MSRC Ecosystem Strategy Team : Community-based Defense

Ahn-young-ha-seh-yo & Kon-ni-chi-wa

msrcecostrat — Mon, 23 Nov 2009 16:07:00 GMT

Handle:
Cap'n Steve

IRL:
Steve Adegbite

Rank:
Senior Security Program Manager Lead

Likes:
Reverse Engineering an obscene amount of code and ripping it up on a snowboard

Dislikes:
Not much but if you hear me growl…run

Hi! It's been a while since I've had a chance to blog about all the things we have been doing here. As travelling around to various security events is a big part of our mantra, I’ve been to Tokyo Japan for PacSec and Seoul, South Korea for POC 2009. Both were great conferences and had great security talks.

PacSec had a lot of the Japanese security scene in attendance (the local powerhouses are pretty sharp and savvy) along with international researchers and past BlueHat speakers, Charlie Miller and Alex Stamos. Take a minute to check out archived presentations from our own Tony Lee introducing the SIRv7 and Jason Shirk discussing fuzzing strategies. But the biggest interest concerned mobile code threats such as malware and how the perimeter defenses are fading away as a viable protection. This seems to be a hot topic everywhere, so hot that the just wrapped-up BlueHat v9 con had an entire track dedicated to mobile security, and in June 2010, at the annual FIRST Conference, how the perimeter defenses are fading away will be the theme for the whole conference.

It’s a cyclic state when it comes to the effectiveness of protections. I remember back in the 80s and 90s when the firewall was going to fix it all. But like everything in life, things evolve and the firewall became a part of a complex mesh of other technologies created to evolve with the threats.

This cyclic and evolving process is something we know a lot about here in Microsoft. The continued security evolution built the MSRC process and the Security Development Lifecycle (SDL). This is how we had to react to threats.

Visiting POC 2009 and PacSec, I got more of a sense of how people outside Microsoft evolve and react; most created either more complex processes or bought more technologies. As I was sitting at POC 2009 watching the presentations, I saw the same theme here as well. It seems that with the evolution of threats, security people everywhere are throwing up more complex processes and technologies. But what happens when the complexity we have created outstrips the problem? I can see that we are always going to have the technological challenges of new threats.

For instance, Conficker, a new threat that helped every security professional evolve due to the complex nature of the threat. However, something else happened with Conficker that really turned on a light in my head. Conficker took advantage of old threats and long-standing security best practices. The fact that Conficker used these old threats and was still widely successful in exploiting our complex processes and technologies is interesting.

I couldn't help asking myself this question, could it be that due to our complexity that we have failed to take into account past experiences? I don’t think so. I think what we may have done is forgotten one or two primary focus security factors. Those factors are “people” and “process”. People management for security is a key tenet of any type of security plan. This fact has been proven everywhere and in every topic including computer security.

If your plan does not take into account an understanding of the human factor and what it means to your security process, you are missing an important point. Understanding the “people” factor will help you in the next important part of the security plan, which is the process part.

Sitting down at PacSec and POC 2009, I see that we have a firm grip on the technological-advancement front. The presentations at both conferences were excellent technically and on the cusp of new developments. But I still believe that a more focused approach on the “people” factor of computer security would do more to enhance the security than technology advancements will.

Here at Microsoft we are looking in that direction as we look at the technological enhancements coming to the continent of Africa. Here is a place where we will have the chance to stress a focus on the ”people” aspect while building up the processes to take advantage of the new technologies afforded the populace. Hopefully you’ll be seeing more of this model in future posts from me as this new initiative develops. But for now make sure to look at the “people” factor as you create, modify or react to problems in the security landscape. It may surprise you what fresh new perspectives and solutions it gives you.

- -Steve

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Announcing BlueHat v9: Through the Looking Glass

msrcecostrat — Mon, 14 Sep 2009 09:14:00 GMT

BlueHat v9 will take place from October 21 to 23 at the Microsoft campus in Redmond. Last year, we experimented with a day dedicated to attacks and a day dedicated to SDL security mitigations. This year, we will give you the best content out there… we are interweaving talks from internal and external security subject matter experts with themes related to e-crime, mobile security, cloud computing, and fuzzing.

Handle:
C-Lizzle

IRL:
Celene Temkin

Rank:
Program Manager 2 & BlueHat Project Manager

Likes:
Culinary warfare, BlueHat hackers and responsible disclosure

Dislikes:
Acts of hubris, MySpace, orange mocha Frappaccinos!

We kick it off with the BlueHat Executive Sessions on October 21 with condensed versions of the presentations delivered in a deeply technical "Cliff Notes" style. October 22 and 23 are filled with BlueHat General Sessions for our Microsoft IT pro and developer population.

As a refresher, this conference is primarily about educating our own Microsoft population so we can better understand how to build more secure products. The more we know about the security ecosystem, the more we at Microsoft can truly comprehend and assess our own security reality.

We were able to record talks and deliver them to the masses on the Web for BlueHat v8 -- we'll continue this momentum and keep the "technical equivalent of those free online courses from MIT" coming for all attendees. You can also count on the usual speaker video podcasts, anecdotes, archives, and new to BlueHat v9, the first BlueHat Training Video examining Office Binary File Formats, content provided by our benevolent counterparts on the MSRC Engineering Team.

As always, I’m incredibly excited to see the amazing security education, partnerships, and networking opportunities that come out of our community-based defense platform. Like Alice going through the looking glass to get to Wonderland, we have to change our perspective to understand the threat landscape. Should Alice want to send a message back to Bob in the real world, it’s up to all of us to keep Eve out of the conversation. ;-)

Here’s a brief overview of the talks and speakers. Full details will be available on the BlueHat web site within the week.

October 22, 2009

Morning Block: Hyper Reality: Who’s Been Painting My Roses Red?

Tumble down the rabbit hole with us as we kick off the BlueHat v9 General Sessions examining e-crime motivation, attacks, and how to navigate through the mounting social engineering aspect of security coverage. We kick off with Jose Nazario taking a deep dive into DDoS attacks and their growing role as an online political weapon in Politically Motivated Denial of Service Attacks. Next up, Adobe’s Peleus Uhley and our own Jesse Collins will scrutinize the great power and responsibility that comes along with those flashy Web applications in RIA Security: Real-World Lessons from Flash and Silverlight. We then wrap up the morning *Cheshire Cat grin* exploring a little flaw by the name of ATL in The Language of Trust: Exploiting Trust Relationships in Active Content, by Ryan Smith, Mark Dowd and David Dewey.

Afternoon Block: Mobile (in)Security: Curiouser and Curiouser

As more people onboard themselves to smart mobile devices our wonderland certainly has gotten curiouser and curiouser. Take a ride with us as Luis Miras and Zane Lackey uncover Attacking SMS and show us how easy it is to be a victim when there is hardly any user interaction needed to fall prey to attack. Next up, our own Josh Lackey will serve some of the teacups of goodness and tell us what is on the horizon with Mobile Security and Software Radio. Charlie Miller will then show us how to stand on our heads and use automated fuzzing on the iPhone and outline the vuln he found as well as how to exploit it in iPhone SMS Hacking with a Touch About Payloads. Last, we will hear from Patrick McCanna of AT&T Security as he gives us an overview of security threats that face mobile operators in Mobile Operator Security: Security Challenges for Global Networks for Pocket-sized Devices.

October 23, 2009

Morning Block: Cloud Services & Virtualization: Up Above the World You Fly, Like a Tea Tray in the Sky…

Kicking off day 2, we find ourselves up in the clouds, quite literally. In Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure, Chris Hoff of Cisco takes us on a journey where we learn some really scary things happening with the massive convergence of virtualization and cloud computing and their effect on security models and the information they are designed to protect. Our own Mad Hatter, John Walton, will walk us through advantages and challenges within the Microsoft Software-plus-Services model in Get Your Head Out of the Clouds: Security in Software-plus-Services. Flying up even further, Robert Fly takes on a journey highlighting unique aspects of building enterprise-ready cloud services and how to avoid the torrential rainfall of unforeseen problems in Creating Clouds: Avoiding Rain In The Transition From On-Premise To Services. We then wind up the afternoon with past BlueHat speakers Billy Rios and Nitesh Dhanjani engaging us in new discussions on the security implications and magic mushrooms that are likely to effect the cloud platforms and their clients in the near future in Sharing the Cloud with Your Enemy.

Afternoon Block: Fuzzing Tools & Mitigations: Chasing the White Rabbit

As we end our adventure through the looking glass, our Google friends Tavis Ormandy and Neel Mehta will paint a picture on how their technique of sub-instruction profiling uncovered multiple vulnerabilities in Windows. Next up, we get to take a peek Under the Kimono of Office Security Engineering with our own Tom Gallagher and Dave Conger as they show us a framework built by the Office team to efficiently fuzz any file format parser. The final session before hearing from our guests in the security community amongst the ill-fated gong of our lighting talks will be Chris Webers’ Character Transformations: Finding Hidden Vulnerabilities. This talk will cover ways which latent character and string handling can transform clever inputs into malicious outputs in cross-site scripting.

We will continue to update the BlueHat blog and the TechNet site to keep you current on the happenings during and around the conference. See you in Wonderland!

-Celene

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Threat Complexity Requires New Levels of Collaboration

msrcecostrat — Mon, 27 Jul 2009 22:43:00 GMT

When complex security issues that affect multiple vendors arise, calling them “challenging” is an understatement. We created the Microsoft Vulnerability Research Program (MSVR) to meet those challenges, learn from those experiences and strengthen the ties of our community of defenders across the industry in the process. As the state of software security matures beyond straightforward issues such as buffer overflows and elevation of privilege, we are working diligently towards a new level of cross-industry collaboration on a scale never seen before. We must do so in order to provide our mutual customers with the best possible experience on our platform.

Handle:
StoneZ

IRL:
Adrian Stone

Rank:
Senior Security Program Manager Lead

Likes:
Predictive Analytics, Game Theory, Databases, Sports Cars, NFL Football, Direct People

Dislikes:
Losing, Liars, Posers, No Talent Clowns

Handle:
k8e

IRL:
Katie Moussouris

Rank:
Senior Security Program Manager

Likes:
Cool vulns (responsibly disclosed of course), girls with soldering irons, Spanish tapas, quantum teleportation

Dislikes:
Rudeness, socks-n-sandals, licorice

The recent Active Template Library (ATL) issue required us to find a new and more collaborative manner to respond to the developing threats as more information about the vulnerability details became public. MSVR was at the heart of the response and coordination, along with MSRC, to find a solution. As MSRC focused on what it does regularly, which is driving change within Microsoft, MSVR kicked into high gear to coordinate and assist as many third-party affected vendors as possible to help resolve an industry-wide issue.

Several firsts and questions had to be met head-on by our relatively young MSVR program now celebrating its first birthday.

· How do we maintain and respect the overarching tenets of Responsible Disclosure while sharing the issue outside of Microsoft?

· How do we communicate openly and directly with multiple impacted parties while not putting customers at risk by a potential broad disclosure prior to the availability of mitigation?

· How do we translate an issue that we came to understand very well to third parties that may not have the same technical history or security response methodologies and practices that we do?

· Can we coordinate across the industry so that everyone is moving to the same goal of addressing the problem, despite differing development practices and engineering requirement timelines?

The talented security researchers that reported the issue to Microsoft had done so in a responsible manner with the goal of improving the ecosystem and helping us protect our customers. At the same time, it became clear to us that this was an industry-wide problem and that the best way to secure the ecosystem was to notify affected vendors while engineering efforts were underway here in Redmond. Microsoft is a supporter of Responsible Disclosure, which aims to allow affected vendors to understand and try to resolve their respective issues before discussing the details of the issue publicly. In this instance, MSVR’s actions demonstrated a variety of responsible disclosure recently dubbed "partial disclosure," when we alerted third-party vendors who we believed had controls compiled with our vulnerable ATL headers. In the past year of MSVR operations, we have acted in the Responsible Disclosure roles of Finder and Coordinator. The ATL issue required us to act in both of those roles, plus in the role of affected Vendor.

While we knew we had to disclose technical details to a broad group, the clock was also ticking as we began to see more and more details about this issue being discussed and discovered in the security community. The original security researchers that reported the issue to us worked with us diligently and patiently to continue acting responsibly with their understanding of the problem, while we began developing a process and technical tools to analyze our controls and look for a solution. At the same time, we began the process of identifying and analyzing the controls that are most commonly deployed but were developed by other vendors. It is at this point we felt that we had a viable way to individually engage as many of these affected vendors as possible to discuss the impact of the issue as it relates to their potentially vulnerable controls.

Due to their potential scope, library-related vulnerabilities can often stir uncertainty and concern in the industry, so we focused our efforts to understand the true depth and breadth of the impact. Our analysis indicated that the vast majority of controls that would impact our users could be addressed by a few key vendors in the ecosystem. With this in mind, MSVR reached out to vendors who had the broadest footprint in the ecosystem that we believed were affected by the issue. We also felt confident that the defense-in-depth engineering solutions being worked on here at Microsoft would help provide a safeguard against attacks and allow other vendors more time to modify and recompile their own controls.

Overall, our goals and objectives were straightforward, if not exactly effortless, and required us to also leverage many of the key lessons learned by the MSRC over the years. After we distilled the actions and goals down to their most elemental levels, it became clear we had to move quickly on several fronts, including:

· Coming up with our own defense-in-depth solution to help protect customers and mitigate the threat.

· Taking steps to identify quickly the affected third-party vendors who we thought had the broadest impact on our platform.

· Finding the right security contacts at the vendors who met those criteria.

· Packaging and disseminating the vulnerability information to them securely.

Our goals in doing so were to:

· Alert as many of the community of vendors who have affected controls as possible that there was an issue with ATL.

· Provide the third-party vendors with technical details necessary to perform the broad analysis of all of their controls to look for the vulnerability in their products.

· Support the third-party vendors in their analysis, answering their questions, and clarifying the issue when necessary.

· Coordinate with the major affected third parties in both the release of the updates, as well as with guidance for our mutual customers.

We learned a lot during this process. After all, evolution requires change in the way we think and in the way we act, which leads to growth. We will incorporate these lessons into MSVR processes moving forward. We have formed stronger relationships across organizations that MSVR has worked with on other issues in the past, and we have forged many new bonds with security teams across company boundaries. Overall, we are very pleased with the positive industry response, and we salute our counterparts in the security organizations of all the third-party vendors we have worked with during this historic collaboration, including but not limited to Adobe and Sun. We are also incredibly thankful and appreciative of Ryan Smith and David Dewey, the original security researchers that reported the issue to us responsibly, as it was a multidimensional challenge that required significant patience and understanding on their part as we determined how to best address the problem.

As we move forward toward the next challenges on the security horizon, we can anticipate deeper integration among the community of defenders, whether they work for Microsoft or a third-party vendor, whether they are security researchers or are members of a CERT – we can expect more collaboration. After all, progress towards securing our platform, as has been made with our own SDL, will naturally lead to attacks being more complex, more dependent on how applications interact with each other and with the underlying operating system, and therefore will require us all to look past our company logos and focus on that threat horizon.

I’m Adrian Stone, who ran the ATL coordination and is the new driver of the MSVR program since July 1, and I’m Katie Moussouris, founder of the MSVR program, and together with the security community, we look forward to advancing community-based defense and helping to usher in this new age of collaborative security for the good of all our customers.

Community Based Defense - Redux

msrcecostrat — Mon, 27 Jul 2009 11:18:00 GMT

Handle:
The Crushman

IRL:
Andrew Cushman

Rank:
Security Director

Likes:
Cranberry juice (thanks Jay!)

Dislikes:
Super helpful hotel desk clerks (thanks Raoul?)

OMG it’s great to be back in Vegas again – the shows, the shopping, the nightlife, and let’s not forget the talks at Black Hat, the old and new friends, the excitement and the drama. I can hardly wait to see what develops this year!

Last year at Black Hat, the Microsoft Security Response Center announced three new programs – Microsoft Active Protections Programs (MAPP), Microsoft Vulnerability Research (MSVR), and Microsoft Exploitability Index. I was honestly a bit nervous about how the programs would be received. Would the community ridicule them (and us)? Were the programs as solid as we thought they were? Would they stand the test of time? And most importantly, would they help advance community-based defense?

It’s a year later and I’m happy to report that the programs were not only well received, but have proven to be effective, accurate, and continue to deliver results. MAPP is changing the balance between attacker and defender, MSVR is raising the security of the overall ecosystem, and the Exploitability Index continues to provide customers with accurate, easy to understand, and actionable guidance. Today, MSRC published a report card – “Building a Safer, More Trusted Internet through Information Sharing” – that both summarizes these results and provides specifics around goals achieved. Read all about it here.

Today at Black Hat, MSRC also released a new set of tools and guidance aimed at continuing to advance community-based defense and simplify customers’ management of the risk environment.

First up, the Microsoft Security Update Guide - a one stop shop of information on Microsoft’s Patch Tuesday, including what information we release, best practices, and a framework to help make the complex patch management landscape more clear. It’s available for free download here.

On the tooling front, the MSRC Engineering team (owners of and contributors to the SRD blog) released the Microsoft Office Visualization Tool. Available for free download here, the new tool lowers the barrier to understanding the Office binary file format by allowing IT professionals, security researchers, and malware protection vendors to deconstruct .doc-, .xls- and .ppt-based targeted attacks.

Lastly, we’re pleased to point to the latest updates from Project Quant, a cost model program for patch management response collaboratively lead by Rich Mogulll (Securosis) and Jeff Jones (Microsoft). With the new information released today – Project Quant Report 1.0, Model Spreadsheet 1.0, and the Survey Report – the community is better able to improve their update practices by addressing many of the challenges organizations face optimizing their systems and maintaining security while striving to keeping costs down.

Black Hat is an exciting time and I’m thrilled to showcase the impact and continued progress of MSRC – and even more so to demonstrate how Trustworthy Computing continues to evolve in response to the changes in the threat landscape, and truly helps protects customers through community-based defense and collaboration.

See you at Caesars!

Andrew

The year-end review – well, sort of :)

msrcecostrat — Mon, 27 Jul 2009 08:08:00 GMT

Hey!

It’s that time of year again for all of us to pack up and head out to the desert to reconnect, discuss, and plan for the future, or at least what we think will be the future of security. It’s hard to predict what the next year will bring as the security landscape is ever-changing. This is probably why most of us “grey beards” in the security industry mark the Black Hat/Defcon conferences as the de facto year in review/preview of the next year for the state of security. These conferences have defined a lot of security strategies for a number of people for years. But I digressJ; I started to talk about the year-end review for the security landscape.

Looking back over the year, I am pleased to see that we have executed nicely on a couple of strategies we put into place to change the security landscape. The ones I am talking about are the three programs listed below that we launched last year around this time.

I am going to talk about the first two programs as I have been working on both of them for a bit. MSVR has been worked by my colleague Adrian who will be blogging on MSVR in the near future. He will update you about all the exciting things they have been doing over there.

So let’s begin. I want to talk to you first about the Exploitability Index. Like I said, the one-year anniversary is right around the corner and we have been getting a lot of positive feedback from customers on this new program. Looking back, I am happy to see that out of the 140 ratings we provided so far that we only had to revise one rating. The one rating we did change went from a high severity to a lower one (1 to 3).

Let me give some of our reasons for this. We are extremely cautious when we rate things and when in doubt, will tend to go with the higher rating. We want to make sure that those who are using our ratings are protected against exploitation. This is kind of like putting a deadbolt lock on your door even though you live right next to the police station – I would rather be safe than sorry. However, we are always looking for ways to improve our ratings, and we tend to seek out the critical areas where we can or need to improve.

There is no better place, in our mind, to get good feedback than from the security ecosystem. So we were extremely happy when iDefense took up the charge to review our Exploitability Index ratings for the first 120 days. I am sure you are thinking, "Is 120 days really enough time?" Well, it definitely gave a decent snapshot into how the program is progressing. I think it’s also a good timeframe for catching early process deficiencies and other issues. So let me highlight a few things that were discovered during the iDefense review.

Overall assessment: iDefense concluded that the Microsoft Exploitability Index was a step in the right direction. They felt that the Index provides clear value to customers in providing more risk mitigation information. iDefense also felt that it helps system administrators with the prioritization of their system-updating efforts, because with the Index, they can use another piece of information to help set their update schedule.

Out of the fifty-seven vulnerabilities reviewed by iDefense, they considered that only fourteen should have been rated differently. This is a ~75% percent similarity between their analyses and our own.

As with all early efforts, they did find some areas where they had suggestions for improvement. One area is with the rating differences mentioned above. We will be reviewing the reasons for the differences and will be looking at our present process to take their suggestions into account. Check out the full report here.

Now let’s talk about the Microsoft Active Protections Program, or as we call it in the hallways of building 27, “MAPP”. The MAPP program goals were to find a way to shorten the attack window for consumers. We wanted to be able provide enough “just in time” technical information on the vulnerabilities that we were updating every month to help defenders provide software protections faster. It didn’t make sense in our eyes to have verified defenders in the same boat as malicious attackers trying to understand and reverse-engineer our updates to build defenses for our mutual customers.

I am glad to say that we have exceeded our goal. In the program to date, we have 47 companies from around the world, with new partners added in Central and South America, Europe, Middle East, Africa, India, South East Asia, China, Korea, Japan, Australia, and New Zealand. This partner network global reach represents software protections that cover a range from tens of thousands to hundreds of millions of consumers. That is nothing to sneeze at! J It doesn’t stop there; we will continue to add more partners to ensure that we arm the defenders with information they need to protect you, our mutual customers. We have some more proof points on how we are shrinking that attack window, but don’t take my word for it, check out the testimonials from the MAPP members themselves in the year-end progress report from MSRC here.

Well, that’s it. Don’t forget to check out the iDefense paper located here and the MAPP paper here. And keep an eye on www.microsoft.com/twc/blogs for more Black Hat blogs from the front lines.

Til next time….

Steve

Black Hat USA: Hoping what happens in Vegas doesn’t actually stay in Vegas…

msrcecostrat — Wed, 22 Jul 2009 19:27:56 GMT

Handle:
Security Blanki

IRL:
Sarah Blankinship

Rank:
Senior Security Strategist Lead

Likes:
Vuln wrangling, teams of rivals, global climate change - the hotter the better

Dislikes:
Slack jawed gawkers (girls are geeks too!), customers @ risk, egos

This week our team is preparing to travel to Black Hat USA in Las Vegas Nevada, a hotspot (literally and figuratively), and one of the largest gatherings of security professionals in the world. Black Hat brings together diverse security communities to discuss, debate, deploy, and disseminate security information. It is a week of breaking bread with our friends and rivals, learning from others around the world and bridging the roles of researcher and vendor to raise our security awareness.

Within Microsoft, we have a community of security defenders.

Our internal community also discusses, debates, deploys, and disseminates security information. We don’t always agree; our perspectives and backgrounds are as diverse as the world we live in. We strive to understand and mitigate flaws in our own products and platforms, and also responsibly research vulnerabilities in third-party software most commonly used by Windows customers. We focus on many different areas, working on not only improving the security of Windows, but of the entire Windows ecosystem.

For me, security is more than a mindset or an end state, it is a mission. Security is a theme that has the power to unite organizations and individuals across teams across geographic and company boundaries. Within this mission, I, along with our internal community, strive to help ‘secure our planet’ by building bridges and creating opportunities for technical information exchange.

As we look to meeting with our security comrades from around the world in Vegas, we thought it would be interesting to highlight the perspectives and backgrounds of individuals within our internal security community of defenders and present them in short videos to be rolled out over the next week.

The Microsoft security community folks profiled answered two questions:

How did we become involved in security at Microsoft?

What changes have we seen at Microsoft security over the years?

As our challenges have evolved and become a great deal more complex, our collective communities must also rise to the occasion, evolving our security awareness and response. From our security community to yours, we hope you enjoy learning a little bit more about us as we work to understand more about you all.

And remember, in this digital age, what happens in Vegas doesn’t actually stay in Vegas. ;-)

Stay Secure!
Sarah

P.S.: Check out our new Trustworthy Computing blog aggregator! (http://www.microsoft.com/mscorp/twc/blogs/default.mspx) This handy aggregator is a one-stop TwC resource for security and privacy blogging news at Microsoft. Add it to your RSS feeds to stay up to date on security updates, privacy, malware response, security science news and more.

*Postings are provided "AS IS" with no warranties, and confers no rights.*

心の会合: The Gathering

msrcecostrat — Fri, 17 Jul 2009 15:00:00 GMT

Konnichiwa!

I guess you are wondering why I said hello in Japanese. I have just recently returned from attending the 21^st Forum of Incident Handling and Security Teams (FIRST) annual conference hosted in the awesome city of Kyoto in Japan. The city of Kyoto is beautiful. I was amazed at all the interesting palaces and temples located right in the middle of a modern city. It was truly awesome. What was even more awesome was the 21^st FIRST Annual Conference. You have heard us here at Microsoft talk a lot lately about community-based defense initiatives. These initiatives drive the security ecosystem to work in a coordinated fashion to address security issues. This works best by creating a community that is built on trust and common goals. The common goal here is to build coordinated defense from attacks. FIRST is one such trusted, security-focused community. This is one reason why Microsoft supports their efforts. As a community of incident and security response teams, FIRST provides a trusted network to share information and provide coordination efforts that is all member-driven.

Most members work for larger companies but their efforts in the FIRST organization are at times above and beyond the duties of their jobs. FIRST relies on its member community to do a lot of work since it is a not-for-profit organization. The conferences are no different. This year the Japanese local teams of FIRST had the task of assisting the conference organizers set things up. Let me say they did an excellent job. It was surreal from the banquet to the mixer session; it was, in a word, “exquisite.” I personally loved the entertainment by a troupe of local taiko drummers. Check them out here.

It wasn’t all fun and games, though some of it was. Check out the picture above. As you can see, we got the rare chance to interact with the potential future security community thanks to Ziv Mador, a Microsoft security professional from the Microsoft Malware Protection Center (MMPC) group, who brought his family along to the conference. Thanks to Eyal and Ofer Mador who provided us a wonderful chance to show them how cool security professionals can be.

Back to business. As a member of the Steering Committee (SC), we meet year round. However, we usually conduct most annual business at the conference. That business can range from giving status updates on projects to providing the organization’s financial numbers. We also hold elections for the committee when an SC member’s term is up. This year, we elected two new members to the SC, joining the three current members of the committee.

Speaking of elections, I am glad that Microsoft views our participation in FIRST as a key thing. This is extremely good, as it seems I will be spending a fair bit more time working on the FIRST Steering Committee and Board of Directors. At this annual general meeting (AGM), I was elected to be the Chairman of the Steering Committee and President of the Board of Directors for FIRST. I look forward to stepping into these roles to help steer the organization toward its goals.

The conference tracks presented were great and focused on relevant problems faced by incident handling teams, from network monitoring to malware analysis.

We also conducted meetings of special interest groups (SIG) to cover in-depth problems and issues faced by members in the same interest and focus areas. These sessions are really great because you get to meet like-minded peers who are facing the same problems you face. The Law Enforcement SIG and Network Monitoring SIG were well attended this year.

You have heard Andrew Cushman talk about “Hallway Tracks” as a way to label all connections and conversations taking place outside of the presented tracks. The hallway tracks at the conference were golden. The amount of focused security discussion I had out in the hallway will have me set for a month with action items.

Well, that’s it for now. But before I go I wanted to take the time to introduce a new member to the EcoStrat Team. I want to welcome Karl Hanmore to the team. He comes to us from Auscert with a strong CERT background. He will be with us in Vegas at Black Hat… so see ya there!

-Steve

*Postings are provided "AS IS" with no warranties, and confers no rights.*

A Brussels retrospective from Oahu

msrcecostrat — Fri, 12 Jun 2009 10:31:00 GMT

Aloha from the Shakacon III, a security conference held each year in lovely Honolulu, Hawaii! Although I’m currently in a different region of the world, talking with a completely different segment of the security ecosystem, I wanted to take a few moments to reflect on the BlueHat Security Forum EU event recently held in Brussels, Belgium.

Celene’s EcoStrat blog post highlighted the collaborative nature of the event and described the amazing content that was presented to the group of key EU security stakeholders. While to be a part of building a new platform for technical information exchange was a success in itself, we all have different priorities. In order to effect change, we must understand each other and work together, across technologies, organizations, and country boundaries. With the building of better collaboration in this community, we all have taken one more step in helping to secure the planet as a collective.

I’ve mentioned in a previous EcoStrat post that the EcoStrat team strives to build bridges and help folks get over them. The BlueHat Security Forum EU event was an example of bridge-building in action. It was rewarding to introduce representatives from governments, industry, and enterprises, as well as individual participants to each other. Prior to the BlueHat Security Forum, this particularly diverse group had never been in the same room discussing current security threat landscapes, understanding together the realities of securing critical national infrastructures and corporate networks alike.

With such a diverse collection of attendees, participants naturally had a wide-range of security priorities. Concerns ranged from targeted attacks to ID theft, defending Web applications and supply chains, developing and deploying secure coding practices to policy development, political concerns within and outside of the EU, and the list goes on.

Certainly the message that there is no one magic solution to security was delivered. There is still so much work to be done. It will take defense-in-depth, secure coding, securing third-party applications and proprietary applications; it will take technology and people. We all understand that security can be likened to an arms race; every innovation we make in security is met by a very sophisticated collective of global malicious actors. We must be vigilant together; we must work together.

Mahalo for reading and here’s to another step towards achieving community-based defense.

Sarah

Share this post :

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Announcing the BlueHat Security Forum: EU Edition

msrcecostrat — Tue, 02 Jun 2009 11:30:00 GMT

Hey folks! I know this is typically the time of year when birds are chirping, the rain is supposed to be letting up, and those of you in the BlueHat network who are normally invited to attend the Spring BlueHat conference are asking yourselves, "Why did MSRC start doing the con only once a year?" The answer, of course, is pretty simple and complicated at the same time. Today marks the beginning of the next evolution of the BlueHat Security Briefings, with the launch of the BlueHat Security Forum taking place at the Microsoft Executive Briefing Center in Brussels, Belgium.

Following the success of the BlueHat Security Briefings, entering its 9^th iteration this October 22-23 at the Microsoft campus in Redmond, the BlueHat Security Forum EU event is an invitation-only gathering and network of select government and enterprise decision-makers from throughout the European Union. Attendee country representation includes Austria, Belgium, Denmark, Finland, France, Germany, Italy, Norway, Sweden, Switzerland, and the UK. Today’s Forum gathering in Brussels features lively presentations on the latest developments in information security from Microsoft leaders and external security researcher luminaries.

The primary objective of the BlueHat Security Forum is to build bridges between our Microsoft Security Leadership team, key Enterprise security stakeholders, and members of the security research community. The secondary objective is to participate in candid, actionable, and constructive dialogue with key enterprise customers that will help Microsoft produce enterprise-ready, value-laden products and services. The BlueHat Security Forum planning team formulates discussion topics for these meetings based on current security hot topics, new research and trends.

Today's BlueHat Security Forum EU event agenda will address:

· E-crime attacks, the vulnerability economy and the global threat landscape

· Security in the cloud, DNS security, and the malware landscape

· Microsoft Security Response Center (MSRC) processes and integrating a Security Development Lifecycle (SDL)

And did I mention our stellar line up? J Presenters from Microsoft Trustworthy Computing include Andrew Cushman, Director of Trustworthy Computing Security; David Pollington, Director of Security, Europe; Vinny Gullotto, General Manager, Microsoft Malware Protection Center; Alex Lucas, Principal Security Development Lead; Mike Reavey, Director of MSRC; and from Global Foundation Services, Martin Rues, Director for Cloud Security, Microsoft & Scott Oxley, Lead Architect for Cloud Security, Microsoft. External presenters include Iftach Amit, Director, Security Research, Aladdin; Dragos Ruiu, CEO SecWest Conferences, Security Technology Specialist; Dan Kaminsky, Director of Penetration Testing, IOActive; and Scott Stender, Principal, iSEC Partners, Inc.

We are seeking to build upon the momentum of past events by showcasing how individual strategies can intersect to offer substantial benefits and positive-sum outcomes. As with the local BlueHat conference, we are looking to demystify global and regional security threats, and to create channels for productive information exchange on common threats between the security industry, governments and researchers. Future regional BlueHat Security Forums are planned for Asia in 2010 and LATAM in 2011.

Next up: save the date for BlueHat v9 this October 22-23 in Redmond. Stay tuned for more updates and information to come here and on the BlueHat Blog. Be sure to check out Iftach Ian Amit’s post also coinciding with the Forum, Getting a business degree as part of Security Research?

Bon chance!

Celene

Share this post :

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Chills and Thrills at FIRST

msrcecostrat — Wed, 11 Feb 2009 09:00:00 GMT

Sveika! Hey Steve here, been a while since I posted on the EcoStrat blog. With all the security events that happened during the latter half of 2008, I have been very focused on working with the security update releases and Microsoft Active Protections Program (MAPP).

You are probably wondering what an EcoStrat guy has to do with security updates and other technical deliverables. Well, I want to take a moment to explain why this makes sense. Before taking on the role of working with the monthly security release team and the MAPP program team, I primarily worked with the partner outreach team, managing ecosystem changes through industry partnerships. The partner outreach team’s goals/focus, within the scope of the EcoStrat team, is to work with industry to establish partnerships and initiatives to protect consumers. One of the most visible results is the MAPP initiative. This is a program that works with the security industry ecosystem to create an effective conduit for inbound and outbound information flow.

This was a large effort to affect ecosystem change externally, but what about internally? Microsoft is a large company that has an interesting culture and ecosystem of its own with developers, technology evangelists, security engineers, program managers, marketers, etc...

It became very clear that external ecosystem changes weren’t going to be enough without an effort focused on internal ecosystem changes as well. We needed a number of ways to effectively drive internal change with information we were getting from the external ecosystem while still following one of our core tenets to focus primarily on efforts that protect customers. One way we can do that is by releasing monthly security updates. Within the Microsoft Security Response Center (MSRC), we have an exceptional security release team that manages this large and complex effort. The team’s main focus is to make sure quality security updates are delivered to customers in a consistent manner. We noticed that a way to accomplish this was to become what we call “change agents.” Change agents influence change on a large scale most of the time without the formal authority to do so. This made sense as the release team manages the monthly release via a process that doesn’t have them building/owning any binary packages for release. They effectively were driving ecosystem changes just internally. So it made sense to have someone bridge both the internal and external sides of ecosystem change efforts.

So I’m grateful, and excited, to be in a position to work on both sides of the coin to effect change. And, I get to work with folks currently managing MAPP and the security release every month to help make these changes possible. Their good work also makes it possible for me leave Redmond and engage directly with the community in crucial industry events. Just recently, I had the chance to jump back into my partner outreach role within the EcoStrat team and had the chance to travel.

I am starting to really understand the need to be multicultural in the job we do here on the EcoStrat team. Many times it’s the cultural differences that sometime make or break the security messages we are trying to get across. This is one reason why this team travels a lot to target every place that Microsoft technologies are prevalent. It’s also the number one reason why I pick myself up and out of the day-to-day operations to understand these differences.

Last month, I got to put back on my FIRST Steering committee hat, and I traveled to the beautiful but cold city of Riga, Latvia. The FIRST Steering Committee has four meetings a year to get work done for its members. We usually use the technical colloquiums (TC) as good times to get together and partake in the great “watering hole” activities described in Andrew Cushman’s last blog.

The TC is organized by a local host. The local host for this one was Trans-European Research and Education Network Association (TERENA) computer security incident response team (TF-CSIRT). TERENA is an organization that focuses on offering a forum to collaborate, innovate and share knowledge in order to foster the development of internet technology, infrastructure and services for the research and education communities. They present and train at the TC server to educate security teams, highlighting new techniques to deal with relevant computer security issues. Usually I get to just sit back and enjoy the presentations but his time was a little different. The majority of the presentations were centered on the latest Conficker worm. Not familiar to you? Well, cruise on down to the following Microsoft Conficker page and relevant posts on the MSRC and MMPC blogs.

Being the lone Microsoft guy and a member of the Steering Committee was very interesting to say the least. After this conference, I personally know almost every European CERT or CSIRT contact after fielding some good and frank questions about Conficker.

Like I said, I spent most of the day fielding questions about Conficker and Microsoft’s actions to help security teams in their effort to protect consumers from this threat. Microsoft has a robust process when it comes to our response to issues so I was well prepared with information that went above and beyond the out-of-band security update that was released for this issue back in October (MS08-067)

Although the frank questioning felt like on-the-spot cavity cleaning, I was extremely happy to have the chance to clear up some of the myths and give some actionable information to these important security stakeholders. It also allowed me to understand information that the MSRC usually doesn’t get a chance to receive first hand. Also, having a response guy from Microsoft at FIRST allowed the security teams to understand that we are taking the problem seriously. One internal ecosystem change that was supported came about from feedback from this trip. One clear feedback item was to make sure that we had a single authoritative source/place for Microsoft efforts on Conficker. This information added more key data points to indicate that the teams in Microsoft managing the Conficker efforts were doing the right thing in moving forward with creating a single place for outlining Conficker resources. This is just one example of using external information to aid in driving change to help the greater ecosystem at large.

My Trip wasn’t all fun J

There was the 3 ½ days worth of Steering Committee (SC) meeting to decide various organizational things. One major topic was the 2009 Annual FIRST conference (AGM) in Kyoto, Japan. The AGM gives us the opportunity to meet and share presentation on a number of security topics. The logistics of putting on a large conference are mind boggling in my opinion. I am glad to say, I will enjoy watching our own Andrew Cushman figure out some of these issues firsthand as he was named the 2010 Program chair for the 2010 Annual First conference.

I love the fact that Microsoft makes a point to work with the security community at large and truly values community-based defense. Our consistency and trusted relationships make it much easier to have the conversations at the proverbial “watering holes” to get messages across to the security ecosystem that we do care and take the job of securing customers at all level as our main priority.

Now that I am settling back into a groove, I look forward to heading out and doing more in my EcoStrat role. Stay tuned for more from me as I travel to CanSecWest and Black Hat Europe.

Later...

Steve “Capt Steve” Adegbite

Share this post :

*Posting is provided "AS IS" with no warranties, and confers no rights.*

Constants and Change

msrcecostrat — Tue, 03 Feb 2009 11:00:00 GMT

Microsoft has been talking about community-based defense for some time now. This week, I want to provide a personal dimension to the campaign, and give an update on recent activities. Curiously, as I started to write this post, a couple of phrases popped up, which despite being somewhat trite, seemed appropriate – "change is constant" and "the more things change the more they stay the same."

Handle:
The Crushman

IRL:
Andrew Cushman

Rank:
Security Director

Likes:
Cranberry juice (thanks Jay!)

Dislikes:
Super helpful hotel desk clerks (thanks Raoul?)

Over the last years my outreach efforts expanded beyond the security researcher part of the security ecosystem to include CERTs and other guidance providers, as well as security organizations and companies. My most recent past and future activities give a view.

Before we get into the trip report, though, I want to spend just a second on a couple of guiding principles and introduce some vocabulary.

I attend a lot of conferences around the world. A number of years ago, I started referring to them as “watering holes” – like watering holes security conferences are the places in the ecosystem that attract a diverse population focused on a common need. The most interesting conferences are the ones with the best “hallway track” – the ones that attract the most diverse and most interesting attendees also typically generate the most interesting hallway (or after hours) discussions.

My objective in attending conferences is twofold. I want to foster community support, help make connections between Microsoft and different parts of the ecosystem, and make bridging connections between parts of the ecosystem that might not otherwise mingle. Secondly, I want to stimulate conversation about shared problems, ensure attendees understand what Microsoft is doing and promote discussion about collaborative solutions.

In December, I was in Sao Paulo at the DISI 2008 – Dia Internacional de Segurança em Informática; an event co-hosted the Brazilian Army and FIESP – the Industry Federation of the State of Sao Paulo. This conference was interesting because of the community it brings together and the challenges unique to Brazil. I presented last year and delivered an embryonic call to action for community-based defense. I was very pleased to be able to return a year later and give an update that showed Microsoft’s progress. I pointed to programs like the Microsoft Active Protections Program (MAPP), the Industry Consortium for Advancement of Security on the Internet (ICASI), the Exploitability Index and Microsoft Vulnerability Research (MSVR) to demonstrate that we are walking the walk.

January found me in California at a Bay Area security confabulation whose theme was “Partnerships: finding ways to energize a common defense.” The attendees came from across the industry and the security ecosystem. I found the hallway track(s) exceptionally valuable and especially enjoyed the discussion and presentations on cloud computing security. I presented on ICASI, and gave a behind the scenes look at its goals, formation, and current state. Microsoft, along with Cisco, IBM, Intel, and Juniper formed ICASI in 2008 to drive excellence and innovation in security response and to promote effective industry collaboration to address the rising tide of multi-vendor security issues.

Also in January, I volunteered (and was accepted J) to be the Program Chair for the 2010 conference organized by the Forum for Incident Response and Security Teams (FIRST). I’m a relative newcomer to the FIRST family and realize I have a fair amount to learn – the education starts at the next Steering Committee meeting in Miami and continues at the FIRST 2009 conference this June in Kyoto. I am very pleased by the warm reception and the opportunities this group has to influence and drive positive ecosystem change.

I also took on a new role within TwC Security in January. I handed over responsibility for the monthly security update releases to Mike Reavey in order to better focus on understanding and addressing emerging security threats. The new job is completely different, yet very much still the same. You’ll continue to see me at conferences around the world, I’ll continue to be active in the industry and ecosystem and I’ll continue to promote dialog about the changing threat landscape and what Microsoft can and should do to strengthen Community Based Defense.

-Andrew

MS08-067: Example of Need for Increased Collaboration

msrcecostrat — Thu, 23 Oct 2008 17:05:00 GMT

You've probably heard that we released an out-of-band Security Bulletin for a vulnerability in Windows (MS08-067). By now you have probably also heard of the Microsoft Active Protections Program (MAPP). Let me take a moment to talk to you about how they worked in concert for this issue. As announced at Black Hat in August, prior to release of the monthly security updates, MAPP members receive technical details on vulnerabilities in order to speed the development of protections. Due to the unique threat from this vulnerability and because the issue was released out-of-band, we decided to not only share the information in advance but to also make our security engineers behind the SVRD Blog available for questions with MAPP partners.

During this meeting, we outlined technical details on this update and allowed for more in-depth questions on the information provided. We did this to ensure full understanding of the issue so that timely protections could be provided. We are happy to say it worked nicely, and that most MAPP partners had protections out shortly after the bulletin published and the rest should have their protection available by end of day. If you have questions about which partners have protection, see the links to their pages here.

This is a great example of the kind of community-based defense we discussed at Black Hat and I’m pleased to see us working together to collaboratively protect the ecosystem.

For more information about this release see the MSRC Blog here: http://blogs.technet.com/msrc/default.aspx

Steve “Capt Steve” Adegbite

*Postings are provided "AS IS" with no warranties, and confers no rights.*

The Valley Between Black & Blue

msrcecostrat — Thu, 21 Aug 2008 20:05:00 GMT

Handle:
C-Lizzle

IRL:
Celene Temkin

Rank:
BlueHat Project Manager

Likes:
Culinary warfare, BlueHat hackers and responsible disclosure

Dislikes:
Acts of hubris, MySpace, orange mocha Frappaccinos!

I affectionately call this time between summer conferences, the black and blue phase, where I wear security like a Hypercolor t-shirt, changing colors depending on where we are in our conference shipping and planning cycles. We just shipped a successful Black Hat and we are within T-minus 60 days until BlueHat v8.

Although the BlueHat v8 schedule has yet to be formally announced, there has been some early buzz around the speaker line up and I can assure you the two days of cutting-edge content will not disappoint. Please keep an eye out for speaker line-ups, abstracts, and bios, which will be posted on the BlueHat TechNet Security Briefing Page in the next couple of weeks. As always, keep up with the rolling thunder of the BlueHat Blog, which highlights internal and external BlueHat speakers from past, present, and (hint, hint) future.

But let’s back up for a second, what is BlueHat and what are the goals of this conference in the ever-evolving security industry?

First, we believe in educating our own because only when we truly comprehend our security reality, can we begin to defend ourselves and anticipate mitigations for the looming threats on the horizon. We educate our own by making BlueHat an invitation-only conference where our Microsoft developers, security engineers and product teams can receive security training credits for attending. Since security is not a spectator sport, we also encourage Microsoft employees to present alongside the external researchers recruited to present. We try and stay as transparent as possible with all our speakers, so none of the talks are under NDA.

Second, we use BlueHat as a vehicle for our partner and product teams to outreach to the security community. At every con out there, everyone knows that the “hallway track” is often the most fruitful and interesting. We seed our hallway track at BlueHat deliberately to maximize everyone’s experience. Countless introductions and targeted outreach occurs on the sidelines while the talks are going on. Researchers meet developers, speakers meet architects, CERTs meet security strategists—you name it, everyone’s engaging and the best part is it can take new relationships to a completely organic state far beyond our wildest expectations. Only at a venue like BlueHat could we pair two independent security researchers to do research on Silverlight in conjunction with the Silverlight & Adobe teams, and then have them present the results. Their presentation went so well that Manuel Caballero and Fukami won the “International Tag-Team Patches Award” at the BlueHat v7 Community Dinner, highlighting this alliance.

Third, BlueHat promotes Microsoft’s responsible disclosure policy, with the goal of coordinated release of an update and public disclosure of the vulnerability details. We also promote responsible disclosure with all of the conferences our team sponsors worldwide and ask conference organizers to promote vendor notification and the coordinated release of updates and vulnerability information.

The BlueHat Planning Team strategically invites security product vendors, security researchers, security officers, members of security response teams and past BlueHat speakers to engage while propelling MSRC values in real-time with a human face.

An almost overwhelming pupu platter of submissions sits before us; limitless in possibilities and all the better to educate our developers and execs with. Along with the great privilege of reviewing these submissions with the fellow members of the BlueHat Planning Team, comes the bittersweet burden of nailing down the final talks to exceed our audience’s expectations. The cool part is we get to immediately start working on the next BlueHat as it’s the best way to stay current on the latest trends around security and privacy.

- Celene Temkin, BlueHat Project Manager

*Postings are provided "AS IS" with no warranties, and confers no rights.*

DNS: An Example of Ecosystem Partnerships

msrcecostrat — Wed, 06 Aug 2008 15:37:00 GMT

Handle:
Zot

IRL:
Zot O'Connor

Rank:
Program Manager 2

Likes:
Taking on the enemy with partners, Automating processes, good scotch and bourbon

Dislikes:
Poor reporting, FUD, miscreants, dangling participles

My name is Zot O'Connor and I am a computer genius. Really, the Seattle Post-Intelligencer says so . Okay, not directly, but I was one of the group of "computer geniuses" converging on our campus back in March because of this DNS issue. I am not a programmer, so what was I doing there? Fulfilling one of the roles of the EcoStrat team, being a trusted advisor and helping prove it "Takes an Internet Village."

Shortly after Dan Kaminsky discovered the design issue, he and Dave Midturi (the MSRC Security Program Manager working on the issue) realized that this was an industry issue and holding a summit at our campus right after CanSecWest would maximize the opportunity for getting the real geniuses in the room. They came to me and Katie Moussouris for help with organizing and making this process successful.

Our team swung into action, taking care of the hosting details (which we do for events like BlueHat), reviewing the list of invitees, and offering advice when asked. We knew this could be rough: we are talking about a coordinated release of open source, proprietary and embedded software, each with different distribution methods and issues. We are also talking about a diversity of personalities, philosophies and skills.

At the event itself I was impressed with how everyone checked their egos, emotions and issues at the door and focused on the grave problem at hand. A plan was formed, a schedule set and communication channels determined. Everyone left knowing what we had to do, except maybe Dan and me.

Personally, I set up channels to inform more partners as the update was rolled out. I've been spending a lot of time getting folks to understand the gravity of the situation and to pass the word to the rest of the communities. As the details and exploits have emerged, that task is easier, but laying the groundwork certainly sped up adoption rates.

This issue goes to the heart of community-based defense. No one DNS server provider can fix the problem. A combination of our experience in working across boundaries, the dedication of the convened group and the support of global security communities showed how we can collectively provide protection for the ecosystem.

I enjoyed Dan’s talk today here at Black Hat, worry about attacks that may come, and wish I could wave a magic wand and get everyone to update their systems. In the meantime, I will continue to work with the ecosystem: together we are monitoring for attacks, analyzing information, coordinating data feeds and sharing information that can help protect users.

Once we get a handle on that, I’ll try to figure out how to add "computer genius" to my official title...

- Zot O'Connor

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Black Hat 2008: What it Means, What to Expect

msrcecostrat — Mon, 04 Aug 2008 16:05:00 GMT

Handle:
The Crushman

IRL:
Andrew Cushman

Rank:
Security Director

Likes:
Cranberry juice (thanks Jay!)

Dislikes:
Super helpful hotel desk clerks (thanks Raoul?)

Hey Andrew Cushman here…

It’s that time of year, August in Vegas, time for the big show, it’s Black Hat time… Along with the vivid memories of crowded briefing rooms, the critical mass of security talent, great side conversations, and the ever present "ching-ching" of slot machines - this year, it brings up thoughts of where Microsoft, the Microsoft Security Response Center (MSRC) and our commitment to Trustworthy Computing (TwC) have been and keen anticipation of where we’re going.

I read the headlines about online threats evolving and get a firsthand look at that evolution and the scope of what we’re facing. As attacks become more complex, stealthier, and increasingly targeted, the security industry is forced to adapt and to innovate in step. We can and will continue to develop new technologies, new best practices, and educational offerings (check out “Defend the Flag”). Even with these investments and changes, the reality is that security is not a problem that can be solved, and it’s a problem where the complexity often leads to more insecurity.

The industry is reaching a point where delivering an acceptable level of security today is beyond what one company can do alone. There’s real merit in the cliché “It takes a village….” It’s time that we approached this problem collectively—industry, partners, customers, and public organizations—acting together to improve the broader security ecosystem. Think of it as Community-Based Defense, where we commit our skills and strengths to defend beyond our boundaries to protect our common customers.

In that spirit, look for several announcements from Microsoft this week that reflect the growing importance industry collaboration and information sharing play as we shift to Community-Based Defense. It’s time for the industry to come together—researchers, vendors, and the like—to take security innovation and defense to the next level.

I’m excited to be in Vegas and be a part of the announcements this week. This is a fundamental shift for Microsoft and the ecosystem. This is one case where ‘what happens in Vegas’ doesn’t apply.

- Andrew Cushman

*Postings are provided "AS IS" with no warranties, and confers no rights.*