Category Archives: Security strategies

How to organize your security team: The evolution of cybersecurity roles and responsibilities

Digital transformation, cloud computing, and a sophisticated threat landscape are forcing everyone to rethink the functions of each role on their security teams, from Chief Information Security Officers (CISOs) to practitioners.

With so many people around the globe working from home, changes to the daily practice of cybersecurity are accelerating. Organizations are shifting from defending a traditional network perimeter (keeping business assets in a safe place) to more effective zero trust strategies (protecting users, data, and business assets where they are). This transformation brings technology changes and also raises the question of what people’s roles and responsibilities will look like in this new world.

At the same time, continuous delivery models are requiring security teams to engage more closely during business planning and application development to effectively manage cyber risks (vs. the traditional ‘arms-length’ security approaches). This requires security professionals to better understand the business context and to collaborate more closely with stakeholders outside of security.

In this new world, traditional job descriptions and security tools won’t set your team up for success. Leaders must create role clarity in this transformation to help their teams navigate uncertainty. This will reduce distractions and stress, as well as help people focus on the important tasks that make the whole team shine.

While each organization and each person will have a unique journey, we have seen common patterns for successfully transforming roles and responsibilities. To help security leaders and practitioners plan for this transformation, Microsoft has defined common security functions, how they are evolving, and key relationships. In this blog, we’ll provide a summary of our recommendations to help you get started.

Security roles must evolve to confront today’s challenges

Security functions represent the human portion of a cybersecurity system. They are the tasks and duties that members of your team perform to help secure the organization. Depending on your company size and culture, individuals may be responsible for a single function or multiple functions; in some cases, multiple people might be assigned to a single function as a team.

High performing security teams understand their individual roles, but also see themselves as a larger team working together to defend against adversaries (see Figure 1). The following functions represent a fully populated enterprise security team, which may be aspirational for some organizations. Organizations often need to prioritize where to invest first based on their risk profile, available resources, and needs.

Figure 1: Each function works as part of a whole security team within the organization, which is part of a larger security community defending against the same adversaries.

Policy and standards

This team develops, approves, and publishes security policy and standards to guide security decisions within the organization and inspire change. This team must take into account cloud platforms, DevOps processes and tools, and relevant regulations, among other factors. Read more about the security policy and standards function.

Security operations center (SOC)

A security operations center (SOC) detects, responds to, and remediates active attacks on enterprise assets. SOCs are currently undergoing significant change, including an elevation of the function to business risk management, changes in the types of metrics tracked, new technologies, and a greater emphasis on threat hunting. Read more about the SOC function.

Security architecture

Security architecture translates the organization’s business and assurance goals into a security vision, providing documentation and diagrams to guide technical security decisions. A modern architecture function needs to consider continuous delivery, identity-centric security solutions for cloud assets, cloud-based security solutions, and more. Read more about the security architecture function.

Security compliance management

The objective of cloud security compliance management is to ensure that the organization is compliant with regulatory requirements and internal policies. As you modernize this function, consider the role that cloud providers play in compliance status, how you link compliance to risk management, and cloud-based compliance tools. Read more about the security compliance management function.

People security

People security protects the organization from inadvertent human mistakes and malicious insider actions. The cloud and changing threat landscape require this function to consider how to effectively engage employees in security, organizational culture change, and identification of insider threats. Read more about the people security function.

Application security and DevSecOps

The objective of application security and DevSecOps is to integrate security assurances into development processes and custom line of business applications.

Cloud services and APIs have enabled a faster delivery cadence and influenced the creation of the DevOps team model, driving a number of changes. The biggest change we see is the integration of security into the development process, which requires culture and process adjustments as each specialty adopts the best of the other’s culture. This function must also adopt an agile mindset and stay up to date on new tools and technologies. Read more about the application security and DevSecOps function.

Data security

The main objective for a data security team is to provide security protections and monitoring for sensitive enterprise data in any format or location. New regulations and data loss prevention models are influencing the evolution of this function, and the sheer volume of data being stored on numerous devices and cloud services has also had a significant impact. Read more about the data security function.

Infrastructure and endpoint security

The infrastructure and endpoint security function is responsible for security protection to the data center infrastructure, network components, and user endpoint devices. Software-defined datacenters and other cloud technologies are helping solve longstanding data center security challenges, and cloud services are transforming the security of user endpoint devices. Read more about the infrastructure and endpoint security function.

Identity and keys

The main objective of a security team working on identity management is to provide authentication and authorization of humans, services, devices, and applications. Key and certificate management provides secure distribution of, and access to, key material for cryptographic operations (which often support outcomes similar to those of identity management).

One of the big changes is that the identity and key/certificate management disciplines are coming closer together, as both provide assurances about the identity of entities and enable secure communications. This function also plays a significant role in modernizing security by establishing an identity-based perimeter that is a keystone of a zero-trust access control strategy. Read more about the identity and keys function.

Threat intelligence

Security threat intelligence provides context and actionable insights on active attacks and potential threats to empower organizational leaders and security teams to make better (data-driven) decisions. Threat intelligence usually grows from a technical scope into servicing the larger organization with strategic, tactical, and operational (technical) threat intelligence. Read more about the threat intelligence function.

Posture management

Posture management builds on existing functions like vulnerability management and focuses on continuously monitoring and improving the security posture of the organization. Posture management is typically one of the largest changes because it supports decisions in many other functions using information that only recently became available because of the heavy instrumentation of cloud technology. This function includes zero-trust based access controls, real-time risk scoring, threat and vulnerability management, and threat modeling, among others. Read more about the posture management function.

Incident preparation

The primary objective for the incident preparation function is to build process maturity and muscle memory for responding to major incidents throughout the organization, including security teams, executive leadership, and many others outside of security. These practice exercises have become powerful tools to ensure stakeholders are informed and familiar with their role in a major security incident. Read more about the incident preparation function.

Looking forward

In the beginning of the journey, clarity is critical to shine a light on the path forward and the journey ahead. As you walk the path, healthy doses of empathy and continuous learning are key to maintaining forward momentum. Organizations should invest in both formal training and supporting self-directed exploration to ensure people get the knowledge they need and have the confidence to take the risks required to transform.

In addition to the cloud security functions guidance, Microsoft has also invested in training and documentation to help with your journey—see the CISO Workshop, Microsoft Security Best Practices, recommendations for defining a security strategy, and the security documentation site.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to organize your security team: The evolution of cybersecurity roles and responsibilities appeared first on Microsoft Security.

Microsoft Joins Open Source Security Foundation

Microsoft has invested in the security of open-source software for many years and today I’m excited to share that Microsoft is joining industry partners to create the Open Source Security Foundation (OpenSSF), a new cross-industry collaboration hosted at the Linux Foundation. The OpenSSF brings together work from the Linux Foundation-initiated Core Infrastructure Initiative (CII), the GitHub-initiated Open Source Security Coalition (OSSC), and other open-source security efforts to improve the security of open-source software by building a broader community, targeted initiatives, and best practices. Microsoft is proud to be a founding member alongside GitHub, Google, IBM, JPMC, NCC Group, OWASP Foundation, and Red Hat.

Open-source software is core to nearly every company’s technology strategy and securing it is an essential part of securing the supply chain for all, including our own. With the ubiquity of open source software, attackers are currently exploiting vulnerabilities across a wide range of critical services and infrastructure, including utilities, medical equipment, transportation, government systems, traditional software, cloud services, hardware, and IoT.

Open-source software is inherently community-driven and as such, there is no central authority responsible for quality and maintenance. Because source code can be copied and cloned, versioning and dependencies are particularly complex. Open-source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware. Given the complexity and communal nature of open source software, building better security must also be a community-driven process.

Microsoft has been involved in several open-source security initiatives over the years and we are looking forward to bringing these together under the umbrella of the OpenSSF. For example, we have been actively working with OSSC in four primary areas:

Identifying Security Threats to Open Source Projects

Helping developers to better understand the security threats that exist in the open-source software ecosystem and how those threats impact specific open source projects.

Security Tooling

Providing the best security tools for open source developers, making them universally accessible and creating a space where members can collaborate to improve upon existing security tooling and develop new ones to suit the needs of the broader open source community.

Security Best Practices

Providing open-source developers with best practice recommendations, and with an easy way to learn and apply them. Additionally, we have been focused on ensuring that best practices are widely distributed to open source developers and will leverage an effective learning platform to do so.

Vulnerability Disclosure

Creating an open-source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months.

We are looking forward to participating in future OpenSSF efforts including securing critical open source projects (assurance, response), developer identity, and bounty programs for open-source security bugs.

We are excited and honored to be advancing the work with the OSSC into the OpenSSF and we look forward to the many improvements that will be developed as a part of this foundation with the open-source community.

To learn more and to participate, please join us at: and on GitHub at


The post Microsoft Joins Open Source Security Foundation appeared first on Microsoft Security.

Cybercrooks likely using EMV by-pass attack to weaken payment card protection: report

Gemini Advisory, a U.S. cybersecurity firm, warned Thursday that hackers might have found a way around the security of chip-based Europay, Mastercard, and Visa (EMV) payment cards without cloning the chip. The sale of stolen card data from two hacks in the U.S. this year is likely the result of the weakness being abused by cybercriminals, Gemini said in a report.

The report highlights that the technique can be “dangerously effective” if banks don’t verify the card security code when processing card transactions. The reverse is also true: if banks properly perform that check, the technique is blunted.

Gemini calls the technique “EMV by-pass cloning.” Briefly, malware on point-of-sale (POS) machines captures the track data the EMV chip sends during a transaction, including a small but vital value called the iCVV, the chip’s own card verification code. This data can then be written onto the magnetic stripe of a blank payment card. The criminal then swipes the new card (rather than inserting or tapping it, because it has no chip) in a bank’s or retailer’s card reader, which reads the mag stripe and passes the data, iCVV included, to the issuer. Without proper checking by the financial institution, the swipe might be accepted as if it came from the original chip card.

In short, a crook can take information from an EMV chip and transfer it to a mag stripe on a different card. No need to clone the chip; the scam works because POS machines around the world still accept the less secure mag stripes for transaction information.

Gemini credited a report issued earlier this month by a consulting firm called Cyber R&D Lab with discovering the technique. Lab researchers did a proof of concept and then tested it on cards from 11 unnamed banks in Europe and the U.S., out of which four accepted transactions using the fake cards.

After reading the report, Gemini says it believes that this discovery explains the recent sale on the dark web of 720,000 payment card numbers with iCVV numbers from the January hack of a northeastern U.S. supermarket chain and the June 29 hack of card data from a wine and liquor store in the state of Georgia. Gemini also says it believes that the cybercriminals must have used the EMV by-pass cloning technique to get the iCVV numbers.

There is another way of getting iCVV numbers, and that’s by secretly installing an electronic shimmer inside a point of sale device or ATM to capture the number as customers use the cards. However, Gemini notes the two hacks involve too many payment card numbers for even several compromised POS devices to capture. So, it concludes, the by-pass cloning technique was used in those hacks.

“EMV technology has until now been as secure as it gets,” Christopher Thomas, an intelligence production analyst at Gemini Advisory, said in an interview. “So it’s significant there’s a workaround… That is certainly a cause for alarm. However, it’s also important to note that Cyber R&D Lab compromised four out of 11 cards; the verification systems of the other banks did work. This seems to be a problem that only affects banks that are not verifying the way they should be.”

The Canadian Bankers’ Association, which represents the country’s major banks, wouldn’t comment on the Gemini report. Instead, it issued the following statement, “Banks are leaders in cybersecurity and their highly-skilled IT security teams use advanced technologies to safeguard their operations and keep their customers’ money and data safe from illegitimate acts. Banks constantly scan the threat horizon to stay on top of ever-evolving fraud typologies and thwart attacks of all kinds.”

Detailed explanation

Now for the more detailed explanation of the Gemini and Cyber R&D Lab reports: Most people know that the back of a payment card carries a printed three-digit security code (the CVV2) used to verify what the payment industry calls “card not present” purchases over the phone or online. Buyers are sometimes asked to read out or type in that number.

A different code, the CVV1, is encoded along with the account number, expiry date and other data in the magnetic stripe on the back of the card, for point-of-sale machines to read when the card is swiped in “card present” purchases in stores. Mag stripe data is not encrypted and can be copied with cheap equipment, which decades ago let cybercriminals create counterfeit cards with cloned mag stripes, forcing banks and card companies to adopt the EMV chip.

The chip cannot be copied the same way: it holds a secret key that never leaves the card and uses it to produce a unique cryptogram for each transaction. The chip also carries its own copy of the track data, but with a different verification code, the iCVV, which is deliberately computed differently from the stripe’s CVV1 (the standard algorithm substitutes a service code of 999 for the card’s real one). When a card is swiped, the issuing bank’s systems are supposed to check that the track data carries the correct CVV1. Track data copied from a chip onto a stripe carries the iCVV instead, so an issuer that performs the check will reject it; one that doesn’t will not notice the substitution.

EMV chips have foiled counterfeiters since they were introduced in the late 1990s, first in Europe, then in Canada and more recently in the U.S. Last year Visa said that merchants whose stores had converted to accepting EMV cards saw a 76 per cent drop in counterfeit fraud over three years.

Criminals who counterfeit cards for card-present fraud rely on data they can copy from mag stripes; card-not-present fraud instead needs the CVV2 printed on the card, which the stripe does not carry.

Use of NFC data

Since it is not hard to write a mag stripe, Cyber R&D Lab asked whether the chip’s data could be transferred to a mag stripe, sidestepping the problem of cloning the chip itself. It did so using the wireless Near Field Communication (NFC) interface that many EMV cards expose, the technology that enables tap-and-go transactions. To read the data from the NFC interface of real credit cards, researchers used an Android app called Card Reader Pro. This data was then compared with the data on the card’s mag stripe to see where it differed. With that data, including the chip’s iCVV, the researchers could write a mag stripe for a cloned card that presents the chip’s verification code in place of the stripe’s.

When a point of sale machine is used for a swipe transaction, the issuing bank is supposed to check the card security code in the track data for validity. If that check isn’t done properly, a counterfeit mag stripe carrying the chip’s data will be accepted by the bank as if it were a legitimate swipe of the original card.
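To make the issuer-side check described above (and the by-pass cloning step it defeats) concrete, here is an added example; it is not code from the Gemini or Cyber R&D Lab reports and not any issuer’s real implementation. It parses track 2 data as found on a stripe and in the chip’s Track 2 Equivalent Data, derives a CVV1 and an iCVV for a constructed test card, and contrasts an issuer that recomputes the CVV on every swipe with one that skips the check. The key, the test PAN, the discretionary-data layout (CVV in the last three digits) and the use of HMAC-SHA256 in place of the DES-based CVV algorithm are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key standing in for the issuer's Card Verification Keys (CVK A/B).
# Issuers derive CVV1 and iCVV with a DES/TDES-based algorithm; HMAC-SHA256 is used
# here only as a stand-in keyed function so the example runs with the standard library.
CVK = bytes.fromhex("0123456789abcdeffedcba9876543210")

# The iCVV is computed with service code 999 in place of the card's real service code,
# which is what makes it differ from the CVV1 encoded on the magnetic stripe.
ICVV_SERVICE_CODE = "999"


def cvv(pan: str, expiry_yymm: str, service_code: str, key: bytes = CVK) -> str:
    """Derive a 3-digit card verification value from PAN, expiry and service code.

    Follows the shape of the standard CVV algorithm: PAN || YYMM || service code
    -> keyed function -> decimalize (decimal digits first, then A-F mapped to 0-5)
    -> first three digits.
    """
    digest = hmac.new(key, (pan + expiry_yymm + service_code).encode(), hashlib.sha256).hexdigest()
    decimal = [c for c in digest if c.isdigit()]
    letters = [str(int(c, 16) - 10) for c in digest if c in "abcdef"]
    return "".join((decimal + letters)[:3])


def icvv(pan: str, expiry_yymm: str, key: bytes = CVK) -> str:
    """The chip's verification value: same derivation, fixed service code 999."""
    return cvv(pan, expiry_yymm, ICVV_SERVICE_CODE, key)


@dataclass
class Track2:
    pan: str
    expiry: str
    service_code: str
    discretionary: str


def parse_track2(track2: str) -> Track2:
    """Parse magnetic-stripe track 2 or EMV Track 2 Equivalent Data (tag 57).

    Layout: PAN, separator, YYMM expiry, 3-digit service code, discretionary data.
    Stripes use '=' as the separator and ';' / '?' as sentinels; chip data uses 'D'.
    """
    body = track2.strip(";?")
    sep = "=" if "=" in body else "D"
    pan, rest = body.split(sep, 1)
    return Track2(pan=pan, expiry=rest[:4], service_code=rest[4:7], discretionary=rest[7:])


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; all the lax issuer below verifies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def lax_issuer_swipe(track2: str) -> str:
    """Issuer that accepts a swipe without checking the CVV: the failure mode in the report."""
    t = parse_track2(track2)
    return "approve" if luhn_ok(t.pan) else "decline: bad PAN"


def checking_issuer_swipe(track2: str, key: bytes = CVK) -> str:
    """Issuer that recomputes CVV1 for every swipe. Assumed layout: CVV1 is the last
    three digits of the discretionary data (PVKI and PVV precede it)."""
    t = parse_track2(track2)
    presented = t.discretionary[-3:]
    if presented == cvv(t.pan, t.expiry, t.service_code, key):
        return "approve"
    if presented == icvv(t.pan, t.expiry, key):
        return "decline: chip data (iCVV) presented on a magnetic stripe"
    return "decline: CVV mismatch"


# Constructed demo card: a well-known test PAN, not a real account.
PAN, EXP, SERVICE = "4111111111111111", "2512", "201"
PVKI_PVV = "10000"  # assumed PVKI + PVV preceding the CVV in discretionary data

# Track 2 as encoded on the genuine card's magnetic stripe (carries CVV1).
STRIPE_TRACK2 = f";{PAN}={EXP}{SERVICE}{PVKI_PVV}{cvv(PAN, EXP, SERVICE)}?"
# Track 2 Equivalent Data as read from the chip, e.g. over NFC (carries the iCVV).
CHIP_TRACK2 = f"{PAN}D{EXP}{SERVICE}{PVKI_PVV}{icvv(PAN, EXP)}"
# The by-pass clone: chip data written verbatim onto the stripe of a blank card.
CLONED_TRACK2 = ";" + CHIP_TRACK2.replace("D", "=") + "?"


if __name__ == "__main__":
    for label, track in (("genuine stripe", STRIPE_TRACK2), ("cloned stripe", CLONED_TRACK2)):
        print(f"{label:14} lax issuer: {lax_issuer_swipe(track):8} checking issuer: {checking_issuer_swipe(track)}")
```

The lax issuer approves both swipes because the cloned stripe carries a valid account number, expiry and service code; only the issuer that recomputes the CVV1 notices that the code on the stripe is the chip’s iCVV. The same structure applies with the real DES-based derivation and the issuer’s actual CVK pair: the check costs one keyed computation per authorization, which is why Gemini’s report treats skipping it as the root of the problem.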