Virtualization and Empowerment: Microsoft’s VSOC Revs Up During COVID-19

When disaster strikes, can you take your security operations to-go? A long-term push toward digital transformation paid off for Microsoft’s security department when COVID-19 hit, putting business continuity and security monitoring plans to the test.

If a major disruption hits the Microsoft global security operations center (GSOC) in Redmond, Washington, the staff transfers controls over to the sister GSOC in Hyderabad, India, and analysts grab their go bags—stocked with everything they need to replicate their workstations remotely, whether that’s at a different Microsoft location or at their respective homes. Within 30 to 60 minutes, the virtual security operations center (VSOC) is back up and running, says Brian Tuskan, chief security officer at Microsoft.

“We were really big on remote operability and load sharing, just in case of an emergency,” he says. “We developed—specific to the operations centers—very robust contingency planning in case we had to leave the center during an emergency.”

While these continuity plans were established and tested to prepare for natural disasters, fires, or widescale outages, they were put to the test during the coronavirus pandemic.

Washington was one of the first U.S. states heavily affected by COVID-19 in early 2020, and the Microsoft headquarters quickly shifted to remote work as much as possible. While some security staff needed to be on-site for guard tours and compliance purposes, VSOC analysts, security managers, and some other personnel could function just as well remotely.

“The concern was the number of people within the SOC at the height of infection—we wanted to limit the number of people physically on site and ensure we’re at safe social distance protocols,” Tuskan says.

The virtual SOC—run through cloud-based systems—was part of Microsoft’s digital transformation and business continuity planning efforts. Technology like Microsoft Teams enabled the security team to collaborate more closely with stakeholders around the world and manage operations without physically being close together.

“This is the ‘V’ in the virtual security operations center,” Tuskan says. “That was the strategy: we virtualized the experience. Anyone can be part of the SOC because of technology. And we proved it in this crisis—you do not need to be in a particular building to do your job effectively.”

Microsoft’s mission is to empower people and organizations to achieve more, he says. Virtualization—and the heightened team connectivity it brings—empowers team members to provide the same or higher levels of service during a crisis. While some groups may feel compelled to physically be on site, most of the security team’s job is strategic—analyzing alerts, data, and risk, as well as making high-level decisions. Armed with a mobile phone, Bluetooth headset, and a laptop, security personnel can manage practically anything from a home command center, Tuskan adds.

For example, one regional security manager in China was on vacation when COVID-19 triggered widescale lockdowns and travel restrictions. For three months, he was able to work remotely from his coastal vacation home, running operations and providing continuity of leadership for his team.

Through the VSOC, analysts provide remote monitoring of alarms, doors, and access management for more than 700 Microsoft facilities worldwide, which had been left largely vacant during the pandemic. If there is a physical break-in at a Microsoft location, Tuskan says, there is no difference in response whether the security operator is on-campus in Redmond, at home, or working in the GSOC in Hyderabad.

Despite VSOC employees’ familiarity with technology, shifting to remote work has still presented challenges.

“We’ve never been through a crisis like this, in this modern time, and people are figuring out how to get work done, finding workarounds, and being creative about ways to keep operations running,” Tuskan says. “Working from a home environment, leveraging technology, you can be highly productive.”

While roughly half of Microsoft’s global security team typically works remotely, many of the U.S. team members operated out of office spaces pre-pandemic. While the whole team was equipped with remote work stations, the shift required them to learn good work-from-home practices quickly. Employees have had to learn how to build break time and focus time into their calendars, and not pack their calendars with back-to-back calls and meetings, Tuskan says.

Large-scale remote work has spotlighted the importance of a results-oriented work environment, or ROWE approach, he says. “I care about the results and less about busy work—sending tons of emails, setting up a bunch of meetings, and having a lot of calls. What I really focus my team on operationally is what are the results—what are we executing on and executing flawlessly on our deliverables. I use a lot of data to determine what resources we need.”

One of those key resources is the Microsoft security employees themselves. The global security team makes a concerted effort to hire experienced security professionals—not entry-level employees—to fill VSOC and analyst positions. Those employees’ existing breadth of knowledge as investigators, risk managers, and analysts is supplemented by cross-role training, so they are available to step into different positions when needed to meet goals and operational objectives.

“I created hybrid roles that could pick up the slack for other teams that were getting overloaded or for additional depth,” Tuskan says.

In responding to changes in risk due to COVID-19, for example, operational security personnel and time were in high demand; however, other security functions such as investigations or event security—given that all Microsoft events were cancelled—had staff and resources that could be reallocated to complete operational tasks. When needs shift during different phases of the pandemic response, the cross-trained personnel are prepared to step in, albeit remotely.

As regions and facilities reopen, Microsoft’s crisis management teams—with input from security—will gauge appropriate return-to-workplace pathways. Because most corporate Microsoft employees—including security operators—can work remotely, reopening facilities can be a more gradual, hybrid process, Tuskan says.

“It’s going to be a very thoughtful process,” he adds. “Our number one objective is to ensure the health, safety, and security of employees, guests, and visitors.”