MSRC Ecosystem Strategy Team ecostrat@microsoft.com

  • MSRC Ecosystem Strategy Team

    Building a safe internet... together!


    Handle:
    Cluster

    IRL:
    Maarten Van Horenbeeck

    Rank:
    Senior Program Manager

    Likes:
    Slicing covert channels, foraging in remote memory pools, and setting off page faults

    Dislikes:
    The crackling sound of crypto breaking, warm vodka martini

    Hi everyone,

    Together with my colleagues Jeff Williams and Holly Stewart from the Microsoft Malware Protection Center (MMPC) I am here at the 23rd Annual FIRST conference in Vienna, Austria this week.

    FIRST is the Global Forum for Incident Response and Security Teams, an organization that aims to bring together computer security incident response teams from government, industry and education. FIRST is at the root of a number of standardization efforts in security, such as the Common Vulnerability Scoring System (CVSS). Its main strength, though, is that it offers incredible networking opportunities for people in the security community to find each other and collaborate on protecting internet users.

    Microsoft is proud to be a Platinum sponsor of the FIRST conference, and looks forward to our continued collaboration with the valuable members of this community.

    This week also marks the 3-month anniversary of an exciting project we embarked upon with many of the national incident response teams that are present here this week.

    On March 17th, our colleagues at the Microsoft Digital Crimes Unit (DCU) publicly announced their successful effort to take down the notorious Rustock botnet. At the time, Rustock was estimated to have consisted of close to a million infected computers, and it was capable of sending billions of spam messages each day. These messages included advertisements for fake prescription medication, which can in some cases, be dangerous.

    Microsoft has a great security group, but as a single company, we quickly realized that we would not be able to reach out to every infected customer worldwide. However, many countries have stood up Computer Security Incident Response Teams (CSIRTs), which are exactly intended to process this type of information and protect constituents. Over the last few months, we have worked with several of these organizations to further advance our joint goal of protecting and cleaning infected Rustock machines worldwide.

    We would like to thank the following CSIRT partners for their contribution so far in this takedown effort:

    ArCERT, Argentina
    CERT.AT, Austria
    Cert.BE, Belgium
    CERT-BR, Brazil
    CERT-EE, Estonia
    CERT-FI, Finland
    CERT.LV, Latvia
    CERT-UA, Ukraine
    CNCERT, China
    Federal Office for Information Security (BSI), Germany
    GovCERT.nl, The Netherlands
    GovCertUK, United Kingdom
    HKCERT, Hong Kong
    INTECO CERT, Spain
    JPCERT/CC, Japan
    MYCERT, Malaysia
    PISA CERT, Pakistan
    Public Safety Canada – CCIRC, Canada
    CERT-SA, Saudi Arabia
    ThaiCERT, Thailand
    TwCERT/CC, Taiwan

    Each of these organizations has tirelessly worked with us over the last months to reach out to affected service providers and consumers in their constituency and ensure they were aware of tools that existed to remediate infected machines. In fact, they are part of a much larger group of organizations in the CSIRT community, some of which preferred to not be publicly called out for their efforts at this time. Microsoft values collaboration and the insights these organizations continue to provide to us on this significant challenge, which we are tackling, together.

    Within the United States, Microsoft also works with a community of Internet Service Providers. In addition, anyone who owns a network range can subscribe to Smart Network Data Services (SNDS), which makes this information available to any legitimate network administrator.

    If you would like to learn more about these and other efforts of Microsoft to clean the Internet of botnet activity, you can find more information at support.microsoft.com/botnets.

    Cheers,

    Maarten Van Horenbeeck
    Senior Program Manager, MSRC

  • MSRC Ecosystem Strategy Team

    Coordinated Vulnerability Disclosure Reloaded

    Today on the MSRC Blog, Matt Thomlinson announced three new efforts to provide more transparency into Microsoft’s vulnerability disclosure process.  These included a Coordinated Vulnerability Disclosure (CVD) at Microsoft procedures document, the first release of MSVR Advisories on vulnerabilities that were discovered by Microsoft and fixed by affected vendors, and an internal employee disclosure policy.

    The vulnerability disclosure debate has continued over the years with all sides seeking the best way to protect users.  We believe the best way to improve software security is through comprehensive Security Development Lifecycle (SDL) programs that build security into software from the very beginning.   For vulnerabilities that remain after software is released, we feel that disclosure of vulnerability details should be done in a way that allows vendors an opportunity to address the issues without amplifying risk.

    In our experience as finders and coordinators, we know that disclosing vulnerabilities to a vendor can be a complex process. This is why we developed the Microsoft Vulnerability Research (MSVR) program as a way for our employees to report vulnerabilities they find to affected vendors.

    We understand that there are differing approaches to vulnerability disclosure.  Even if finders do not share our disclosure philosophy, we appreciate any information finders are willing to share with us. Our hope is that finders will give us the opportunity to address the issue comprehensively with a fully tested update before releasing technical details publicly. We hope our transparency with our disclosure process encourages more finders to work with us who may not have otherwise.

    We’ve listened to the security community, including security researchers, vendors and CERTs, in documenting our approach to disclosure.  We’d like to thank the following people for reviewing our Coordinated Vulnerability Disclosure at Microsoft document. If you have comments or opinions, we'd like to hear from you. Please follow us on Twitter at @msftsecresponse or me at @k8em0.

    - Katie Moussouris, Senior Security Strategist, MSRC

    Microsoft thanks the following people for reviewing our Coordinated Vulnerability Disclosure procedures document:

    Bryan Burns, Distinguished Engineer, Juniper Networks

    Arturo 'Buanzo' Busleiman, Independent Security Consultant

    Steve Christey, CVE Editor, MITRE

    Dave Dittrich, Security Engineer/Researcher, Applied Physics Laboratory, University of Washington

    Jussi Eronen, Infosec adviser, CERT-FI

    Ian Glover, President, Council of Registered Ethical Security Testers (CREST)

    Jake Kouns, CEO, Open Security Foundation

    Zach Lanier, Intrepidus Group

    Marc Maiffret, Chief Technology Officer, eEye Digital Security

    Art Manion, CERT Vulnerability Analysis Team

    Steve Manzuik, Director of Security Research, Leviathan Security Group

    Charlie Miller, Independent Security Evaluators

    Toshio Miyachi, Board Member, JPCERT Coordination Center

    Bruce Monroe, Senior Information Security Specialist, Intel

    Mike Prosser, Symantec Product Security Team

    Ryan Permeh, Manager of Product Security, McAfee

    Marsh Ray, Senior Software Development Engineer, Phonefactor

    Russell Smoak, Sr Director / GM Security Research and Operations, CISCO Services

    Chris Wysopal, Chief Technology Officer, Veracode


  • MSRC Ecosystem Strategy Team

    BlueHat v9 Brings the Looking Glass To You...


    Handle:
    C-Lizzle

    IRL:
    Celene Temkin

    Rank:
    Program Manager 2 & BlueHat Project Manager

    Likes:
    Culinary warfare, BlueHat hackers and responsible disclosure

    Dislikes:
    Acts of hubris, MySpace, orange mocha Frappaccinos!

    Celene here from the MSRC Ecosystem Strategy Team. BlueHat v9: Through The Looking Glass ended just over a month ago and the success of the con lives on due to the outstanding training and networking between Microsoft employees, external speakers, and guests. I'm happy to say that the speaker video interviews and selected recorded presentations are now live on the BlueHat TechNet Page. As promised, we have posted talks from every track block. The samples available are from the e-crime, cloud, mobile and fuzzing content blocks.

    As you probably know by now, BlueHat is primarily about educating our own Microsoft population so we can better understand how to build more secure products. The more we know about the security ecosystem, the more we at Microsoft can truly comprehend and assess our security reality. Our secondary goals are to build bridges and bring transparency to the security community to facilitate positive information exchanges.

    One way we measure how well we are meeting our goals is through surveying our attendees. Here are some of the survey highlights from BlueHat v9 that I want to share with you.

    Survey Results for BlueHat General Sessions:

    • 92% of attendee respondents believed the overall quality of the event (speakers, venue, logistics, etc.) was good or excellent
    • 92% of attendee respondents felt attending was a good use of their time
    • 74% of attendee respondents say they will be able to apply knowledge they learned at the BlueHat general sessions to make their product(s) more secure

    W00t! Strong numbers like those make it all worth it, I tell you! Big thanks to all our speakers and now new members of the BlueHat network, the BlueHat content review team, and Dana Hehl for making everything look so easy.

    Mark your calendars! The next BlueHat is October 14-15, 2010. See you all there.

    -Celene Temkin

    BlueHat Project Manager

    *Postings are provided "AS IS" with no warranties, and confers no rights.*

  • MSRC Ecosystem Strategy Team

    Peace Games - BlueHat Prize Update and Countdown


    Handle:
    k8e

    IRL:
    Katie Moussouris

    Rank:
    Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

    Likes:
    Cool vulns, BlueHat, soldering irons, quantum teleportation

    Dislikes:
    Rudeness, socks-n-sandals, licorice

    In the film WarGames, an artificial intelligence program named Joshua asked the main character, a teenage hacker, the now famous question, “Shall we play a game?” When Microsoft announced the BlueHat Prize at the Black Hat Briefings in Las Vegas last summer, we asked a different question of the security researchers of the world, focused on defense.

    Microsoft is offering over $250,000 in cash and prizes to security researchers who submit the best new security defense technology that meets the contest criteria. The top prize is $200,000 in cash, and the “mad loot” still could be yours!

    With just under a week left in the entry period for the contest, which closes April 1, security researchers still have time to enter the competition to win the first and largest prize a vendor has offered for security defense research.

    The ability to defeat the latest exploit mitigation technologies on various platforms is an extremely rare skill, as we have seen with several existing competitions that focus on vulnerability exploitation. Taking that knowledge to the level of helping to design new or enhanced mitigation technologies to help defend against exploit techniques like heapspray or Return Oriented Programming (ROP) was a challenge that we were hoping would garner at least as much interest.

    The BlueHat Prize contest has exceeded our expectations for participation. So far we’ve had ten entries to the competition, the last four of which arrived over the past couple of weeks – an impressive showing, considering the difficulty of the problem we posed and the very small estimated number of individuals worldwide who possess the knowledge and expertise to seriously compete.

    The entries cover a wide variety of ideas designed to help defend against different exploitation techniques, and it’s been great to see fresh insight into these technical areas. We’ve also been excited to see who the contestants are who have chosen to compete for the prize – some of them are security researchers with great track records in the security community, some are from academia, and some are from other venues altogether.

    For those beautiful minds who have yet to enter their ideas for the contest, here are some highlights from the official rules:

    - Complete entries must be received by midnight Pacific Time April 1, 2012.

    - Complete entries must include a verbal description of the idea in English, as well as prototype code to show the exploit mitigation idea in action.

    - For an entry to be valid, one of the criteria is that it should not be public at the time of entry (i.e., it must be new). However, a valid entry can be a new improvement on existing exploit mitigation techniques.

    - If you have more questions, see the FAQ on the BlueHat Prize website or, if you don’t see your question answered there, contact the BlueHat Prize team.

    With over $250,000 in cash and prizes on the line, we are excited that the first BlueHat Prize contest has already garnered great participation. One of my favorite quotes is from the great hockey player Wayne Gretzky, and it applies here for sure: “You miss 100% of the shots you don’t take.”

    So, shall we play a game?

    -Katie Moussouris

    Senior Security Strategist, Microsoft Security Response Center

    Follow Katie on Twitter.

  • MSRC Ecosystem Strategy Team

    G’day mate, howsitgoing?


    Handle:
    Avatar

    IRL:
    Karl Hanmore

    Rank:
    Senior Security Strategist (aka Sergeant Grunt)

    Likes:
    Getting the job done, bringing the fight to the bad guys, good single malt whiskey

    Dislikes:
    Cowards, talkers not doers, red tape, humidity

    G’day, or should I say howdy, y’all. As the newest member of the Microsoft EcoStrat team, I figured I would do a quick self-introduction before getting down to work. I am a Senior Security Strategist with the Microsoft Security Response Center (MSRC) based in Redmond. Prior to my big move to the USA, I was the Operations Manager of AusCERT in Australia (that’s the place that is famous for kangaroos and Tim Tams, to ensure you didn’t think I meant Austria!). My role here at Microsoft varies, but at the very top of my list is ensuring that Microsoft strengthens its relationship with the global community of national and government Computer Emergency Response Teams (CERTs).

    It was in that capacity that I was privileged recently to attend the GovCERT.NL symposium, hosted by the Dutch Government CERT in the city of Rotterdam. What an event! The Dutch government CERT, GovCERT.NL, put on a truly world-class event. I cannot recall ever having been to an event so well-polished and professionally presented. The program was rich, varied, and robust, with a number of international and domestic speakers. But for me, the highlight was the interaction in the CERT community.

    Although the symposium is primarily focused on meeting the needs of GovCERT.NL’s constituents, the attendance from much of the international CERT community makes the event all that much more dynamic. The national CERT community is a thriving and robust effort, allowing teams across national borders to work together and deliver collective results to provide more protection to the ecosystem. If you are in government, law enforcement, or industry and you don’t know your national CERT, you don’t know what you are missing! I was fortunate enough to meet with quite a number of national CERTs during this event from the European region and as far afield as Asia. This was most useful, as the MSRC is looking to engage more strongly with the community of national CERTs. In addition, Mike Reavey, Director of the MSRC, was also able to attend, and not only sat on a panel, but also spent time talking in depth with several CERTs about the issues facing the CERT community as well as how to develop better working relationships. It is this open dialogue and the coalescence of like-minded individuals that tends to be a hallmark of CERT-based events. In addition to formal meetings on the days before and after the symposium, it was clear that the global CERT representatives present were spending quality time sharing techniques, discussing common strategies, and building stronger interpersonal relationships. It is still the case that interpersonal relationships are the life-blood of this community, but there have also been some strong moves towards establishing organizational-level relationships with increasing bilateral and multilateral formal relations. I am keen to watch this grow, and will assist where I can.

    I consider these groupings of CERTs to be invaluable. We have all heard that the Internet is a global thing, with no concept of borders or jurisdiction. While this may be the case, this also implies that there is no one responsible for looking after the problems on the Internet. I see the Internet as a global ecosystem, and in any ecosystem you need those who keep order. That is where I see the role for the National CERTs, tackling the problems of the Internet on a nation-by-nation basis. It is something that every country can do, take responsibility for their “own patch"; it is the Internet version of “think globally, act locally”. It is important also to realize that Internet security is not a problem that can be fixed by law enforcement, or any other group, alone. CERTs perform an important role, not only providing advice and guidance, but also assisting with coordination and remediation. A CERT from one country knows that they can reach out to a trusted partner in another country to resolve an issue and that means the CERT only needs to know their own constituents and their fellow CERTs. In the absence of such a network, every CERT would need to be able to communicate with every organization, and potentially every individual, to resolve issues.

    For a great practical example of a CERT working locally to assist in protecting the global ecosystem, I would recommend that you look at the work being done by CERT-FI and their Autoreporter service. This service is a great example of a CERT, working with feeds from the global community, taking responsibility for their constituency and working to remediate the threat within their own borders. This is the sort of work I feel all CERTs globally should be looking to when considering how to be an effective and contributing member in the global security community. This sort of activity has helped the Finnish IP space to become one of the “cleanest” in the world, as called out in the recent Microsoft Security Intelligence Report volume 7. Great work CERT-FI!

    I hope to see those national CERTs, who are not already a part of Microsoft Security Cooperation Program for CERTs (SCPcert), look at joining this initiative, as a first step in building a deeper and more substantive operational relationship with Microsoft. It is from the bedrock of this program that I hope to find new and innovative ways to assist the CERT community in the shared responsibility of protecting the ecosystem.

    In conclusion, the GovCERT.NL event was great to attend. It gave me a quick refresher on just how much potential there is within the CERT community globally to work together, and with industry, to increase the level of ecosystem-wide security. I am looking forward to my part in working with and helping foster this important community.

    -Karl Hanmore, Senior Security Strategist


  • MSRC Ecosystem Strategy Team

    Something Old, Something New, True Blue

    This year marks the tenth BlueHat at Microsoft, and my sixth round participating in the event that has been so instrumental in keeping Microsoft developers and executives in touch with the pulse of security research outside Microsoft, and serves as one of the key crossroads for the exchange of ideas from our internal security experts to the outside world. It is this bi-directional exchange of ideas that not only enriches our security knowledge and awareness, but helps to showcase our expertise to the external security research community.  But this is old news. Good news, but old. ;-)

    So what is new?  One major change for our team this time around is that I now have the honor of leading the team that organizes BlueHat.  I officially stepped into the role of head of security community outreach and strategy at the beginning of September, taking on not only the BlueHat planning team and oversight of all of TwC Security's worldwide security conference sponsorship, but also the program I founded in 2008: Microsoft Vulnerability Research (MSVR).

    The security community outreach team at Microsoft has a challenging job – act as bi-directional liaisons between external and internal people whose passion is security.  For some, that passion is focused on attack, and for us, it is focused on defense.   We need to understand attacks in order to be good defenders, and so our relationships with the external security community are vital to keeping us aware of current and emerging trends in threats.  The work of the team is most visible at BlueHat, but it continues throughout the year at established and emerging security conferences around the world.

    The expanded scope of the security community outreach team to include MSVR will allow us to not only help shape how Microsoft engages with the security research community, but also to help usher in the next evolutionary step in Windows platform security, as we continue to expand our own security research to include finding, reporting, and helping to resolve more third party vulnerabilities that affect our customers. 

    So look for more news this year from MSVR, more innovations in security community outreach, and more cowbell in everything we do.  As this year's BlueHat comes to a close, my further work as leader of this team begins in earnest.  I am excited for this next chapter in Microsoft's security history where our team will get to pen a few more lines in an already impressive novel.  As always, we welcome input from the security community, including security researchers, partners, and customers.  You can find me on Twitter, and coming soon to a security conference near you!


  • MSRC Ecosystem Strategy Team

    Internet troubles in Korea? E-call center 118 is there to help.


    Handle:
    Cluster

    IRL:
    Maarten Van Horenbeeck

    Rank:
    Senior Program Manager

    Likes:
    Slicing covert channels, foraging in remote memory pools, and setting off page faults

    Dislikes:
    The crackling sound of crypto breaking, warm vodka martini

    Microsoft often has the pleasure of welcoming foreign government officials to our headquarters. MSRC’s engagement with them usually starts with us trying to better understand the specific Internet security situation in a particular country, and to see how we can better cooperate together. In the past, we have implemented training programs, announced programs such as the Defensive Information Sharing Program (DISP) and supported technical initiatives to help address their very specific risks, and protect their citizens online.

    Malware, botnets and cyber criminals often behave very differently in specific countries, and have different goals or intentions. In Asia, for instance, trojans often target passwords to online games or services, whereas in Brazil, banking trojans are a larger issue of concern. It’s helpful for us to learn about country-specific threats, so we can relay concerns back to our product teams that have the ability to battle them.

    [Photo: KISA delegation visit]
    In center, Mr. Kwangjin Park, Executive Vice President, Korea Internet & Security Agency (KISA)
    From left to right:
    Maarten Van Horenbeeck, Senior Program Manager, MSRC
    Mark McIntyre, Director, Government Security

    Earlier this month, our team was honored by a visit of a delegation of KISA, the Korea Internet & Security Agency. KISA is a government agency that concentrates its work in three areas: Internet promotion, Internet security, and promoting international cooperation in the area of ICT and broadcasting. Their overarching goal is to make the Internet accessible, secure and useful to the people of Korea as well as to promote broadcasting and communications technology and services.

    Korea is a special country when it comes to Internet use. It has a highly sophisticated, Internet-aware population with very high usage rates. In addition, much of their Internet use is mobile, with smart phones offering access to a large set of the population.

    During our discussions, Mr. Park and his team presented to us the specific issues they are concerned about, and introduced some of their techniques to protect Korean internet users. Given Korea’s widespread use of the Internet for both public and private services, they have a thorough understanding of the need for clean and safe access to the Internet.

    In Korea, their team manages the e-call center 118. This service is a hotline that provides toll-free, 24-hour Internet-related response services. Essentially, their trained team helps any Korean with issues such as a compromised machine, computer viruses and malware, spam, infringement of a user’s privacy, or any questions related to the use of the Internet. Wherever and whenever in Korea, a user can simply press 118 on his phone, and will be connected to a specialist to discuss the security issues he or she is experiencing. In addition, KISA operates a service that allows users to automatically forward spam to their team, which then investigates. Some years ago, Korea implemented stringent laws against spam, which they have the ability to enforce.

    Microsoft has long recognized a need for expert assistance with security issues. Many years ago, we made a decision as well to support our customers for free regarding any malware issues, or problems during the deployment of security updates. In the US and Canada, this service is available by phone at 1-866-PCSAFETY. It is great to see this need acknowledged and to see KISA do this for Koreans at a national level.

    From our end, we were happy to be able to provide KISA’s delegation with a briefing on how we are seeing many security issues in Asia, and Korea in particular, evolve. In particular, a lot of time was spent discussing how to combat malicious code and Distributed Denial of Service (DDoS) attacks, which are a common concern in Korea. In addition, we discussed Microsoft’s ability to share guidance and technical information to work together with KISA to further promote safe and secure internet access to Koreans.

    감사합니다,
    Maarten


  • MSRC Ecosystem Strategy Team

    From Bounties to the BlueHat Prize – Evolutionary Thinking in Valuing Security Research


    Handle:
    k8e

    IRL:
    Katie Moussouris

    Rank:
    Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

    Likes:
    Cool vulns, BlueHat, soldering irons, quantum teleportation

    Dislikes:
    Rudeness, socks-n-sandals, licorice

    Today on the MSRC blog, Matt Thomlinson announced the BlueHat Prize, the first and largest incentive prize Microsoft has ever offered to seek out and reward new ideas in computer security defense.  While you can get the details of the contest on the new program’s website, I’m going to talk about some of the factors that went into the making of the BlueHat Prize, and why we think defensive security technology is a crucial place for vendors like Microsoft to invest.

    Microsoft decided to offer large cash awards for innovations in runtime mitigation technology (a $200,000 grand prize, followed by a $50,000 second prize), both to acknowledge the value of defensive security work, as well as to encourage more security experts to start thinking about mitigations.

    Select organizations have offered small cash rewards to security researchers who found and reported security vulnerabilities in their products. As more vendors began offering bug bounties for individual vulnerabilities in their products, many people speculated that Microsoft would follow the trend. Before considering such an approach, we conducted an analysis of the data we have relative to security researcher motivations; current prices in the existing white, grey, and black markets for vulnerabilities and exploits; and of course, what finders of Microsoft vulnerabilities typically do with their discoveries.

    What we found can be summarized as follows:

    1. Motivation: Researchers have many motivations other than money, including recognition (either public or just among their peers).

    2. Prices: The prices for vulnerabilities sold to the white market do not even come close to the amounts offered by the grey and black markets. By “white market,” we mean either vulnerability brokers who give the details to the vendors privately to get the issues fixed, or the bug bounties offered directly by some vendors. By “grey and black markets,” we are referring to those who purchase the vulnerabilities and exploits for offensive use, and specifically don’t give the vendors info to help get the vulnerabilities fixed. No organization that rewards bug bounties for vulnerabilities in its own products, nor any white market vulnerability broker, offers prices intended to “compete” with the grey and black market prices.

    3. Disclosure: 90 percent of security researchers who privately report Microsoft vulnerabilities to us choose to report them to Microsoft directly, rather than seeking monetary payment via a white market vulnerability broker.


    With that in mind, Microsoft respects researchers’ choices in whether or not they seek individual payment for vulnerabilities they find, and the means certainly exist for them to do so if they wish. If researchers do sell their vulnerability findings, we hope they choose white market vulnerability brokers to provide Microsoft the opportunity to fix the issues before details are made public and risk to customers is amplified.

    So if money doesn’t appear to be the driving motivation for the majority of researchers who are willing to report issues privately in Microsoft products, why did we decide to offer a huge cash reward for defensive security research? Because we believe that the existing security research economy has been exclusively focused on offense for too long.

    As a company, Microsoft believes that the best way to secure our products is not through reactive measures, but instead to invest in secure development throughout the product lifecycle, and in overall platform defense technology.

    Rather than compete with the existing white market vulnerability economy, we decided to start something no one has ever done before, and introduce a new economic factor and incentive where none existed. While Microsoft continues to invest in improving the security of our products via our Security Development Lifecycle, and address individual vulnerability reports via our security response process, we are simultaneously looking to the horizon both in our vision of securing our platform, and the ways we reward the security researcher community.

    We hope other vendors who would like to seek the help of the global talent pool of security researchers will also consider this model of investing in and rewarding innovations in defensive security technology. We also hope that current and future generations of security researchers will be inspired to look at the defensive side of the equation when designing new offensive techniques, thanks to the BlueHat Prize. In our experience, some of the best defenders come from the offense side of security.


    I’m Katie Moussouris, and THIS is what a “security strategist” does at Microsoft. Now you know. :-)


    You can follow me on Twitter: http://twitter.com/k8em0

  • MSRC Ecosystem Strategy Team

    Predicting the Future - Microsoft Launches an “Exploitability Index”

    Handle:
    Silver Surfer

    IRL:
    Mike Reavey

    Rank:
    Director, MSRC

    Likes:
    Warm weather, Battlestar Galactica, and responsibly reported vulnerabilities

    Dislikes:
    Rain, Rain without end, Clouds with potential for rain, reality TV, and unpatched vulns

    Hey all – Mike Reavey here. I’ve been with the Microsoft Security Response Center (MSRC) for over five years now, and working in security for over a decade. One of the reasons I’m truly passionate about this type of work is that it’s always changing, and very exciting.

    However, in some ways the security ecosystem is a very predictable place.

    For example, I can almost guarantee we’ll see a lot of charts at Black Hat with arrows going “up” showing that things are still rough in the security space. And in fact, if you read George’s thoughts in a ZDNet guest editorial you’ll see things are going “up” in a lot of areas.

    One other predictable activity is that following every 2nd Tuesday, after we’ve released our security updates, there’s a community of folks reverse engineering our updates and creating exploit code. Consequently, another very predictable activity is that customers always ask us which of the vulnerabilities we’ve fixed have had exploit code released each month. That’s a key factor in their risk assessment.

    When we reviewed why they asked that question, one thing we realized is that not every vulnerability we release updates for has functional exploit code created. And that’s in the face of very competent people like those behind tools like Metasploit, Immunity CANVAS and Core’s IMPACT - who have systems and people geared up to produce exploit code every time we release updates.

    When doing the math, roughly 30 percent of the vulnerabilities we fix each year have exploit code released. You can see more details on this analysis in the SIR (www.microsoft.com/sir). There are a lot of reasons it’s not at 100 percent - some just aren’t interesting from an attacker’s or a pen tester’s perspective, and others only affect products that have low penetration, but some are more challenging to exploit given the way the vulnerability manifests itself. For example, a defense in depth approach may make a particular vulnerability especially hard to exploit consistently, maybe /GS causes the process to crash without any data aside from the /GS cookie being overwritten, or maybe it’s just an area of code where the system memory isn’t structured in a reliable way to gain execution.

    This morning, we’ve announced an “Exploitability Index.” The Microsoft Exploitability Index is designed to provide additional information to help customers better prioritize the deployment of Microsoft security updates. This Index will provide customers with guidance on the likelihood of a functional exploit being developed for vulnerabilities addressed by Microsoft security updates.

    This index will attempt to predict if a vulnerability is likely to have functioning exploit code released, or have inconsistent exploit code released that wouldn’t work every time an attacker attempted to use it. We’ll even highlight vulnerabilities where we think it’s unlikely that functioning exploit code will ever be released.

    The first question I get when I talk about this is, “How are you going to make this assessment?”

    Well, first we’ll review our understanding of the vulnerability and what it would take to exploit it with folks like our Security Vulnerability Research & Defense (SVRD) team as part of our standard MSRC process. Second, we’re also incorporating the same methodologies we’ve seen used in the community for years – some of these we’ve even had presented at our own conference, BlueHat, by folks like Halvar Flake and Lurene Grenier. And third, since, as Steve says, “it takes a village” to raise a healthy security ecosystem, we’re asking members of the Microsoft Active Protections Program to also review the vulnerabilities to check our work before we release the index each month.

    Bottom line… we are giving customers more information to help their risk assessment, and that, we think, is a good thing. And a very reasonable request, given the security ecosystem’s emerging shift towards more collaboration.

    I’ll be talking more about this and other Black Hat happenings at my Twitter feed: www.twitter.com\mreavey

    - Mike Reavey

    *Postings are provided "AS IS" with no warranties, and confers no rights.*

  • MSRC Ecosystem Strategy Team

    Security through Collaboration: Microsoft Active Protections Program

    Handle:
    Cap'n Steve

    IRL:
    Steve Adegbite

    Rank:
    Senior Security Program Manager Lead

    Likes:
    Reverse Engineering an obscene amount of code and ripping it up on a snowboard

    Dislikes:
    Not much but if you hear me growl…run

    Yut!!! Nothing like a motivating US Marine Corps yell to get your attention. Hey, Steve Adegbite here, just wanted to drop some words and give you my perspective on some of the news we (Microsoft) announced this morning.

    You may have seen already we launched a trusted information sharing program for security software providers. It’s a program we created in hopes of actually helping the defenders get a leg up on protecting consumers. The Microsoft Active Protections Program will allow vetted security software providers early access to the technical details on the vulnerabilities we are addressing with each monthly security update. Microsoft is doing this in hopes that we can give the defenders more time to produce timely signatures. Basically, in doing this, we’re betting that cutting out the time to reverse engineer our security updates will give valuable time back to the defenders to focus on protection enhancement and faster delivery.

    Most of the security community knows me from my work with the military and government before coming to Microsoft (i.e. founder of the USMC Information Assurance Red Team). One thing I harped on was that I believe security has to take a community-based focus. One aspect of this community-based approach is the establishment of a "trusted information sharing" program. As a red teamer, my job was to find the vulnerable points and feed that information to the defenders via trusted information channels. This helped the defender shore up their defenses or at least let them know where weak spots existed.

    The Microsoft Active Protections Program is doing a similar thing, just in a "commercial" way, and without me looking for vulnerable spots in code/networks at 3:45am. It’s not enough to point the finger at one entity and say “Fix it.” Those of us who belong to the security ecosystem must own the problem, and share in the solution.

    I believe in this so much that when the opportunity arose to run for the steering committee at FIRST, I couldn’t miss it. I am glad Microsoft saw the same value, as they have allowed me to do this as a two-year commitment. That shows tremendous dedication to the idea that security at large is an ecosystem problem. But more on that at another time on this blog.

    The point here is that everything can be addressed with the right collaborative effort. Microsoft gets that and is doing its part. In the coming year you’re going to see a lot of that action shining through in all arenas we engage in for security. Stay tuned and remember it takes a village to raise a child...but the digital village is where I live, and we are working together to raise a great and safe cyber ecosystem for consumers to enjoy.

    For more of my insight live from Vegas check me out on twitter at www.twitter.com\SteveAdegbite

    - Steve Adegbite

