Security Specialists: Microsoft’s Discounted Logging Offering Warrants Scrutiny
The log management tool Microsoft is marketing as a way for agencies to fulfill administration requirements for network visibility could contribute to a risky ‘monoculture,’ according to cybersecurity professionals.
The federal government should carefully consider risks associated with reduced-price logging services Microsoft is offering for agencies to meet executive-mandated Office of Management and Budget requirements, according to academics and others closely studying the national security issue.
Microsoft’s offering, announced in a blog post Tuesday, doesn’t detail exactly how the discounts would work but promotes a ‘Maturity Model for Event Log Management solution’ that is designed to adapt to the tiered implementation plan OMB laid out. Under the plan, agencies should have submitted their logging posture and needs to OMB over the fall and be preparing to meet at least a basic level of event logging this coming summer. Microsoft told Nextgov the discounts would vary based on agencies’ needs and that they would work with federal government customers on a case-by-case basis.
The logging issue rose to prominence in discussions of federal cybersecurity policy following the massive hack generally referred to as ‘SolarWinds,’ after the IT management firm adversaries used to distribute malware. That campaign ultimately led to the acknowledged compromise of nine federal agencies and about a hundred companies at the end of 2020.
During a February hearing on the hack, while agencies were still working through the aftermath of the unprecedented breach, Rep. Jim Langevin, D-R.I., confronted Microsoft president Brad Smith, asking how much the company was charging for event logging services he said should be standard, not an upsell dependent on certain licenses.
Except at premium levels, Microsoft’s Azure cloud service offers limited logging capabilities. This can affect an organization’s ability to determine how the hackers moved across networks after gaining initial access, and whether they might still be present, the Cybersecurity and Infrastructure Security Agency had said in an alert on the hacking campaign, which Langevin referenced.
In April, with a note of appreciation for questions U.S. federal government customers had about the costs of their logging services, Microsoft said it would offer customers of their government cloud a free trial of its ‘Advanced Audit’ service for one year.
The move failed to soothe critics like Sen. Ron Wyden, D-Ore., who coined the term “cyber pork,” referring to the government “throw[ing] a bunch more money at the same companies that sold the government insecure products that the hackers exploited.”
Wyden had also raised concerns with a contested feature of Microsoft’s cloud federation service in conjunction with a technique known as Golden [Security Assertion Markup Language], which CISA had also flagged after the breach as being in use by hackers since 2017.
Microsoft has said the technique—used to attain lateral movement across a network by forging identities—only came into play after the adversary had already gained initial access to their customers’ accounts, in part due to weaknesses like poor passwords.
The new promotion doesn’t sit well with Stanford’s AJ Grotto and others who generally note an unsustainable rate of patching needed to address vulnerabilities in Microsoft’s software.
“Something's not right about Microsoft marketing its security services after the incident, when Microsoft products were among those that the hackers exploited,” Grotto, who directs a program on geopolitics, technology and governance at the university’s cyber policy center, told Nextgov. “I don't want to impugn Microsoft's motives here, but offering a service for free for twelve months and then turning around and you know, charging anything for it, even if it's a discounted rate just doesn’t feel right.”
What Grotto finds off about the move also relates to a concern that cybersecurity professionals—including Harvard’s Bruce Schneier and IN-Q-TEL Chief Information Security Officer Dan Geer—first likened to the dangers of a monoculture in agriculture in 2003. The observation was that a lack of diversity in the software used across operating systems and applications could lead to cascading damage in the event of an attack.
A lot has changed over the last 19 years. As David Wheeler, director of open source supply chain security at the Linux Foundation, noted to Nextgov, in 2001 Microsoft suggested Linux, a competing open-source operating system, was un-American, but today it “has made many contributions to the Linux kernel.”
And Microsoft told Nextgov an important feature of the new offering is that it works with other products, providing “prescriptive guidance on how to enable logs from more than 300 different sources including native connector and first-party sources like Microsoft Defender for Endpoints and also third-party logs like those provided by VMware, Cisco, and Zscaler.”
But Microsoft still holds an estimated 85% of the government market for its products and services, and the monoculture concerns still resonate.
“The issue is that scale at a certain point becomes a vulnerability,” Steve Weber, faculty director at the Center for Long-Term Cybersecurity at the Berkeley School of Information, told Nextgov. “The problem is SolarWinds had its hands in too many systems, and so it became a single point of failure. And it is notable that Microsoft is in the same position vis-à-vis the federal government. We shouldn’t set ourselves up for the same kind of failure again.”
Regarding the logging issue specifically, Microsoft has noted such services alone won’t prevent an attack. But criticism of the marketing strategy remains, as logging services are viewed as essential for establishing network visibility and even to create deterrence by contributing to the attribution of intrusion campaigns. Microsoft’s new offering also ties into the use of artificial intelligence for threat hunting efforts.
“It's an extension of the monoculture argument,” Grotto said. “If the security services that are underlying some of [the agency’s] risk management services share some of the same vulnerabilities that come with the software that those services are designed to protect, well that's a problem, you've got correlated risk there.”
He also addressed the pressure agencies are under in the budget and policy environment to give in to Microsoft’s marketing strategies.
“They'd get hammered if they said, 'No, we don't want this free service Microsoft offers.' And after twelve months when it expires, what's the agency going to say, 'let's cancel it, now we're going to reduce our security?' No, there's no way that's gonna happen,” Grotto said.
The Atlantic Council’s Trey Herr, who partnered with Schneier in urging the government to more closely examine the cybersecurity risks presented by the design choices of cloud service providers after the attack, agrees there’s a potential scaling danger in blindly buying into Microsoft’s discounted rates that OMB might address.
“It would be reasonable for OMB to address the concern that discounting by a large vendor might risk vendor lock-in,” Herr, who directs the Atlantic Council’s Cyber Statecraft Initiative, told Nextgov.
But more to the point, he said, “these kinds of tools shouldn't come at a price. So [Microsoft’s offering] is a step in that direction, but it's absolutely not the last step that should be taken.”
Microsoft declined to comment on the criticism surrounding their security products contributing to increased risk associated with a software monoculture.