CISA works with Microsoft to expand cloud logging after U.S. gov’t hack controversy

Microsoft is expanding access to critical tools that will help organizations investigate cybersecurity incidents after facing significant backlash following a breach linked to Chinese hackers.

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) said it worked with Microsoft to expand access to free cloud logging capabilities for all government and commercial customers after several organizations were unable to detect the hacking campaign, which targeted cloud-based email accounts.

Microsoft said in a blog post that in September it will begin offering access to detailed logs of email access and more than 30 other types of log data previously only available to customers who paid for a top-tier cloud service.

CISA Director Jen Easterly said the move was a “a step in the right direction toward the adoption of Secure by Design principles by more companies.”

“After working collaboratively over the past year, I am extremely pleased with Microsoft’s decision to make necessary log types available to the broader cybersecurity community at no additional cost,” Easterly said.

“We will continue to work with all technology manufacturers, including Microsoft, to identify ways to further enhance visibility into their products for all customers.”

Microsoft has faced withering criticism over the last two weeks after several of the 25 organizations victimized in an alleged Chinese espionage hacking campaign said they were unable to detect that they were hacked because they were not premium customers with access to the kinds of logs needed to identify the incident.

In a call with reporters last week and in statements on Wednesday, CISA reiterated that in recent years, their operational teams have found that several security logs critical for detecting and preventing threat activity costs extra for organizations utilizing the Microsoft basic enterprise license.

As an example, CISA referenced the recent U.S. government incident – which involved the compromise of the email inbox of Commerce Secretary Gina Raimondo, several State Department employees and a U.S. Congressional staffer. They said the government agencies had access to the premium logs which enabled them to limit the damage.

Microsoft said it decided to make the change in light of the “increasing frequency and evolution of nation-state cyberthreats” and after consulting with CISA about the the types of security log data they provide to cloud customers for insight and analysis.

Logs are important because they provide a more granular look at a cyberattack and offer insights into “how different identities, applications, and devices access a customer’s cloud services,” Microsoft explained.

“These logs themselves do not prevent attacks, but they can be useful in digital forensics and incident response when examining how an intrusion might have occurred, such as when an attacker is impersonating an authorized user,” they said.

"Today’s announcement comes as a result of our close partnership with CISA, who have called for the industry to take action in order to better protect itself from potential cyber-attacks,” said Microsoft vice president Vasu Jakkal.

“It also reflects our commitment to engaging with customers, partners, and regulators to address the evolving security needs of the modern world.”

While CISA has declined to attribute last week’s hack to China, the State Department said on Tuesday that it has “no reason to doubt” Microsoft’s assessment that the attack was launched by hackers connected to China’s government.