Well, it’s been a busy week at GOVCERT.NL Symposium 2008. I thank the wonderful people at GovCERT.nl for creating an amazing event. I ate many Dutch delicacies, attended several good talks, and have decided that Nicholas Witchell should moderate and host all conferences, security or not (his sense of humor and ability to speak on topic are refreshing). More importantly, I talked to and listened to over 15 different CERTs and Guidance Providers (GPs).
This brings me to the core of this blog post: SCPcert. I work with several CERTs and GPs closely, but the reality is I can only handle 10-20 relationships before my time is maxed and the relationships weaken. Also, many of these relationships are based on personal connections made during events or chance meetings, rather than purposeful or strategic efforts. While these relationships have proven extremely valuable, they are difficult to scale. Given that there are 200+ CERTs in the world, clearly we have an opportunity to do better.
We have faced this problem in the past with AV vendors, ISPs and governments. For each of those sectors we created programs: VIA for AV vendors, GIAIS for ISPs and SCP for governments. We placed all of these programs under an umbrella program called the Microsoft Security Response Alliance (MSRA). It was clear that we needed an MSRA program for CERTs. However, the problem with CERTs is that no two CERTs are alike, and the first step to a successful program is clearly defining the membership criteria. Therefore I identified a subset of CERTs we could build a program around: National and Regional CERTs. Once I did that, it was clear the SCP program was closely in line with these CERTs (in fact many of these CERTs are represented in SCP already). Thus we named the new program SCPcert.
We defined a "National CERT" as a CERT that is either part of the government or is widely recognized as representing a country, region, or a clear population (as recognized by the government, population, or other CERTs). Therefore we have a defined group to target and a successful program to leverage so we can expand quickly and recruit new members. We are doing this with no real increased cost, and with scalability and, most importantly, durability. By durability, I mean we can survive all forms of change, good and bad. For example, the MSRA program has existed for over 10 years, and during that time the threats increased in their complexity and nature, the focus of information flows has been on new goals, and while some of the faces are the same, there are more new faces every year. During all of these changes the program has survived and improved, and we want the same for SCPcert.
So what does SCPcert offer members?
This is good, but what can SCPcert offer members in the future? Previously we have had some great ideas for CERTs, but the stumbling block has always been "we need 20 CERTs who do the following..." The reason is a simple cost-to-benefit problem. For example, we might be able to manually parse a large data set for 1 or 2 CERTs, and that might be acceptable for a one-time event, but to do it for 4-5 CERTs starts to have a high cost for potentially diminishing returns. Instead, if we spend even more resources, but we can build a process that does it for 20-30 CERTs (or more) and that process is repeatable and automated, we can justify the resource cost.
This works in the other direction too. CERTs often have good data to share with us. To manually process one or two feeds of the same data can be time well spent, but again, at 4-5 feeds the returns diminish while the resource cost stays the same per feed. By working with the CERTs, we can standardize the feeds and work to absorb, process, and analyze larger amounts of real-world data. This not only gives us “more data”, it can also give us sources from more diverse geographic areas and market segments. This in turn may allow us to see trends that might otherwise be lost in the aggregate of global sources. This has assisted us during events to identify regions or markets that are being affected greatly, while the overall world view shows little impact. This allowed us to focus support and response efforts on the affected regions.
Over the next year as we expand SCPcert, we will have that list of 20 or more CERTs for each good idea, and we can expand the information flows, and strive to protect our customers in new and better ways.
How do you join? Email firstname.lastname@example.org with the following:
We look forward to working with our friends at the various CERTs around the world! You can look for us at other major CERT events in the coming year, including APCERT, AusCERT and FIRST.
*Postings are provided "AS IS" with no warranties, and confer no rights.*