In the film Red Dawn, the United States was invaded by Communists, forcing ordinary citizens and soldiers alike to take up arms and fight for their freedom. Although fictional, it was an epic tale of cooperation against a common foe, not unlike the situation that corporations and governments find themselves in today, fighting shoulder-to-shoulder with users to fend off the Internet-based attacks of determined adversaries. According to the most recent reports from uscollegeresearch.org, as of June 2011, about 73 percent of U.S. and 65 percent of global Internet users had been victimized by cyber criminals, mainly via social engineering.
The theme of this year’s BlueHat was, fittingly, “We fight for the user.” Whether that user is within our own corporate infrastructure, or is a customer, it is more important than ever for us to stay focused on security by regularly improving our Security Development Lifecycle (SDL), honing our security response, and helping each user avoid social engineering attacks, a leading cause of computer compromise.
BlueHat v11 focused on bringing real-world security threats and issues to light by taking us on a journey that began with discussions about real attacks and adversaries, as witnessed by Context Security. Context Security has performed penetration testing simulating targeted attacks, as well as responded to many victims of industrial Internet espionage and crime. The picture it painted of the adversaries and the targets reinforced the overarching themes and lessons learned at the conference around appropriate risk management and secure product development. The approach must go beyond tools and code review, and into more advanced threat modeling that takes the entire ecosystem into account.
BlueHat, as always, was filled with many memorable talks, which focused on risks that leverage weakness at the seams of deployment, at the interfaces between components, between applications and infrastructure, and amid the relationships of the “trifecta” (the platform, the apps, and the app store), as described in Matias Brutti’s talk. While we as platform providers make our products more secure, we realize that they are not always deployed in ideal scenarios or configurations, and that we must work closely with intermediary vendors like OEMs who are in a position to make changes to specific devices that may decrease the effectiveness of some of our security measures. Andrew Cushman reminded us in his keynote address that in an age of transition toward “The Internet of Things,” where IP-enabled devices (e.g., cars, appliances, medical devices) begin to far outnumber traditional computers and mobile devices, we need to work with the ecosystem to help provide end-to-end security assurance.
Adam Shostack’s talk about the statistics of how malware actually gets onto Windows machines demonstrated that social engineering accounts for 45 percent of compromised systems, versus 0-day exploits, which represent less than one percent of all attacks. Fittingly, Adam works on a team within Microsoft that is dedicated to helping us improve both Microsoft and third-party user interfaces. With the work of Adam’s team, we can help users make smart security choices when faced with decisions like “should I proceed to this webpage even though there is an error in its certificate?” when they might not know what a certificate is, let alone what it does. Further, the user might not know whether or not the certificate’s issuing certificate authority (CA) was compromised, resulting in fraudulent certificates used in attacks, as was the case with DigiNotar this year and Comodo prior to that.
Moxie Marlinspike wrapped up the conference with a thought-provoking presentation highlighting the journey through the compromise of the certificate authority Comodo and its subsequent consequences (or lack thereof). The fact that the CA system of trust is rigid and does not recover well in cases where CAs are compromised is an issue that we as an influential participant in the ecosystem must consider, even though we did not create the CA system itself. Moxie challenged the audience to envision a new model where trust is agile and the decision of whom to trust is made (and can be revoked) by the user.
No matter the threat, whether attacks are random or targeted, whether the attacker is unskilled or sophisticated, we must attempt to protect our systems, data and users. When attacks do occur, we must hone our ability to detect, contain and recover from them quickly. Working with our partners and customers is the best strategy for dealing with and adapting to these threats.
Many thanks go to all the speakers, attendees, organizers, and volunteers for a memorable and enlightening BlueHat v11. We will continue to work together, shoulder to shoulder, defending our Internet neighborhoods from invasion, as we fight for the user in a Blue Dawn.
Katie Moussouris
Senior Security Strategist Lead, MSRC Security Ecosystem Strategy Team
Follow Katie on Twitter at http://twitter.com/k8em0
Growth and change can come in big doses or small increments. That can be professional or organizational growth or technical or societal change. Since we started doing BlueHat waaay back in 2005, I’ve seen some significant change at Microsoft, experienced a fair bit of professional and personal growth, and witnessed stunning technical and social change.
This year I have a slightly different role in BlueHat.
As I reflect on this year’s BlueHat, there is a three letter (or occasionally four-) acronym that nicely tees up a number of topics – AFGO - Another Fun Growth Opportunity. Over the course of time, new attacks, new relationships, new positions, new technical or business challenges offer opportunities to expand our skills, tune our strategies, and take on new challenges. We see that despite the progress already made, there are still challenges ahead along with plenty of growing and learning available to the interested and the willing.
The BlueHat attendees are the interested and the willing. They come for the official program on attacks, threats, and technologies. More importantly, they come for the “hallway track”, the discussions that happen between like-minded security “apassionados”. This year’s program challenges the attendees to go beyond the easily understood remedies. Presentations on Targeted Attacks should give the attendees that visceral learning experience – AFGOs that challenge us to accept that we have done great work and yet more remains in order to protect our infrastructure and intellectual property and that of our customers. Similarly, there are a number of talks that explore the painful reality of “wait, I thought I did the right things” – you incorporated security into the development culture and operations, and yet your risk profile may still be higher than desired. Money spent and certifications earned don’t equal security – AFGO.
These days I find myself focused on two growth areas – one is anti-abuse as an engineering discipline and the other is the area of security policy.
Attackers are moving away from implementation errors such as buffer overflow attacks and towards abuse of the design seams of the networked system. This presents us with a more complex challenge that may not be as straightforward to eliminate with traditional security tools or testing. We must engineer anti-abuse solutions for Microsoft services that minimize customer impact and at the same time improve the customer’s trust experience and ease of use. We can do both, we have done it before. I see before us an opportunity for a second wave of security culture change within Microsoft as we harden our services to withstand abuse and enhance the user experience.
The helpful shorthand I use to describe my work on Security Policy issues is that I am looking for solutions to non-technical security problems. I look to help governments and industry come up with reasonable, effective, and implementable policy/legislative/regulatory solutions to security problems. Talk about growth opportunities! Technical solutions are relatively straightforward, unemotional and fact-based, while politics usually has to do with business model or personality. My role in the Office of Global Security Strategy and Diplomacy (GSSD) offers me an opportunity to leverage my technical background and bring my unique perspective to the strategy discussions of how countries and organizations manage security risks at a global level.
Can’t wait to see you all at BlueHat.
Andrew Cushman
Director, GSSD, Microsoft Corporation
It seems like we only just had BlueHat v10, but already BlueHat v11 is less than a month away. Our schedule is ready, the banners are printed, and now seems like a great time to give some more detail on what’s coming up.
As you probably know already, BlueHat is an invitation-only conference where security experts get to mingle with Microsoft’s own security team and core product groups. I attended v10 as an outsider to Microsoft, but to see it come together from the inside has been even more gratifying. It is amazing to be part of the engine that brings these people together and helps us develop more secure products, allows us to build stronger relationships with the security community, and lets our development teams get a few precious moments of sunlight.
BlueHat v11 will take place on Microsoft’s Redmond campus on the 3rd and 4th of November, and this year our focus is a field that’s seen a lot of expansion in the last twelve months, and not just for Microsoft: web apps and the cloud. We’ll also explore the current threat landscape, taking in tales of real-world attacks by determined adversaries from world-class experts in national defense and corporate anti-espionage. As criminals and adversaries refine their attacks, we are once again bringing some of the sharpest minds in security together to help us shore up our defenses, as we come together as a community to fight for the user.
Here’s a quick overview of the speakers we have lined up over the two days. Full details for the conference and schedule are available on the BlueHat web site.
Day 1: Thursday, November 3rd – BlueHat v11
We will begin the first day of BlueHat v11 with Andrew Cushman of Microsoft, who will give a short presentation on his experience with BlueHat over the years. Then there will be an exclusive conversation with Shawn Henry of the FBI. Mark Raeburn, CEO of Context, will share insights on current and evolving threats from his experience as an ethical hacker-for-hire, as well as a first-responder to actual compromises. The morning sessions will conclude with Mark Oram, Principal Security Program Manager at Microsoft, and a special session on what Microsoft is doing to fight for the user.
The afternoon track will be dedicated to Web Application Security. Jeremiah Grossman, a past BlueHat speaker, will give an overview of the current state of Web Application Security and provide some statistical data on website compromises. Then Mario Heiderich will present an up-to-date talk on cross-site scripting attacks and mitigations, especially in HTML5 implementations. Finally, we will conclude with a presentation from Joe McCray on Web Application Firewalls, their drawbacks, and the importance of designing secure web applications that don’t rely on security assumptions.
Day 2: Friday, November 4th – BlueHat v11
Day two will kick off with David Treadwell, Director of Cloud Services at Microsoft, presenting an overview from his perspective on Cloud Security. Rich Lundeen, Jesse Ou, and Travis Rhoades of Microsoft will give an informative presentation on new (and not so new) web application attacks that can also be exploited if the backend systems are cloud-based. Jared Pfost, formerly of Microsoft, will share some insights on the value of security. As companies are driving towards the ease and ubiquity of the cloud, it is vital to understand the security implications involved regarding financials, data security, and the effort required to ensure that your company is investing its security resources in the best place possible. John Walton of Microsoft will conclude this track with an innovative approach to thinking about cloud security. John’s talk abandons the “get it right the first time” attitude when thinking about a security implementation, opting instead for exploring and addressing the implementation with the assumption that your system is already breached -- that you are already vulnerable. This talk will challenge you to think of what YOU will do next.
The final track of BlueHat v11 will investigate the sometimes surprising deployment context of Microsoft’s products and services, as well as present some interesting ways users can be compromised. Alex Plaskett, a researcher at MWR in the UK, will share research that he and his team have performed on the Windows Phone platform and how it compares to other mobile platform security models, while taking a closer look at what types of vulnerabilities are introduced by OEM software. Matias Brutti of IOActive will present data on the interactions between the platform, the applications, and the app stores -- the security trifecta that puts mobile devices and users potentially at risk. Moxie Marlinspike will conclude BlueHat with his insights on SSL and the Certificate Authority system and potential directions for authentication and authorization systems that could help to create a more robust model moving forward.
Cheers,
Noelle Murata
Security Program Manager, MSRC
Today on the MSRC blog, Matt Thomlinson announced the BlueHat Prize, the first and largest incentive prize Microsoft has ever offered to seek out and reward new ideas in computer security defense. While you can get the details of the contest on the new program’s website, I’m going to talk about some of the factors that went into the making of the BlueHat Prize, and why we think defensive security technology is a crucial place for vendors like Microsoft to invest.
Microsoft decided to offer large cash awards for innovations in runtime mitigation technology (a $200,000 grand prize, followed by a $50,000 second prize), both to acknowledge the value of defensive security work, as well as to encourage more security experts to start thinking about mitigations.
Select organizations have offered small cash rewards to security researchers who found and reported security vulnerabilities in their products. As more vendors began offering bug bounties for individual vulnerabilities in their products, many people speculated that Microsoft would follow the trend. Before considering such an approach, we conducted an analysis of the data we have relative to security researcher motivations; current prices in the existing white, grey, and black markets for vulnerabilities and exploits; and of course, what finders of Microsoft vulnerabilities typically do with their discoveries.
What we found can be summarized as follows:
1. Motivation: Researchers have many other motivations other than money, including recognition (either public or just among their peers).
2. Prices: The prices for vulnerabilities sold to the white market do not even come close to the amounts offered by the grey and black markets. By “white market,” we mean either vulnerability brokers who give the details to the vendors privately to get the issues fixed, or the bug bounties offered directly by some vendors. By “grey and black markets,” we are referring to those who purchase vulnerabilities and exploits for offensive use, and specifically don’t give the vendors information to help get the vulnerabilities fixed. No organization that offers bug bounties for vulnerabilities in its own products, nor any white market vulnerability broker, offers prices intended to “compete” with grey and black market prices.
3. Disclosure: 90 percent of security researchers who privately report Microsoft vulnerabilities to us choose to report them to Microsoft directly, rather than seeking monetary payment via a white market vulnerability broker.
With that in mind, Microsoft respects researchers’ choices in whether or not they seek individual payment for vulnerabilities they find, and the means certainly exist for them to do so if they wish. If researchers do sell their vulnerability findings, we hope they choose white market vulnerability brokers to provide Microsoft the opportunity to fix the issues before details are made public and risk to customers is amplified.
So if money doesn’t appear to be the driving motivation for the majority of researchers who are willing to report issues privately in Microsoft products, why did we decide to offer a huge cash reward for defensive security research? Because we believe that the existing security research economy has been exclusively focused on offense for too long.
As a company, Microsoft believes that the best way to secure our products is not through reactive measures, but instead to invest in secure development throughout the product lifecycle, and in overall platform defense technology.
Rather than compete with the existing white market vulnerability economy, we decided to start something no one has ever done before, and introduce a new economic factor and incentive where none existed. While Microsoft continues to invest in improving the security of our products via our Security Development Lifecycle, and address individual vulnerability reports via our security response process, we are simultaneously looking to the horizon both in our vision of securing our platform, and the ways we reward the security researcher community.
We hope other vendors who would like to seek the help of the global talent pool of security researchers will also consider this model of investing in and rewarding innovations in defensive security technology. We also hope that current and future generations of security researchers will be inspired to look at the defensive side of the equation when designing new offensive techniques, thanks to the BlueHat Prize. In our experience, some of the best defenders come from the offense side of security.
I’m Katie Moussouris, and THIS is what a “security strategist” does at Microsoft. Now you know. :-)
You can follow me on Twitter: http://twitter.com/k8em0
Hi everyone,
Together with my colleagues Jeff Williams and Holly Stewart from the Microsoft Malware Protection Center (MMPC), I am here at the 23rd Annual FIRST conference in Vienna, Austria this week.
FIRST is the Global Forum for Incident Response and Security Teams, an organization that aims to bring together computer security incident response teams from government, industry and education. FIRST is at the root of a number of standardization efforts in security, such as the Common Vulnerability Scoring System (CVSS). Its main strength, though, is that it offers incredible networking opportunities for people in the security community to find each other and collaborate on protecting internet users.
Microsoft is proud to be a Platinum sponsor of the FIRST conference, and looks forward to our continued collaboration with the valuable members of this community.
This week also marks the 3-month anniversary of an exciting project we embarked upon with many of the national incident response teams that are present here this week.
On March 17th, our colleagues at the Microsoft Digital Crimes Unit (DCU) publicly announced their successful effort to take down the notorious Rustock botnet. At the time, Rustock was estimated to have consisted of close to a million infected computers, and it was capable of sending billions of spam messages each day. These messages included advertisements for fake prescription medication, which can, in some cases, be dangerous.
Microsoft has a great security group, but as a single company, we quickly realized that we would not be able to reach out to every infected customer worldwide. However, many countries have stood up Computer Security Incident Response Teams (CSIRTs), which are exactly intended to process this type of information and protect constituents. Over the last few months, we have worked with several of these organizations to further advance our joint goal of protecting and cleaning infected Rustock machines worldwide.
We would like to thank the following CSIRT partners for their contribution so far in this takedown effort:
ArCERT, Argentina
CERT.AT, Austria
Cert.BE, Belgium
CERT-BR, Brazil
CERT-EE, Estonia
CERT-FI, Finland
CERT.LV, Latvia
CERT-UA, Ukraine
CNCERT, China
Federal Office for Information Security (BSI), Germany
GovCERT.nl, The Netherlands
GovCertUK, United Kingdom
HKCERT, Hong Kong
INTECO CERT, Spain
JPCERT/CC, Japan
MYCERT, Malaysia
PISA CERT, Pakistan
Public Safety Canada – CCIRC, Canada
CERT-SA, Saudi Arabia
ThaiCERT, Thailand
TwCERT/CC, Taiwan
Each of these organizations has tirelessly worked with us over the last months to reach out to affected service providers and consumers in their constituency and ensure they were aware of tools that existed to remediate infected machines. In fact, they are part of a much larger group of organizations in the CSIRT community, some of which preferred not to be publicly called out for their efforts at this time. Microsoft values collaboration and the insights these organizations continue to provide to us on this significant challenge, which we are tackling, together.
Within the United States, Microsoft also works with a community of Internet Service Providers. In addition, anyone who owns a network range can subscribe to Smart Network Data Services (SNDS), which makes this information available to any legitimate network administrator.
If you would like to learn more about these and other efforts of Microsoft to clean the Internet of botnet activity, you can find more information at support.microsoft.com/botnets.
Cheers,
Maarten Van Horenbeeck
Senior Program Manager, MSRC
Today on the MSRC Blog, Matt Thomlinson announced three new efforts to provide more transparency into Microsoft’s vulnerability disclosure process. These included a Coordinated Vulnerability Disclosure (CVD) at Microsoft procedures document, the first release of MSVR Advisories on vulnerabilities that were discovered by Microsoft and fixed by affected vendors, and an internal employee disclosure policy.
The vulnerability disclosure debate has continued over the years with all sides seeking the best way to protect users. We believe the best way to improve software security is through comprehensive Security Development Lifecycle (SDL) programs that build security into software from the very beginning. For vulnerabilities that remain after software is released, we feel that disclosure of vulnerability details should be done in a way that allows vendors an opportunity to address the issues without amplifying risk.
In our experience as finders and coordinators, we know that disclosing vulnerabilities to a vendor can be a complex process. This is why we developed the Microsoft Vulnerability Research (MSVR) program as a way for our employees to report vulnerabilities they find to affected vendors.
We understand that there are differing approaches to vulnerability disclosure. Even if finders do not share our disclosure philosophy, we appreciate any information finders are willing to share with us. Our hope is that finders will give us the opportunity to address the issue comprehensively with a fully tested update before releasing technical details publicly. We hope our transparency with our disclosure process encourages more finders to work with us who may not have otherwise.
We’ve listened to the security community, including security researchers, vendors and CERTs, in documenting our approach to disclosure. We’d like to thank the following people for reviewing our Coordinated Vulnerability Disclosure at Microsoft document. If you have comments or opinions, we'd like to hear from you. Please follow us on Twitter at @msftsecresponse or me at @k8em0.
Microsoft thanks the following people for reviewing our Coordinated Vulnerability Disclosure procedures document:
Bryan Burns, Distinguished Engineer, Juniper Networks
Arturo 'Buanzo' Busleiman, Independent Security Consultant
Steve Christey, CVE Editor, MITRE
Dave Dittrich, Security Engineer/Researcher, Applied Physics Laboratory, University of Washington
Jussi Eronen, Infosec adviser, CERT-FI
Ian Glover, President, Council of Registered Ethical Security Testers (CREST)
Jake Kouns, CEO, Open Security Foundation
Zach Lanier, Intrepidus Group
Marc Maiffret, Chief Technology Officer, eEye Digital Security
Art Manion, CERT Vulnerability Analysis Team
Steve Manzuik, Director of Security Research, Leviathan Security Group
Charlie Miller, Independent Security Evaluators
Toshio Miyachi, Board Member, JPCERT Coordination Center
Bruce Monroe, Senior Information Security Specialist, Intel
Mike Prosser, Symantec Product Security Team
Ryan Permeh, Manager of Product Security, McAfee
Marsh Ray, Senior Software Development Engineer, Phonefactor
Russell Smoak, Sr Director / GM Security Research and Operations, CISCO Services
Chris Wysopal, Chief Technology Officer, Veracode
Handle: Mando Picker
IRL: Dustin Childs
Rank: Security Program Manager
Likes: Protecting customers, working with security researchers, second Tuesdays, bourbon, mandolins
Dislikes: Using "It's hard" as an excuse, quitting when it gets tough, banjos
Hello All,
I enjoy telling stories. Perhaps, in a former life, I spent time as a bard telling stories of Robin Hood and Maid Marian as I travelled from town to town. Perhaps I just spent too much time playing The Bard’s Tale on my Tandy 1000 back in the day. Either way, I enjoy telling stories to people. It’s even better when I get to tell stories that relate to my job. Recently, I was given the opportunity to tell some stories at BlueHat v10, and that presentation is now online for the world to see. One area of my job that always piques people’s interest is the challenges we face on a day-to-day basis. These are the stories I chose to highlight in the BlueHat v10 presentation, and unlike most old bards’ tales, these stories actually happened.
Of course, stories always have a greater impact when they make a point. In each of the case studies I talk about, something went wrong. And let’s face it, if I’m involved, it means something has already gone wrong. That doesn’t mean that someone was at fault, just that things did not go exactly as we expected.
When I was originally approached about presenting something, I immediately thought of a few themes I wanted to highlight about what goes on in MSRC. First, few people understand the scope that we deal with every day. I may joke about rebooting countries (just watch the video of the presentation), but it’s really not hyperbole to say that. The actions I take and decisions we make have far-reaching consequences, so we take them seriously.
I also hoped to highlight the number of moving parts we have in any given security update. In addition to all of the work I do, there are developers, testers, engineers, product groups, communications people, security gnomes, operations personnel, release partners, independent security researchers, and the list just keeps on going (sorry if I left you off). My job is to ensure all of these folks work together toward the common goal of addressing each issue and protecting our customers. I’m not asking for your sympathy here (though I’ll gladly take it), but most people have little understanding of the massive amount of coordination and work it takes to release five new lines of code across 22 platforms in 36 languages.
So how do we manage to make all of this happen the second Tuesday of every month? Well, there are 3 P’s that exist here that really drive us to success:
· Passion – Everyone I work with is very passionate about security and protecting customers. Let’s face it, if we weren’t passionate about this, we wouldn’t last long in the sixth worst job in science. And hey, we actually did buy a customer’s laptop just to get repro (and that wasn’t the first time).
· Process – We’ve done this before. And each time we do it, we learn more and apply those lessons toward doing it better the next time.
· Pragmatism – Although we might not get everything 100% perfect 100% of the time, we realize we can go back to those first two P’s to cover us when something goes a bit askew. Release Tuesday is huge for us, but it’s not the end of anything; just a major milestone. We actively monitor the ecosystem to make sure everything is behaving the way it should.
Well, I hope you enjoy the presentation and the stories I tell in it. If nothing else, it provides a framework for understanding what’s behind that little bundle of joy we deliver every second Tuesday. And if you happen to find me wandering in Skara Brae and would like to hear any more stories, we can head over to ye old tavern where I will spin a few yarns for you. I might even be the one buying. :-]
Cheers!
Dustin
MSRC
“We want to remain what we are” (“Mir wëlle bleiwe wat mir sinn”) is the national motto of the Grand Duchy of Luxembourg. It expresses a strong pride in identity, something that is also reflected in its approach to information security. A small nation in the center of Europe, Luxembourg is the home of an innovative, well-respected security conference, Hack.lu. I was in the area last week and was fortunate enough to attend.

Hack.lu is organized by the Computer Incident Response Centre Luxembourg (CIRCL), the country's national CERT. What makes Hack.lu special is its unique combination of free workshops and conference presentations. Where other conferences often provide day-long training sessions, Hack.lu chooses a different model by filling its first few days with short, incredibly potent workshops. For example, Didier Stevens, a well-respected researcher, taught attendees how to analyze malicious PDF documents; Philippe Langlois discussed how to assess SS7, a set of ubiquitous PSTN signaling protocols; and Saumil Shah showed us the value of return-oriented programming in breaking buffer overflow mitigations. After the obligatory beer tasting workshop, attendees also had an opportunity to attend a good number of presentations.

European security conferences tend to be places where a lot of attention is given to design-level vulnerabilities, as opposed to relatively easy-to-understand coding errors, and Hack.lu very much follows this trend. From a Microsoft point of view, I learned the most from Tom Keetch and Emmanuel Bouillon, who each covered a different design issue in our products. Both of them had contacted us before the conference to let us know what they had found, and it was very interesting to catch up with them in person at the conference and learn more about their research.

On Friday afternoon, there were plenty of good laughs with Chris Nickerson of “Tiger Team” fame, who told the gathered attendees interesting and amusing stories about social engineering and the use of body language. I, for one, learned many new and fascinating meeting techniques, which my colleagues will get to enjoy very soon now. Overall, this conference is a great example of the valuable contributions the computer hardware/software emergency response community brings to the table.

An update on me -- three months ago I began leading the information sharing group on Microsoft's ecostrat team. Our group works on building relationships and sharing information with third-party security providers, national governments, and the global incident response community. Our team’s goal is to help choose partners who will protect our mutual customers, and to help them build protections against vulnerabilities in our products. To this effect, the EcoStrat team runs a number of different programs, which you’ll learn more about on this blog over the course of the next few months:

· The Microsoft Active Protections Program (MAPP) shares vulnerability information with providers of security software so they can release detection signatures and protections simultaneously with our monthly security bulletin releases. MAPP also helps us bring together partners in the industry on specific projects, and gives them a direct path for reporting vulnerabilities they identify to our engineering teams.

· The Defensive Information Sharing Program (DISP) is a pilot program that, under strong restrictions, shares vulnerability information (including limited source code snippets) with specific government agencies for the purpose of protecting critical national infrastructure against attack.

· The Exploitability Index (EI) shares our internal assessment of the exploitability of a security vulnerability with our customers. This helps them prioritize which security updates should be installed first in order to better allocate their own security resources.

· In addition, we work with the global public-sector community of CERT and CSIRT teams through the Security Cooperation Program. This program gives defenders the tools and information they need to successfully identify and stop exploitation of security vulnerabilities in the wild. Quite often, Microsoft has a difficult time reaching and defusing malware and exploit servers in distant lands, but our local CERT partners are powerful allies for spreading information and taking action at the local level.

If you’re interested in more detail about these programs, I recommend reading our MSRC 2010 Progress Report published last July. It contains some hard numbers on the success of these projects, and the feedback we’re getting from various partners is also very encouraging.

Conferences such as Hack.lu are great opportunities for us to meet others in the industry, build bridges between islands of competence, and deal with some of the more difficult information security issues together. Most of the joy in this role isn’t so much about Microsoft being in touch with a researcher, or building a new collaboration, but more about bringing that researcher together with another researcher or existing partner, and then marveling at the nifty ideas both wizards concoct. Often heavily funded, cybercrime is not easily deterred by a single player. We recognize that Microsoft will be less successful fighting the problem alone, in isolation. Given this, we are eager to partner with others to help put an end to cybercrime together!

Cheers,
Maarten Van Horenbeeck
Senior Security Program Manager
“We want to remain what we are” (“Mir wëlle bleiwe wat mir sinn”) is the national motto of the Grand Duchy of Luxembourg. It expresses a strong pride in identity, something that is also reflected in its approach to information security. A small nation in the center of Europe, Luxembourg is the home of an innovative, well-respected security conference, Hack.lu. I was in the area last week and was fortunate enough to attend.
Hack.lu is organized by the Computer Incident Response Centre Luxembourg (CIRCL), the country's national CERT. What makes Hack.lu special is its unique combination of free workshops and conference presentations. Where other conferences often provide day-long training sessions, Hack.lu chooses a different model by filling its first few days with short, incredibly potent workshops. For example, Didier Stevens, a well-respected researcher, taught attendees how to analyze malicious PDF documents; Philippe Langlois discussed how to assess SS7, a set of ubiquitous PSTN signaling protocols; and Saumil Shah showed us the value of return-oriented programming in breaking buffer overflow mitigations.
After the obligatory beer tasting workshop, attendees also had an opportunity to attend a good number of presentations. European security conferences tend to be places where a lot of attention is given to design-level vulnerabilities, as opposed to relatively easy-to-understand coding errors, and Hack.lu very much follows this trend. From a Microsoft point of view, I learned the most from Tom Keetch and Emmanuel Bouillon, who each covered a different design issue in our products. Both of them had contacted us before the conference to let us know what they had found, and it was very interesting to catch up with them in person at the conference and learn more about their research.
On Friday afternoon, there were plenty of good laughs with Chris Nickerson of “Tiger Team” fame, who told the gathered attendees interesting and amusing stories about social engineering and the use of body language. I, for one, learned many new and fascinating meeting techniques, which my colleagues will get to enjoy very soon now.
Overall, this conference is a great example of the valuable contributions the computer hardware/software emergency response community brings to the table.
An update on me -- three months ago I began leading the information sharing group on Microsoft's EcoStrat team. Our group works on building relationships and sharing information with third-party security providers, national governments, and the global incident response community. Our team’s goal is to help choose partners who will protect our mutual customers, and to help them build protections against vulnerabilities in our products.
To this effect, the EcoStrat team runs a number of different programs, which you’ll learn more about on this blog over the course of the next few months:
· The Microsoft Active Protections Program (MAPP) shares vulnerability information with providers of security software so they can release detection signatures and protections simultaneously with our monthly security bulletin releases. MAPP also helps us bring together partners in the industry on specific projects, and gives them a direct path for reporting vulnerabilities they identify to our engineering teams.
· The Defensive Information Sharing Program (DISP) is a pilot program that, under strong restrictions, shares vulnerability information (including limited source code snippets) with specific government agencies for the purpose of protecting critical national infrastructure against attack.
· The Exploitability Index (EI) shares our internal assessment of the exploitability of a security vulnerability with our customers. This helps them prioritize which security updates should be installed first in order to better allocate their own security resources.
· In addition, we work with the global public-sector community CERT and CSIRT teams through the Security Cooperation Program. This program gives defenders the tools and information they need to successfully identify and stop exploitation of security vulnerabilities in the wild. Quite often, Microsoft has a difficult time reaching and defusing malware and exploit servers in distant lands, but our local CERT partners are powerful allies for spreading information and taking action at the local level.
If you’re interested in more detail about these programs, I recommend reading our MSRC 2010 Progress Report published last July. It contains some hard numbers on the success of these projects, and the feedback we’re getting from various partners is also very encouraging.
Conferences such as Hack.lu are great opportunities for us to meet others in the industry, build bridges between islands of competence, and deal with some of the more difficult information security issues together. Most of the joy in this role isn’t so much about Microsoft being in touch with a researcher, or building a new collaboration, but more about bringing that researcher together with another researcher or existing partner, and then marveling at the nifty ideas both wizards concoct.
Often heavily funded, cybercrime is not easily deterred by a single player. We recognize that Microsoft will be less successful fighting the problem alone, in isolation. Given this, we are eager to partner with others to help put an end to cybercrime together!
Maarten Van Horenbeeck, senior security program manager
This year marks the tenth BlueHat at Microsoft, and my sixth round in participating in the event that has been so instrumental in keeping Microsoft developers and executives in touch with the pulse of security research outside Microsoft, and serves as one of the key crossroads for the exchange of ideas from our internal security experts to the outside world. It is this bi-directional exchange of ideas that not only enriches our security knowledge and awareness, but helps to showcase our expertise to the external security research community. But this is old news. Good news, but old. ;-)
So what is new? One major change for our team this time around is that I now have the honor of leading the team that organizes BlueHat. I officially stepped into the role of head of security community outreach and strategy at the beginning of September, taking on not only the BlueHat planning team and oversight of all of TwC Security's worldwide security conference sponsorship, but also the program I founded in 2008: Microsoft Vulnerability Research (MSVR).
The security community outreach team at Microsoft has a challenging job – act as bi-directional liaisons between external and internal people whose passion is security. For some, that passion is focused on attack, and for us, it is focused on defense. We need to understand attacks in order to be good defenders, and so our relationships with the external security community are vital to keeping us aware of current and emerging trends in threats. The work of the team is most visible at BlueHat, but it continues throughout the year at established and emerging security conferences around the world.
The expanded scope of the security community outreach team to include MSVR will allow us not only to help shape how Microsoft engages with the security research community, but also to help usher in the next evolutionary step in Windows platform security, as we continue to expand our own security research to include finding, reporting, and helping to resolve more third-party vulnerabilities that affect our customers.
So look for more news this year from MSVR, more innovations in security community outreach, and more cowbell in everything we do. As this year's BlueHat comes to a close, my further work as leader of this team begins in earnest. I am excited for this next chapter in Microsoft's security history where our team will get to pen a few more lines in an already impressive novel. As always, we welcome input from the security community, including security researchers, partners, and customers. You can find me on Twitter, and coming soon to a security conference near you!
*Postings are provided "AS IS" with no warranties, and confers no rights.*
Hanging out with us in the speaker lounge today and tomorrow are nearly 150 attendees from across the security ecosystem. Attendees span the industry, from those in the security researcher communities at large to our friends in government, security protection partner groups, and security response teams. It’s amazing to have such a diverse group of people here for two-way conversations with our engineers. It’s those talks, as well as the countless side meetings, community mixer events, and “hallway tracks” that make BlueHat successful. The interactions between our internal and external audiences always leave us more excited and committed as we all work toward building a more secure planet through shared ideals.
Last week I had the pleasure of being invited by Cisco to keynote their very first BlueHat-esque type of conference, which aims to improve their own security posture by bringing in key researchers who can share their findings with Cisco security professionals. It’s encouraging to see our peers and partners continuing the formula that has been so successful for us at Microsoft and inviting us to be a part of it. When Chris Hoff from Cisco gave a talk at BlueHat v9, it was one of the most highly rated talks on the cloud that our conference had ever seen. Sharing our platforms for these types of win-win outcomes makes it all worth it.
Okay, I need to go grab the mic and step back into my MC duties…until next time.
- Mike