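Content provided by Team Cymru. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Team Cymru or its podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://zh.player.fm/legal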

Directions on Microsoft’s Wes Miller on Harmonizing Microsoft's Security & Identity Tools

24:28
 

What happens when Microsoft's on-premises security falls behind while cloud innovation accelerates? In this episode of The Future of Threat Intelligence, Wes Miller, Research Analyst for Microsoft Identity, Security, and Management at Directions on Microsoft, pulls back the curtain on Microsoft's fragmented security landscape.

Having survived the historic Windows security push during his 7 years at Microsoft and spent the last 15 years analyzing their enterprise strategy, Wes delivers an insider's perspective on why vulnerable legacy systems like Exchange Server, Certificate Services, and Federation Services have become prime attack vectors while Microsoft focuses its innovation almost exclusively on cloud services.

He also walks David through why organizations are struggling with critical misconceptions about Entra ID, reveals how Microsoft's release notes contain hidden threat intelligence, and shares tactical approaches to influence Microsoft's security roadmap through strategic stakeholder relationships.

Topics discussed:

  • The critical security gap between Microsoft's cloud-focused investments and neglected on-premises systems like Exchange, Certificate Services, and Federation Services.
  • How analyzing Microsoft Defender update notes provides a "hidden" threat intelligence feed that reveals emerging attack patterns targeting enterprise environments.
  • The misconception that Active Directory and Entra ID are similar systems, when they require fundamentally different security approaches.
  • Why entitlement management represents the essential intersection between security and identity teams, connecting HR processes directly to access lifecycles.
  • The strategic challenge of harmonizing legacy and cloud identity systems while protecting non-Microsoft workloads in increasingly Microsoft-centric environments.
  • Practical methods for large enterprises to influence Microsoft's security roadmap through targeted stakeholder relationships and coordinated feedback.
  • How certificate servers often operate as "forgotten infrastructure" within organizations, creating prime attack vectors that Microsoft's Defender for Identity is specifically designed to detect.
  • The threat of Microsoft potentially limiting third-party identity provider integration capabilities, and strategies for maintaining ecosystem diversity.

Key Takeaways:

  • Monitor Microsoft Defender release notes to identify emerging attack patterns that Microsoft is actively detecting across their customer base, providing valuable threat intelligence without additional cost.
  • Implement entitlement management systems that connect HR processes directly to identity lifecycles, ensuring proper access provisioning and deprovisioning throughout employee transitions.
  • Audit your on-premises certificate servers and federation services, which often operate as "forgotten infrastructure" and represent prime attack vectors.
  • Develop a comprehensive strategy for synchronizing Active Directory and Entra ID, recognizing their fundamental architectural differences rather than treating them as interchangeable systems.
  • Establish strategic relationships with Microsoft stakeholders to influence their security roadmap, leveraging coordinated feedback when features don't align with real-world enterprise security needs.
  • Harmonize legacy and cloud identity systems by mapping complete workflows and identifying potential integration gaps between Microsoft's on-premises and cloud-based security tools.
  • Evaluate third-party identity providers for critical non-Microsoft workloads, addressing the potential limitations of Microsoft's tightening control over Entra ID integration capabilities.
  • Prioritize Exchange Server security through rigorous patch management and enhanced monitoring, as Microsoft has effectively "abandoned" on-premises Exchange according to Wes Miller.
  • Integrate security and identity management teams through shared workflow processes, recognizing their interdependence rather than maintaining traditional organizational silos.
  • Document architectural limitations of Microsoft's identity systems, particularly in hybrid environments where cloud and on-premises systems must interoperate securely.

Join us for the 15th anniversary of RISE in San Francisco this April 8-9, where cybersecurity professionals, law enforcement, and threat intelligence analysts come together for two days of TLP-RED content sharing and hands-on collaboration in the fight against cybercrime.

Apply now at http://www.cymru.com/rise.
