San Francisco has always been a somewhat odd but pleasant outpost with an appeal that attracts people from all over. It was so in the late 1840s, when the prospects of gold lured people to the area, in a short time transforming the small settlement of San Francisco to a boomtown. More recently, many in the IT field have been attracted to San Francisco because of the pleasant weather, even in winter. And last week at the Moscone Center, in the buzzing SoMa neighborhood, was brought to town one of the largest security conferences in the world: RSA.
One of the things I get to do in the Microsoft Security Response Center (MSRC) is talk to our customers and tell them about the process by which Microsoft identifies potential security vulnerabilities in its products, eliminates those vulnerabilities, and provides remediation and information to customers. In other words, I get to explain what I do for a living to anyone who will listen. I really enjoy doing this, because I find out first-hand what is most important to our customers as well as what questions they have about the Microsoft response process.
As you may know, the Microsoft Security Response Center (MSRC) EcoStrat blog has served to inform Microsoft customers, security professionals, IT Pros, and developers of the MSRC Ecosystem Strategy Team’s activities. Our goal is to provide a deeper, more personal look into the work the Microsoft Security Response Center does to understand and help support an effective security ecosystem. We do this by showcasing particular individuals and insider stories to offer transparency around the complexity of the many challenges our community faces. We believe that by sharing our experiences, everyone can better understand the magnitude of the problems we face as a community, and how we can work together to mitigate them by helping build an army of defenders.
Hi All, This is Dustin and Karl from the Microsoft Security Response Center (MSRC). Recently, we were fortunate enough to attend the Black Hat DC 2010 conference held in Washington, D.C. We wanted to share our personal highlights from this great conference and provide a bit of a weather report too.
What speaks English, Portuguese and Spanish, has a hundred set of eyes, and battles in the defense of good against evil on a daily basis? No, it’s not the mythological Chupacabra ;-)—it’s the BlueHat Security Forum: Buenos Aires Edition. With the Forum ~5 weeks away I’m pleased to share the speaker line up and content details for what is sure to be a an eventful security briefing.
Guten Morgen! Joe Hemmerlein hier vom Microsoft Security Response Center (MSRC). I just returned from Germany earlier this month, where I spent some time mingling with security researchers. It's customary that we share a bit of our experience at security conferences right here, on the EcoStrat blog - and this is my first posting.
G’day, or should I say howdy, y’all. As the newest member of the Microsoft EcoStrat team, I figured I would do a quick self-introduction before getting down to work. I am a Senior Security Strategist with the Microsoft Security Response Center (MSRC) based in Redmond. Prior to my big move to the USA, I was the Operations Manager of AusCERT in Australia (that’s the place that is famous for kangaroos and Tim Tams, to ensure you didn’t think I meant Austria!) My role here at Microsoft varies, but at the very top of my list is ensuring that Microsoft strengthens its relationship with the global community of national and government Computer Emergency Response Teams (CERTs).
Celene here from the MSRC Ecosystem Strategy Team. BlueHat v9: Through The Looking Glass ended just over a month ago and the success of the con lives on due to the outstanding training and networking between Microsoft employees, external speakers, and guests. I'm happy to say that the speaker video interviews and selected recorded presentations are now live on the BlueHat TechNet Page. As promised, we have posted talks from every track block. The samples available are from the e-crime, cloud, mobile and fuzzing content blocks.
As you probably know by now, BlueHat is primarily about educating our own Microsoft population so we can better understand how to build more secure products. The more we know about the security ecosystem, the more we at Microsoft can truly comprehend and assess our security reality. Our secondary goals are to build bridges and bring transparency to the security community to facilitate positive information exchanges.
Hi! It's been a while since I've had a chance to blog about all the things we have been doing here. As travelling around to various security events is a big part of our mantra, I’ve been to Tokyo Japan for PacSec and Seoul, South Korea for POC 2009. Both were great conferences and had great security talks.
PacSec had a lot of the Japanese security scene in attendance (the local powerhouses are pretty sharp and savvy) along with international researchers and past BlueHat speakers, Charlie Miller and Alex Stamos. Take a minute to check out archived presentations from our own Tony Lee introducing the SIRv7 and Jason Shirk discussing fuzzing strategies. But the biggest interest concerned mobile code threats such as malware and how the perimeter defenses are fading away as a viable protection. This seems to be a hot topic everywhere, so hot that the just wrapped-up BlueHat v9 con had an entire track dedicated to mobile security, and in June 2010, at the annual FIRST Conference, how the perimeter defenses are fading away will be the theme for the whole conference.
BlueHat v9 will take place from October 21 to 23 at the Microsoft campus in Redmond. Last year, we experimented with a day dedicated to attacks and a day dedicated to SDL security mitigations. This year, we will give you the best content out there… we are interweaving talks from internal and external security subject matter experts with themes related to e-crime, mobile security, cloud computing, and fuzzing.
We kick it off with the BlueHat Executive Sessions on October 21 with condensed versions of the presentations delivered in a deeply technical "Cliff Notes" style. October 22 and 23 are filled with BlueHat General Sessions for our Microsoft IT pro and developer population.
When complex security issues that affect multiple vendors arise, calling them “challenging” is an understatement. We created the Microsoft Vulnerability Research Program (MSVR) to meet those challenges, learn from those experiences and strengthen the ties of our community of defenders across the industry in the process. As the state of software security matures beyond straightforward issues such as buffer overflows and elevation of privilege, we are working diligently towards a new level of cross-industry collaboration on a scale never seen before. We must do so in order to provide our mutual customers with the best possible experience on our platform.
OMG it’s great to be back in Vegas again – the shows, the shopping, the nightlife, and let’s not forget the talks at Black Hat, the old and new friends, the excitement and the drama. I can hardly wait to see what develops this year!
Last year at Black Hat, the Microsoft Security Response Center announced three new programs – Microsoft Active Protections Programs (MAPP), Microsoft Vulnerability Research (MSVR), and Microsoft Exploitability Index. I was honestly a bit nervous about how the programs would be received. Would the community ridicule them (and us)? Were the programs as solid as we thought they were? Would they stand the test of time? And most importantly, would they help advance community-based defense?
It’s that time of year again for all of us to pack up and head out to the desert to reconnect, discuss, and plan for the future, or at least what we think will be the future of security. It’s hard to predict what the next year will bring as the security landscape is ever-changing. This is probably why most of us “grey beards” in the security industry mark the Black Hat/Defcon conferences as the de facto year in review/preview of the next year for the state of security. These conferences have defined a lot of security strategies for a number of people for years. But I digressJ; I started to talk about the year-end review for the security landscape.
Looking back over the year, I am pleased to see that we have executed nicely on a couple of strategies we put into place to change the security landscape. The ones I am talking about are the three programs listed below that we launched last year around this time.
video: Take a gander as Billy Rios, Security Engineer, Business Online Services, and Bryan Sullivan, Senior Security Program Manager, Secure Development Lifecycle (SDL), discuss their experiences with the security community both inside and outside of Microsoft.
As mentioned in Sarah’s Black Hat post, we’re profiling some of our own internal security members and sharing their perspectives around Microsoft’s engagement in the security community. Maarten Van Horenbeeck, Security Program Manager, Microsoft Security Response Center (MSRC) and Katie Moussouris, Senior Security Strategist, Secure Development Lifecycle (SDL), answer the following two questions:
How did we become involved in security at Microsoft?
What changes have we seen at Microsoft security over the years?