A little more than a month ago, we announced some new initiatives for the Microsoft Active Protections Program (MAPP). One of those announcements was “MAPP for Responders.” The initial response has been extremely positive, so we wanted to provide more information on how we are moving this program forward.
Since the announcement, we’ve been working towards launching two initiatives as a single beta with a limited set of customers and partners. The first is the pilot of the MAPP Scanner service that we previously announced. The second initiative is a beta of a completely new automated knowledge exchange platform. We alluded to this platform in our first post and want to give some additional details on this project.
Simply put, this is a distributed platform that runs as a web service that provides the ability to automate the sharing and consumption of threat information in machine readable formats. As mentioned before, the platform supports the STIX and TAXII open specifications developed by MITRE, but it has been designed to support any message exchange services and message formats that partners decide to implement. This helps to accomplish multiple goals, but here are two highlights:
First, the platform will empower the industry by facilitating the sharing of threat information and enabling knowledge exchange scenarios that do not exist today. As a platform, customers and partners will have the flexibility to share and consume data with granular control.
Second, the platform has been designed to be extremely extensible, with a modular plugin architecture that will allow for an unlimited number of services to be built on top of and supported by it.
Figures 1 – 3 illustrate some of the sharing scenarios enabled by the platform:
Figure 1 Publisher Subscriber
Figure 2 Peer to Peer
Figure 3 Hub and Spoke
We have designed this platform to integrate into existing environments acting as an interchange point between both external and internal services and data formats. The platform enables real-time information sharing, and because the data is machine-readable, organizations can choose to automatically push the data into their network protection systems.
I mentioned a limited beta with qualified customers and partners and wanted to list some of the criteria for participation. In addition to being able to sign required agreements and having a dedicated incident response team, participants in the initial beta will be required to provide a feed of threat data into the system. The beta will operate in phases with each lasting approximately 3 months. We expect to conduct three to four phases, expanding to more participants as we progress.
Many customers have already contacted us concerning participation and we will be following up with all of you very soon. For those enterprise customers who are interested in finding out more, the best path is to talk to your Microsoft Technical Account Manager (TAM). Other incident responders can send a note to firstname.lastname@example.org.
Keep an eye on this blog for future updates and announcements. We expect this work to go on for several months and are looking forward to input from participants to help shape the future of automated knowledge exchange.
Jerry Bryant Senior Security Strategist Lead Microsoft Trustworthy Computing