That's it!
It's my turn to throw my hat into the Forefront Team Blog ring!
Okay... I'm not 100% sure what that means.
Moving on.
My name is Ian Hameroff, and I'm one of the many bloggers you'll see up here on the Forefront blog-o-rama. If that's not a stellar enough intro, check out this video we filmed last week at Microsoft's illustrious studio - Conference Room 27/1545 (please note: this "studio" is not affiliated with the really cool Microsoft Studios in building 127):
So, if you've stuck with me this far, thanks!
Let's get to the reason for my post: the upcoming birthday for Windows Networking.
That's right!
Fifteen years ago this Saturday, on October 27, 1992, Microsoft shipped Windows for Workgroups (aka WfW for those who had dial-up Internet access back in the day that charged by the character) v3.1.
One of the major selling points of this release/update was the inclusion of "built in networking functionality" that would help make sharing files, sending electronic mails and "surfing" those Gopher sites -- that is, if you installed that pesky TCP/IP update -- that much easier.
Granted, these networking features were basically NetBIOS, but that didn't stop us from saying proudly on the product box: "Windows for Workgroups: Operating System with Integrated Networking."
While WfW Networking was still a leap forward, you'd have to wait until Windows 95 to get the complete "Internets" ready experience out of the box with Windows.
So, what the devil does this have to do with Forefront or security, Hameroff?
Great question!
Clearly, integrated networking (or at the very least the more seamless integration of networking as with WfW 3.1) changed the rules of the game for Windows users. While it opened up new opportunities for collaboration and communication, it also introduced the newly connected world to the potential risks of malicious abuse.
Over these 15 years, we (the industry, not just Microsoft) have learned a ton about how to balance greater access with increased security. This sometimes paradoxical acrobatic act of striking that balance is something I've spoken on for a bunch of years (both at events -- like TechEd -- and on my blog: http://blogs.technet.com/ianhamer), and I'm excited that we're getting closer to another Windows networking birthday, one that will help us inch closer to realizing the promise of policy-driven network access.
For me, that's all about the upcoming release of Windows Server 2008 and the Network Access Protection features found within.
NAP enables IT administrators to set policies that determine the minimum requirements for gaining network access to the corporate network - like making sure that Forefront Client Security is both enabled and up to date.
You can check out a killer demo of this in action (okay, get ready to watch this shameless plug, but bear with me) with FCS from my demo in BillG's recent keynote address at WinHEC 2007.
An absolutely shameless plug.
As you'll see in the demo, or if you've already played with the technology in Beta or RC, the ability to set, validate and enforce access policies based on the health of the connecting client helps further reduce the risk of malicious abuse of networked resources. I like to think of NAP as a catalyst for getting even more value out of the investments you've made in your security controls, because it helps make sure they are used properly by your end-users, with the reward of network access for those "up to snuff." This is a platform that will work closely with the Forefront product line -- even more so with the release of "Stirling" -- but also with the wide range of eco-system partners that have signed up to plug into our NAP platform.
So, if you're thinking about one of the Forefront products for your environment, or already have some of this stuff in place, I encourage you to check out the added value NAP can bring to these investments.
Also, don't forget to send Windows networking your birthday wishes this Saturday!
The new Security Intelligence Report (SIR) is out from the Microsoft Malware Protection Center (MMPC) – the folks who make Forefront’s anti-malware engine. Vinnie Gullotto writes on the MMPC blog:
The SIR shares the conclusions drawn by our research team using data gathered from the Microsoft Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, Windows Live OneCare safety scanner, Exchange Hosted Services, and Forefront Client Security (FCS). The net of this is threat-related data from several hundred million Windows-based systems.
From the data in the SIR we can see that the trends continue in a direction that indicates attackers are financially motivated and are adjusting their tactics along with constantly modifying the threats, both malicious and potentially unwanted (you can read more about what distinguishes each of these in the report) they use to support this goal. Some examples of findings in the new SIR:
· Significant increases in categories, such as Trojan downloaders, potentially unwanted software (which includes rogue security software), and exploits, suggest that distribution of potentially unwanted software is less and less a matter of a normal affiliate model and more often malicious and/or criminal in method and intent.
· We found 65% less Potentially Unwanted Software and 60% less malware on computers running Windows Vista than on computers running Windows XP SP2.
There’s more on the MMPC blog. You can read the SIR at www.microsoft.com/sir
Paul Smith, a designer and retailer of clothing and luxury goods, wanted a client security solution that would be easier to manage. The existing solution had to be maintained separately, which conflicted with the company goal of a more streamlined, integrated IT environment. To improve efficiency, Paul Smith chose a solution based on Microsoft Forefront Client Security. Although still in the early stages of implementation, the company reports that integration with familiar tools like Microsoft Systems Management Server and Operations Manager is simplifying management. The IT team has better control over client security through detailed reporting and more effective administration of software and virus definition updates. The company also plans to expand its security solution by deploying Microsoft Forefront Security for Exchange Server and Forefront Security for SharePoint.
There’s more...
Or, to be more precise, it sure looks like they do.
In my other post on the publicly available spam tool, I mentioned that I came across a page that allowed people to verify whether or not an email address is actually live. The question naturally arises: do spammers clean up their email contact lists based upon whether or not the address is legitimate?
Spammers would have an incentive to do this - the fewer mails they have to send, the fewer resources they have to consume. Spam blitzes depend on spammers sending out as much as possible in as small a window as possible. The fewer the bots sending mail, the smaller the rate of spam detection.
Do we actually observe spammers changing their sending patterns? I believe that we have evidence that they do. Our customers have the option of doing Directory Services blocks. The way this works is that customers upload a list of legitimate email addresses to us. When a message hits our network, we look up whether that email address exists (is live). If no such email address exists on the domain, we send back a 554 - Recipient Address Not Available. These are called Directory Service Blocks, or DS blocks for short.
Recently, some customers have started using our DS services more actively. When they do, they have said that the number of total spam blocks in their statistics drop dramatically, sometimes by a factor of 10. Whereas before they were seeing 10 million spam blocks prior to using DS, now they are seeing only 1 million spam blocks. That's a huge drop. What gives? (It's not a problem with our reporting mechanism, btw).
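The DS block flow described above, as an added example that is not part of the original post: a toy inbound filter that applies the directory check first (554 for recipients missing from the uploaded list) and the IP blocklist second (550), then tallies blocks by stage, which shows why a dead-address message from a blocklisted host is counted as a DS block rather than an IP block. The directory, the blocklist, the 550 reply wording and the inbound messages are constructed sample data.

```python
"""Toy model of a two-tier inbound mail filter: Directory Services (DS)
recipient check first, IP blocklist second. All data here is constructed."""
from collections import Counter

# Constructed sample directory: legitimate mailboxes a customer uploaded,
# keyed by domain. Domains not listed are not DS-protected.
DIRECTORY = {"example.com": {"alice", "bob", "sales"}}

# Constructed sample IP blocklist used by the second-level check.
IP_BLOCKLIST = {"203.0.113.7", "198.51.100.22"}

def ds_check(rcpt):
    """Return the 554 reply if rcpt's domain is DS-protected and the mailbox
    is not in the directory; return None when DS has no objection."""
    local, _, domain = rcpt.rpartition("@")
    known = DIRECTORY.get(domain.lower())
    if known is None or local.lower() in known:
        return None
    return "554 Recipient Address Not Available"

def ip_check(src_ip):
    """Return a 550 reply (constructed wording) for blocklisted senders."""
    if src_ip in IP_BLOCKLIST:
        return "550 Client host blocked"
    return None

def filter_message(src_ip, rcpt):
    """Apply DS before the IP blocklist; return (stage, smtp_reply)."""
    reply = ds_check(rcpt)
    if reply:
        return ("ds", reply)
    reply = ip_check(src_ip)
    if reply:
        return ("ip", reply)
    return ("accept", "250 OK")

def block_stats(messages):
    """Count outcomes by stage for a batch of (src_ip, rcpt) pairs."""
    return Counter(filter_message(ip, rcpt)[0] for ip, rcpt in messages)

# Constructed inbound batch: (source IP, RCPT TO address).
SAMPLE_MESSAGES = [
    ("203.0.113.7", "nobody@example.com"),    # blocklisted host, dead mailbox -> ds
    ("203.0.113.7", "alice@example.com"),     # blocklisted host, live mailbox -> ip
    ("192.0.2.1", "bob@example.com"),         # clean host, live mailbox -> accept
    ("192.0.2.1", "zzz@example.com"),         # clean host, dead mailbox -> ds
    ("198.51.100.22", "stale@example.com"),   # blocklisted host, dead mailbox -> ds
    ("192.0.2.9", "sales@example.com"),       # clean host, live mailbox -> accept
]
```

Running `block_stats(SAMPLE_MESSAGES)` on the constructed batch gives three DS blocks, one IP block and two accepts; once senders stop addressing dead mailboxes, the DS count falls and only the IP-level blocks remain.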
As it turns out, it looks like spammers are changing their behaviour based upon return codes. DS blocks are our first level of spam blocks and then IP blocklists (which send 550s) are our second level. What appears to be happening is the following:
If this is indeed what is going on, it shows a clever resilience amongst the spam and bot community that allows them to learn what is happening in response to their tactics, and then change their tactics accordingly. This doesn't surprise me; I have stated in the past (somewhere) that spammers are like antibiotic-resistant bacteria, evolving to deal with new threats and figuring out ways to survive.
Of course, if this hypothesis is correct, then it means that spammers are using very polluted lists, that is, emails to nowhere. Looks like whoever sold them those lists didn't give them much quality. That makes me feel a little better, so I'll take the time to engage in a little schadenfreude.
The Forefront server security products provide several key security capabilities to Exchange and SharePoint customers, including an advanced multiple anti-virus engine manager that allows you to concurrently run up to 5 of the included Microsoft and third-party anti-malware engines. Using multiple scan engines delivers several critical advantages:
A recent set of tests performed by the independent AV-Test.org group found some surprising differences in signature update times from various vendors. The tests compared AV lab response times for eighty-two “in the wild” viruses and variants. Twenty-six of the viruses were quickly detected by all the scan engines, but some engines didn’t detect certain viruses for more than twenty-four hours. In a few cases (notably 0506 Banwarum.C@mm), some vendors didn’t update their signatures to provide a block until nearly five days had elapsed! Because Forefront Security for Exchange Server and Forefront Security for SharePoint combine multiple engines, the odds that a virus will go unblocked or undetected for long periods are greatly reduced. Organizations benefit from all updates for the set of engines they use, not just from updates to a single engine.
For a larger version of this chart go here