{“lastseen”:”2025-12-09T18:14:56″,”description”:”__The Deputy CISO blog series is whereMicrosoft _Deputy Chief Information Security Officers_ __(CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more._ In this article, John Lambert, _Chief Technology Officer, Corporate Vice President and Security Fellow at Microsoft dives into the future of cyber defense__.__\\n\\nTen years ago, as threat actors began following our growing customer base to the Microsoft Cloud, I founded the Microsoft Threat Intelligence Center (MSTIC), which focuses deeply on addressing this type of cyberattacker. One of the first things we learned was that to find threat actors you need to think like them. That\u2019s what led me to begin thinking in graphs. Any infrastructure you need to defend is conceptually a directed graph of credentials, dependencies, entitlements, and more. Cyberattackers find footholds, pivot within infrastructure, and abuse entitlements and secrets to expand further. Software systems and online services are built from components\u2014many of these components have logs of what\u2019s happening, but this results in a lot of siloed logs. To see what a threat actor is doing, you have to reconstruct that red thread of activity from logs. Then, from those logs you can create a graph. \\n\\nAnticipate and stop cyberattacks with Unified SecOps from Microsoft\\n\\nBy adopting this same graph-based thinking, we put ourselves on more even footing with cyberattackers. But we don\u2019t really want to be on even footing. We want to retake the advantage for ourselves. That\u2019s why it\u2019s also important to keep our best practices up, making sure our infrastructure is well managed, maintaining a well-educated team of analysts on our team, and collaborating with our competitors on defense. All together, this is of course a lot of work. It\u2019s easy to see why some security professionals out there see the physics of defense as being against them. And in some ways, it has been. So, let\u2019s change that.\\n\\nWe\u2019ve got more data and more advanced tools at our fingertips than ever before, including some very good AI. Let\u2019s take a look at each of these best practices, as well as how we can use our new tools to reduce the cost and effort involved in maintaining the advantage against threat actors.\\n\\n## **The defense benefits of attack graphs**\\n\\nMost defenders today live in a tabular, relational world of data and the databases in which that data lives. At Microsoft, this is Azure Data Explorer databases queried using Kusto Query Language (KQL). And we know that if we can represent data in other ways, like in a graph, we can suddenly look at our data in ways that are difficult to do in traditional databases. This is a chief reason why threat actors build attack graphs of their targets. The graph lets them more easily see the many ways they can break into the target\u2019s network, pivot to the things they need, get the credentials they need, and exploit things within the blast radius those credentials give them. That\u2019s why it\u2019s important to build a great attack graph for all the things that you must defend and equip your defenders with it. With a graph, you can ask questions like \u201cwhat’s the blast radius of this kind of access?\u201d, \u201ccan I get from identity A to infrastructure B?\u201d, or \u201cif a threat actor has taken over this specific node, can they get to our crown jewels?\u201d With an attack graph in hand, those questions become easier to answer.\\n\\nRelational tables and graphs are just two of the ways to represent security data. We\u2019re currently working on broadening those ways to also include anomalies and vectors over time. All together, these four data representations are what I refer to as the algebras of defense. As a defender equipped with these algebras, you can easily represent security data in multiple different ways. You can ask it questions in domains they are highly specialized in answering and get the answers you need from your security data in ways that drive you very quickly to the outcomes you need. What\u2019s really exciting about this concept is that the benefits don\u2019t just extend to your security team. Your advanced AI can use them to similar effect, turning each algebra into a new way to detect, for instance, what constitutes an anomaly and what does not. It\u2019s giving AI the ability to use the same intuitions that human experts use but in a much more highly dimensional space.\\n\\n## **Building difficult terrain through proper cyber defense hygiene**\\n\\nA well-managed target is a harder target to attack. Defenders that excel in security don\u2019t just react to cyberthreats, they proactively shape their environments to be inhospitable to bad actors. This begins with investing in preventative controls. Rather than waiting for incidents to occur, successful defenders deploy technologies and processes that anticipate and block cyberattacks before they materialize. This includes endpoint protection, network segmentation, behavioral analytics, threat modeling, and more.\\n\\nDisrupt ransomware with Microsoft Defender for Endpoint\\n\\nIt’s also important to deprecate legacy systems as they often harbor vulnerabilities that cyberattackers exploit. By retiring outdated solutions and replacing them with modern, secure alternatives, organizations reduce their exposure and simplify their defense posture. The same goes for entitlement management. By continuously reviewing who has what access, organizations can help prevent lateral threat actor movement.\\n\\nYou\u2019ll also want to make sure you\u2019re conducting top-tier asset management. You can\u2019t protect what you don\u2019t know exists. Maintaining an accurate, real-time inventory of devices, applications, and identities helps defenders monitor, patch, and secure every component of the environment. Removing orphaned elements goes hand-in-hand with this concept. Unused accounts, forgotten servers, and abandoned cloud resources\u2014all of these remnants of past projects can easily become low-hanging fruit for cyberattackers.\\n\\nYou should invest time and effort into creating difficult terrain for attackers, making it harder for them to traverse your networks. Phishing-resistant multifactor authentication is a way to do this. So is not just having strong identity management, but requiring it to be used from expected, well-defined places on the network. For example, forcing admin access to be used from hardened, pre-identified locations.\\n\\nHelp secure access to resources with multifactor authentication\\n\\nLayered defenses with multiple controls working in concert help quiet your network. By reducing randomness and enforcing predictability, you can eliminate much of the noise that threat actors rely on to hide, ultimately removing entire classes of threat actors from the equation.\\n\\n## **Invest in internal expertise and collaborate with others who do the same**\\n\\nWhile preventative controls are essential for raising the cost of cyberattacks, no defense is impenetrable. That\u2019s why remediation remains a critical pillar of cyber hygiene. Organizations must be equipped to both block threats and to detect and respond to those that slip through.\\n\\nThis begins with data visibility. Security teams need to be on top of their telemetry so they can spot anomalies quickly. And you\u2019ll need a team of educated analysts who understand cyberattacker behavior and can distinguish signal from noise. With their expertise, you\u2019ll be better equipped to identify subtle indicators of compromise and initiate swift, effective remediation efforts.\\n\\nIt\u2019s also important to work on cyber defense together with organizations that you otherwise view as your competitors. And, thankfully, here\u2019s where I get to impart a bit of good news. Over the past decade, the tech industry has undergone a profound shift in how it approaches this concept. As organizations, we\u2019re now way better about taking news about the security events happening to us to trusted spaces and talking about them in trusted ways than we were 10 years ago. What was once taboo, like the sharing of breach details with competitors, is now a mainstay of our collective defense. This cultural shift has led to the rise of trusted security forums, cross-industry intelligence sharing, and joint incident response efforts, allowing all of our defenders to learn from each other and respond faster to emerging threats.\\n\\n## **Optimizing the defense curve**\\n\\nWe now operate in a world where vast, high-fidelity data sets and advanced AI systems can amplify our reach, sharpen our detection, and accelerate our response. By embracing graph-based thinking, cultivating difficult terrain, and investing in collaborative intelligence, defenders can fundamentally shift the physics of defense beneath their would-be attackers\u2019 feet.\\n\\nWith the algebras of defense, defenders can interrogate their environments in ways that were previously impossible, surfacing insights that drive proactive, precision-based security. And with AI as a partner, we can turn complexity into clarity, noise into signal, and partner swift remediations with anticipation. By rewriting the physics of defense, we can reclaim the advantage and redefine what it means to be secure.\\n\\n## Microsoft \\nDeputy CISOs\\n\\n**To hear more from Microsoft Deputy CISOs, check out the OCISO blog series**:\\n\\nTo stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization\u2019s security posture, join the Microsoft CISO Digest distribution list.\\n\\n\\n\\n## Learn more\\n\\nTo hear more from Microsoft Deputy CISOs, check out the OCISO blog series. To stay on top of important security industry updates, explore resources specifically designed for CISOs and best practices for improving your organization\u2019s security posture join the Microsoft CISO Digest (sent every two months) distribution list, go to this webpage.\\n\\nTo learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.\\n\\nThe post Changing the physics of cyber defense appeared first on Microsoft Security Blog.”,”published”:”2025-12-09T17:00:00″,”modified”:”2025-12-09T17:00:00″,”type”:”mssecure”,”title”:”Changing the physics of cyber defense”,”source”:””,”references”:””,”id”:”MSSECURE:4562F953D66272BA6B83EFA135EEC35C”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/12\/09\/changing-the-physics-of-cyber-defense\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-09T18:14:56″,”description”:”__The Deputy CISO blog series is whereMicrosoft _Deputy Chief Information Security Officers_ __(CISOs) share their thoughts on what is most important in their respective domains….<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-29724","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n