MSRC Ecosystem Strategy Team : CERT

Constants and Change

msrcecostrat — Tue, 03 Feb 2009 11:00:00 GMT

Microsoft has been talking about community-based defense for some time now. This week, I want to provide a personal dimension to the campaign, and give an update on recent activities. Curiously, as I started to write this post, a couple of phrases popped up, which despite being somewhat trite, seemed appropriate – "change is constant" and "the more things change the more they stay the same."

Handle:
The Crushman

IRL:
Andrew Cushman

Rank:
Security Director

Likes:
Cranberry juice (thanks Jay!)

Dislikes:
Super helpful hotel desk clerks (thanks Raoul?)

Over the last years my outreach efforts expanded beyond the security researcher part of the security ecosystem to include CERTs and other guidance providers, as well as security organizations and companies. My most recent past and future activities give a view.

Before we get into the trip report, though, I want to spend just a second on a couple of guiding principles and introduce some vocabulary.

I attend a lot of conferences around the world. A number of years ago, I started referring to them as “watering holes” – like watering holes security conferences are the places in the ecosystem that attract a diverse population focused on a common need. The most interesting conferences are the ones with the best “hallway track” – the ones that attract the most diverse and most interesting attendees also typically generate the most interesting hallway (or after hours) discussions.

My objective in attending conferences is twofold. I want to foster community support, help make connections between Microsoft and different parts of the ecosystem, and make bridging connections between parts of the ecosystem that might not otherwise mingle. Secondly, I want to stimulate conversation about shared problems, ensure attendees understand what Microsoft is doing and promote discussion about collaborative solutions.

In December, I was in Sao Paulo at the DISI 2008 – Dia Internacional de Segurança em Informática; an event co-hosted the Brazilian Army and FIESP – the Industry Federation of the State of Sao Paulo. This conference was interesting because of the community it brings together and the challenges unique to Brazil. I presented last year and delivered an embryonic call to action for community-based defense. I was very pleased to be able to return a year later and give an update that showed Microsoft’s progress. I pointed to programs like the Microsoft Active Protections Program (MAPP), the Industry Consortium for Advancement of Security on the Internet (ICASI), the Exploitability Index and Microsoft Vulnerability Research (MSVR) to demonstrate that we are walking the walk.

January found me in California at a Bay Area security confabulation whose theme was “Partnerships: finding ways to energize a common defense.” The attendees came from across the industry and the security ecosystem. I found the hallway track(s) exceptionally valuable and especially enjoyed the discussion and presentations on cloud computing security. I presented on ICASI, and gave a behind the scenes look at its goals, formation, and current state. Microsoft, along with Cisco, IBM, Intel, and Juniper formed ICASI in 2008 to drive excellence and innovation in security response and to promote effective industry collaboration to address the rising tide of multi-vendor security issues.

Also in January, I volunteered (and was accepted J) to be the Program Chair for the 2010 conference organized by the Forum for Incident Response and Security Teams (FIRST). I’m a relative newcomer to the FIRST family and realize I have a fair amount to learn – the education starts at the next Steering Committee meeting in Miami and continues at the FIRST 2009 conference this June in Kyoto. I am very pleased by the warm reception and the opportunities this group has to influence and drive positive ecosystem change.

I also took on a new role within TwC Security in January. I handed over responsibility for the monthly security update releases to Mike Reavey in order to better focus on understanding and addressing emerging security threats. The new job is completely different, yet very much still the same. You’ll continue to see me at conferences around the world, I’ll continue to be active in the industry and ecosystem and I’ll continue to promote dialog about the changing threat landscape and what Microsoft can and should do to strengthen Community Based Defense.

-Andrew

What is SCPcert?

msrcecostrat — Fri, 19 Sep 2008 19:02:00 GMT

Handle:
Zot

IRL:
Zot O'Connor

Rank:
Program Manager 2

Likes:
Taking on the enemy with partners, Automating processes, good scotch and bourbon

Dislikes:
Poor reporting, FUD, miscreants, dangling participles

Well it’s been a busy week at GOVCERT.NL Symposium 2008. I thank the wonderful people at GovCERT.nl for creating an amazing event. I ate many Dutch delicacies, attended several good talks, and have decided that Nicholas Witchell should moderate and host all conferences, security or not (his sense of humor and ability to speak on topic is refreshing). More importantly, I talked to and listened to over 15 different CERTs and Guidance Providers (GPs).

This brings me to the core of this blog post: SCPcert. I work with several CERTs and GPs closely, but the reality is I can only handle 10-20 relationships before my time is maxed and the relationships weaken. Also, many of these relationships are based on a personal connections made during events or chance meetings, rather than purposeful or strategic efforts. While these relationships have proven extremely valuable, they are difficult to scale. Given that there are 200+ CERTs in the world, clearly we have an opportunity to do better.

We have faced this problem in the past with AV vendors, ISPs and governments. For each of those sectors we created programs: VIA for AV vendors, GIAIS for ISPs and SCP for governments. We placed all of these programs under an umbrella program called the Microsoft Security Response Alliance (MSRA). It was clear that we needed a MSRA program for CERTs. However, the problem with CERTs is that no two CERTs are alike, and the first step to a successful program is clearly defining the membership criteria. Therefore I identified a subset of CERTs we could build a program around: National and Regional CERTs. Once I did that, it was clear the SCP program was closely in line with these CERTs (in fact many of these CERTs are represented in SCP already). Thus we named the new program SCPcert.

We defined "National CERTs" as a CERT that is either part of the government, or are widely recognized as representing a country, region, or a clear population (as recognized by the government, population, or other CERTs). Therefore we have a defined group to target and a successful program to leverage so we can expand quickly and recruit new members. We are doing this with no real increased cost, and with scalability and, most importantly, durability. By durability, I mean we can survive all forms of change, good and bad. For example, the MSRA program has existed for over 10 years, and during that time the threats increased in their complexity and nature, the focus of information flows has been on new goals, and while some of the faces are the same, there are more new faces every year. During all of these changes the program has survived and improved, and we want the same for SCPcert.

So what does SCPcert offer members?

o Secured web portal
o Microsoft Security alerts
o Advisories
o Monthly Security Briefings
o Quarterly speaker series
o Monthly Newsletter with detailed analysis of security metrics and articles
o Invitation to the annual MSRA summit

This is good, but what can SCPcert offer members in the future? Previously we have had some great ideas for CERTs, but the stumbling block has always been "we need 20 CERTs who do the following..." The reason is a simple cost to benefit problem. For example, we might be able to manually parse a large data set for 1 or 2 CERTs, and that might be acceptable for a one-time event, but to do it for 4-5 Certs starts to have a high cost for potentially diminishing returns. Instead, if we spend even more resources, but we can build a process that does it for 20-30 CERTs (or more) and that process is repeatable and automated, we can justify the resource cost.

This works in the other direction too. CERTs often have good data to share with us. To manually process one or two feeds of the same data can be time well spent, but again, at 4-5 feeds the returns diminish but the resource cost stays the same per feed. By working with the CERTs, we can standardize the feeds and work to absorb, process, and analyze larger amounts of real-world data. This not only gives us “more data” it can give us sources from more diverse geographic areas and market segments. This in turn may allow us to see trends that might otherwise be lost in the aggregate of global sources. This has assisted us during events to identify regions or markets that are being affected greatly, while the overall world view shows little impact. This allowed us to focus support and response efforts on the affected regions.

Over the next year as we expand SCPcert, we will have that list of 20 or more CERTs for each good idea, and we can expand the information flows, and strive to protect our customers in new and better ways.

How do you join? Email msra@microsoft.com with the following:

• Name of your CERT organization
• Business contact details
• Nature of the organization
• Whom the CERT represents

We look forward to working with our friends at the various CERTs around the world! You can look for us at other major CERT events in the coming year, including APCERT, AusCERT and FIRST.

Zot O’Connor

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Why CERTs are Important to the MSRC

msrcecostrat — Tue, 16 Sep 2008 11:06:00 GMT

As I am traveling in Europe, about to attend the GOVCERT.NL Symposium 2008, I wanted to explain how we work with Guidance Providers (CERTs and similar groups) and why we consider them one of the most important segments in the ecosystem.

One of the problems facing our customers is that the MSRC is not the only communication channel. Often during an event or issue customers hear from many different players: researchers, vendors, other customers, press, governments, and of course CERTs. Our goal is to help the customer understand the issue and know what action, if any, they can or should take. So we work with all of these segments but often the message can get confused due to a lack of understanding, wording, and a, let’s call it, “desire for drama.” CERTs are unique in that they interact with most of the same players that we do, and they are typically focused on providing the best protections for their stakeholders. This means CERTs have influence in the same segments we work with.

In the past we found ourselves at odds with some CERTs' messaging during events which only serves to confuse the customer, regardless of “who is right” (and often there is no one way to be “right”). Later, by building relationships, we have found that most of the time (if not all) the CERTs either did not understand the issues as we did, or, just as likely, we did not understand the issue as they did. By working with the CERTs we can help minimize the false conflict and confusion delivered to our customers. In order to do that we must step up and offer a channel to the CERTs where they can ask about the nuances and variations of an issue and we can listen. CERTs supply us with critical information about attacks, samples of exploits, and real world experience from their stakeholders. Some of the best value CERTs can offer us is a sanity check on what the customers are seeing, feeling and expecting.

So this week I am not just learning from the presentations and conversations, I am meeting with as many CERTs as I can. This is a great conference and people come, not just from Europe, but around the world. I am here to talk about the MSRC and what we do, but more importantly, I am hear to listen to what the CERTs are doing, what they are seeing, and what they expect from us.

- Zot O'Connor

*Postings are provided "AS IS" with no warranties, and confers no rights.*