Report: Orgs Losing Trust in 'Legacy' Software Providers
- By Kurt Mackie
- December 14, 2021
Organizations are struggling with security issues, and losing trust in "legacy" software vendors such as Microsoft, according to a recent survey by CrowdStrike.
Microsoft specifically gets named and blamed in the CrowdStrike white paper, the "2021 CrowdStrike Global Security Attitude Survey," which uses data from market researcher Vanson Bourne. The survey included responses from "2,200 senior IT decision makers and IT security professionals" from around the world, who were interviewed over the last three months.
This fourth-annual CrowdStrike survey found that there was an increase of supply-chain attacks within the last year, with 32 percent saying such attacks had occurred on several occasions, compared with 16 percent saying the same thing in 2018.
Ransomware problems increased over the year, with 32 percent of respondents saying that they had been hit more than once, vs. 24 percent of respondents saying the same thing in the 2020 survey.
The respondents listed several barriers to getting better protections against ransomware, including "lack of internal awareness around cybersecurity" (42 percent), "lack of skills in the IT/cybersecurity team" (40 percent), "lack of adequate threat intelligence" (37 percent) and "lack of the right security solutions" (37 percent), among others.
The average time to detect a cybersecurity incident was estimated at 146 hours, according to the respondents. That number is up compared with the 2020 survey (117 hours) and the 2019 survey (120 hours).
Respondents were asked about any blocks to detecting and responding to cybersecurity threats. They listed having too many disparate solutions (47 percent), lack of resources (42 percent) and having a "legacy infrastructure that is a challenge to upgrade/secure" (42 percent), among others.
The CrowdStrike white paper didn't show any specific question about Microsoft, but possibly it was part of the survey and not reproduced in the white paper. The report does include a CrowdStrike statement that "according to 63% of respondents, their organization is facing a crisis of trust in legacy IT vendors, such as Microsoft, due to frequent security incidents."
The point about Microsoft being the problem was repeated by George Kurtz, CrowdStrike's president and CEO, in a couple of media interviews given last week.
Kurtz told Yahoo News that it's mainly Microsoft software vulnerabilities have led to recent attacks:
The second data point is you have to look at the vulnerabilities of Microsoft. Almost 50 percent from 2019 to 2020, they were up, almost 1,300 vulnerabilities. So a lot of these vulnerabilities were key in these attacks. If you look at PrintNightmare, you look at the Microsoft Exchange vulnerabilities, you look at a lot of the authentication issues that we've seen, being abused by things like Sunburst. So these are the facts. And when we talk to customers, they are increasingly concerned about the crisis and trust on Microsoft, and that's basically the environment that we've seen.
Kurtz also last week told Emily Chang of Bloomberg Technology that "63% of respondents admit that they're losing trust in their current security vendors like Microsoft and others." Kurtz added that "and I think we've seen the attacks become so sophisticated that existing signature based solutions and legacy technology just can't keep up with it."
When Chang brought up the notion that CrowdStrike's claims were just "self-serving" because Microsoft competes with CrowdStrike, Kurtz suggested it was just the numbers in the survey that indicated a lack of trust in Microsoft:
We didn't come up with the math on this and I think when you talk to customers that are out there and you know the feedback is they're being attacked; these technologies are not being able to prevent against them. And one of the biggest areas is Zero Day Tuesday. Customers are just fatigued with constantly patching all the latest zero-day vulnerabilities, which the bad guys are taking advantage of. So I mean, I certainly hope that Microsoft is able to address some of their issues. I mean, we want the best security for the entire landscape. But at the end of the day, it's still a big problem in that a lot of its software they have is causing the issues and their technologies are not able to keep up with defending against those attacks
Microsoft later responded to CrowdStrike's claims. Vasu Jakkal, Microsoft's corporate vice president for security, compliance and identity, presented a mild rebuke in a Bloomberg Technology interview, suggesting that security is a team effort and that CrowdStrike was veering from that goal:
We work with more than 200 security vendors across the board. They are part of our Microsoft Intelligence Security Association to solving the problem at hand. And it's really unfortunate when some vendors disparage other defenders because right now is the time to come together to solve the problem and to fight cybercrime…. So it is about trust and who you choose to be on the journey with you. And in the case of Microsoft we have 650,000 security customers who have chosen Microsoft security, increasing 50 percent year over year.
Active Directory 'Architectural Flaws'
The pointed attacks on Microsoft had occurred before when Kurtz testified during a February Congressional hearing on the SolarWinds Orion "Solorigate" or "Sunburst" supply-chain attacks, later attributed to groups affiliated with Russia (dubbed "Nobelium" by Microsoft). He had suggested that Active Directory and Azure Active Directory had architectural flaws that facilitated the attacks.
However, it appears that the SolarWinds supply-chain attackers used a bunch of additional tactics to gain access to the Microsoft 365 e-mail of organizations.
Security consultancy Mandiant recently described expanded and recent Nobelium efforts to target organizations using Microsoft 365 services by infiltrating their Cloud Solution Provider partners using various means in this Dec. 6 post. "The abuse of a third party, in this case a CSP, can facilitate access to a wide scope of potential victims through a single compromise," Mandiant indicated.