Today we are shipping a new security suite from Microsoft to help enterprise customers protect and manage their IT security. One of the questions we know we are going to be asked is: “So what new does Microsoft bring to the table?”
I have been in and near the security business for almost two decades now. I remember how, in the early 90’s, when I was proud of the code I wrote, a colleague came to me and told me that security is about ‘Assessing, Detecting, Protecting, and re-evaluating policy’, drawn as the typical diagram of circular arrows. At the time it had no clear meaning to me. I did recognize, though, that the process by which our customers deal with security at the enterprise level goes around exactly these steps, in an everlasting battle against malicious software with various intents and against the new technologies that the enterprise keeps adopting.
Do we really expect customers to work with dozens of security technologies that have very little in common? It was quite clear to the industry, even back then, that no single protection technology exists that addresses all security risks. It was then that I realized that for a security solution to be effective and adopted, the overall approach must be a suite that manages a life-cycle and allows administrators to interact with different protection technologies from one console and in a very similar way.
Well, that was a worthy goal, but the reality was that each domain in enterprise IT brought its own set of challenges and vocabulary that could not simply be glued together in one console. Clearly, the needs of the administrators who deal with security for desktops, servers, applications, and the network have to be part of the design of the solution from the ground up. Such a solution should strike the right balance: aggregating data, policy, and configuration from all sources, while keeping the roles of the people involved, each with their own authorities and administration capabilities, correctly segregated. Stirling offers exactly that.
But then again, you might be asking yourself: “Well, all protection technologies can now be managed from one location and the different IT teams can work together, but is that enough value? Do we get more than just one console?” The answer is that Stirling takes a much more comprehensive approach to connecting different protection technologies than a management console alone. We came up with a concept that connects all protection technologies in a way that lets one technology benefit from the findings of another, or lets the findings of one technology cause an action (blocking, isolation, or increased logging) to be taken elsewhere. The beauty of assessment sharing is that we can abstract the findings of each protection technology in a way that hides the details of that technology. All the protection technologies that connect can understand each other, with no need for special domain knowledge about the other participating technologies. Let’s look at the following scenario:
Forefront Security for Exchange Server, an Exchange protection service, determines that a mail sent to or from a corporate client computer has malicious content. Forefront Security for Exchange Server issues an assessment about the client computer, and through Stirling policy that assessment triggers a malware scan on the client computer, which detects malware on that computer. Not only that, but the edge protection (Forefront “TMG”), which also subscribes to the Stirling assessment sharing channel, notices this assessment about the computer, increases the sensitivity of its internal thresholds for detecting port scans from this computer, and detects port scans from the client computer. The security administrator is notified of this chain of events, and of the relationship between them, in one single console. Sounds like a tale? Well, this is actually a real-life scenario with Stirling.
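To make the assessment-sharing chain concrete, here is an added illustration (my own sketch, not Stirling code or its actual API) that models the scenario above: a shared channel carries abstract assessments, an endpoint policy reacts to a malicious-mail finding by scanning the client, and an edge policy lowers its port-scan threshold for any host with a sufficiently severe assessment. The source names, severities, host names and the infected-host set are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Assessment:
    source: str     # issuing technology; consumers need no knowledge of its internals
    host: str       # the client computer the finding is about
    category: str   # abstract finding category shared by all participants
    severity: int   # constructed scale: 1 (informational) .. 5 (critical)

class AssessmentChannel:
    """Hypothetical shared channel: sources publish, subscribers react,
    and a reaction may itself publish a new assessment (the chain)."""
    def __init__(self):
        self.subscribers = []
        self.audit = []   # ordered chain of events as the admin console would show it
    def subscribe(self, handler):
        self.subscribers.append(handler)
    def publish(self, a):
        self.audit.append(f"{a.source}: {a.category} on {a.host} (sev {a.severity})")
        for handler in self.subscribers:
            for follow_up in handler(a):
                self.publish(follow_up)

INFECTED_HOSTS = {"ws-0042"}   # constructed: what a client malware scan would find

def endpoint_policy(a):
    """Policy: a malicious-mail finding triggers a malware scan on that client."""
    if a.category == "malicious-mail" and a.host in INFECTED_HOSTS:
        yield Assessment("FCS", a.host, "malware-found", 5)

class EdgePolicy:
    """Edge protection: lowers its port-scan threshold for hosts under suspicion."""
    def __init__(self, default_threshold=100, suspicious_threshold=10):
        self.default, self.suspicious = default_threshold, suspicious_threshold
        self.thresholds = {}
    def __call__(self, a):
        if a.severity >= 3:
            self.thresholds[a.host] = self.suspicious
        return ()
    def observe(self, host, distinct_ports):
        """True if the host's distinct-port count counts as a port scan."""
        return distinct_ports >= self.thresholds.get(host, self.default)

def run_scenario():
    channel, edge = AssessmentChannel(), EdgePolicy()
    channel.subscribe(endpoint_policy)
    channel.subscribe(edge)
    channel.publish(Assessment("FSE", "ws-0042", "malicious-mail", 3))
    # same traffic volume: flagged for the assessed host, ignored for a clean one
    return channel.audit, edge.observe("ws-0042", 25), edge.observe("ws-0017", 25)
```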
Principal Product Unit Manager, SAS