Microsoft Security

Expert Profile

Russ McRee: Partner Director, Operations; Microsoft Security Response Center (MSRC)

May 6, 2022

As Partner Director, Operations for the Microsoft Security Response Center (MSRC), Russ McRee leads a global team of security incident responders and analysts charged with the responsibility to protect, detect, and respond on behalf of Microsoft infrastructure, services, and products. Today he shares his thoughts on the state of modern security.

Microsoft’s transition from a software-centric company to a cloud-first focus has driven a massive shift in the landscape of security, including the nature of vulnerability discovery and adversary actions.

“The symmetric, relatively uniform approach to resolving security issues in software and products is not consistent with the asymmetric, hyperscale nature of cloud services and operations,” McRee explains. “Providing security services at cloud speed and scale has changed how we track inventory, monitor and log, apply prevention, and respond in times of crisis.”

As he further considers the changes of the cloud computing era, McRee says that the MSRC has been more regularly engaged and on heightened watch than in prior years. He describes the MSRC as constantly evolving and scaling to new and interesting problems, always with attention and intent to solutions that are repeatable, sustainable, and viable.

So much has changed in the era of cloud computing, McRee continues. Threat levels have increased significantly, and today’s adversaries are more cavalier and callous than ever before.

“Sharp, refined attention on identity security is the starting point for success. Prevent the theft and unauthorized use of credentials and secrets, combat social engineering with awareness and education, and above all else, ensure the use of effective, enforced, and ubiquitous multifactor authentication.”

Russ McRee; Partner Director, Operations; Microsoft Security Response Center (MSRC)

McRee offers the LAPSUS$ attack group as a stand-out example of a persistent and callous menace. The group is known for using a pure extortion and destruction model without deploying ransomware payloads, and the ease with which it has been able to succeed has been alarming. LAPSUS$ focuses on stolen credentials and social engineering exploits, which remain a weak spot for many organizations. Organizations must implement and enforce comprehensive and effective multifactor authentication (MFA) schemes, he warns, to reduce and prevent attacks like those seen from LAPSUS$.

McRee also cautions security professionals to be mindful of their supply chains. Malicious code can be introduced into commonly used packages or libraries. Malware could be signed via trusted signing mechanisms. Flaws and vulnerabilities have been found in deeply engrained services and capabilities. He also reminds organizations that new services and platforms built for use at cloud scale are at risk for abuse if not hardened against it. Anything made easy for cybercriminals and adversaries will certainly be capitalized on before other more hardened and protected services.

“I remain consistent in my thinking that doing the basics well, practicing simplicity while reducing complexity, and focusing on well-practiced standards-based processes will improve security incident outcomes and ideally prevent some of them in the first place,” he says.
