Monday, April 2, 2018

A review of the 23rd Microsoft SIR

There are a lot of security reports published in the industry today.  One of them is the Microsoft Security Intelligence Report (SIR).  Version 23 was released just recently.  You can download the source document here.  The goal of this post is to capture some of my thoughts after reading the report.

Ugh, not botnets again!  It is amazing how often we talk about botnets.  They are pervasive on today's Internet, and it is amazing the lengths we have to go to in order to dismantle them.  This year's SIR spends quite a few pages on botnets, in particular the Gamarue family.  One thing that I found super interesting is the global map of infected devices that was put together.

This botnet was pervasive.  One thing that stands out, though, is the lack of red in Canada.  This could obviously be an artifact of population density, but I still find it interesting.  I wonder if there are any good resources out there that could help correlate this data.

Support for HSTS is still low among cloud providers.  HSTS, or HTTP Strict Transport Security, is a web security policy mechanism in which a server sends a Strict-Transport-Security response header telling the browser to use only HTTPS for that host (and optionally its subdomains) for a stated number of seconds, to refuse any downgrade to plain HTTP, and to treat certificate errors as hard failures rather than click-through warnings.  Browsers key off of this response header to help secure the user's experience.  Two caveats worth knowing: the header is only honored when received over HTTPS, and it is trust-on-first-use, so a user's very first plain-HTTP request is still exposed unless the domain is on the browsers' preload list.

When I do a security review of an application, I always recommend setting the HSTS header.  In fact, this is part of the OWASP ASVS guidance.  What is interesting is that despite this having been a recommendation for some time now, adoption rates are relatively low.
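Checking for the header is only half of a review; the directives it carries matter too.  The following is an added example written for this post, not code from the SIR or from Microsoft.  It parses a Strict-Transport-Security value the way RFC 6797 describes (directive names are case-insensitive, max-age is mandatory, a repeated directive invalidates the header) and flags the weaknesses I look for in a review.  The one-year max-age threshold and the preload prerequisites are the commonly recommended values, an assumption here rather than figures taken from the report; the sample responses are constructed.

```python
"""Parse and evaluate a Strict-Transport-Security (HSTS) response header.

Added example for this post; thresholds below are assumptions, not values
from the Microsoft SIR.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Commonly recommended minimum policy lifetime (assumption, in seconds).
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value per RFC 6797 section 6.1.

    Returns None when the value is not a valid policy (no max-age,
    non-numeric max-age, or a directive that appears more than once).
    Unknown directives are ignored, as the RFC requires.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # RFC 6797: a directive MUST NOT appear twice
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is the one required directive
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(headers: Dict[str, str]) -> List[str]:
    """Return review findings for a dict of HTTPS response headers.

    An empty list means the policy meets the (assumed) baseline.
    """
    value = None
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            value = val
    if value is None:
        return ["missing: no Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if policy is None:
        return ["invalid: header present but unparseable or missing max-age"]

    findings: List[str] = []
    if policy.max_age == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"weak: max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("weak: includeSubDomains not set")
    if policy.preload and not (policy.include_subdomains and policy.max_age >= ONE_YEAR):
        findings.append("preload: requires includeSubDomains and max-age >= 1 year")
    return findings


# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSES = {
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "short": {"strict-transport-security": "max-age=300"},
    "none": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, evaluate_hsts(hdrs) or ["ok"])
```

Run it against a real host by feeding in the headers from an HTTPS response (for example the result of a `curl -sI https://example/` call); a header seen only on the plain-HTTP response does not count, since browsers ignore it there.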

The solutions and recommendations for protecting against ransomware haven't changed.  Microsoft is still recommending the same measures:
- Backup your data
- Apply multi-layered security defenses
- Keep all software up-to-date
- Manage and control privileged access to data
- Isolate or retire certain computers

I think the problem here is that we need to start building security in by default, so that storage systems ship with protections such as backups and tightly controlled access rather than relying on each customer to configure them.  For reference, the above measures are hard for even large companies to get right, let alone small companies or individuals.  I'm not sure what the answer is here, but we need to start thinking about creative ways to solve this issue.

In conclusion, I enjoy reading these types of reports.  It is amazing how little changes year-over-year, which really showcases how our approaches to security are not making an impact at scale.
