilot for Microsoft 365 utilise all data to which individual users have at least View permissions, which might include broadly shared files that the user is unaware of. As a result, users might see these applications as exposing content that was overshared. Oversharing can lead to sensitive information being exposed to unintended recipients. Users, while well intentioned, might not always grasp the implications of their sharing choices. They might overlook permissions or opt for convenience over security.
As a result, it’s important to use the permission models in SharePoint to ensure the right users or groups have the right access to the right content within your organisation. The following sections describe the key steps that administrators can implement to configure their SharePoint permissions model to help prevent data oversharing.
Dealing with Oversharing
The good news is that Microsoft is adding new features to SharePoint and Purview to make it easier to see, understand and control over sharing across Microsoft 365 with a hope to help adoption efforts and wider roll out of Microsoft 365 Copilot. This includes new Data Security Posture Management (DSPM) and enhancements for Data Loss Prevention policies in Microsoft 365 Copilot, and SharePoint Advanced Management. These can help automate site access reviews at scale and add controls to restrict access to sites if they contain highly sensitive information.
Microsoft have also released a blueprint guide for organisations planning to or deploying Copilot. These are nicely tailored to adjust to those with mainly Microsoft 365 E3 and E5 licenses respectively.
These new tools, IMO, are going to be vital to help organisations understand and address oversharing so they feel more confident in their employees adopting AI tools like Microsoft 365 Copilot.
AI is really good at finding information, and it can surface more information than you would have expected. This is why it’s really important to address oversharing. Typically, these issues are a by-product of good collaboration, particularly across Teams, SharePoint sites and OneDrive.
Alex Pozin | Director of Product Marketing | Microsoft
From early 2025, Microsoft will make SharePoint Advanced Management (SAM) available at no extra cost to Microsoft 365 Copilot subscriptions. Outside of this, SharePoint Premium (which includes SAM) will be available at a cost of around $3 per user per month.
New Capabilities in SharePoint Advanced Management
There are also new features for SAM that Microsoft says will provide greater control over access to SharePoint files.
New permission state reports (available now) can identify “overshared” SharePoint sites. The site access review feature then provides an easy way to ask site owners to review and address permissions.
Restricted Content Discovery, which should start to roll out in public preview this month (December 2024), will allow IT admins to prevent Copilot from searching and processing data in specific sites for content and result generation. This does not prevent direct access to the site: users with permissions can still open the content directly as normal. This feature builds on SharePoint Restricted Access Control, released last year, which lets IT admins restrict access to specific sites to members of designated groups, while also preventing Copilot from indexing and summarising files in those sites.
One of the use cases for this is data locations containing information that must be confined to a set of people, such as financial reports, M&A planning and other confidential material. IT needs to be confident that these locations and files will not show up in SharePoint search and will be well out of the reach of Copilot or other AI tools, so that nobody can accidentally or unintentionally become aware of, see or access the content. This is where Restricted Content Discovery comes in: hiding this information from plain sight and from Copilot’s retrieval and indexing. Note the limit, though: RCD hides content from tenant-wide search and Copilot grounding but does not change who can open the site, so it complements fixing the permissions themselves rather than replacing it.
New Capabilities in Microsoft Purview
Microsoft are also adding new capabilities in Purview too. Purview is available as standalone or is part of Microsoft 365 E5.
Microsoft Purview is a centralised hub within Microsoft 365 that helps organisations meet regulatory and compliance requirements. It helps organisations manage their compliance obligations, protect sensitive data, and mitigate risks within their Microsoft 365 environment.
Here, there are new tools to help identify “overshared” files that Copilot can access. These include oversharing assessments for Microsoft 365 Copilot in the Data Security Posture Management (DSPM) tool, which is now in public preview (from December 2024) and can be accessed via the newly revamped Purview portal.
DSPM Portal in Microsoft Purview
The oversharing assessments are designed to highlight data that may present exposure risk by scanning files for sensitive data and identifying data repositories such as SharePoint and Teams sites where access permissions appear to be too wide and broad. The tool will also provide recommendations to admins and site owners for ways to mitigate oversharing risk, such as adding sensitivity labels or restricting access from SharePoint.
For example, DSPM can detect and help you deal with controlling ethical behaviour in AI use (the example shown is from a demo environment). For each recommendation, Microsoft provides a simple step-by-step “wizard” to help IT and compliance teams add policies.
Microsoft Purview Data Loss Prevention for Microsoft 365 Copilot, also in public preview, enables IT and security admins to create data loss prevention (DLP) policies that exclude certain documents from being processed by Copilot based on the file’s or site’s sensitivity label. This applies to files held in SharePoint and OneDrive, and can be scoped at other levels, such as group, site and user, to provide more flexibility around who can access what.
Insider Risk Management has also been updated to detect “risky AI usage”. This includes user prompts that contain sensitive information and attempts by users to access unauthorised sensitive information. What’s key to note here is that this feature is not limited to Microsoft 365 Copilot: it also covers Copilot Studio and ChatGPT Enterprise.
Oversharing Blue Prints
I really like this. Microsoft’s new blueprint resource pages on Microsoft Learn provide recommended approaches and guidance for organisations to help them understand, mitigate and manage oversharing during what they define as the three main stages of Microsoft 365 Copilot deployment.
Pilot [Pilot]
Wider Deployment [Deploy at Scale]
Organisational Rollout [Operate]
Microsoft provide two blueprint designs. A “foundational path” and what they call an “optimised path” that uses some of the more Microsoft 365 advanced data security and governance tools found in Microsoft 365 E5 subscriptions.
Is there funding available to help?
It depends – but most likely!
Microsoft has a Cyber Security Investment Program open to select specialist partners like Cisilion. This provides funded workshops, assessments and proof-of-value deployments across key security workloads, including Microsoft Purview, as well as structured Copilot pilot deployments and vision and value engagements.
Organisations should speak to their Microsoft Solutions Partner for more information. You can contact Cisilion here should you need to.
Conclusion
In many of the discussions I and my team at Cisilion have with customers, we see that almost all of the organisations we work with still have concerns over data governance in the realm of AI access. Of these, most expect Microsoft to help them address this, whilst some have already invested in third-party tools to help them get a “grip” on their data and sharing.
We have seen a plethora of customers invest/upgrade to high-tier Microsoft 365 plans (including E5 Security and Compliance) or full Microsoft 365 E5 in order to gain access to Microsoft Purview. Some argue these tools should be provided as part of their Copilot investment, so it is great to see Microsoft meeting customers in the middle and at least providing some of these tools as part of this license investment.
The issue is not Copilot per se; it is that Copilot, with its ability to access company data, is causing more organisations to double down and look at the existing issues they have of too many SharePoint sites, too much oversharing, orphaned data (data with no owner) and inadequate data classification and labelling.
By addressing security and data governance and leveraging the new tools available, this should at least solve one of the blockers to AI adoption.
The second is Adoption and Change Management – more on that in the next blog post!
This week at Microsoft Ignite 2024, Microsoft unveiled new features and controls for SharePoint and Purview, aimed at empowering IT teams and ensuring robust data protection and governance. These enhancements are part of Microsoft’s ongoing commitment to providing intelligent solutions that respect an organisations controls while driving productivity and efficiency. Oversharing of data is one of the most common causes of rogue data and poor data governance and one of the biggest blockers to wider AI adoption.
Microsoft offers two powerful tools to address this concern of oversharing: SharePoint Advanced Management for site management and content governance capabilities, and Microsoft Purview for security, compliance, and governance across data and files. Both have new capabilities and availability following announcements at Ignite in Chicago.
Advanced Management for SharePoint for Copilot.
To give IT teams even more control, Microsoft has said that SharePoint Advanced Management will be included at no additional charge for Copilot customers. There are also new and updated features coming.
Restricted Content Discovery (RCD) helps identify and manage content that is restricted or sensitive, ensuring that such content is not overshared within the organisation. It works by allowing SharePoint administrators to exclude specific SharePoint sites from organisation-wide search and Microsoft 365 Chat. Once configured, all content from the site is hidden from tenant-wide search and Microsoft 365 Chat by default for all users in the tenant, even users who have permissions on the site. Child content is hidden by default, but users can still search for content they have recently interacted with, including recently accessed and modified files, even if RCD is applied to the parent site. Searches originating from within the site itself are not affected. This will be available in public preview in December 2024 and generally available from March 2025.
Restricted Access Control (RAC) allows administrators to control and restrict access to specific sites or content within SharePoint, helping to prevent unauthorised access and oversharing of sensitive information. New AI content governance controls and insights will be available in early 2025.
Deployment Blueprint is a new resource that offers a structured approach to deploying Microsoft 365 Copilot while addressing the risks of information oversharing. It includes best practices, guidelines and tools to ensure that sensitive information is protected during the deployment process.
SharePoint Advanced Management will be Generally available in Q1 2025 and will allow IT to better govern access and usage of Copilot and agents, including controls over which users can use Copilot and agents, along with visibility into agent status and life cycle.
SharePoint Advanced Management will be included as standard for organisations with Microsoft 365 Copilot licenses.
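As an added worked example (not code from the original post or from Microsoft), the PowerShell below uses the SharePoint Online Management Shell to do what the RCD and RAC descriptions above, and the earlier post on oversharing, describe: list sites whose sharing settings or “Everyone” grants look too broad, then apply Restricted Content Discovery and Restricted Access Control to a site that holds sensitive material. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, a SharePoint Administrator account, and a SharePoint Advanced Management licence for RCD and RAC. The tenant URL, site URL and group ID are placeholders, and the “Everyone” claim-string patterns are what SharePoint uses today but should be verified against your own tenant.

```powershell
# Added example, not from the original post: find broadly shared SharePoint sites,
# then apply RCD (hide from tenant search and Copilot) and RAC (limit access to
# named Entra groups) to the ones that hold sensitive material.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# Claim strings SharePoint uses for its tenant-wide principals (assumption: verify in your tenant).
# "Everyone except external users" -> c:0-.f|rolemanager|spo-grid-all-users/<tenant id>
# "Everyone" (includes guests)      -> c:0(.s|true
$EveryonePatterns = @('c:0-.f|rolemanager|spo-grid-all-users/*', 'c:0(.s|true')

function Find-OversharedSites {
    # Returns sites whose external sharing setting is outside the allowed list, or
    # where an "Everyone" principal has been granted access to the site itself.
    param([string[]]$AllowedSharing = @('Disabled', 'ExistingExternalUserSharingOnly'))

    Get-SPOSite -Limit All -IncludePersonalSite:$false | ForEach-Object {
        $site = $_
        $everyone = Get-SPOUser -Site $site.Url -Limit All -ErrorAction SilentlyContinue |
            Where-Object {
                $login = $_.LoginName
                $EveryonePatterns | Where-Object { $login -like $_ }
            }
        $reasons = @()
        if ($site.SharingCapability -notin $AllowedSharing) { $reasons += "sharing=$($site.SharingCapability)" }
        if ($everyone) { $reasons += 'everyone-principal-granted' }
        if ($reasons) {
            [pscustomobject]@{ Url = $site.Url; Title = $site.Title; Reasons = ($reasons -join '; ') }
        }
    }
}

function Protect-SensitiveSite {
    # RCD removes the site from tenant-wide search and Copilot grounding but leaves
    # direct access unchanged. RAC blocks everyone outside the named groups even if
    # they already hold a permission or a sharing link, so use it for the sites that
    # must be confined to a known set of people.
    param(
        [Parameter(Mandatory)][string]$Url,
        [switch]$HideFromSearchAndCopilot,
        [string[]]$AllowedGroupIds          # Entra ID security / Microsoft 365 group object IDs
    )
    if ($HideFromSearchAndCopilot) {
        Set-SPOSite -Identity $Url -RestrictContentOrgWideSearch $true
    }
    if ($AllowedGroupIds) {
        # RAC must be enabled once at tenant level before it can be applied per site.
        Set-SPOTenant -EnableRestrictedAccessControl $true
        Set-SPOSite -Identity $Url -RestrictedAccessControl $true `
                    -RestrictedAccessControlGroups $AllowedGroupIds
    }
    Get-SPOSite -Identity $Url -Detailed |
        Select-Object Url, RestrictContentOrgWideSearch, RestrictedAccessControl
}

# Review the report first, then lock down only the sites that hold material such as
# the finance or M&A examples; both URL and group ID below are placeholders.
Find-OversharedSites | Format-Table -AutoSize
Protect-SensitiveSite -Url 'https://contoso.sharepoint.com/sites/MandA' `
    -HideFromSearchAndCopilot `
    -AllowedGroupIds @('00000000-0000-0000-0000-000000000000')
```

The report is deliberately coarse: a site that allows guest sharing or grants “Everyone except external users” is a candidate for review, not automatically a problem, which is why the lock-down step is a separate function you run per site after a site owner has confirmed the content warrants it.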
Purview
Data Loss Prevention: to provide additional protection, Microsoft Purview Data Loss Prevention (DLP) will soon be extended to support Microsoft 365 Copilot. DLP policies will be able to identify sensitive documents based on sensitivity labels and exclude them from processing in Microsoft 365 Copilot Business Chat. In preview from December.
Data Security Posture Management (DSPM) provides insights into the security posture of data within the organisation. It helps in identifying potential risks and vulnerabilities related to data oversharing and provides recommendations to mitigate these risks.
Risky AI Usage Detection is a new feature which can detect and alert admins about potentially risky usage of AI within the organization. It helps in preventing data leakage and unauthorised access by monitoring AI activities. This is now in public preview.
GenAI Risk Detections is another feature which focuses on detecting risks associated with the use of generative AI. It ensures that AI-generated content does not lead to oversharing of sensitive information or unauthorised access.
Measurement and Reporting with Copilot Analytics
To help IT and business leaders track adoption patterns and return on investment from the use of Copilot and agents, Microsoft is introducing Copilot Analytics.
This new feature includes out-of-the-box experiences to measure Copilot adoption and business impact, customisable reporting for deeper analysis.
The new Copilot Analytics. Microsoft Viva Insights will be included in Copilot at no additional charge as part of this new analytics suite.
How Microsoft partners can help
Cisilion, as your Copilot Jumpstart partner, will be incorporating these new features and controls into our guidance and briefing and expect Microsoft will rapidly be updating their official documentation and guidance.
The Copilot Pilot programme combines technical readiness with business guidance and comprehensive adoption and change management to ensure that your organisation receives the most up-to-date and comprehensive support in leveraging these advancements for optimal data protection and governance, whilst putting them into practice for a smooth and measurable pilot.
Conclusion
These new controls and features are designed to provide IT teams with the tools they need to govern access, usage, and reporting while ensuring data protection and governance. Microsoft is committed to helping organisations leverage the power of AI to drive productivity, efficiency, and security.
Microsoft is taking a significant step forward in enhancing the Windows Hello experience on Windows 11. This overhaul, now in beta testing for Windows Insiders, will bring a more intuitive and visually appealing interface for facial and fingerprint recognition and for passkeys.
New Windows Hello experience on Windows 11
Cleaner, More Intuitive UI
The revamped Windows Hello UI is designed to streamline the authentication process. Users will notice new iconography and visual changes that make switching between authentication options more intuitive. Whether you’re logging into your device or using passkeys for websites and apps, the experience is now more seamless and user-friendly.
Enhanced Passkey Integration
One of the standout features of this update is the improved passkey integration.
New passkey process in testing on Windows 11
Previously, using passkeys from a mobile device involved scanning QR codes and navigating an outdated UI. The new system simplifies this process, allowing for quicker and more secure authentication. Additionally, Microsoft has also introduced a new API for third-party password and passkey managers, enabling developers to integrate directly with the Windows Hello experience.
Future-Proofing Authentication
This update is not just about aesthetics; it’s about future-proofing authentication on Windows 11.
By supporting passkeys from mobile devices and enabling synchronisation with third-party apps, Microsoft is ensuring that users have a secure and efficient way to manage their credentials, and also allowing them to be seamlessly and securely added to your Microsoft Account.
The Windows security credential user experience for passkeys has been redesigned, creating a cleaner experience that supports secure and quick authentication. Users will now be able to switch between authentication options and select passkeys / devices more intuitively.
It is currently available to Windows Insiders in the Beta channel and will hopefully reach testers on the other Insider channels soon. This new Windows Hello experience is expected to roll out to all Windows 11 users in the coming months.
Are you looking forward to seeing new Windows Hello UI?
As Microsoft prepares to end support for Windows 10 on October 14, 2025, users have a critical decision to make. They must either migrate to Windows 11 or pay for extended security updates (ESU). Microsoft will offer distinct options for consumer (home) customers. They will also offer options for commercial customers who want or need to continue using Windows 10 after this date.
Consumer Pricing for ESU
We knew that commercial enterprises were going to have the “cost” option of paying for extended updates while they “complete” their migration / move to Windows 11, but for the first time in history Microsoft have also announced that consumers will have the option to purchase a single year of Extended Security Updates (ESU) for a one-off $30 (£25) cost.
Commercial Pricing for ESU
Pricing for commercial customers is tiered, with pricing set out at:
$61 per device per year for the first year,
$122 per device for the second year, and
$244 per device for the third year.
Organisations needing or wishing to pay for ESU for their devices for all 3 years will therefore incur a total cost of $427 per device.
Extended Security Updates: A Temporary Solution
Microsoft’s ESU programme will provide a lifeline for any organisation or consumer unable or unwilling to upgrade to Windows 11 before October 14th, 2025 (when Windows 10 enters end of support).
Bear in mind though that ESU updates cover security and zero-day fixes only. There will be no new features, bug fixes, or technical support included.
These are, of course, optional, but there are huge risks in continuing to use Windows 10 devices without protection from security exploits or newly discovered vulnerabilities.
This is especially true for commercial organisations, which would be left without protection from security and vulnerability updates.
The Risks of Running an Unsupported OS
Running an operating system without security updates poses significant risks, both for consumers and businesses including:
Increased Vulnerability to Cyber Attacks: Without regular security patches, systems become prime targets for hackers. Vulnerabilities that are discovered post-support will remain unpatched, leaving systems exposed to malware, ransomware, and other cyber threats.
Compliance Issues: For businesses, using unsupported software can lead to non-compliance with industry regulations and standards, which may result in hefty fines and legal repercussions. It can also affect security certifications such as Cyber Security and Cyber Security Plus, and it impacts trust from customers and business partners.
Operational Disruptions: Security breaches can cause significant downtime, disrupting business operations and leading to financial losses. For consumers, this could mean losing access to important personal data and services.
Higher Long-Term Costs: While the initial cost of ESU might seem manageable, the long-term financial impact of a security breach can be devastating.
The best approach is to start planning the move to Windows 11 now; there are just over eleven months to do this. For consumers, this could mean upgrading, or replacing their devices with ones capable of running Windows 11. Windows 11 was released and started shipping on new devices in 2021.
Will my device run Windows 11?
Microsoft have a useful website which shows the minimum system specifications for Windows 11.
In reality any device newer than 4-5 years old should have no problem running Windows 11, but in short, you need a device with at least:
Processor: 1 GHz or faster with a minimum of 2 cores.
RAM: 4 GB or more.
Storage: 64 GB or larger storage device (HDD / SSD) – you’ll want much more in reality.
System Firmware: UEFI, Secure Boot capable.
TPM: Trusted Platform Module (TPM) version 2.0 (this is important).
Graphics Card: Compatible with DirectX 12 or later with a WDDM 2.0 driver.
Display: High definition (720p), greater than 9” diagonally.
Tools to check compatibility
Another really easy way to check your device (if you are a consumer or want to check a couple of devices) is to use the PC Health Check app. This can be downloaded from https://aka.ms/GetPCHealthCheckApp if it’s not already installed on your Windows 10 device.
When you run the tool, you get one of three outcomes. If your device passes, you’ll see a “meets requirements” message; if it fails, you’ll receive a “doesn’t currently meet” message. Corporate devices may see a message stating that “your organisation manages updates”, in which case check with your IT department (though I suspect they are already on it!).
Commercial customers’ IT departments can easily check Windows 11 eligibility using Microsoft Intune or System Center.
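For anyone who wants to check a handful of machines without the PC Health Check app or Intune, the script below is an added example (not from the original post, and not Microsoft's tool) that tests a Windows 10 device against the minimums listed above using only built-in cmdlets and WMI classes. It assumes an elevated PowerShell prompt, since the TPM and Secure Boot queries need administrator rights. Graphics (DirectX 12 / WDDM 2.0) and the physical 9" diagonal are deliberately not checked, because neither is reliably readable from WMI; dxdiag remains the authoritative source for the graphics driver model.

```powershell
# Added example, not from the original post or from Microsoft: a scripted
# Windows 11 readiness check against the published minimums listed above.
# Run from an elevated PowerShell prompt on the Windows 10 device being assessed.

function Test-Win11Readiness {
    [CmdletBinding()]
    param()

    $checks = [ordered]@{}

    # Processor: 1 GHz or faster, at least 2 cores
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $checks['CPU >= 1 GHz, >= 2 cores'] = ($cpu.MaxClockSpeed -ge 1000) -and ($cpu.NumberOfCores -ge 2)

    # RAM: 4 GB or more (firmware reserves a little, so round to the nearest GB)
    $ramBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    $checks['RAM >= 4 GB'] = [math]::Round($ramBytes / 1GB) -ge 4

    # Storage: the system drive must be 64 GB or larger
    $sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $checks['System drive >= 64 GB'] = ($sysDisk.Size / 1GB) -ge 64

    # Firmware: Confirm-SecureBootUEFI succeeds only on UEFI firmware and throws on
    # legacy BIOS. Its return value says whether Secure Boot is currently switched on;
    # the requirement is only that the firmware is Secure Boot capable.
    $secureBootOn = $false
    try {
        $secureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $checks['UEFI firmware (Secure Boot capable)'] = $true
    } catch {
        $checks['UEFI firmware (Secure Boot capable)'] = $false
    }

    # TPM 2.0: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38" on a TPM 2.0 part
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $checks['TPM 2.0 present and enabled'] = ($null -ne $tpm) -and $tpm.IsEnabled_InitialValue -and ($tpm.SpecVersion -like '2.0*')

    # Display: at least 720p on the primary adapter (the 9" diagonal cannot be read from WMI)
    $gpu = Get-CimInstance -ClassName Win32_VideoController | Select-Object -First 1
    $checks['Display >= 1280x720'] = ($gpu.CurrentHorizontalResolution -ge 1280) -and ($gpu.CurrentVerticalResolution -ge 720)

    # Overall verdict: every required check must be $true
    [PSCustomObject]@{
        Computer       = $env:COMPUTERNAME
        Ready          = -not ($checks.Values -contains $false)
        SecureBootOn   = $secureBootOn   # informational; not part of the verdict
        Checks         = $checks
    }
}

$report = Test-Win11Readiness
$report.Checks.GetEnumerator() | Format-Table -AutoSize
"Windows 11 ready: $($report.Ready) (Secure Boot currently on: $($report.SecureBootOn))"
```

A device that fails only the TPM check is worth a second look before it is written off: on many business PCs from the last few years the TPM (or the firmware TPM) is simply disabled in the UEFI setup, which is a settings change rather than a hardware replacement.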
Conclusion
The decision to stick with Windows 10 and not migrate to Windows 11 should not be taken lightly. While ESU provides a temporary solution, the risks associated with running an unsupported OS far outweigh the benefits.
The risks of not updating (or paying for extended security updates) are too high. Staying on Windows 10 is only acceptable if your device is never connected to the internet, and even then you should avoid using external sources such as USB devices.
Upgrading to Windows 11 ensures continued security. It also provides access to the latest features and support. This makes it a wise investment for both consumers and businesses.
Q&A
What about my anti-virus applications? In reality these will still work, as will any application you are running on your machine. You will need to check with the antivirus provider that they will still support Windows 10, but as long as they do and you pay their subscription, it shouldn’t impact anti-virus signature updates.
What about other software like Office Apps? Well Office 2016 and Office 2019 also go end of support in October 2025. You’ll need to upgrade these too if you want to get feature updates and security updates and fixes. You will likely find other software vendors like Adobe will also stop supporting Windows 10 (as many did with Windows 7). You’ll need to check with the software provider.
Can I upgrade the hardware in my device to get compliant? That is also an option. After running the compatibility checker, you may find that upgrading your hard drive, adding more memory or swapping other components may “get your device compliant”. In most cases this isn’t cost effective.
The EU AI Act, effective from August 2024, regulates AI systems within the EU, categorising them into prohibited, high-risk, and limited or minimal risk. Microsoft is committed to compliance through tools like Purview Compliance Manager, continuous monitoring, data privacy measures, bias mitigation, and transparency initiatives.
Understanding the EU AI Act
The EU AI Act, effective from August 2024, is a comprehensive regulation designed to govern the development, deployment, and use of AI systems within the European Union. It categorises AI systems into three risk levels: prohibited, high-risk, and limited or minimal risk.
Prohibited AI Systems: These are AI applications that pose unacceptable risks, such as those that manipulate human behavior or exploit vulnerabilities of specific groups. Organisations must decommission such systems by February 2025.
High-Risk AI Systems: These include applications used in biometric identification, critical infrastructure, education, and law enforcement. High-risk systems are permitted but must undergo stringent compliance checks, including conformity assessments by accredited third parties or through self-assessment.
Limited or Minimal Risk AI Systems: These cover applications like chatbots and AI-generated content, which are generally permitted but require transparency and informed consent from users.
Key Challenges in AI Compliance
Organisations will likely face several challenges in navigating AI compliance:
Ensuring Continuous Compliance: AI regulations are dynamic, and organisations must continuously update their systems to remain compliant. This involves tracking regulatory changes and implementing necessary updates promptly.
Managing Data and Privacy: AI systems often process vast amounts of data, including sensitive information. Ensuring that AI applications do not inadvertently access or misuse sensitive data is a significant concern.
Addressing Bias and Inaccuracy: AI systems must be trained on diverse and representative data sets to avoid biases. Inaccurate or biased AI outputs can lead to ethical and legal issues.
Maintaining Transparency: Organisations must ensure that their AI systems operate transparently, providing clear information on how data is used and decisions are made.
Microsoft’s Commitment to AI Compliance
Microsoft is at the forefront of ensuring AI compliance and ethical use. Here are some key initiatives and tools that demonstrate Microsoft’s commitment:
Purview Compliance Manager: Part of the Microsoft Purview family, this tool helps organizations manage compliance with various regulations, including the EU AI Act. It offers templates for different regulatory requirements, enabling organizations to streamline their compliance processes.
Continuous Monitoring and Updates: Microsoft ensures that its AI applications, such as Microsoft 365 Copilot, are continuously monitored and updated to comply with evolving regulations. This proactive approach helps organisations stay ahead of compliance requirements.
Data Privacy and Security: Microsoft emphasizes robust data privacy and security measures. AI applications are designed to prevent unauthorised access to sensitive data, and tools like Data Loss Prevention (DLP) policies help safeguard information.
Bias Mitigation: Microsoft is committed to reducing bias in AI systems. By using diverse data sets and implementing rigorous testing protocols, Microsoft aims to ensure that its AI applications provide fair and accurate results.
Transparency and Accountability: Microsoft promotes transparency in AI operations. Users are informed about how their data is used, and AI systems are designed to provide clear explanations for their decisions.
Conclusion
The EU AI Act represents a significant step towards ensuring the ethical and responsible use of AI. As organisations navigate this complex regulatory landscape, Microsoft’s tools and initiatives provide valuable support in achieving compliance. By prioritising continuous monitoring, data privacy, bias mitigation, and transparency, Microsoft is helping organisations harness the power of AI while adhering to the highest standards of ethical conduct.
What organisations can do
As we move forward in this AI-driven future, it’s crucial for every organisation large and small, private and public to stay informed and proactive about regulatory compliance in this space.
If you are invested in Microsoft Technology, be that Microsoft 365 or Azure, ensure to further explore Microsoft’s extensive and comprehensive suite of tools and resources to ensure your organisation and AI connected systems are not only compliant but also ethical and transparent.
Microsoft is building new Windows security features to prevent another CrowdStrike incident, and is in talks to allow it to do more to protect the core of its OS, to prevent outages and widespread impact like the CrowdStrike incident, which impacted more than 8.5 million devices and is estimated to have caused more than $10b in financial impact.
Fighting against the anti-monopoly commissions.
In an ideal world, Microsoft would have the right to protect their core kernel code and prevent any third parties interfering with or accessing it.
Today, however, the law prevents them from doing this, to ensure they adhere to the anti-monopoly and anti-competition laws in many parts of the globe. Instead, Microsoft are doing all they can to further harden security around the kernel and Windows security in general.
Their goal is of course to find a compromise that protects Windows from software issues caused by security vendors and ensures OS integrity, without killing third-party security vendors, by avoiding their need for kernel-level access in the first place.
Enhancing Security without Kernel Access
Since July, Microsoft has been in talks with leading security vendors, including CrowdStrike, Broadcom and Sophos, to develop a new security platform in Windows that still allows security vendors to do their thing, but without Microsoft having to expose full kernel access.
Then last week (September 10th, 2024), Microsoft, CrowdStrike, and many other security partners who provide endpoint security technologies got together to discuss ways to boost resiliency and protect our mutual customers’ critical infrastructure. Aidan Marcuss, Corporate VP of Microsoft Windows and Devices, said “Our objective is to discuss concrete steps we will all take to improve security and resiliency for our joint customers.”
The goal is to prevent incidents similar to the CrowdStrike outage and enhance the overall security framework of Windows without monopolising the endpoint and XDR markets.
Benefits to Consumers
For everyday users, this promises a more secure and stable computing experience in a world where attacks on identity and data theft are increasing at pace. By further reducing the risk of security breaches and system outages, whilst reducing the risk of third-party apps and services causing system failures, Microsoft is ensuring that consumers continue to trust them to protect their personal data and maintain smooth operation. Enhanced security measures mean fewer disruptions and a safer online environment, which is crucial in an era where cyber threats are increasingly sophisticated.
Benefits to Business Users
Commercial/business users would of course gain significantly from these new security measures. With sensitive corporate data and identity consistency at risk from attack or breach, Microsoft’s enhanced security framework will provide businesses with greater peace of mind and further increase the trust they already place in Microsoft to protect their data, applications and emails.
Of course, reduced risk of breaches and downtime caused by third-party apps and services also translates to increased choice (without fear), and lower costs associated with security incidents and system outages.
Whilst this should enable businesses to focus more on their core operations, knowing that their IT infrastructure is robust and secure, it doesn’t remove the need for full business continuity planning.
Microsoft’s Perspective and Benefit
For Microsoft, this move is a strategic step to reinforce its commitment to security and reliability. Arguably, Microsoft is the biggest security company in the world and with over a billion devices running the Windows operating system, they have a duty to continue to protect their products from outages caused by, well things out of their control, such as the CrowdStrike update fail!
By working closely with security vendors and regulatory bodies, Microsoft is not only positioning itself as a leader in the cybersecurity space, but also as a partner that works with its software houses (ISVs) and customers to ensure they still have choice over the aspects of Windows they use (or subscribe to) and the third-party vendors they choose to work with.
So what about the third party security vendors then?
Security vendors like CrowdStrike, Broadcom, Sophos, Cisco, and Trend Micro also benefit from this collaboration by being part of a more secure and standardised platform. This partnership allows them to continue to innovate and develop advanced security solutions without the complexities and risks associated with kernel access. It also means they will continue to get support and help from Microsoft (as an ISV partner) in developing and supporting their products.
Potential Concerns and Regulatory Involvement
Naturally, there are concerns about potential monopolistic practices. Vendors (and those less involved in the initiative) may fear that Microsoft might restrict kernel access for third-party products while retaining it for its own, which could limit their ability to compete effectively, pushing customers to jump ship and just adopt Microsoft security products and services.
To address such concerns and ensure transparency, Microsoft has involved US and European government officials in discussions. This move is aimed at addressing regulatory concerns and demonstrating Microsoft’s commitment to a fair and secure computing environment. While the initiative is largely seen as positive, it is crucial for Microsoft to maintain an open and competitive landscape for all security vendors.
Conclusion
Microsoft’s new security measures would represent a significant step towards a safer Windows environment. By working closely with security vendors and involving regulatory bodies, Microsoft is striving to create a secure and fair platform for all users, making kernel access more controlled than it is today. This promises numerous benefits for consumers, business users, and security vendors alike, while also addressing potential concerns about competition and transparency.
Read more: The Register has also covered this story in depth if you want to read more here.
I run a monthly fireside chat panel discussion with IT and Business leaders from a handful of our Cisilion customers. Today, we talked about the outage and reflected on whether, how and what we, the industry and our vendors need to do to minimise/prevent this vast impact happening again.
If you missed the "show" - you can watch it below.
September 2024 – Cisilion Fireside Chat
In our September 2024 fireside chat, our panel and I delved into the significant impact of, and lessons that can be learned from, the CrowdStrike outage in July, which is estimated to have cost more than $10B US and affected more than 8.5 million Windows devices when CrowdStrike distributed a faulty configuration update for its Falcon sensor software running on Windows PCs and servers.
This update featured a “modification” to a configuration file responsible for screening named pipes (Channel File 291). The faulty update caused an out-of-bounds memory read in the Windows sensor client that resulted in an invalid page fault, causing machines to either enter a boot loop or boot into recovery mode.
Today’s fireside chat conversation covered a range of topics, from the immediate effects of the outage to long-term strategies for enhancing cybersecurity resilience.
The Immediate Impact of the CrowdStrike Outage
The panel began by addressing the widespread disruption caused by the CrowdStrike outage. We discussed the outage’s extensive reach, affecting millions of devices and various sectors, including healthcare, finance, and transportation. In my intro to the episode, I mentioned that “It was really hard to believe…such a small relatively trivial and small update could impact so many people, devices and organisations“. This set the stage for a deeper exploration of the outage’s implications on cybersecurity practices.
As we kicked off, I praised the collaboration between Microsoft and CrowdStrike in addressing the outage. He mentioned that despite initial blame-shifting in the media, there was a concerted effort to resolve the issue, showcasing the importance of vendor cooperation in crisis management. The panel in short didn’t think there was much more Microsoft could have done – the key was updates and openness, which is so critical in a global issue like this, as people and businesses need updates and answers as well as help in restoring systems, which both Microsoft and CrowdStrike did in droves.
Vendor Reliance and Preparedness
Ken Dickie (Chief Information and Transformation Officer at Leathwaite) emphasised the importance of incident management and the world’s reliance on third-party and cloud providers. He shared his insights into the challenges of controlling the fix and the revelation of technology’s utility nature to leadership teams, stating that it can be hard to explain to “IT” “how little control we had over the actual fix“. Matthew Wallbridge (Chief Digital and Information Officer at Hillingdon Council) echoed the sentiment, stressing the need for preparedness and the role of people in cybersecurity, stating, “It’s less about the technology, it’s more about people.”
Supply Chain Risks
Matthew raised concerns about supply chain risks, highlighting recent attacks on media and the need for better understanding and mitigation strategies. This part of the discussion underscored the interconnected nature of cybersecurity and the potential vulnerabilities within the supply chain.
Goher Mohammed (Group Head of InfoSec at L&Q Group) mentioned the impact on their ITSM due to vendor reliance in the supply chain, which degraded their service, emphasising the need for resilience and contingency plans. This led to further discussion about how important supply chain validation is in our security and disaster recovery planning and co-ordination. Matt talked frequently about “control the controllable”, but ask the right questions of the ones (vendors) you can’t control. Goher said that whilst L&Q were not directly affected, they did experience “degraded service due to supply chain impacts“, emphasising the need for resilience and contingency plans and a review of those of their supply chain(s).
Resilience and Disaster Recovery Planning
The conversation then shifted to strategies for enhancing resilience. Here I discussed how we at Cisilion are revisiting our own disaster recovery plans to include scenarios like the CrowdStrike outage.
We discussed a lot about the cost of resilience and that there is a “limit” to what you can mitigate against before the cost skyrockets out of control with very little reduction in risk. It was agreed there are many things that can’t “easily” be mitigated in this particular scenario, but that we can be better prepared.
The panel talked about various strategies that “could be considered” including recovering to “on-prem”, re-visiting the considerations around multi-cloud strategies and the potential benefits of edge computing in mitigating risks associated with device reliance.
We also discussed whether leveraging technologies such as Cloud PCs, and Virtual Desktops have a part to play in recovery and preparation as well as whether using Bring Your Own Devices would/could/should be a bigger part of our IT and desktop strategy, along with, of course SASE technology to secure access.
Goher advised “do a real audit, understand the most critical assets, the impact they have further down the line and whether there is more that can be done to mitigate against outage/failure/issue“. This led us into an interesting side discussion around Secure Access Service Edge (SASE) – emphasising the “importance of not relying on trusted devices alone”.
The Human Aspect of IT Incidents
David Maskell (Head of IT and Information Security at Thatcham Research) brought a crucial perspective to the discussion, focusing on the human aspect of IT incidents. He reminded the audience of the importance of supporting IT teams during crises, highlighting the stress and pressure they face. The panel agreed with David, all of whom emphasised the importance of ensuring teams are looked after, highlighting the human aspect of managing IT incidents especially when things are not directly controllable (such with Cloud outages) and the need for good, solid communications to the business.
Ken also reflected on leadership’s reaction to the outage, emphasising the “gap in understanding the reliance on technology” that many business leaders (especially those not from a techy background) have. The days of “it’s with IT to fix” are clearly not as simple as they once were!
Conclusion: The Path Forward
As we concluded the discussion, the panel reflected on the lessons and tips to offer viewers, each other and the industry.
In general the guidance across the panel was around:
The importance of regular security reviews, external audits, and business continuity testing.
The need to adopt a proactive stance around cyber security and technology outages, ensuring that teams are prepared (running testing and attack/outage simulations).
Ask more questions of your supply chains – they may be your weakest link. Are they secure, and are their recovery plans robust?
Map your critical systems and know the impact of an outage. What is the continuity plan? If devices are affected, how can people access your technology? Look at Cloud PCs (such as Windows 365), and whether you can support the use of personal devices (look at SASE technologies such as Cisco Secure Connect).
Review your technology dependencies. It’s not necessarily about multi-vendor, but this might be a consideration – even for backup.
In summary, the CrowdStrike outage serves as a stark reminder of the vulnerabilities inherent in our reliance on technology and the critical need for comprehensive cybersecurity strategies.
We have seen a social media frenzy this morning following a triple whammy of issues impacting Azure Virtual Machines (running Windows 10 and Server 2016) and Windows devices across hundreds of organisations, where Windows 10 devices and servers running older versions are rebooting to the Windows Recovery screen.
19/7/24 11:00am: The impacts of the issue are still on-going, although the root cause is known and CrowdStrike are working with Microsoft on getting a patch out.
19/7/24 15:00: CrowdStrike have updated their sites to take accountability for the issue (Microsoft still helping) that has impacted devices due to a “bug” in their software update which caused the BSOD. They have pulled and fixed the update and are working with their customers to remediate the impact. Microsoft have also offered guidance on what can be done to reverse the issue – links to this below.
29/7/2024 18.00: this is not a Microsoft problem (yet I imagine they will be blamed), but it affected millions of Windows systems. Read to the bottom to see why.
Summary
Since the early hours of the morning, several media companies, airlines, transport companies, tech companies, and schools / universities have been reporting a blue screen (actually a safety/recovery screen) issue on Windows 10.
The issue is impacting Windows 10 devices that are using the CrowdStrike Falcon agent – their flagship Extended Detection and Response (XDR) security platform.
Impacted devices are crashing following this Falcon client update and then getting stuck at the “Recovery” screen due to a critical system driver failure that is preventing the device from starting back up.
CrowdStrike and Microsoft are actively working on a permanent fix; workarounds are available, which require manually preventing this service from starting on affected devices.
The issue is not known to be affecting devices running Windows 11 and Server 2019 and beyond.
What is CrowdStrike?
CrowdStrike, a cybersecurity firm based in the US, assists organisations in securing their IT environments, which encompasses all internet-connected resources.
Their mission is to “safeguard businesses from data breaches, ransomware, and cyberattacks” and they position themselves as having leading offerings that compete with other vendors including Microsoft themselves, SentinelOne, and Palo Alto Networks. Their client base is extensive and includes legal, banking, finance, travel firms, airlines, educational institutions, and retail customers.
A key offering from CrowdStrike is their Falcon XDR tool, touted on their website for delivering “real-time indicators of attack, hyper-accurate detection, and automated protection” against cybersecurity threats.
Root Cause
Information available from CrowdStrike and Microsoft states that the issue is caused by a “faulty” version of the csagent.sys file, which is a key system start-up file needed by CrowdStrike’s new sensor update for their Falcon Sensor agent. It is this file that has been responsible for the BSOD errors on Windows 11 and many servers running older Windows Server OS in private and public data centres such as Microsoft Azure.
George Kurtz, the CEO of the global cybersecurity firm CrowdStrike, stated that the issues were due to a “defect” in a “content update” for Microsoft Windows devices.
“The issue has been identified, isolated, and a fix has been deployed,” he said, as he clarified that the problems did not impact operating systems other than Windows 10 and Windows Server 2016 and older, and also emphasised, “This is not a security incident or cyber-attack.”
Impact
Windows 10 devices are primarily affected.
Devices running Windows Server 2016 and older in Azure are also impacted if they run the CrowdStrike Falcon agent.
Limited/less impact on devices running Windows 11 or Windows 2019 and later.
Note: Windows 10 enters end of support in October 2025.
Is there a fix?
Updated: 21/7/2024: Microsoft have updated their guidance and provided additional support for fixing these issues using managed devices via Intune. This can be found here.
The formal advice if this issue is affecting your organisation is to contact your CrowdStrike Support representative – CrowdStrike and Microsoft are actively working to address the issue both as a response to the issue and preventative to ensure more devices are not impacted.
Since the issue is known to be caused by the csagent.sys file, there are ways to manually prevent this file being loaded, allowing the device to boot. There are a couple of ways to do this.
Use Safe Mode and delete the affected file:
Boot the device to Safe Mode.
Open Command Prompt and navigate to the CrowdStrike directory, which should be C:\Windows\System32\drivers\CrowdStrike.
Locate the file matching the pattern C-00000291.sys* – you can find it using a wildcard: dir C-00000291*.sys.
Remove or rename the file.
Use Registry Editor to block the CrowdStrike CSAgent service:
Boot to Safe Mode
Open Windows Registry Editor.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent
Change the Start value to 4 to disable the service.
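For IT teams that have to repeat the two manual workarounds above across many machines, here is a scripted version as an added example. It is not from the original post and is not CrowdStrike's or Microsoft's remediation tooling; it assumes an elevated PowerShell prompt after booting into Safe Mode, the driver directory and file pattern named in the steps above, and the CSAgent service key named above. Both functions honour -WhatIf, so the actions can be previewed before anything changes, and the file is renamed rather than deleted so the change stays reversible.

```powershell
# Added example, not from the original post or from CrowdStrike/Microsoft guidance:
# a scripted form of the two manual workarounds described above. Run from an
# elevated PowerShell prompt after booting the device into Safe Mode.

function Rename-FalconChannelFile291 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Driver directory named in the guidance above; override if the sensor lives elsewhere
        [string]$DriverDir = 'C:\Windows\System32\drivers\CrowdStrike',
        # File pattern named in the guidance above (Channel File 291)
        [string]$Pattern   = 'C-00000291*.sys'
    )

    if (-not (Test-Path -LiteralPath $DriverDir -PathType Container)) {
        Write-Warning "$DriverDir not found; the Falcon sensor may not be installed on this device."
        return @()
    }

    $found = @(Get-ChildItem -LiteralPath $DriverDir -Filter $Pattern -File)
    if ($found.Count -eq 0) {
        Write-Host "No file matching $Pattern in $DriverDir; nothing to do."
        return @()
    }

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $renamed = foreach ($file in $found) {
        # Rename rather than delete so support staff can reverse the change later
        $newName = "$($file.Name).bak-$stamp"
        if ($PSCmdlet.ShouldProcess($file.FullName, "Rename to $newName")) {
            Rename-Item -LiteralPath $file.FullName -NewName $newName
            Join-Path -Path $DriverDir -ChildPath $newName
        }
    }
    return @($renamed)
}

function Disable-CSAgentStart {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Service key named in the guidance above
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent',
        # Where the previous Start value is recorded so the service can be re-enabled later
        [string]$LogPath = "$env:SystemDrive\csagent-start-before.txt"
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Warning "$KeyPath not found; the CSAgent service is not registered on this device."
        return $null
    }

    $before = (Get-ItemProperty -LiteralPath $KeyPath -Name Start).Start
    if ($PSCmdlet.ShouldProcess($KeyPath, 'Set Start = 4 (SERVICE_DISABLED)')) {
        "$(Get-Date -Format o) CSAgent Start was $before" | Add-Content -Path $LogPath
        # 4 = SERVICE_DISABLED, as in the manual registry step above
        Set-ItemProperty -LiteralPath $KeyPath -Name Start -Value 4 -Type DWord
    }
    return (Get-ItemProperty -LiteralPath $KeyPath -Name Start).Start
}

# Preview, then apply, the file-rename workaround:
# Rename-FalconChannelFile291 -WhatIf
# Rename-FalconChannelFile291
# Or, instead, the registry workaround:
# Disable-CSAgentStart -WhatIf
# Disable-CSAgentStart
```

Pick one workaround, not both: renaming the channel file lets the sensor come back up as soon as CrowdStrike ships a corrected file, whereas disabling the service leaves the endpoint without its XDR coverage until someone restores the logged Start value, which is why the script writes that value down before changing it.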
Dan Card, of BCS, The Chartered Institute for IT and a cyber security expert said: “People should remain calm whilst organisations respond to this global issue. It’s affecting a very wide range of services from banks to stores to air travel.“
He also said that whilst the cause is now known, it is still causing worldwide issues and impacts on consumer services, banking, healthcare and travel and will take some time to remediate.
“Companies should make sure their IT teams are well supported as it will be a difficult and highly stressful weekend for them as they help customers of all kinds. People often forget the people that are running around fixing things.”
Conclusion
CrowdStrike has acknowledged the issue and identified the cause. Users can follow the above steps to get past the recovery screen and boot their PCs normally.
CrowdStrike and Microsoft worked tirelessly to resolve this issue and prevent further widespread impact.
CrowdStrike’s CEO, George Kurtz, said: “The issue has been identified, isolated, and a fix has been deployed.” He clarified that only Windows hosts were affected, with Mac and Linux hosts not impacted, and emphasised: “This is not a security incident or cyber-attack.”
Whether a given Windows device was hit depended on whether its sensor downloaded the faulty channel file during the short window in which it was being served, not on which Windows version it runs; devices that were offline during that window were unaffected.
How did Microsoft allow this to happen?
Many people are asking why Microsoft is shifting blame to CrowdStrike (who have admitted fault) and how Microsoft allowed this to happen at all.
In short, it is not Microsoft’s fault, and there was little they could have done to prevent it. Here is why.
Many security products, such as the XDR agents made by CrowdStrike, Palo Alto and even Microsoft’s own Defender, are what are known as “kernel mode” products. Although this incident affected Windows, the same kind of bad content update could equally have taken down Linux hosts, where the Falcon sensor can also run as a kernel module (the April Debian and Rocky Linux crashes described below are exactly that). On modern macOS, Apple requires third-party security products to use its user-mode Endpoint Security framework rather than kernel extensions, which limits the blast radius of a faulty update there.
In an ideal world every application and service would run in user mode rather than kernel mode, but many security and AV products have a legitimate need to observe the lowest levels of the OS in order to detect attacks. That is not possible from user mode, because the kernel is protected from it.
The crash itself was a genuine bug check, i.e. a Blue Screen of Death, raised because a kernel-mode driver faulted. What most people then saw was the blue Windows Recovery screen: because the fault occurred on every boot, the device looped until Windows offered its recovery environment, which is the OS safety net for exactly this situation.
As such, there is not much more Microsoft can do here. These are third-party drivers that Microsoft does not develop, manage or update. Microsoft does certify and sign the driver binary itself through WHQL, but the channel files are content updates consumed by that driver, not code that Microsoft ever sees. If Microsoft were to manually vet every update and change to every third-party application, it would be accused of controlling the platform and the industry would object loudly.
Microsoft also cannot legally wall off its operating system in the way Apple does, because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft itself gets.
The outage is awful and has impacted many organisations, including critical services, but in my opinion it is not fair that Microsoft and Windows have been dragged through the dirt simply because theirs was the OS affected by a poor update to a third-party product.
It’s not the first time this has happened… to other OSs
According to a report by Neowin, “similar problems have been occurring for months without much awareness, despite the fact that many may view this as an isolated incident. Users of Debian and Rocky Linux also experienced significant disruptions as a result of CrowdStrike updates, raising serious concerns about the company’s software update and testing procedures. These occurrences highlight potential risks for customers who rely on their products daily.
In April, a CrowdStrike update caused all Debian Linux servers in a civic tech lab to crash simultaneously and refuse to boot. The update proved incompatible with the latest stable version of Debian, despite the specific Linux configuration being supposedly supported. The lab’s IT team discovered that removing CrowdStrike allowed the machines to boot and reported the incident.”
What this shows is the vital importance of update testing and of staged deployment rings, with a small canary group that has to report back healthy before the update is allowed to reach the wider estate.
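What a deployment-ring gate looks like in practice, as an added PowerShell example (my own illustration, not code from CrowdStrike, Microsoft or this article). The ring layout, device names, thresholds and the health probe are all constructed for the example; in a real estate the probe would be a sensor heartbeat or crash-telemetry query. The point it shows is that each ring receives the update only after the previous ring has reported back, and that a failure rate above the threshold halts the rollout before it reaches the production ring.

```powershell
# Added example: a minimal deployment-ring gate, not code from CrowdStrike, Microsoft or
# this article. Rings, device names, thresholds and the health probe are all constructed.

function Invoke-RingRollout {
    param(
        [Parameter(Mandatory)][object[]]$Rings,           # ordered: canary, pilot, broad, ...
        [Parameter(Mandatory)][scriptblock]$HealthProbe,  # device name -> $true if healthy after update
        [double]$MaxFailureRate = 0.02,                   # halt if more than 2% of a ring fails
        [int]$MinimumSample = 3                           # never judge a ring on one or two devices
    )
    $state = [ordered]@{ Deployed = @(); Halted = $false; HaltedAtRing = $null; FailureRates = @{} }
    for ($i = 0; $i -lt $Rings.Count; $i++) {
        $ring = @($Rings[$i])
        $state.Deployed += $ring                          # the update reaches this ring only now
        $healthy = @($ring | Where-Object { & $HealthProbe $_ })
        $rate = if ($ring.Count -eq 0) { 0 } else { 1 - ($healthy.Count / $ring.Count) }
        $state.FailureRates["ring$i"] = [math]::Round($rate, 3)
        if ($ring.Count -ge $MinimumSample -and $rate -gt $MaxFailureRate) {
            $state.Halted = $true                         # stop here; later rings keep the old content
            $state.HaltedAtRing = $i
            break
        }
    }
    return [pscustomobject]$state
}

# Constructed fleet: 4 canaries, 8 pilot devices, then 100 production devices.
$rings = @(
    @('canary-01', 'canary-02', 'canary-03', 'canary-04'),
    @(1..8   | ForEach-Object { 'pilot-{0:d2}' -f $_ }),
    @(1..100 | ForEach-Object { 'prod-{0:d3}' -f $_ })
)

# Constructed telemetry. A bad content file crashes two canaries on boot, so their
# heartbeat never comes back; a good file leaves every device healthy.
$badUpdateProbe  = { param($device) $device -notlike 'canary-0[12]' }
$goodUpdateProbe = { param($device) $true }

Invoke-RingRollout -Rings $rings -HealthProbe $badUpdateProbe  | Format-List   # bad update
Invoke-RingRollout -Rings $rings -HealthProbe $goodUpdateProbe | Format-List   # good update
```

With the bad probe the gate trips on the canary ring, so the pilot and production rings are never touched; with the good probe every ring is updated in turn. The MinimumSample guard stops a single unlucky device from blocking a rollout while keeping the canary ring small enough that a genuinely bad update hurts very few machines.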
On 17 July 2024, a new Cyber Security Bill was announced as part of the King’s Speech, with industry experts, cyber security firms and advisory boards applauding the greater scrutiny and policy being placed on protecting the nation, our public services, critical infrastructure and businesses of every size.
The bill will hand more power to regulators around cyber security incidents and also includes mandatory reporting of ransomware attacks. It was announced in the King’s Speech alongside 40 others.
… strengthen the UK’s cyber defences, ensure that critical infrastructure and the digital services that companies rely on are secure
Kings Speech | July 2024
In parallel, a new Digital Information and Smart Data Bill was also announced. It would have raised security concerns had the Cyber Security Bill not been announced alongside it, since one of its aims is to further support and speed up the digitising of central and local government services, bring in new data-sharing standards and give the Information Commissioner’s Office (ICO) new powers.
CyberSecurity – State of the nation
The newly introduced Cyber Security Bill acknowledges that the UK as a whole faces increasing attacks from both financially-motivated cyber criminals and state actors, with entities of all sizes being frequent targets. The bill was proposed in response to cyber attacks on the UK’s digital economy, which have affected public services and infrastructure. Its aim is to enhance the protection of essential services and critical national infrastructure, which are particularly vulnerable to hostile actors. This is underscored by numerous cyber attacks in recent years on the NHS, NHS Blood supply, UK Trusts, the Ministry of Defence, the British Library, the Electoral Commission, Royal Mail, and various other government entities.
Life vs Death: The NHS Blood Supply Attack. The announcement comes after a severe cyber-attack, attributed to a Russian ransomware group, on Synnovis, a private firm providing pathology services such as blood tests to the NHS. As a result, some patients were told their blood test appointments could be delayed by up to six months, and the supply of blood for much-needed transfusions was also affected.
What’s in the Cyber Security Bill?
The new Cyber Security Bill has two main objectives:
To expand the remit of existing regulation.
To give regulators a stronger footing for protecting digital services and supply chains, and to strengthen reporting requirements so that government gets a more complete picture of cyber threats.
The bill will expand the remit of regulators to cover supply chains and the companies providing services or managed services to organisations, addressing the growing prevalence of supply-side attacks, where attackers reach an organisation’s network via a third-party supplier such as an MSP, a network provider or a cloud service provider, or through the APIs and integrations that connect systems for stock control, support or remote access. The bill also promises a stronger regulatory environment to ensure that cyber safety measures are actually being implemented.
What about NIS2?
The Cyber Security Bill aims to revise the current UK Network and Information Systems (NIS) Regulations 2018. These regulations originate from the EU’s NIS Directive, which sets out specific cyber security and incident reporting duties for operators of essential services and digital service providers.
The EU has already updated the original NIS framework: member states must transpose NIS2 by 17 October 2024. Whilst NIS2 does not explicitly apply to UK companies, this bill is likely to align closely with it and may even add “icing on top”.
About mandatory reporting of ransomware attacks
Today, whilst organisations need to report personal data breaches, there is no law or rule requiring them to report ransomware attacks. This bill changes that. It is a good move, since requiring ransomware attacks to be reported, whether successful or not, will help the UK better understand the wider cybercrime landscape.
What the Cyber Security Bill means for IT and Security Teams
Cyber security remains one of the biggest risks facing organisations and government today, and one of the biggest budget lines, with spend increasing year on year, alongside AI of course.
As we live in an increasingly digital society across almost every industry and service, every organisation needs to have, and under the new bill will be obliged to have, robust security governance and controls in place. Organisations need to shift away from simply deploying products in the hope they will stop attacks, and instead make sure they also have good data on attack vectors and trends, plus a clear kill-chain risk analysis mapped across their entire estate: users and devices, identity and access, data protection, threat detection, isolation, remediation and, of course, prevention.
In the context of state-sponsored attacks, national conflicts and wars, it is evident that cyber attacks have become a standard component of such conflicts, targeting infrastructure, governments and individuals alike. The Cyber Security Bill emphasises that sectors such as communications, power, finance, health, education and transport, including traffic control systems, are all potential targets.
Cyber Security Bill – Things you can do
The new Cyber Security Bill and the upcoming NIS2 requirements present several opportunities for organisations to prepare, which should underpin their existing cyber security and resilience programme.
In a recent Microsoft security report, Microsoft Security said they have seen a tenfold increase in cyber attacks, with similar growth in attack attempts against their own platforms and systems, including Microsoft 365 and Azure.
Microsoft say that password and account compromise (often leading to phishing and ransomware attacks) continues to rise fastest, with password attacks increasing from 3 billion per month in 2022 to more than 30 billion per month in 2023.
Microsoft also say the UK cyber security market is worth $6.2bn in FY25 and is expected to keep growing at around 20% year on year for the next four years. Microsoft sees the following key areas of security as the biggest opportunities, driven by customer demand to protect their businesses and critical infrastructure.
Threat Protection – $2.4bn
Identity Protection & Secure Access – $2.2bn
Security Analytics – $1.6bn
Note: Values are UK TAM for 2025.
Consulting, Assessments and Workshops
Leverage your security partners to help you conduct comprehensive reviews.
Many cyber security partners have pre-packaged (often vendor-funded) offerings to help businesses of all sizes, delivered as tailored workshops and assessments around the core Zero Trust security pillars, which loosely fit into the categories above.
The Cyber Security Bill strengthens the powers of regulators, which is likely to lead to more frequent and rigorous security assessments and audits. You will probably need to prove that you undertake these regularly and that you have clear, defined and tested plans for attack simulation, prevention, detection and remediation.
Security Adoption and Consolidation
In the ever-evolving cyber security landscape, the sheer complexity of security tooling has become a significant challenge for many organisations. With an average of 76 security tools to manage, Infosecurity Magazine reports that many organisations are overwhelmed by excessive support tickets, unwieldy rulesets, redundant alerts and cumbersome integrations between overlapping security products. This complexity leads to gaps in coverage, leaving organisations vulnerable to cyber threats as well as carrying a huge cost.
As part of any review or assessment, contract renewal or negotiation, most organisations can strengthen their security posture while reducing both spend and complexity through a strategy known as security consolidation. This involves streamlining and integrating various security tools and processes into a cohesive system and adopting technologies they may already own but have not turned on; the security products and services included in Microsoft 365 E5 are a good example of licensed capability that is often under-used or not switched on at all.
Security consolidation matters for several reasons. First, it enhances threat detection and response by providing a holistic view of security events, pulling data from integrated suites rather than trying to stitch separate products together, which speeds up identifying anomalies and coordinating the response. Second, it simplifies management and operations, making the estate easier for security teams to run and so increasing their efficiency and effectiveness in managing cyber risk. Third, it can greatly reduce complexity and cost by eliminating redundant systems and streamlining processes, improving the security posture and reducing the chance of errors.
The National Cyber Security Centre provides a wealth of resources and guidance on cyber security topics, including security consolidation.
Managed SOC and XDR
In light of the Cyber Security Bill, organisations may consider moving to a managed Security Operations Centre (SOC) or managed Extended Detection and Response (XDR) service offered by their MSP, CSP or a specialist managed security provider. These services provide a range of benefits for organisations that do not have the time, resources or desire to run their own security operations, including:
Comprehensive cyber security: managed SOC and XDR services monitor an organisation’s entire IT environment, including networks, devices, applications, endpoints and data, for both known and emerging vulnerabilities, threats and risks.
Reduced complexity: in most cases, investing in such a service significantly reduces the complexity of managing multiple security tools and processes. Whilst these services may take on and support an organisation’s existing security products, in many cases they will require, as part of onboarding, a more streamlined set of tooling, making it easier to maintain a robust security posture without juggling multiple products and services.
Faster response times: managed SOC and XDR services can deliver significantly faster and more accurate detection and response to real and high-risk potential threats. Many draw on their accumulated experience together with machine learning, AI and automation to make detection and response faster than a human team alone could manage.
More cost-effective: whilst not cheap on the surface, consolidating security operations under a managed service can reduce the total cost of ownership (TCO) of security operations by removing the need for multiple standalone security solutions and for expensive in-house analysts and consultants.
Access to expertise: these services give organisations access to highly skilled security specialists, which is particularly valuable given the current skills shortage in the cyber security industry.
Employee Training and Education
The importance of end-user adoption and security awareness training cannot be overstated. It is a critical component of any organisation’s cyber security strategy. The human factor is often the weakest link in corporate security, with studies suggesting that most cyber attacks involve human error. Educating end users on cyber security best practice is crucial for reducing the risk of insider threats, phishing attacks and other cyber threats.
Every business, large and small, needs to build a security mindset into its culture. This ensures that every employee, from frontline staff to managers and executives, understands the importance of cyber security and the far-reaching impact a data breach can have. Regular training sessions and awareness campaigns are needed to keep all levels of the organisation up to date on the latest threats and defensive practices.
Management plays a key role in this process. Leaders should actively participate in security awareness training, comply with the company’s own cyber security policies and encourage staff to take part in training. This helps create a culture of security awareness and empowers employees to come forward with observations, suggestions or issues they have seen.
End-user adoption and security awareness training is a commitment that needs to be made at every level of an organisation. It is not just about protecting the organisation’s digital assets, but also about safeguarding its reputation and credibility. By making security awareness a priority, organisations can significantly reduce their exposure to cyber threats.
Conclusion
In conclusion, the King’s Speech has outlined a much-needed, robust and forward-thinking approach to cyber security in light of the ever-increasing wave of nation-state attacks and cyber terrorism, combined with the rapid adoption of generative AI.
The introduction of the Cyber Security and Resilience Bill, as announced in the speech, is set to expand regulation to cover more digital services and supply chains, empower regulators to enforce cyber security measures, and mandate increased incident reporting to improve the government’s response to cyber attacks. This initiative is a significant step towards strengthening the UK’s cyber security infrastructure and resilience.
In light of these developments, every organisation should take proactive steps to align with the new measures. One of the key steps is preparing for the NIS2 Directive, which aims to establish a higher level of cyber security and resilience within organisations in the European Union and will also affect UK organisations that provide in-scope services into the EU. Organisations should start by defining their compliance roadmap and improving their cyber security awareness. They should conduct a thorough audit to identify gaps in their cyber security regime and develop a comprehensive plan to close those gaps and meet NIS2 requirements.
Cisco’s annual event, Cisco Live 2024, has seen a huge number of new AI-powered innovations and investments from Cisco as they took to the stage in Las Vegas. This year the focus has been on powering the AI transformation, with the introduction and expansion of AI-enriched solutions across networking, security and observability.
Here are my takeaways from the event, based on the snippets I watched and the Cisco blogs I read overnight, on how these advancements are set to further transform the tech industry across almost every vertical.
Digital Resilience Through AI
Cisco talked about how their AI-powered innovations which are heavily focussed on the platform that drives transformation (the network and connectivity) are designed to enhance digital resilience, combining the power of the network with industry-leading security and observability. This integration simplifies adoption and provides comprehensive visibility across the digital landscape.
$1 Billion AI Investment Fund
Cisco announced a new Global AI Investment Fund in a bold move to foster industry innovation and customer readiness, and most likely to fund future acquisitions, which has become common in the industry as a way of backing start-up innovation. This strategic initiative supports Cisco’s vision of an AI-powered future, connecting and protecting organisations of all sizes through Cisco’s networking and secure cloud technology platforms.
New Strategic Initiatives
Cisco’s collaboration with industry giants like NVIDIA and Splunk (which it acquired earlier this year), among others, shows its commitment to customer success and growth. Cisco referenced some of its largest clients, including Steve Madden and McLaren F1 Racing, as examples where Cisco continues to play a vital role as a strategic ally in business and technology across its entire portfolio: network, security, observability and collaboration.
New certifications to empower partners
Designed to give partners the skills for an AI-powered future, Cisco announced new AI Fundamentals training for partners, including a new certification in AI. Cisco plan to keep equipping partners and the wider workforce with the skills needed to thrive in an AI-driven landscape which shows no sign of slowing down.
New innovations to their portfolio announced
Cisco also announced new AI-powered features for its contact centre solutions at Cisco Live 2024. These include:
New capabilities in Webex Contact Center that help organisations design and manage conversational self-service experiences. This means businesses can automate more of their customer service, improving efficiency and customer satisfaction.
An AI Assistant for contact centre agents, helping them handle customer queries more effectively and efficiently and so improving customer service.
Integration of third-party virtual agent solutions into Cisco’s contact centre offerings, allowing businesses to draw on a wider range of technologies and services to enhance their customer service.
There is no AI without data and networking
With Cisco networking already the motorway for connectivity inside data centres, across organisations’ IT and for connecting people, things and devices, the announcements included:
Nexus HyperFabric AI clusters: a “breakthrough” AI cluster solution developed in collaboration with NVIDIA that provides a single place to design, deploy, monitor and assure AI pods and data centre workloads, so businesses can manage their AI workloads more efficiently and effectively.
Cisco Hypershield support for AMD Pensando DPUs and Intel IPUs, which Cisco say will enable enterprises to “realize an AI-driven, distributed security architecture” that spans cloud, data centre and edge while remaining high-performing and energy efficient.
Cisco will also combine the power of Splunk with its AppDynamics Application Performance Monitoring (APM) through the introduction of Splunk Log Observer for Cisco AppDynamics. This integration will enable faster troubleshooting across on-prem and hybrid environments.
Excitement overdrive
As a leading UK Cisco partner, Cisco Live brought excitement to our teams and will bring new innovation for Cisco customers.
Cisco’s innovations will help us continue to help our customers build a more resilient, intelligent and secure digital environment.
“We’re thrilled to share incredible innovation and new AI-powered capabilities for our customers this week at Cisco Live… Cisco is uniquely positioned to revolutionize the way infrastructure and data connect and protect organizations of all sizes, and we are confident we are the right strategic partner for our customers in this era of AI.”
Chuck Robbins | Chair and CEO | Cisco
For Cisco, it represents a step forward in leading the industry towards an inclusive AI-powered future. And for partners like Cisilion, it is an opportunity to leverage these advancements to deliver cutting-edge solutions to our clients.
It’s not over yet.
Stay tuned for more updates from Cisco Live 2024, as we continue to explore the possibilities of AI and its impact on the world of technology.
This blog post captures Microsoft’s latest achievements, innovations and recognition in cyber security as reported by Forrester in their recent Wave report on Extended Detection and Response (XDR) platforms. Here I have focused on the latest developments and Microsoft’s move into the leading position in this report.
In the ever-evolving cyber security landscape, organisations face the challenge of defending against increasingly sophisticated attacks. Based on the analysis performed by Forrester in their 2024 Wave report, Microsoft has again risen to the occasion, being placed as the furthest-out Leader in The Forrester Wave: Extended Detection and Response (XDR) Platforms, Q2 2024, ahead of both Palo Alto and CrowdStrike. They have been Leaders in this space for over four years, but this year pulled further ahead than ever before.
In the last year, 75% of security professionals witnessed an increase in attacks with 85% attributing this rise to bad actors using generative AI
Report By Security Magazine 2023
The Forrester report details how, to protect against constant and ever more sophisticated AI-powered “intelligent attacks”, a unified approach to cyber security is needed rather than the traditional add-on, multi-vendor approach. Forrester comment that Microsoft Defender XDR stands out for its unified visibility, investigation and response capabilities. It integrates across endpoints, IoT, OT, identities, email, collaboration tools, SaaS apps, cloud workloads and data insights, providing end-to-end protection.
Generative AI is the game-changer
Forrester say the introduction of Microsoft Copilot for Security marks a significant milestone in Microsoft’s approach to XDR. This generative AI solution simplifies incident remediation, reverse engineers malware code and lets analysts use natural language to generate Kusto Query Language (KQL) queries.
Microsoft’s automatic attack disruption, also powered by its latest AI and threat hunting services, lets Defender XDR detect and disrupt ransomware and other advanced attacks within minutes, showing what AI can do in cyber security. The services work together across the wider Azure and Microsoft 365 security portfolio, making this a genuinely multi-layered protect, detect and respond approach rather than multiple products stacked on top of each other.
The Future of Cyber Defense
Microsoft’s recognition by Forrester underscores its dedication to innovation and excellence in cybersecurity. As cyber threats continue to evolve, Microsoft’s XDR and unified security operations platforms will remain essential tools in the arsenal of cybersecurity professionals.
In Microsoft’s own blog post on the matter they state that “We believe Forrester’s recognition showcases that Microsoft Defender XDR is the broadest native XDR solution on the market and that our most recent additions of Microsoft Defender for Cloud data and Microsoft Purview Insider Risk Management data are critical to give the SOC access to end-to-end data. Its incident-level visibility, automatic attack disruption of advanced attacks, and accelerated detection and response now work across endpoints, Internet of Things (IoT), operational technology (OT), on-premises and cloud identities, email and collaboration tools, software as a service (SaaS) apps, cloud workloads, and data insights.”
“Microsoft is refining the most complete XDR offering in the market today, their dedication to innovation is demonstrated by its percentage of the R&D budget by revenue, which rivals the most innovative vendors in security.”
Forrester Wave Report: Q2 2024
Summary
It is great to see Microsoft continue to innovate in this area after Satya Nadella stated that they are “prioritising security above all else” in a recent report.
The Forrester report does not, of course, mean that the other vendors in it are no good. Familiar vendors such as Palo Alto and CrowdStrike continue to innovate in this space, and the others are working hard to move up the Wave.
Others worth mentioning are Cisco, who have moved into the Challengers category this year following huge investment in their Cisco Security Cloud platform and their continued investment in bolstering their security portfolio.
It is worth noting that XDR is just one of the security pillars reported on by Forrester and other leading analysts such as Gartner.
This week, I had the pleasure of running a fireside chat with Mark Brown, who leads the UK solution engineering team at Splunk. The chat was streamed live on LinkedIn and YouTube as part of Cisilion’s monthly technology chat show, which has been running for more than three years.
This month, we took to the virtual stage to discuss the acquisition of Splunk by Cisco, the history and innovation Splunk brings across security, data analytics and observability, and some of the huge success stories and customers Splunk has had since the company’s founding in 2003.
Cisilion and Splunk – May Fireside Chat
In this month’s show, we delved into Splunk’s history and capabilities, its evolution over the last 20 years and its role as a data analytics platform. We talked about Splunk’s diverse customer base, including huge “high street” brands like Siemens and Gatwick Airport, and discussed how Splunk’s data analytics helps enhance operational efficiency and security at the airport: by processing local traffic and weather data alongside real-time footfall in the terminal, Splunk helps LGW meet its passenger-flow SLAs for getting people from check-in through security.
Finally we talked about why Cisco acquired Splunk, the market opportunity it creates and how partners like Cisilion will be able to bring this acquisition into the Cisco portfolio over time. Mark described this as a strategic move to integrate Splunk’s data analytics with Cisco’s network and security solutions, offering a comprehensive approach to observability and security, giving Cisco a real competitive edge, increasing its market share and making the solutions simpler for customers.
Using the power of AI, I have used Microsoft Copilot to break down the key sections of the video and help you navigate to the areas that might be useful to you.
(I have a video on how to do this which you can access here.)
Cisilion and Splunk Fireside Chat – Key Conversations
[00:01:18] Introduction of Mark Brown from Splunk
Leads the UK solution engineering team
Discusses Splunk’s recent acquisition by Cisco
Highlights the value Splunk brings to businesses
[00:03:00] Explanation of what Splunk is
Describes Splunk as a platform for searching logs in data centers
Evolved into a leader in security and observability
Known as the “Google for the data center”
[00:18:09] Cisco’s acquisition of Splunk
Seen as a natural fit with little overlap in technology offerings
Expected to enhance both Cisco’s and Splunk’s product portfolios
Acquisition aligns with Cisco’s strategy to expand software offerings
[00:08:14] Reference customers of Splunk
Splunk’s reference customers span 110 countries and include major brands across various industries
Talking through examples including Siemens, Singapore Airlines, and Gatwick Airport
Talking about wider use cases that demonstrate Splunk’s adaptability and impact
[00:14:22] Splunk’s competition in the market
How and where Splunk competes with and partners with various tech companies such as Datadog and New Relic
How Microsoft Sentinel has also become a leader in the SIEM space in just two years, and how Microsoft and Splunk are working together to deliver Splunk solutions to customers in Azure
How Splunk has been a leader for more than 10 years
[00:17:46] Cisilion’s perspective on the acquisition
How Cisilion are excited about the integration and potential for new market opportunities and the alignment between Cisco and Microsoft, Cisilion’s two strategic partners.
How we see the acquisition as a way to complete the technology journey for clients, bringing together multiple technologies and creating a single pane of glass for security logs and observability
Our forward looking view on the game-changing advancements in observability and security this aquisition could bring to Cisco.
[00:25:23] The chat continues around use cases, market trends and the future of security and observability
Welcome your views on the video and the discussion as always.
The digital security landscape is constantly challenged by sophisticated threats, making the role of Security Information and Event Management (SIEM) systems more critical than ever. In the 2024 Gartner® Magic Quadrant™ for SIEM, Microsoft and Splunk have been recognised as leaders, demonstrating excellence in vision and execution in the SIEM space.
Gartner said in their 2024 report that “The SIEM market grew from $5.03 billion in 2022 to $5.7 billion in 2023 (see Market Share: All Software Markets, Worldwide, 2023), a 13% annual growth rate compared to a 22% increase the previous year. The primary drivers of a SIEM purchase are threat detection, response, exposure management and compliance. Buyers are seeking a SIEM ecosystem with broad and deep capabilities to satisfy multiple security and business use cases with capabilities to support a diverse environment.”
Image (c) Gartner 2024
The Significance of SIEM in Cybersecurity
SIEM technology is essential for organisations to effectively manage security events and information. It provides real-time visibility across an organisation’s information security systems (multi-vendor), providing single-pane-of-glass event log management, compliance reporting, and incident response capabilities. The ability to swiftly detect, analyse, and respond to security incidents is what makes SIEM a cornerstone of enterprise security strategies.
Friends and Foes?
In 2023, Splunk and Microsoft agreed to partner to help build Splunk’s enterprise security and observability offerings on Microsoft Azure. This means that Splunk solutions are now available for purchase on the Microsoft Azure Marketplace as well as the AWS Marketplace. This is great for both parties and for Microsoft Partners who sell and deploy Azure services to their clients.
Gartner cites Microsoft Sentinel as best suited to organisations that require a cloud-native SIEM solution with advanced AI capabilities and integration with other Microsoft security products. Sentinel works with a huge number of external cloud and on-premises data connectors (including Splunk).
Splunk’s Data-Centric Excellence in SIEM
Splunk remains a joint leader in the SIEM market, praised as always for its data-centric security analytics solution. The Enterprise Security application from Splunk is available both on-premises and as SaaS. Splunk provides pricing flexibility, which can be based on daily data ingestion or on cloud workloads, referred to as Splunk Virtual Compute. Splunk primarily serves large enterprise organisations in North America.
Splunk has said it is launching a new AI Assistant for Security, which will be integrated with Enterprise Security to enhance detection and response functions. Cisco finalised the acquisition of Splunk on March 18, 2024, and we expect to see integration and cross-pollination of their combined portfolio at some point in 2025.
Gartner points out that Splunk currently has a significantly higher-than-average cost compared to other vendors in their report, is more complex to deploy and configure (measured in professional services days), and currently has low numbers of sales support staff outside the US – though with Cisco’s acquisition of Splunk this is likely to change over the next 18-24 months.
Strengths:
Overall observability: The Splunk platform can integrate security, IT, application and other data sources. This, coupled with its federated search and analytics capabilities across third-party data stores, is a strength for clients seeking to build highly enriched queries and alerts.
Extensive integration: Splunk’s integration of SOAR enhances a wide range of common SIEM use cases. Clients wanting quick time to production automation for common SIEM operational functions will find Splunk’s library of playbooks a strength.
User interface: Splunk’s UI and dashboard provide significant customisation. Clients requiring custom animations and visualisation for specialised monitoring, such as OT or financial systems, will find the UI editor an overall strength.
Best Fit
Splunk is particularly suited for very large organisations that value a data-driven approach to security and need powerful analytics to manage complex security environments. Microsoft is actually one of Splunk’s largest customers.
Conclusion
Microsoft and Splunk continue to lead the SIEM market with their innovative solutions. Sentinel offers a world-class leading, cloud-native, AI-enriched platform that simplifies operations and accelerates threat resolution.
Splunk provides a robust, data-centric approach to security analytics, enabling organizations to respond to threats with speed and precision and is ideally suited for the largest of enterprises as well as those who remain mainly on-prem and less “all in with cloud”. Splunk also has a strategic alignment and integration with Microsoft Sentinel.
As a leading UK Microsoft and Cisco partner, we are excited to be working with both Cisco and Splunk (Cisco) in this space, with the ability to guide and consult around customer-hosted, Azure-hosted and cloud-native SIEM solutions. We also love the fact that we can now meet customers on their ground, with the ability to deploy Splunk on Azure via the Marketplace for our clients.
Cisco has introduced a new product called Hypershield, which they claim is one of the most significant security products in Cisco’s history. It is expected to be generally available starting from July 2024.
What is Hypershield?
Hypershield is a cloud-native, AI-powered system designed to enhance the security of AI-scale data centres. Unlike traditional security products, Hypershield is integrated directly into the network’s fabric, offering a new approach to protecting digital infrastructure services in data centres: protecting applications, devices, and data across public and private data centres, clouds, and physical locations.
This is the Most Consequential security announcement In Cisco’s 40-Year History
Cisco.
The holistic system promises to bring the security advantages of a hyperscale model to enterprises, allowing security to be embedded in every software component of every application running on the network, on every server, and in both public and private cloud deployments.
How Hypershield is different
Hypershield is different to traditional security “bolt-ons” because it is not just a new security product or the next version of something that already exists. What makes it different and unique is that Hypershield represents a brand-new security architecture model built from the ground up. It uses an open-source technology called eBPF, which hyperscalers use to automate patching and other time-consuming jobs. It has the ability to transform every network port into a high-performance security enforcement point, and works by blocking application exploits in minutes while preventing lateral movement of attacks.
Innovation from within
I think Hypershield is exciting because it represents a significant shift in how security is approached within the data centre fabric.
“Why we think this is the most consequential is we’re taking what used to be a firewall, an appliance, and we’re like melting into the network. It’s not a separate thing that you add on. It’s like magic. It writes its own rules, it tests its own rules, it qualifies its own rules, deploys its own rules, and then overnight it upgrades itself”
Tom Gillis | VP Security | Cisco
It is built with technology originally developed for hyperscale public clouds, and Cisco is making this technology available to enterprise IT teams of all sizes, regardless of how big their data centre footprint is. It works by enabling security enforcement to be placed everywhere it needs to be, at the application and data layer, which is a major shift in how traditional data centre security works. Cisco says it is expected to have a significant impact on how businesses protect their digital assets.
With this innovation … we have actually been able to deliver something that’s unlike anything we’ve done in the last 40 years at Cisco. And I will say that we’re just getting started.
Jeetu Patel | Cisco’s EVP
Rather than relying on traditional network and application-level firewalls in the data centre, Hypershield works by essentially providing security boundaries around every application and service. It uses artificial intelligence to learn and adapt, so it gets better at distinguishing normal activity from attack attempts.