Cybersecurity threats are always evolving, and today we’re seeing a new wave of advanced attacks targeting areas of computing that don’t have the protection of the cloud. New data show that firmware attacks are on the rise, and firms aren’t paying close enough attention to securing this critical layer.
Recently, Microsoft commissioned a study that demonstrated how attacks against firmware are outpacing investments targeted at stopping them. The March 2021 Security Signals report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years, but only 29% of security budgets are allocated to protecting firmware.
Security Signals is a comprehensive research report assembled from interviews with 1,000 enterprise security decision makers (SDMs) from various industries across the U.S., UK, Germany, China, and Japan. Microsoft commissioned Hypothesis Group, an insights, design, and strategy agency, to execute the research.
The study showed that current investment is going to security updates, vulnerability scanning, and advanced threat protection solutions. Yet despite this, many organizations are concerned about malware accessing their systems, as well as the difficulty of detecting threats, suggesting that firmware is more difficult to monitor and control. Firmware vulnerabilities are also exacerbated by a lack of awareness and a lack of automation.
But the tide may be starting to turn against firmware exploits. There is a growing awareness of the issue worldwide, a new willingness to invest in protections, and an emerging class of secured-core hardware is showing the potential to empower organizations with chip-level security and new automation and analytics capabilities.
Firmware offers fertile ground to plant malicious code
Firmware, which lives below the operating system, is emerging as a primary target because it is where sensitive information like credentials and encryption keys is stored in memory. Many devices in the market today don’t offer visibility into that layer to ensure that attackers haven’t compromised a device prior to the boot process or at runtime below the kernel. And attackers have noticed.
If that’s not enough, the National Institute of Standards and Technology (NIST) has shown more than a five-fold increase in attacks against firmware in the last four years, and attackers have used this time to further refine their techniques and get ahead of software-only protections.
Yet the Security Signals study shows that awareness of this threat is lagging across industries. Even with this onslaught of firmware attacks, the study shows that SDMs believe software is three times as likely to pose a security threat as firmware.
“There are two types of companies: those who have experienced a firmware attack, and those who have experienced a firmware attack but don’t know it.” - Azim Shafqat, Partner at ISG and Former Managing VP at Gartner
The OS kernel is an emerging gap in defense
A look at respondents’ investments bears out this disparity. Hardware-based security features such as Kernel Data Protection (KDP), or memory encryption, which blocks malware or malicious threat actors from corrupting the operating system’s kernel memory or from reading it at runtime, are a leading indicator of preparedness against sophisticated kernel-level attacks. Security Signals found that only 36% of businesses invest in hardware-based memory encryption and less than half (46%) are investing in hardware-based kernel protections.
Security Signals also found that security teams are too focused on outdated “protect and detect” models of security and are not spending enough time on strategic work: only 39% of security teams’ time is spent on prevention, and they don’t see that changing in the next two years. The lack of proactive defense investment in kernel attack vectors is an example of this outdated model.
Physical attacks using hardware
In addition to firmware attacks, respondents identified concerns with attack vectors exposed by hardware. The recent ThunderSpy attack targeted Thunderbolt ports, leveraging direct memory access (DMA) functionality to compromise devices via hardware access to the Thunderbolt controller. Another flaw, this one unpatchable, was found in the T2 security chip used in many common consumer devices. Other major firmware attacks in the last year included the RobbinHood, Uburos, Derusbi, Sauron and GrayFish attacks that exploited driver vulnerabilities.
Lack of automation and investment may contribute to a gap in focus on firmware
Part of the disconnect may be due to security teams being stuck in reactive cycles and manual processes. The vast majority (82%) of Security Signals respondents said that they don’t have the resources to allocate to more high-impact security work because they are spending too much time on lower-yield manual work like software patching, hardware upgrades, and mitigating internal and external vulnerabilities. A full 21% of SDMs admit that their firmware data goes unmonitored today.
Lack of automation is another factor causing organizations to lose time and detracting from building better prevention strategies. Seventy-one percent said their staff spends too much time on work that should be automated, and that number creeps up to 82% among the teams who said they don’t have enough time for strategic work. Overall, security teams are spending 41% of their day on firmware patches that could be automated.
New investments are accelerating, and paying off
The challenge is global, and many organizations are realizing the importance of investing in these critical areas. Eighty-one percent of the German corporations we surveyed were prepared and willing to invest, as compared to 95% of Chinese organizations and 91% of businesses in the U.S., UK, and Japan. Eighty-nine percent of regulated industry companies felt willing and able to invest in security solutions, although those in the financial services sector are not quite as ready to invest as corporations in other markets.
Those that do make the right investments are seeing returns, and surveyed organizations that made a real investment in security see a big payoff. Almost two-thirds (65%) of SDMs reported that investing in security increased efficiency throughout their organizations because it frees up SecOps teams to work on other projects, promotes business continuity, enables end-user productivity, decreases downtime and saves on investments needed elsewhere.
“Firmware runs the hardware, but there isn’t a way to inspect it to say you are 100% safe with firmware. Firmware attacks are less common (than software), but a successful attack will be largely disruptive.” - SANS Senior Instructor
Hardware security is paramount to protecting from future threats
With our partners, Microsoft has created a new class of machines specifically designed to eliminate threats aimed at firmware, called Secured-core PCs. This was recently extended to Server and IoT, announced at this year’s Microsoft Ignite conference. With Zero Trust built in from the ground up, this means SDMs will be able to invest more of their resources in strategies and technologies that will prevent attacks in the future rather than constantly defending against the onslaught of attempts aimed at them today.
The SDMs in the study who reported they have invested in secured-core PCs showed a higher level of comfort with their security and enhanced confidentiality, availability, and integrity of data compared to those not using them. Based on analysis of Microsoft threat intelligence data, secured-core PCs provide more than twice the protection from infection of non-secured-core PCs. Sixty percent of surveyed organizations that invested in secured-core PCs reported supply chain visibility and oversight matters as a top concern. According to Accenture’s State of Cyber Resilience report, indirect attacks through the supply chain now account for 40% of security breaches.
Secured-core PCs deliver powerful protection out of the box, with capabilities such as Virtualization-Based Security, Credential Guard, and Kernel DMA Protection. The resulting automation and out-of-the-box capabilities also free up time for SDMs to focus more of their efforts on high-value and strategic endeavors and less on low-level activities.
Security Signals also found that companies are investing in larger devices to protect against hardware security breaches: more than half are focusing on servers. Microsoft is planning ahead and innovating there as well. With our partners AMD and Intel, we announced the expansion of secured-core to servers and edge devices at our virtual Spring Ignite.
“Server investments are high today because they are used as stepping stones in the cloud migration journey.” - Azim Shafqat, Partner at ISG and Former Managing VP at Gartner
The most important takeaway from the Security Signals report is that companies want to have more proactive strategies in place for security, especially when it comes to addressing firmware attacks. Microsoft is working to address that need by partnering with leading PC manufacturers and silicon vendors to establish a proactive strategy towards device security.
Ultimately, those enterprises that align their resources to develop such preventive strategies will give themselves a better opportunity for business continuity, productivity, and protection from emerging threats.
The Security Signals research was conducted from August to December 2020, when a 20-minute online survey was carried out with 1,000 decision makers involved in security and threat protection decisions at enterprise companies from a range of industries across the US, UK, Germany, China, and Japan.
The Security Signals report works to create a detailed picture of the current security landscape: to understand the unique mindset and priorities that security decision makers (SDMs) bring to their organizations; to shed light on the benefits and challenges of adopting security solutions; to assess what impacts and shapes SDMs’ business decisions; and to see what the future of security may hold. The goal of this paper is to provide up-to-date research on the state of security, across countries and industries, in order to better serve our customers and partners, and enable security decision makers to further their development of security strategies within their organizations.
Read more: microsoft.com