As one of the largest and fastest growing operators of cloud services in the world, Microsoft makes cloud security a top priority. Incidents are handled by multiple teams throughout the company, and many business groups have their own incident response teams with specific focus areas and authority. Despite this decentralized structure, all Microsoft cloud incident response teams face certain intrinsic challenges. For example, the infrastructure required to serve hundreds of millions of customer accounts on every continent generates an astronomical amount of data in the form of logs, alerts, and other telemetry. Over the course of one recent month, the domain controller logs for servers that manage primary Microsoft production environment domains generated 57.1 billion Windows security events. Add in network data (including NetFlow telemetry), firewall events, and intrusion prevention system (IPS) events, and event counts easily reach the trillions. And that's primarily from non-virtual systems!
Even at this scale, the Microsoft cloud infrastructure faces many of the same security challenges and attack patterns that affect much smaller computing environments. The scale may be vastly different, but many of the challenges that Microsoft cloud services administrators and security response teams face are similar or identical in nature to issues faced by every IT administrator reading this report. For example, administrators who manage monthly security updates from Microsoft might find it interesting to consider that the Microsoft cloud team deploys the same set of updates to a server base numbering in the hundreds of thousands. Automation plays an invaluable role, but system administration in massive, distributed cloud infrastructures is still a significant undertaking.
Similarly, some of the high-profile attack vectors that have been deeply problematic for system administrators around the world in recent times have not gone unnoticed by Microsoft cloud security teams. This section of the Microsoft Security Intelligence Report examines two of these attack vectors from the perspective of Microsoft cloud services and incident response teams.