So basically what I tried to show you in the next 20 minutes is I give you a little bit an idea about what we learned, especially in the context of the war in Ukraine when it started, and kind of a little bit the context, what we learn based on the data we have in our cloud. The title, actually, protecting the environment, the infrastructure and exposed environment, came up when the war started in Ukraine, because I was running, well, I'm responsible for Germany, Switzerland, Industrial, the Netherlands, and East Europe, which means I was kind of in the middle of the storm when the whole thing started in Ukraine, when the whole war started.
And a lot of customers came to us. And there were two kind of questions in there.
One is, how do we handle Ukraine? How do we handle the infrastructure we have on site in Ukraine?
But the other one which was probably more challenging is how do we handle infrastructures in Russia and in Belarus, and how do we deal with the risks connected to that? And if we start, and I'll get into the second part of the questions in a minute. But if we start with what happened in Ukraine, and if you look at what the Ukrainian government actually did, there is for me an extremely interesting move.
Basically I have a lot of discussions with customers about sovereignty and, you know, keeping data within the country. And all these discussions, Ukraine actually went the completely opposite way. The government, a week before the war started, decided to change the law and allow government organizations to move data outside the country into the cloud. And these days, all the 16 ministries of the Ukrainian governments basically are running on Office 365 and Azure.
So from a business continuity perspective, customers started to move, or Ukrainian governments started to move outside the country. We had some customers actually reaching out to us, which had data centers close to the Finnish, at the border between Finland and Russia, saying they wanna evacuate the data centers. So that was one of the angles we had. And then the second one was, what do we do now with the infrastructure we have in Russia and how do we deal with that the moment we want to pull back? That was one side of the coin.
The other one is, I, I'd like to give you a little bit an idea what an exposed environment at the moment is, and then I give you some ideas how you can protect that. Kind of interesting, I only see parts of my slide here. That's data which we released actually just last week, a week ago, showing you a little bit how the, the world looks like out there.
And the data we have just to be clear, is the data which we have from our cloud. So sometimes when I talk to customers, they say, Yeah, but they have a completely different view on the threat landscape.
This might well be. If you are under attack on-prem, we obviously don't have any data. What we can give you is an idea how especially nation states these days behave when it comes to attacking our environment. And you know, for me it starts with ransomware. And if we look at ransomware, the world actually changed dramatically over the last one to two years. A year ago you could go and buy a ransomware kit that then kind of distributed yourself and you have to do the whole business chain yourself. These days you can buy ransomware as a service.
And if we do incident response, ransomware is basically 50% of what we do.
And this leads me back to what I said initially when I talked about Russia and Ukraine, when Russia attacked the Illa WannaCry and NotPetya was one of the consequences. And basically what we in Western Europe suffered was basically collateral damage. They couldn't contain the virus within Ukraine and it just spread across the globe. So one of the big questions we had was, does the same thing happen again now in Russia attacks Ukraine?
It didn't so far, but one of the points I learned when I worked with customers is most customers don't have a backup which they can access without authentication. That was actually an interesting point when we started to discuss what they should do now in the first 24, 48 hours after the beginning of the war. And that's closely connected to ransomware attacks, right?
The second point you have here is one which is dear to my heart, and I come back to identity and authentication in a second, but most of the attacks we see basically somewhere are related to or connected to any legacy authentication protocols.
And you know, probably two years back I said, you should probably slowly think about moving off. These days I'm probably more direct, it's time to move. It's really, it's not, you should probably in the next few years, it's really time to move on.
Because if you look at how especially nation states changed, everybody started to be in the crosshairs of nation states. It's not that they attack only government organizations or departments of defense or defense contractors. It's really getting across the globe. And that's the reason why you need to move off. And you know, that's something you see in the third point as well. When we see customers being attacked on our cloud by a nation state, we issue so-called nation state notifications.
So we inform you that you're under attack, we inform you what actually happens and what you can do against it.
And since 2018, which means four years, we issued more, a little bit more than 67,000 of these nation state notifications. And that's huge. Now let me put it a little bit into context, especially the month before the war started, the months before the war started, Russia was extremely active towards Europe with password spray attacks. So they took one password and threw it against a lot of different accounts. And they are by definition extremely noisy.
And that's one of the reasons why the number is so high. But even if you cut it by half, it's still a lot which happens out there. If you look at the countries in the last probably 12 months, you see that Germany is an interesting target for a lot of organizations.
Again, Russia was pretty active in Germany and that was up to a given point because that's at least our interpretation because Germany was seen as probably one of the weakest links in the whole European and Western setup within countries.
But again, it wasn't only nation states, it was actually across the board. And you heard just before, you talked about supply chains and auditing your suppliers, a few of the governments, Russia, China moved on from attacking customers directly to attacking the cloud service providers.
So the organizations which are between your hyperscaler and you, the guy, the organization who is basically delivering the service to you, they try to get into a one to many situation. They move away from just attacking one, one organization to actually getting into a situation where they can spread their attacks. Solos was a kind of a, a prime example to that. And I'm getting into the, the accounts in a second.
I mean the one which strikes me most is within Azure Active Directory, we currently see about 26% of the accounts being multifactor authentication enabled, one fourth, which means three-fourths are not.
And you know, when we talk about MFA, we these days look into two setups. One is the phishable MFAs and then the non-phishable MFAs. To give you an example, the classical one where you just get a prompt on your phone is one which is easy to phish. I can just, you know, create enough noise until you feel like, okay, then you go in, and we see these kind of attacks.
And so you can probably kind of split this into half and then we have really strong authentication. Talking briefly about nation states, it might be worth reading it if you're interested. The Digital Defense Report is, as I said, out since last Friday. Those are the countries we see actively reaching a certain bar hitting our cloud. The US is not on it, the UK is not on it. This is not because we don't wanna show them, this is simply because they don't make the bar these days. Maybe they're too clever, maybe they don't attack us because we are an American company.
The reason why I often say or always say you are all kind of targeted by nation states, countries like North Korea, they have two approaches. One is everything around espionage. They want to understand rockets and nuclear technology, but on the other hand they are huge in ransomware business. They need money and they go after every target which is willing to pay. China is obviously big in espionage, we all know that. We see Iran somewhere, they're extremely, currently they are in the espionage business. So there you're probably out of jail.
And then we get back to Russia and the last quarter of last calendar of Russia was basically the only one we've seen across Europe. So they are, they were so far number one, that all the other actors kind of disappeared to prepare for the war and they moved away from attacking or getting into the espionage kind of approach.
They got into the ransomware business as well because they need money desperately. And on the other hand, they are strong in this attacking the cloud service provider.
So if you use a cloud service provider, look into the admin accounts they have, do they all need these kind of admin accounts, and think about monitoring them heavily that you really know what they're doing. But that's kind of the picture of the globe. That's what we do with the Microsoft Threat Intelligence Center. So we are not only looking at the signals we have and the techniques, but we look at actors behind it to try to understand them and disrupt them as well as far as we can.
Yeah, that's basically what I summarized there. You see the different sectors and there is more information in the report itself. The sectors actually changed quarter by quarter. So they're pretty fluid depending on where the core focus of certain governments currently lay. A prime example there was when Sweden announced that they want to join NATO, the focus of Russia completely shifted into Sweden. So Sweden was the number one country and government and especially NGOs which are advisory to the advisors, to the public sector actually got attacked heavily.
But no matter where you are, sometimes we have retail on here, we have manufacturing on here, transportation, communication, media, it's kind of everywhere these days. And for me this really means, I talk about assume breach in quite a while, but taking this notion of assume breach home and think about whether your architecture actually fulfills or is able to cope with an assumed breach in your environment is for me number two of the priorities I have.
Number one is this one, and I know it's small, but if you look at the lower right corner, this shows the evolution of multifactor authentication enabled accounts on Azure Active Directory. You see how fast we grow.
That's number one of the problems we need to solve jointly because as our teams always says, attack breaking the login and the more you use username password, the more you are exposed to that. The more you use legacy authentication, the more you're exposed to that. That's the number one problem we need to fix.
And it kind of goes hand in hand with assume breach, but that's the number one problem we jointly need to fix. Now the last point from a data perspective, you know, I was back in the old days, in the very old days I was running incident response of Blaster at Microsoft Switzerland. And when we started to draw the communication, and this was all extremely reactive, we talked about three or four things to the end users. We told them go and patch, have anti-malware installed and up to date, and switch on your firewall and have a backup.
I think those were the four.
If we look at the five reasons why our customers these days get compromised, number one is enable multifactor authentication. Number two is somewhere, I think it's number four on that list, keep up to date, which is patch management. Then you have keep your anti-malware up to date.
So, and deploy EDR. So I sometimes feel we don't learn, right? I mean we don't even force the attack to be creative. They can just use what they had 20 years ago. But that's kind of what you should take home if you leave here, if there is anything, those with these five things, and that's MFA, that's identity, that's for me top of the list. With these five things you can avoid 98% of all the attacks.
Now, I talked about Ukraine a little bit and when customers reached out to us, we had a lot of calls in the first few days with our customers, what they can do and what they can do to protect themselves.
And it was interesting to listen to Aon just before that because I had a call with Aon with the chief of Aon just immediately after the, the, the war started. And he made an interesting remark and he told me recently attacking even quote in publicly, he said, You know, my risks didn't change. Now just because we have the war, what changed is the probability of certain risks.
And that's actually true even though most customers didn't look at it that way. We had a lot of discussions like, I have Active Directory in Moscow, what do I do with them? I might lose them now. I felt sometimes you probably already lost them. So what we, we looked a little bit at the potential scenarios in the context of this war and in the context of nation states. And we came up with these threat scenarios and they were probably 90%, we all know them, right?
I mean we talk about ransomware and destructive attacks.
We were extremely worried about those initially. So if as we did, we said we are not gonna sell any software anymore in Russia. Do we see now ransomware attacks as a retaliation to that? Which didn't happen. The physical loss of infrastructure, that's a typical war scenario. But still if you think about earthquakes and those things, we are in the same bucket. One which changed at least from a mindset of people dramatically was the physical threat to high value targets. That's basically the admin at gunpoint. That was a scenario we looked into with a lot of customers.
So what do we do if we have an administrator or anybody with access to sensitive data in an area of war? I kind of felt like being back to the days when I helped banks build their infrastructure because when we did the AD design for certain banks, especially Swiss banks, this scenario we needed to look, we needed to cover was what happens if CIA or FBI sits behind my administrator in New York and forces the admin to look into a Swiss environment to get access to customer data.
So again, the scenario isn't new.
Maybe our, well the risk and the way we looked at it was new. And then we had interesting reactions. One big customer came to us, it was literally on a Friday, a week after the start of the war, and said how fast can you roll out insider risk management to a certain small group of people sitting in Moscow? So we want to know if an admin changes behavior, we trust our people, but it might be that they're forced to log in.
And I looked at them and said, But we had all these discussions with your worker councils and you know, can you do it so we don't care anymore. You know, our CEO and the board decided we are gonna just gonna do it. So on a Friday we had the first discussion.
So Monday we rolled it out. We didn't find a lot. Insider risk management, it's a little bit noisy but it's an interesting technology in this context. But they want to get, they wanted to get there with these kind of technologies.
And then we split it in three and there's a link in the paper if you want the first phase and it's kind of classical crisis, right? First phase is all about making sure your communication channels are up to date. You know how to contact people, you know how to contact people in Russia and so on and so forth. Switch on MFA, protect your admins, monitor your admins and make sure you have the backups. And then you start to spread the whole thing, you know.
And then at the end of the day, we had some classical, when we looked at the recommendations we had in the paper or we came up with how to protect that, we came up with classical protection of your infrastructure.
It led us back to the zero trust principles. And you know, assume breach to me, war or not, is number one. That's a huge cultural change. And if you take assume breach seriously, things like explicit verification comes immediately. Just because you're sitting on my network, I'm not gonna trust you. Least privileged access comes immediately.
Admin at gunpoint, how much does it cost to buy an admin? If you need to, you need your policy decision point to make that happen. And that's where a lot of customers moved into the cloud as well. They moved away from Active Directory into Azure Active Directory to use these kind of policies. And the other thing which we could do with them as well is geofencing pretty easily because the infrastructure was there, we saw where they're coming from. So use these kind of technologies going forward to protect your environment.
And you know, at the end of the day, if you start to rethink your architecture, if you start to rethink your assumed breach approach, those are for me the four silos you have to go, or it shouldn't be silos, the four pillars you have to go for. You start with identity, clean your identities, go towards MFA, you understand the information you have. And that was a big discussion as well in the context of Russia. Understand the compliance you have from a technical point of view. So where are you, how are you patched and all that stuff.
And the last point is everything around your SIEM, your SOC, your automation. Good. According to my clock, I still have 55 seconds left, so if somebody wants a question or to that, I don't have a
Quick check. I think there were no questions in the chat, but, but I do have one. Okay.
We, we had this, this brilliant talk by this morning when she talked about how these, this, this Ukrainian group, this think tank monitored the information sphere before the war. It almost felt like this think tank acts like a, like a secret service. Does Microsoft do that the same way?
Well, I mean we monitor what, what we do. We have people
Anticipation.
Well what, what we try to understand is what the bad guys will do going forward because we want to get the infrastructure prepared. Obviously we monitor the groups, we try to understand what they do. We moved away from nation state only more into the ransomware environments, but the ransomware activities. But we are not the national intelligence. Sure.
I mean even if you look at the paper we published around Ukraine, what we could show is a time correlation between attacks on media environments which we run and the physical attacks on the transmission towers in Ukraine. Just as an example, is this now really connected from a Russian perspective? We don't know. We don't have people on ground. It's just kind of obvious how closely together they are from a time perspective. So our job is to make sure that we understand where the bad guys move to be prepared from a technology side, but that's it.
The rest is relief that to the government and I think that's the role of the government at the end of the day. Absolutely.
Thank you very much. Brilliant presentation. Thank you. Thank you.