Dear Microsoft,
Let me begin by saying that you're one of the world's most high-impact companies, and that I love and respect Microsoft.
I may have spent only a few years at Microsoft, but when you're working 16 hour days, so immersed and in love with what it is you do, driven by the satisfaction and adrenalin of knowing that your work impacts billions of people worldwide, it truly is an incredibly satisfying and gratifying feeling. For me, working at Microsoft was a truly memorable and incredible experience.
If I might add, as Program Manager for Active Directory Security, I was at the epicenter of cyber security in Microsoft's Windows ecosystem, and when your work directly impacts the foundational cyber security of thousands of organizations worldwide, and you get to work with and earn the respect of some of the best security folks on the planet, John Lambert, David Cross, Michael Howard, Stuart Kwan, Paul Leach, Steve Riley, Ben Smith, Scott Charney and so many others, its an indelible experience.
But this isn't about me. This is about the thousands of organizations that we (you and us) have the opportunity to impact (, and in turn the billions of people whose lives they impact,) and the responsibility to do so in a positive manner that betters their lives.
As you know, Active Directory plays a foundational and in fact a monumental role in IT and cyber security across the world, or as I like to put it - "not a leaf moves in the organizational IT and cyber security world without Active Directory being involved."
As former Microsoft Program Manager for Active Directory Security, i.e. someone who spent years on this ocean of an esoteric subject, after having moved on from Microsoft in 2005, upon taking time to reflect back, it became clear to me a decade ago that as solid as Active Directory is, it unfortunately lacks one fundamental capability, the absence of which could likely pose a huge security risk for thousands of (y)our organizational customers worldwide, in years to come.
Thus in the late 2000s, I several times dutifully brought this deficiency in Active Directory to the attention of several individuals at several levels within Microsoft. Unfortunately, for reasons know best to them, no one seemed to want to do much about it.
It is because I knew just how critical this capability would be for the world to have in years to come, that I was convinced that it had to be built. Of course, back then, I was merely an ex-Microsoftie with the mere meagre resources of an average citizen, so I knocked the doors of some of the world's biggest venture capital (VC) firms, who all were kind enough to give me an audience.
(They were Kleiner Perkins Caufield and Byers (KPCB), Greylock Partners, Sequoia Capital, and a few others in Menlo Park.)
Unfortunately [for me then :-( , and for them now :-)] they too didn't " get it ", so they respectfully passed, and wished me luck.
Speaking of luck, there's an old saying - "Luck is the residue of diligence." They (i.e. those VC firms) may not have realized that they not only turned down a former Microsoft cyber security expert, but more importantly, they turned down someone who cares deeply about doing the right thing. Perhaps they may have underestimated the power of human will.
Undeterred, I decided to do something about it myself, within my own meagre financial means. I'll spare you the details of my journey, but in short I worked four years (1,460 days) straight without earning a penny, and when I was done, I had architected and developed one of the most important cyber security capabilities and amongst the most innovative patented intellectual property on the planet, which is today formidably backed and embodied into some of the world's most innovative solutions by some of the world's most professional developers (our employees), and can today do at a button's touch, what no one else can.
As a completely unintended consequence, I ended up creating possibly the most important, relevant and valuable cyber security company on the planet, and today, not all the financial resources at the disposal of all the venture capital companies combined, could possibly compete with us. (You may not yet understand why I say so, but you'll hopefully understand it by the end of this.)
(You see, there are 100s of cyber security companies in the world today, most of whom also run on Active Directory, but not a single one of them can help accurately determine effective permissions in Active Directory. If you can find even one that can do so, on even just one Active Directory object, let alone on an entire domain comprised of 100s of 1000s of objects, let me know.
Now, in case you're wondering why being able to do so is a BIG deal, its because he/she who can accurately and efficiently determine effective permissions on the thousands of objects that reside in each Active Directory domain worldwide, ultimately holds the keys to global security ; don't worry if you don't understand this now, for you will by the time we're done with school.)
Incidentally, given the nature of what it is we so uniquely do, today we are formidably backed by an entity who understands the strategic importance of our endeavor to the business and national security interests of the United States AND its allies.
But again, this isn't about me. This is about applying the best one is capable of, towards solving one of the most important cyber security challenges on the planet for our customers, the thousands of business and government organizations worldwide that operate Active Directory, to help them stay safe and secure. In other words, this is about you and (y)our customers worldwide.
You're not going to believe this, but imagine our surprise when after having solved arguably the biggest cyber security challenge facing Microsoft's organizational customers today, we found that hardly any of your customers seem to understand this problem!
Thus, last year, we had to bring this to the attention of the executive leadership of the Top-200 organizations worldwide, and to this day we continue to help thousands of your organizational customers understand this, for they all seem to be in the dark.
It appears that the reason most of them are in the dark is perhaps because while you were busy making a paradigm shift, you may have (completely) forgotten to provide them sufficient guidance on one of the most vital aspects of Windows Security.
I believe that it is not our burden to educate your customers about this profoundly important challenge; that's yours to do; we've done the hardest part, which is to solve it; you can do the rest. However, it appears that even you do not seem to understand it.
So, in the best interest of the foundational security of thousands of organizations worldwide, who are (y)our customers, in days to come, I'm going to most respectfully help you understand this profoundly important yet esoteric cyber security challenge.
(Also, I'm sorry if I may have been a little hard on you recently - one, two. That was only because I care deeply about everyone ; as they say, along with great power comes great responsibility, and I felt that you may inadvertently have not been living up to that. When we play such a vital & foundational role in global security, we have an obligation to do so as responsibly as we can.)
Please know that the only reason I'm doing so is so that you can help your customers understand this problem, because we worry greatly that if they don't understand this soon, the not-so-good folks out there could seriously endanger their security.
In fact, considering that 100% of all major recent cyber security breaches involved the compromise and misuse of a single Active Directory privileged user account, organizations that ignore The Paramount Brief may be doing so at their own peril.
(Also and most pertinently, as credential-theft attacks (e.g. Pass-the-Hash, Kerberos Golden Tickets etc.) become harder to enact, perpetrators are shifting their efforts towards directly attacking Active Directory, a fact concretely evidenced by Mimikatz DCSync, which leverages unauthorized / excessive effective permissions in Active Directory to compromise all credentials.)
Thus, I hope that once you understand this risk, you'll see why you need to help organizations worldwide understand it ASAP.
Thank you very much.
Most Respectfully,
Sanjay
PS: Active Directory Security School: Today was supposed to be Day-1 of Active Directory Security School, but I decided to make June 2017 Active Directory Security Awareness Month, so I figured it might be best to hold school from June 01 to June 30, 2017. So, the official Day-1 of School will start right here on June 01, 2017. Until then, you may want to read this.
No comments:
Post a Comment