MSRC Ecosystem Strategy Team ecostrat@microsoft.com

September, 2008

  • MSRC Ecosystem Strategy Team

    Why CERTs are Important to the MSRC

    Handle:
    Zot

    IRL:
    Zot O'Connor

    Rank:
    Program Manager 2

    Likes:
    Taking on the enemy with partners, Automating processes, good scotch and bourbon

    Dislikes:
    Poor reporting, FUD, miscreants, dangling participles

    As I am traveling in Europe, about to attend the GOVCERT.NL Symposium 2008, I wanted to explain how we work with Guidance Providers (CERTs and similar groups) and why we consider them one of the most important segments in the ecosystem.

One of the problems facing our customers is that the MSRC is not the only communication channel. Often during an event or issue customers hear from many different players: researchers, vendors, other customers, press, governments, and of course CERTs. Our goal is to help the customer understand the issue and know what action, if any, they can or should take. So we work with all of these segments, but often the message gets confused by a lack of understanding, by wording, and by a, let’s call it, “desire for drama.” CERTs are unique in that they interact with most of the same players that we do, and they are typically focused on providing the best protections for their stakeholders. This means CERTs have influence in the same segments we work with.

In the past we found ourselves at odds with some CERTs' messaging during events, which only served to confuse the customer, regardless of “who is right” (and often there is no one way to be “right”). Later, by building relationships, we found that most of the time (if not all) the CERTs either did not understand the issue as we did, or, just as likely, we did not understand the issue as they did. By working with the CERTs we can help minimize the false conflict and confusion delivered to our customers. In order to do that we must step up and offer a channel to the CERTs where they can ask about the nuances and variations of an issue and we can listen. CERTs supply us with critical information about attacks, samples of exploits, and real-world experience from their stakeholders. Some of the best value CERTs can offer us is a sanity check on what the customers are seeing, feeling and expecting.

So this week I am not just learning from the presentations and conversations, I am meeting with as many CERTs as I can. This is a great conference, and people come not just from Europe but from around the world. I am here to talk about the MSRC and what we do, but more importantly, I am here to listen to what the CERTs are doing, what they are seeing, and what they expect from us.

    - Zot O'Connor

*Postings are provided "AS IS" with no warranties, and confer no rights.*

  • MSRC Ecosystem Strategy Team

    What is SCPcert?


Well, it’s been a busy week at the GOVCERT.NL Symposium 2008. I thank the wonderful people at GovCERT.nl for creating an amazing event. I ate many Dutch delicacies, attended several good talks, and have decided that Nicholas Witchell should moderate and host all conferences, security or not (his sense of humor and ability to speak on topic are refreshing). More importantly, I talked to and listened to over 15 different CERTs and Guidance Providers (GPs).

This brings me to the core of this blog post: SCPcert. I work with several CERTs and GPs closely, but the reality is I can only handle 10-20 relationships before my time is maxed out and the relationships weaken. Also, many of these relationships are based on personal connections made during events or chance meetings, rather than purposeful or strategic efforts. While these relationships have proven extremely valuable, they are difficult to scale. Given that there are 200+ CERTs in the world, clearly we have an opportunity to do better.

We have faced this problem in the past with AV vendors, ISPs and governments. For each of those sectors we created programs: VIA for AV vendors, GIAIS for ISPs and SCP for governments. We placed all of these programs under an umbrella program called the Microsoft Security Response Alliance (MSRA). It was clear that we needed an MSRA program for CERTs. However, the problem with CERTs is that no two CERTs are alike, and the first step to a successful program is clearly defining the membership criteria. Therefore I identified a subset of CERTs we could build a program around: National and Regional CERTs. Once I did that, it was clear the SCP program was closely in line with these CERTs (in fact many of these CERTs are represented in SCP already). Thus we named the new program SCPcert.

We defined a "National CERT" as a CERT that is either part of the government, or is widely recognized as representing a country, region, or a clear population (as recognized by the government, the population, or other CERTs). Therefore we have a defined group to target and a successful program to leverage, so we can expand quickly and recruit new members. We are doing this with no real increased cost, and with scalability and, most importantly, durability. By durability, I mean we can survive all forms of change, good and bad. For example, the MSRA program has existed for over 10 years, and during that time the threats have increased in their complexity and nature, the focus of information flows has shifted to new goals, and while some of the faces are the same, there are more new faces every year. During all of these changes the program has survived and improved, and we want the same for SCPcert.

    So what does SCPcert offer members?

    • Secured web portal
    • Microsoft Security alerts
    • Advisories
    • Monthly Security Briefings
    • Quarterly speaker series
    • Monthly Newsletter with detailed analysis of security metrics and articles
    • Invitation to the annual MSRA summit

This is good, but what can SCPcert offer members in the future? Previously we have had some great ideas for CERTs, but the stumbling block has always been "we need 20 CERTs who do the following..." The reason is a simple cost-to-benefit problem. For example, we might be able to manually parse a large data set for 1 or 2 CERTs, and that might be acceptable for a one-time event, but doing it for 4-5 CERTs starts to have a high cost for potentially diminishing returns. Instead, if we spend even more resources but build a process that does it for 20-30 CERTs (or more), and that process is repeatable and automated, we can justify the resource cost.

This works in the other direction too. CERTs often have good data to share with us. To manually process one or two feeds of the same data can be time well spent, but again, at 4-5 feeds the returns diminish while the resource cost per feed stays the same. By working with the CERTs, we can standardize the feeds and work to absorb, process, and analyze larger amounts of real-world data. This not only gives us “more data,” it can give us sources from more diverse geographic areas and market segments. This in turn may allow us to see trends that might otherwise be lost in the aggregate of global sources. This has assisted us during events to identify regions or markets that are being affected greatly while the overall world view shows little impact, which allowed us to focus support and response efforts on the affected regions.

Over the next year, as we expand SCPcert, we will have that list of 20 or more CERTs for each good idea, and we can expand the information flows and strive to protect our customers in new and better ways.

How do you join? Email msra@microsoft.com with the following:

    • Name of your CERT organization
    • Business contact details
    • Nature of the organization
    • Whom the CERT represents

    We look forward to working with our friends at the various CERTs around the world! You can look for us at other major CERT events in the coming year, including APCERT, AusCERT and FIRST.

    Zot O’Connor
