MSRC Ecosystem Strategy Team : BlueHat

A Brussels retrospective from Oahu

msrcecostrat — Fri, 12 Jun 2009 07:31:00 GMT

Handle:
Security Blanki

IRL:
Sarah Blankinship

Rank:
Senior Security Strategist Lead

Likes:
Vuln wrangling, teams of rivals, global climate change - the hotter the better

Dislikes:
Slack jawed gawkers (girls are geeks too!), customers @ risk, egos

Aloha from the Shakacon III, a security conference held each year in lovely Honolulu, Hawaii! Although I’m currently in a different region of the world, talking with a completely different segment of the security ecosystem, I wanted to take a few moments to reflect on the BlueHat Security Forum EU event recently held in Brussels, Belgium.

Celene’s EcoStrat blog post highlighted the collaborative nature of the event and described the amazing content that was presented to the group of key EU security stakeholders. While to be a part of building a new platform for technical information exchange was a success in itself, we all have different priorities. In order to effect change, we must understand each other and work together, across technologies, organizations, and country boundaries. With the building of better collaboration in this community, we all have taken one more step in helping to secure the planet as a collective.

I’ve mentioned in a previous EcoStrat post that the EcoStrat team strives to build bridges and help folks get over them. The BlueHat Security Forum EU event was an example of bridge-building in action. It was rewarding to introduce representatives from governments, industry, and enterprises, as well as individual participants to each other. Prior to the BlueHat Security Forum, this particularly diverse group had never been in the same room discussing current security threat landscapes, understanding together the realities of securing critical national infrastructures and corporate networks alike.

With such a diverse collection of attendees, participants naturally had a wide-range of security priorities. Concerns ranged from targeted attacks to ID theft, defending Web applications and supply chains, developing and deploying secure coding practices to policy development, political concerns within and outside of the EU, and the list goes on.

Certainly the message that there is no one magic solution to security was delivered. There is still so much work to be done. It will take defense-in-depth, secure coding, securing third-party applications and proprietary applications; it will take technology and people. We all understand that security can be likened to an arms race; every innovation we make in security is met by a very sophisticated collective of global malicious actors. We must be vigilant together; we must work together.

Mahalo for reading and here’s to another step towards achieving community-based defense.

Sarah

Share this post :

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Announcing the BlueHat Security Forum: EU Edition

msrcecostrat — Tue, 02 Jun 2009 08:30:00 GMT

Handle:
C-Lizzle

IRL:
Celene Temkin

Rank:
Program Manager 2 & BlueHat Project Manager

Likes:
Culinary warfare, BlueHat hackers and responsible disclosure

Dislikes:
Acts of hubris, MySpace, orange mocha Frappaccinos!

Hey folks! I know this is typically the time of year when birds are chirping, the rain is supposed to be letting up, and those of you in the BlueHat network who are normally invited to attend the Spring BlueHat conference are asking yourselves, "Why did MSRC start doing the con only once a year?" The answer, of course, is pretty simple and complicated at the same time. Today marks the beginning of the next evolution of the BlueHat Security Briefings, with the launch of the BlueHat Security Forum taking place at the Microsoft Executive Briefing Center in Brussels, Belgium.

Following the success of the BlueHat Security Briefings, entering its 9^th iteration this October 22-23 at the Microsoft campus in Redmond, the BlueHat Security Forum EU event is an invitation-only gathering and network of select government and enterprise decision-makers from throughout the European Union. Attendee country representation includes Austria, Belgium, Denmark, Finland, France, Germany, Italy, Norway, Sweden, Switzerland, and the UK. Today’s Forum gathering in Brussels features lively presentations on the latest developments in information security from Microsoft leaders and external security researcher luminaries.

The primary objective of the BlueHat Security Forum is to build bridges between our Microsoft Security Leadership team, key Enterprise security stakeholders, and members of the security research community. The secondary objective is to participate in candid, actionable, and constructive dialogue with key enterprise customers that will help Microsoft produce enterprise-ready, value-laden products and services. The BlueHat Security Forum planning team formulates discussion topics for these meetings based on current security hot topics, new research and trends.

Today's BlueHat Security Forum EU event agenda will address:

· E-crime attacks, the vulnerability economy and the global threat landscape

· Security in the cloud, DNS security, and the malware landscape

· Microsoft Security Response Center (MSRC) processes and integrating a Security Development Lifecycle (SDL)

And did I mention our stellar line up? J Presenters from Microsoft Trustworthy Computing include Andrew Cushman, Director of Trustworthy Computing Security; David Pollington, Director of Security, Europe; Vinny Gullotto, General Manager, Microsoft Malware Protection Center; Alex Lucas, Principal Security Development Lead; Mike Reavey, Director of MSRC; and from Global Foundation Services, Martin Rues, Director for Cloud Security, Microsoft & Scott Oxley, Lead Architect for Cloud Security, Microsoft. External presenters include Iftach Amit, Director, Security Research, Aladdin; Dragos Ruiu, CEO SecWest Conferences, Security Technology Specialist; Dan Kaminsky, Director of Penetration Testing, IOActive; and Scott Stender, Principal, iSEC Partners, Inc.

We are seeking to build upon the momentum of past events by showcasing how individual strategies can intersect to offer substantial benefits and positive-sum outcomes. As with the local BlueHat conference, we are looking to demystify global and regional security threats, and to create channels for productive information exchange on common threats between the security industry, governments and researchers. Future regional BlueHat Security Forums are planned for Asia in 2010 and LATAM in 2011.

Next up: save the date for BlueHat v9 this October 22-23 in Redmond. Stay tuned for more updates and information to come here and on the BlueHat Blog. Be sure to check out Iftach Ian Amit’s post also coinciding with the Forum, Getting a business degree as part of Security Research?

Bon chance!

Celene

Share this post :

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Hack in the Box, and beyond…

msrcecostrat — Wed, 13 May 2009 08:00:00 GMT

Handle:
EcoStrat's All-Stars

IRL:
TwC Security All-Star Guest Bloggers

Likes:
Security, Vulnerability Research & Science, Defense and Responsible Disclosure

Dislikes:
0-day, FUD

Marhaban! Maarten Van Horenbeeck here from the Microsoft Security Response Center (MSRC). This is the first time I have blogged here on EcoStrat. As a Security Program Manager with MSRC, one of the roles I have is to work with security researchers, and this often involves attending security conferences to meet with you. Two weeks ago, a couple of us in Trustworthy Computing (TwC) attended the Hack in the Box (HITB) security conference in hot and sizzling Dubai, United Arab Emirates.

There is a saying that "every word in Arabic either means itself, its opposite, or a camel." Working in the information security industry, I often use this to illustrate to my clients how a piece of code that one person considers a vulnerability, can very well be seen as valid functionality by another. As such, my Microsoft colleagues and I were very interested in learning more about other Arabic sayings that could be applied to the information security industry as a whole.

Hack in the Box is a twice-annual conference, taking place in Dubai, UAE during April, and somewhat later in the year in Kuala Lumpur, Malaysia. Given our past experiences with the value of the talks at the conference, Microsoft was a Titanium sponsor of this event.

The Dubai conference is more intimate than the Malaysia one, but that is exactly what makes it a great way for local information security professionals to network and learn more about cutting edge security research that is taking place all across the world. Presenters ventured from as far as Indonesia, the United States, and Germany.

At Microsoft, I think we can safely admit that in order to pioneer security efforts, we were forced to make every single mistake in the book and learn from it. When I started with the company, I was fascinated to see that we are in fact very good at learning. When we deal with an issue, we like to understand how we can resolve similar issues more effectively in the future. As such, we don’t just attend conferences to learn, but to start up a conversation – we are interested in sharing our own experiences as well as touching base with others.

Microsoft employees had two presentations lined up for this event. Mark Curphey, the director of Microsoft's Information Security Tools team, had a keynote presentation on security tools and technology for effective risk management. Mark focused on how most security tools and technology available to effectively manage risk can only be described as primitive in comparison to those used in most other areas of risk management, such as online gaming or healthcare. From my own experience as a security consultant, I can echo his finding that Microsoft Office Excel is often the most effective tool risk managers have at their disposal.

This is a gloomy situation, given the amount of risk most organizations are exposed to, but a broad sigh of relief was voiced by the audience when Mark clarified his team is working here at Microsoft on solving just that issue.

After Mark's talk, Ian Hellen from Microsoft's Security Assurance team and I spoke to several attendees who wanted to learn more about how M

icrosoft deals with application security issues. We understood from them that there is a lot of internal software development taking place in Dubai to support business processes, and many of the attendees asked questions about how they could make their own applications more secure. We talked to them about the Microsoft Security Development Lifecycle (SDL), which is our standardized approach to software security. If you have similar interests, you can read more about it here.

Billy Rios, one of our resident security engineers, delivered a fascinating presentation on the concept of trust relationships in Web applications, and more specifically how a disparity exists between the security models implemented in Web applications, and those implemented by the browsers that host those applications. In addition, he collaborated with Chris Evans from Google to share with the audience some of their experiences with cross-domain issues and practical man-in-the-middle attacks on SSL.

While there was too much content at the conference for me to discuss in depth here, I will mention some of the other highlights.

Roberto Preatoni from WabiSabiLabi, one of our guests at BlueHat 6, presented on cyber warfare. He refuted Marcus Ranum’s 2007 statement at HITB Malaysia that cyber warfare is an overrated issue, by calling out several examples of contemporary cyber war. He illustrated how it may not just affect nation-states but its conflicts of interest can affect industries and individual corporations as well.

Reverse engineers in the audience welcomed Sebastian Porst from Zynamics. He spoke about REIL, their Reverse Engineering Intermediate Language, and more specifically how it can be used to optimize static binary code analysis. They actually used one of our vulnerabilities, the Windows Server Service vulnerability patched in MS08-067 (read more about it here and here) to illustrate how their tool works. This was definitely a topic many of our own engineers are deeply interested in.

Another well received talk came from Wes Brown of IOActive. He provided a good primer on analyzing malicious code, and gave it a twist by describing how languages, Unicode, and even culture all make a difference and make the reverse engineer’s work just a wee bit more difficult.

At the end of the conference, Microsoft sponsored the sunset Post-Conference Reception, which allowed for more valuable networking opportunities.

Sometimes dealing with security incidents and vulnerabilities can feel like marching across a desert. Confidentiality is an unspoken requirement, and often you can only rely on your own senses, knowledge and intuition. It is a great thing that just like in Dubai, there are watering holes where we can come together and rely on each other implicitly, sharing information and improving the state of the art in our business. Thanks, Hack in the Box, for a great conference, and we’ll see you next time. Ma’a salama.

[Editor's note: check out the BlueHat Blog for another Microsoft perspective on HITB-Dubai]

Share this post :

*Postings are provided "AS IS" with no warranties, and confers no rights.*

CanSecWest: Caution, Community at Play

msrcecostrat — Wed, 18 Mar 2009 12:20:00 GMT

CanSecWest, in beautiful Vancouver BC, is one of my favorite conferences each year. It’s a cozy little security con that brings together security researchers from all parts of the security ecosystem. Like a PhNeutral or a BlueHat, one never quite knows what to expect out of a CanSecWest, but we do know that Microsoft products and engineers will play a prominent role. We’ll be presenting new security innovations and new tools, we’ll be watching Pwn2Own closely for possible hacks, and we’ll be happy to discuss our industry best practices in the hallway track.

Security gatherings such as this allow the ecosystem to exchange information and awareness in order to become more secure. The more we know about the attacks, the better prepared we can be on defense. Presentations like Matt Miller’s “The Evolution of Microsoft's Exploit Mitigations” and Jason Shirk and Dave Weinstein’s “Automated Real-time and Post Mortem Security Crash Analysis and Categorization” demonstrate that as Microsoft learns more about an attack, we incorporate this information into techniques and tools that we share with our developer community. Stay tuned for more news and posts throughout the show.

Again this year, CanSecWest features the Pwn2Own contest – a contest that pits researchers against technologies to see whether technology or human wins. It’s also a contest that presents interesting challenges to Microsoft and a contest which you might think Microsoft opposes. Like many other issues in the security ecosystem – it’s not that simple. The contest exemplifies two basic tenets behind the TwC Security teams’ efforts. You can’t hide from the truth (wishing doesn’t make it so) and every issue is an opportunity to learn and improve.

We recognize that all vendors’ products may be found vulnerable and Microsoft welcomes the contest as another opportunity to engage the security community in productive dialogue around responsible disclosure and effective security engineering. We also see that Pwn2Own provides an opportunity to educate the public and we believe it can showcase Microsoft’s security engineering efforts, both relative to our competitors and in an absolute sense.

The security community is offering knowledge of attacks and defenses that consumers and other vendors can use to stay safe or create more secure products. The rest of the story – and an additional measure the security community could use to evaluate vendors’ products - is what happens after the content ends. Rest assured Microsoft will take this information and apply it towards securing our networks, platforms and applications (hopefully before they ship), and to create strong response process and engineering discipline that are necessary for our communal security. And as always, the MSRC are ready to work to investigate any vulnerabilities that researchers might find during the Pwn2Own contest.

By the end of the contest, co-sponsor Tipping Point will be the owners of many new vulnerabilities. They value the protection of their customers and will need to work with their partners in the security ecosystem to make sure everybody is protected as quickly as possible (one more way consumers benefit). One of the goals of responsible disclosure is for the vulnerability details to emerge at the same time that an update is available from the vulnerable vendor. The CanSecWest conference organizer also has a responsible disclosure policy, as do all of the conference organizers that the EcoStrat team is able to support worldwide each year.

Although innovative contests put some of us in a place that is not always comfortable, it’s valuable for the ecosystem to come together with contests like Pwn2Own and Iron Chef Black Hat, to better understand and solve common issues. It’s yet another example of the “team of rivals” strategy. Let the contest begin!

-Sarah

Share this post :

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Observations from the EcoStrat-isphere

msrcecostrat — Thu, 30 Oct 2008 10:24:00 GMT

As part of the quest to help "secure the planet", our team travels over this planet a lot, and I wanted to highlight a few of the interesting security gatherings I've been to lately.

September brought sunshine and the Executive Women’s Forum (EWF). An all-women’s security event was completely refreshing and a great contrast to the usual technology scene. In addition to the great technical content, it’s always a treat to discourse with others who see computer science as a social science, Mary Anne Davidson’s blog post about synthesis had some great insights:

One of the things I have been doing some thinking and speaking about is the idea of synthesis. More specifically, the lessons we can learn in IT security from other disciplines, such as business, economics, history (especially military history and strategy) and biology.

Hey, those are social sciences (except for biology, although its neighbor epidemiology counts). She also mentions strategy which is a subject close to my heart. :-)

Additionally, I had a chance to break bread with former colleagues and friends from around the planet. I got to hear from women starting their own companies or in amazing roles at their organizations -- women whom I would want as mentors, colleagues and partners. It was also eye-opening in terms of the old school/new school debate among women decision makers, the parallels we see in the male-dominated environments, centered around the question of whether it's possible to solve security ecosystem problems through regulation. The security ecosystem is like the weather – you can’t predict or control it – but you want to be prepared for it. EWF presents an opportunity to continue educating and networking with this community about the risk environment and how to mitigate threats, concurrent to ongoing policy, privacy and regulation initiatives.

One of my personal goals is to (paraphrasing a line on a favorite greeting card) "build bridges and help people get over them." One of those goals was realized when, in October, the Microsoft Security Response Center (MSRC) and friends went down to the Southern hemisphere for some mmmm BA-Con. Even better than bacon, was the gathering of some mavericks, if you will, including Argentinean security superstars and underground up-and-comers. The conference was the culmination of years of conversations and grassroots community partnerships between traditional "rivals": Core Security, well-known in the attack tool community, in alignment with our team and other protection providers.

An interesting trend we’ve noted, alongside traditional security conferences, we are starting to see the development of "micro-communities" thriving around the world with different parts of the security ecosystem overlapping. Just as Black Hat has its Defcon, the security conferences worldwide are realizing the value of leveraging different and respected security communities. BA-Con has ekoparty Security Conference and Xcon has XKungfoo, both great examples of diverse communities collaborating. Mary Anne’s post talks about the risks of a lack of "biological diversity”. By contrast, the collaboration between these communities provides illustrations of diversity from a social science perspective: language, organizational affiliation, age.

Each year, we also have the pleasure of *not* traveling, and welcome members of the security community here to the Microsoft Corporate Campus for BlueHat. Ask the BlueHat network of past speakers or catch some great blog posts recently, one of the most interesting watering holes in software security is @BlueHat. Thanks to all who have helped us grow from a friendly little hacker con to a platform to educate the broader security community with the BlueHat: SDL Sessions, to give back to the developer population by releasing developer tools, and for building more relationships toward community-based defense.

A lot of people are surprised that we don't make a bigger deal out of BlueHat by inviting the press in. Even though BlueHat is a great story, that's not primarily how we see it. It is a network, a voice for the community, a platform to launch people, research and ideas. The interactions are different, somehow more open and sincere when folks don’t have a press audience or "preconditions". The good stuff and paradigm shifts that come out of BlueHat in the form of new awareness, collaborations and security innovations, will pay off for years to come. We aren’t willing to risk the platform for a press story.

There is a lot of excitement that we are making the BlueHat: SDL Sessions public! That's right; you don’t have to come to BlueHat to watch a great day of security content! Thanks for the feedback and stay tuned for BlueHat: SDL Sessions releasing on TechNet, we’re working on getting them up as soon as we can. And the rumors are true: TwC will release a tool to the public within the fiscal year.

As a part of the MSRC, a big part of our team life these days has been releasing MS08-067* out-of-band. With the update, we are all more secure. That means that a many of your security colleagues worked 24 by 7 to get this out to you as quickly as possible.

Throughout my travels, a common theme in these experiences are the opportunities for shared goals and cooperation from organizations and people usually seen on different sides: security researchers and software engineers, Macs and PCs, browser developers and browser hackers, vendors and competing vendors from the infrastructure to the cloud. BlueHat has demonstrated that well-chosen strategies, while easy to overlook, offer substantial benefits and positive outcomes. It is a great example of "reaching across the aisle" to create those multivendor solutions.

Next: around the world in 14 days. Really!

Sarah

Security EcoStrategist

* As with all security updates, MS08-067 is a free download with no check for Windows Genuine Advantage. For details and a link to the software for your operating system, click here to go to the Microsoft TechNet Security page.

*Postings are provided "AS IS" with no warranties, and confers no rights.*

BlueHat Special, Aisle 8…

msrcecostrat — Tue, 07 Oct 2008 09:22:00 GMT

Handle:
C-Lizzle

IRL:
Celene Temkin

Rank:
BlueHat Project Manager

Likes:
Culinary warfare, BlueHat hackers and responsible disclosure

Dislikes:
Acts of hubris, MySpace, orange mocha Frappaccinos!

Hopefully by now you’ve seen the lead in to BlueHat v8 blog post, the official announcement post, and perused the spiffy, revamped BlueHat page. I’m truly amazed to see how the content has shaped up as we approach the final countdown to BlueHat v8: C3P0wned on October 16-17. It’s thrilling to see what was once a little hacker con turn into a platform to educate developers and execs with an end-to-end story. Day one of BlueHat will focus on security issues facing the ecosystem while Day two leverages the Security Development Lifecycle (SDL) to discuss the full cycle of proactive security and "baking security in," so to speak.

BlueHat is first and foremost about educating all the Microsoft "cooks in the kitchen" so we can better understand the security space and ship more secure products. This time, Microsoft will share some of that education with the world. The BlueHat team will post publicly, for the first time ever, a day of BlueHat content. You can also count on speaker video interview podcasts, anecdotes and archives to be on the site as well.

This is the fifth BlueHat I’ve had the pleasure of being a part of. I can’t help but get nostalgic, as I’ve seen the con continue to grow and pick up momentum. Microsoft and the ecosystem continue to endure some pretty significant threats, such as the recent DNS issue, ActiveX issues, etc. In addition, issues including blended threats and other vulnerabilities that affect multiple vendors demonstrate that complex threats are increasing. Understanding these trends give us a strategic call to action. We can leverage BlueHat to bring vendors, researchers, ISV’s, CERT’s (and others) together to understand complex issues and to create recipes for collaboration. It’s not just Microsoft working with other vendors on issues, but Microsoft working with the overall security community to meet these challenges.

Even other companies are taking the time to create BlueHat-like conferences and events at their own facilities to help their own employees sharpen their security skills. The good folks at eBay host Red Team eBay where their security team members can meet and exchange ideas with industry experts. It’s beyond encouraging to witness other companies leading with their best foot forward in creating a melting pot of security information exchange.

I can’t wait for BlueHat v8 and I encourage you all to follow the virtual trail on the BlueHat Blog and SDL Blog leading up to and during the event.

-Celene Temkin

*Postings are provided "AS IS" with no warranties, and confers no rights.*

The Valley Between Black & Blue

msrcecostrat — Thu, 21 Aug 2008 17:05:00 GMT

I affectionately call this time between summer conferences, the black and blue phase, where I wear security like a Hypercolor t-shirt, changing colors depending on where we are in our conference shipping and planning cycles. We just shipped a successful Black Hat and we are within T-minus 60 days until BlueHat v8.

Although the BlueHat v8 schedule has yet to be formally announced, there has been some early buzz around the speaker line up and I can assure you the two days of cutting-edge content will not disappoint. Please keep an eye out for speaker line-ups, abstracts, and bios, which will be posted on the BlueHat TechNet Security Briefing Page in the next couple of weeks. As always, keep up with the rolling thunder of the BlueHat Blog, which highlights internal and external BlueHat speakers from past, present, and (hint, hint) future.

But let’s back up for a second, what is BlueHat and what are the goals of this conference in the ever-evolving security industry?

First, we believe in educating our own because only when we truly comprehend our security reality, can we begin to defend ourselves and anticipate mitigations for the looming threats on the horizon. We educate our own by making BlueHat an invitation-only conference where our Microsoft developers, security engineers and product teams can receive security training credits for attending. Since security is not a spectator sport, we also encourage Microsoft employees to present alongside the external researchers recruited to present. We try and stay as transparent as possible with all our speakers, so none of the talks are under NDA.

Second, we use BlueHat as a vehicle for our partner and product teams to outreach to the security community. At every con out there, everyone knows that the “hallway track” is often the most fruitful and interesting. We seed our hallway track at BlueHat deliberately to maximize everyone’s experience. Countless introductions and targeted outreach occurs on the sidelines while the talks are going on. Researchers meet developers, speakers meet architects, CERTs meet security strategists—you name it, everyone’s engaging and the best part is it can take new relationships to a completely organic state far beyond our wildest expectations. Only at a venue like BlueHat could we pair two independent security researchers to do research on Silverlight in conjunction with the Silverlight & Adobe teams, and then have them present the results. Their presentation went so well that Manuel Caballero and Fukami won the “International Tag-Team Patches Award” at the BlueHat v7 Community Dinner, highlighting this alliance.

Third, BlueHat promotes Microsoft’s responsible disclosure policy, with the goal of coordinated release of an update and public disclosure of the vulnerability details. We also promote responsible disclosure with all of the conferences our team sponsors worldwide and ask conference organizers to promote vendor notification and the coordinated release of updates and vulnerability information.

The BlueHat Planning Team strategically invites security product vendors, security researchers, security officers, members of security response teams and past BlueHat speakers to engage while propelling MSRC values in real-time with a human face.

An almost overwhelming pupu platter of submissions sits before us; limitless in possibilities and all the better to educate our developers and execs with. Along with the great privilege of reviewing these submissions with the fellow members of the BlueHat Planning Team, comes the bittersweet burden of nailing down the final talks to exceed our audience’s expectations. The cool part is we get to immediately start working on the next BlueHat as it’s the best way to stay current on the latest trends around security and privacy.

- Celene Temkin, BlueHat Project Manager

*Postings are provided "AS IS" with no warranties, and confers no rights.*