The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more. In this article, John Lambert, Chief Technology Officer, Corporate Vice President and Security Fellow at Microsoft dives into the future of cyber defense.* *

Ten years ago, as threat actors began following our growing customer base to the Microsoft Cloud, I founded the Microsoft Threat Intelligence Center (MSTIC), which focuses deeply on addressing this type of cyberattacker. One of the first things we learned was that to find threat actors you need to think like them. That’s what led me to begin thinking in graphs. Any infrastructure you need to defend is conceptually a directed graph of credentials, dependencies, entitlements, and more. Cyberattackers find footholds, pivot within infrastructure, and abuse entitlements and secrets to expand further. Software systems and online services are built from components—many of these components have logs of what’s happening, but this results in a lot of siloed logs. To see what a threat actor is doing, you have to reconstruct that red thread of activity from logs. Then, from those logs you can create a graph.

By adopting this same graph-based thinking, we put ourselves on more even footing with cyberattackers. But we don’t really want to be on even footing. We want to retake the advantage for ourselves. That’s why it’s also important to keep our best practices up, making sure our infrastructure is well managed, maintaining a well-educated team of analysts on our team, and collaborating with our competitors on defense. All together, this is of course a lot of work. It’s easy to see why some security professionals out there see the physics of defense as being against them. And in some ways, it has been. So, let’s change that.

We’ve got more data and more advanced tools at our fingertips than ever before, including some very good AI. Let’s take a look at each of these best practices, as well as how we can use our new tools to reduce the cost and effort involved in maintaining the advantage against threat actors.

The defense benefits of attack graphs

Most defenders today live in a tabular, relational world of data and the databases in which that data lives. At Microsoft, this is Azure Data Explorer databases queried using Kusto Query Language (KQL). And we know that if we can represent data in other ways, like in a graph, we can suddenly look at our data in ways that are difficult to do in traditional databases. This is a chief reason why threat actors build attack graphs of their targets. The graph lets them more easily see the many ways they can break into the target’s network, pivot to the things they need, get the credentials they need, and exploit things within the blast radius those credentials give them. That’s why it’s important to build a great attack graph for all the things that you must defend and equip your defenders with it. With a graph, you can ask questions like “what’s the blast radius of this kind of access?”, “can I get from identity A to infrastructure B?”, or “if a threat actor has taken over this specific node, can they get to our crown jewels?” With an attack graph in hand, those questions become easier to answer.

Relational tables and graphs are just two of the ways to represent security data. We’re currently working on broadening those ways to also include anomalies and vectors over time. All together, these four data representations are what I refer to as the algebras of defense. As a defender equipped with these algebras, you can easily represent security data in multiple different ways. You can ask it questions in domains they are highly specialized in answering and get the answers you need from your security data in ways that drive you very quickly to the outcomes you need. What’s really exciting about this concept is that the benefits don’t just extend to your security team. Your advanced AI can use them to similar effect, turning each algebra into a new way to detect, for instance, what constitutes an anomaly and what does not. It’s giving AI the ability to use the same intuitions that human experts use but in a much more highly dimensional space.

Building difficult terrain through proper cyber defense hygiene

A well-managed target is a harder target to attack. Defenders that excel in security don’t just react to cyberthreats, they proactively shape their environments to be inhospitable to bad actors. This begins with investing in preventative controls. Rather than waiting for incidents to occur, successful defenders deploy technologies and processes that anticipate and block cyberattacks before they materialize. This includes endpoint protection, network segmentation, behavioral analytics, threat modeling, and more.

It’s also important to deprecate legacy systems as they often harbor vulnerabilities that cyberattackers exploit. By retiring outdated solutions and replacing them with modern, secure alternatives, organizations reduce their exposure and simplify their defense posture. The same goes for entitlement management. By continuously reviewing who has what access, organizations can help prevent lateral threat actor movement.

You’ll also want to make sure you’re conducting top-tier asset management. You can’t protect what you don’t know exists. Maintaining an accurate, real-time inventory of devices, applications, and identities helps defenders monitor, patch, and secure every component of the environment. Removing orphaned elements goes hand-in-hand with this concept. Unused accounts, forgotten servers, and abandoned cloud resources—all of these remnants of past projects can easily become low-hanging fruit for cyberattackers.

You should invest time and effort into creating difficult terrain for attackers, making it harder for them to traverse your networks. Phishing-resistant multifactor authentication is a way to do this. So is not just having strong identity management, but requiring it to be used from expected, well-defined places on the network. For example, forcing admin access to be used from hardened, pre-identified locations.

Layered defenses with multiple controls working in concert help quiet your network. By reducing randomness and enforcing predictability, you can eliminate much of the noise that threat actors rely on to hide, ultimately removing entire classes of threat actors from the equation.

Invest in internal expertise and collaborate with others who do the same

While preventative controls are essential for raising the cost of cyberattacks, no defense is impenetrable. That’s why remediation remains a critical pillar of cyber hygiene. Organizations must be equipped to both block threats and to detect and respond to those that slip through.

This begins with data visibility. Security teams need to be on top of their telemetry so they can spot anomalies quickly. And you’ll need a team of educated analysts who understand cyberattacker behavior and can distinguish signal from noise. With their expertise, you’ll be better equipped to identify subtle indicators of compromise and initiate swift, effective remediation efforts.

It’s also important to work on cyber defense together with organizations that you otherwise view as your competitors. And, thankfully, here’s where I get to impart a bit of good news. Over the past decade, the tech industry has undergone a profound shift in how it approaches this concept. As organizations, we’re now way better about taking news about the security events happening to us to trusted spaces and talking about them in trusted ways than we were 10 years ago. What was once taboo, like the sharing of breach details with competitors, is now a mainstay of our collective defense. This cultural shift has led to the rise of trusted security forums, cross-industry intelligence sharing, and joint incident response efforts, allowing all of our defenders to learn from each other and respond faster to emerging threats.

Optimizing the defense curve

We now operate in a world where vast, high-fidelity data sets and advanced AI systems can amplify our reach, sharpen our detection, and accelerate our response. By embracing graph-based thinking, cultivating difficult terrain, and investing in collaborative intelligence, defenders can fundamentally shift the physics of defense beneath their would-be attackers’ feet.

With the algebras of defense, defenders can interrogate their environments in ways that were previously impossible, surfacing insights that drive proactive, precision-based security. And with AI as a partner, we can turn complexity into clarity, noise into signal, and partner swift remediations with anticipation. By rewriting the physics of defense, we can reclaim the advantage and redefine what it means to be secure.

Learn more

To hear more from Microsoft Deputy CISOs, check out the OCISO blog series. To stay on top of important security industry updates, explore resources specifically designed for CISOs and best practices for improving your organization’s security posture join the Microsoft CISO Digest (sent every two months) distribution list, go to this webpage.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.