<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>MSRC Ecosystem Strategy Team : EcoStrat</title><link>http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx</link><description>Tags: EcoStrat</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Ahn-young-ha-seh-yo &amp; Kon-ni-chi-wa</title><link>http://blogs.technet.com/ecostrat/archive/2009/11/23/ahn-young-ha-seh-yo-kon-ni-chi-wa.aspx</link><pubDate>Mon, 23 Nov 2009 16:07:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3295831</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3295831.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3295831</wfw:commentRss><description>&lt;P mce_keep="true"&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148863/original.aspx" /&gt; 
&lt;b&gt;Handle: &lt;/b&gt;&lt;br /&gt;Cap'n Steve&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Steve Adegbite&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Reverse Engineering an obscene amount of code and ripping it up on a snowboard&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Not much but if you hear me growl…run&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; Hi! It's been a while since I've had a chance to blog about all the things we have been doing here. As travelling around to various security events is a big part of our mantra, I’ve been to Tokyo, Japan for &lt;A href="http://pacsec.jp/" mce_href="http://pacsec.jp/"&gt;PacSec&lt;/A&gt; and Seoul, South Korea for &lt;A href="http://www.powerofcommunity.net/pastcon_2009.html" mce_href="http://www.powerofcommunity.net/pastcon_2009.html"&gt;POC 2009&lt;/A&gt;. Both were great conferences and had great security talks. 
&lt;P mce_keep="true"&gt;
&lt;P&gt;PacSec had a lot of the Japanese security scene in attendance (the local powerhouses are pretty sharp and savvy) along with international researchers and past BlueHat speakers, Charlie Miller and Alex Stamos. Take a minute to check out archived &lt;A href="http://dragos.com/psj09/" mce_href="http://dragos.com/psj09/"&gt;presentations&lt;/A&gt; from our own Tony Lee introducing the SIRv7 and Jason Shirk discussing fuzzing strategies. But the biggest interest concerned mobile code threats such as malware and how the perimeter defenses are fading away as a viable protection. This seems to be a hot topic everywhere, so hot that the just wrapped-up &lt;A href="http://technet.microsoft.com/en-us/security/ee460903.aspx" mce_href="http://technet.microsoft.com/en-us/security/ee460903.aspx"&gt;BlueHat v9&lt;/A&gt; con had an entire track dedicated to mobile security, and in June 2010, at the annual &lt;A href="http://conference.first.org/" mce_href="http://conference.first.org/"&gt;FIRST Conference&lt;/A&gt;, how the perimeter defenses are fading away will be the theme for the whole conference. &lt;/P&gt;
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: left; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:a347ac6d-530a-47fa-93d2-2770c8876fd0 class=wlWriterEditableSmartContent&gt;&lt;A title="On the ground at PacSec 09" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/Pacsec%2009%20_2-8x6.jpg" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/Pacsec%2009%20_2-8x6.jpg"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/Pacsec%2009%20_2_17.png" width=266 height=363 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/Pacsec%2009%20_2_17.png"&gt;&lt;/A&gt;&lt;/DIV&gt;It’s a cyclic state when it comes to the effectiveness of protections. I remember back in the 80s and 90s when the firewall was going to fix it all. But like everything in life, things evolve and the firewall became a part of a complex mesh of other technologies created to evolve with the threats. 
&lt;P&gt;This cyclic and evolving process is something we know a lot about here in Microsoft. The continued security evolution built the &lt;A href="http://www.microsoft.com/security/msrc/default.aspx" mce_href="http://www.microsoft.com/security/msrc/default.aspx"&gt;MSRC process&lt;/A&gt; and the &lt;A href="http://msdn.microsoft.com/en-us/security/sdl.aspx" mce_href="http://msdn.microsoft.com/en-us/security/sdl.aspx"&gt;Security Development Lifecycle (SDL)&lt;/A&gt;. This is how we had to react to threats. &lt;/P&gt;
&lt;P&gt;Visiting POC 2009 and PacSec, I got more of a sense of how people outside Microsoft evolve and react; most created either more complex processes or bought more technologies. As I was sitting at POC 2009 watching the presentations, I saw the same theme here as well. It seems that with the evolution of threats, security people everywhere are throwing up more complex processes and technologies. But what happens when the complexity we have created outstrips the problem? I can see that we are always going to have the technological challenges of new threats.&lt;/P&gt;
&lt;P&gt;Take, for instance, &lt;A href="http://technet.microsoft.com/en-us/security/dd452420.aspx" mce_href="http://technet.microsoft.com/en-us/security/dd452420.aspx"&gt;Conficker&lt;/A&gt;, a new threat that helped every security professional evolve due to its complex nature. However, something else happened with Conficker that really turned on a light in my head. Conficker took advantage of old threats and long-standing security best practices. The fact that Conficker used these old threats and was still widely successful in exploiting our complex processes and technologies is interesting. &lt;/P&gt;
&lt;P&gt;I couldn't help asking myself this question: could it be that, due to our complexity, we have failed to take into account past experiences? I don’t think so. I think what we may have done is forgotten one or two primary security factors. Those factors are “people” and “process”. People management for security is a key tenet of any type of security plan. This fact has been proven everywhere and in every topic including computer security.&lt;/P&gt;
&lt;P&gt;If your plan does not take into account an understanding of the human factor and what it means to your security process, you are missing an important point. Understanding the “people” factor will help you in the next important part of the security plan, which is the process part. &lt;/P&gt;
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: right; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:ef4d5da0-5dbb-4cdf-a906-326e3830d297 class=wlWriterEditableSmartContent&gt;&lt;A title="POC 09 - Seoul, Korea" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/POC%2009_2-8x6.jpg" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/POC%2009_2-8x6.jpg"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/POC%2009_2_4.png" width=335 height=294 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/POC%2009_2_4.png"&gt;&lt;/A&gt;&lt;/DIV&gt;Sitting down at PacSec and POC 2009, I see that we have a firm grip on the technological-advancement front. The presentations at both conferences were excellent technically and on the cusp of new developments. But I still believe that a more focused approach on the “people” factor of computer security would do more to enhance the security than technology advancements will. 
&lt;P&gt;Here at Microsoft we are looking in that direction as we look at the technological enhancements coming to the continent of Africa. Here is a place where we will have the chance to stress a focus on the “people” aspect while building up the processes to take advantage of the new technologies afforded the populace. Hopefully you’ll be seeing more of this model in future posts from me as this new initiative develops. But for now make sure to look at the “people” factor as you create, modify or react to problems in the security landscape. It may surprise you what fresh new perspectives and solutions it gives you.&lt;/P&gt;
&lt;P&gt;-Steve &lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3295831" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-based+Defense/default.aspx">Community-based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Development+Lifecycle+_2800_SDL_2900_/default.aspx">Security Development Lifecycle (SDL)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Conficker/default.aspx">Conficker</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/FIRST/default.aspx">FIRST</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Watering+Hole/default.aspx">Watering Hole</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Attack/default.aspx">Attack</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Malicious+Software+_2800_Malware_2900_/default.aspx">Malicious Software (Malware)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC+Ecosystem+Strategy/default.aspx">MSRC Ecosystem Strategy</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Responsible+Disclosure+/default.aspx">Responsible Disclosure </category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Risk+Assessment/default.aspx">Risk Assessment</category><category 
domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Engineering/default.aspx">Security Engineering</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Tools/default.aspx">Security Tools</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Intelligence+Report/default.aspx">Security Intelligence Report</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Research/default.aspx">Security Research</category></item><item><title>Announcing BlueHat v9: Through the Looking Glass</title><link>http://blogs.technet.com/ecostrat/archive/2009/09/14/announcing-bluehat-v9-through-the-looking-glass.aspx</link><pubDate>Mon, 14 Sep 2009 09:14:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3280631</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3280631.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3280631</wfw:commentRss><description>&amp;nbsp;&lt;A href="http://technet.microsoft.com/en-us/security/cc261637.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc261637.aspx"&gt;BlueHat v9&lt;/A&gt; will take place from October 21 to 23 at the Microsoft campus in Redmond. Last year, we experimented with a day dedicated to attacks and a day dedicated to SDL security mitigations. This year, we will give you the best content out there… we are interweaving talks from internal and external security subject matter experts with themes related to e-crime, mobile security, cloud computing, and fuzzing. 
&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148860/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;C-Lizzle&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Celene Temkin&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Program Manager 2 &amp; BlueHat Project Manager&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Culinary warfare, BlueHat hackers and responsible disclosure&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Acts of hubris, MySpace, orange mocha Frappuccinos!&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;We kick it off with the BlueHat Executive Sessions on October 21 with condensed versions of the presentations delivered in a deeply technical "Cliff Notes" style. October 22 and 23 are filled with BlueHat General Sessions for our Microsoft IT pro and developer population.&lt;/P&gt;
&lt;P&gt;As a refresher, this conference is primarily about educating our own Microsoft population so we can better understand how to build more secure products. The more we know about the security ecosystem, the more we at Microsoft can truly comprehend and assess our own security reality.&lt;/P&gt;
&lt;P&gt;We were able to record talks and deliver them to the masses on the Web for &lt;A href="http://technet.microsoft.com/en-us/security/cc748656.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc748656.aspx"&gt;BlueHat v8&lt;/A&gt; -- we'll continue this momentum and keep the "&lt;A href="http://itknowledgeexchange.techtarget.com/security-bytes/inside-the-microsoft-sdl-and-threat-modeling-process/" mce_href="http://itknowledgeexchange.techtarget.com/security-bytes/inside-the-microsoft-sdl-and-threat-modeling-process/"&gt;technical equivalent of those free online courses from MIT"&lt;/A&gt; coming for all attendees. You can also count on the usual speaker video podcasts, anecdotes, archives, and new to BlueHat v9, the first &lt;A href="http://technet.microsoft.com/en-us/security/cc261637.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc261637.aspx"&gt;BlueHat Training Video examining Office Binary File Formats&lt;/A&gt;, content provided by our benevolent counterparts on the &lt;A href="http://blogs.technet.com/srd/archive/2009/09/14/offvis-updated-office-file-format-training-video-created.aspx" mce_href="http://blogs.technet.com/srd/archive/2009/09/14/offvis-updated-office-file-format-training-video-created.aspx"&gt;MSRC Engineering Team&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;As always, I’m incredibly excited to see the amazing security education, partnerships, and networking opportunities that come out of our community-based defense platform. Like Alice going through the looking glass to get to Wonderland, we have to change our perspective to understand the threat landscape. Should Alice want to send a message back to Bob in the real world, it’s up to all of us to keep Eve out of the conversation. ;-)&lt;/P&gt;
&lt;P&gt;Here’s a brief overview of the talks and speakers. Full details will be available on the &lt;A href="http://technet.microsoft.com/en-us/security/cc748656.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc748656.aspx"&gt;BlueHat web site&lt;/A&gt; within the week.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;October 22, 2009&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;&lt;B&gt;Morning Block: Hyper Reality: Who’s Been Painting My Roses Red?&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;Tumble down the rabbit hole with us as we kick off the BlueHat v9 General Sessions examining e-crime motivation, attacks, and how to navigate through the mounting social engineering aspect of security coverage. We kick off with Jose Nazario taking a deep dive into DDoS attacks and their growing role as an online political weapon in &lt;I&gt;Politically Motivated Denial of Service Attacks.&lt;/I&gt; Next up, Adobe’s Peleus Uhley and our own Jesse Collins will scrutinize the great power and responsibility that comes along with those flashy Web applications in &lt;I&gt;RIA Security: Real-World Lessons from Flash and Silverlight. &lt;/I&gt;We then wrap up the morning *Cheshire Cat grin* exploring a little flaw by the name of ATL in &lt;I&gt;The Language of Trust: Exploiting Trust Relationships in Active Content&lt;/I&gt;, by Ryan Smith, Mark Dowd and David Dewey.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;Afternoon Block: Mobile (in)Security: &lt;/B&gt;&lt;B&gt;Curiouser and Curiouser&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;As more people onboard themselves to smart mobile devices, our wonderland certainly has gotten curiouser and curiouser. Take a ride with us as Luis Miras and Zane Lackey uncover &lt;I&gt;Attacking SMS &lt;/I&gt;and show us how easy it is to be a victim when there is hardly any user interaction needed to fall prey to attack. Next up, our own Josh Lackey will serve some of the teacups of goodness and tell us what is on the horizon with &lt;I&gt;Mobile Security and Software Radio&lt;/I&gt;. Charlie Miller will then show us how to stand on our heads and use automated fuzzing on the iPhone and outline the vuln he found as well as how to exploit it in &lt;I&gt;iPhone SMS Hacking with a Touch About Payloads. &lt;/I&gt;Last, we will hear from Patrick McCanna of AT&amp;amp;T Security as he gives us an overview of security threats that face mobile operators in &lt;I&gt;Mobile Operator Security: Security Challenges for Global Networks for Pocket-sized Devices&lt;/I&gt;.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;October 23, 2009&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;&lt;B&gt;Morning Block: Cloud Services &amp;amp; Virtualization: Up Above the World You Fly, Like a Tea Tray in the Sky…&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;Kicking off day 2, we find ourselves up in the clouds, quite literally. In &lt;I&gt;Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure, &lt;/I&gt;Chris Hoff of Cisco takes us on a journey where we learn some really scary things happening with the massive convergence of virtualization and cloud computing and their effect on security models and the information they are designed to protect. Our own Mad Hatter, John Walton, will walk us through advantages and challenges within the Microsoft Software-plus-Services model in &lt;I&gt;Get Your Head Out of the Clouds: Security in Software-plus-Services&lt;/I&gt;. Flying up even further, Robert Fly takes us on a journey highlighting unique aspects of building enterprise-ready cloud services and how to avoid the torrential rainfall of unforeseen problems in &lt;I&gt;Creating Clouds: Avoiding Rain In The Transition From On-Premise To Services&lt;/I&gt;. We then wind up the afternoon with past BlueHat speakers Billy Rios and Nitesh Dhanjani engaging us in new discussions on the security implications and magic mushrooms that are likely to affect the cloud platforms and their clients in the near future in &lt;I&gt;Sharing the Cloud with Your Enemy&lt;/I&gt;.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;Afternoon Block: Fuzzing Tools &amp;amp; Mitigations: &lt;/B&gt;&lt;B&gt;Chasing the White Rabbit&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;As we end our adventure through the looking glass, our Google friends Tavis Ormandy and Neel Mehta will paint a picture of how their technique of sub-instruction profiling uncovered multiple vulnerabilities in Windows. Next up, we get to take a peek &lt;I&gt;Under the Kimono of Office Security Engineering &lt;/I&gt;with our own Tom Gallagher and Dave Conger as they show us a framework built by the Office team to efficiently fuzz any file format parser. The final session before hearing from our guests in the security community amongst the ill-fated gong of our lightning talks will be Chris Weber’s &lt;I&gt;Character Transformations: Finding Hidden Vulnerabilities. &lt;/I&gt;This talk will cover ways in which latent character and string handling can transform clever inputs into malicious outputs in cross-site scripting.&lt;/P&gt;
&lt;P&gt;We will continue to update the &lt;A href="http://blogs.technet.com/bluehat" mce_href="http://blogs.technet.com/bluehat"&gt;BlueHat blog&lt;/A&gt; and the &lt;A href="http://technet.microsoft.com/en-us/security/cc261637.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc261637.aspx"&gt;TechNet&lt;/A&gt; site to keep you current on the happenings during and around the conference. See you in Wonderland!&lt;/P&gt;
&lt;P&gt;-Celene&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3280631" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-based+Defense/default.aspx">Community-based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/BlueHat+Security+Briefings/default.aspx">BlueHat Security Briefings</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Development+Lifecycle+_2800_SDL_2900_/default.aspx">Security Development Lifecycle (SDL)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Attack/default.aspx">Attack</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Malicious+Software+_2800_Malware_2900_/default.aspx">Malicious Software (Malware)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Windows/default.aspx">Microsoft Windows</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC+Ecosystem+Strategy/default.aspx">MSRC Ecosystem Strategy</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Responsible+Disclosure+/default.aspx">Responsible Disclosure </category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Risk+Assessment/default.aspx">Risk Assessment</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Engineering/default.aspx">Security Engineering</category><category 
domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Tools/default.aspx">Security Tools</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Exploitability/default.aspx">Exploitability</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Mitigations/default.aspx">Mitigations</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Research/default.aspx">Security Research</category></item><item><title>Threat Complexity Requires New Levels of Collaboration</title><link>http://blogs.technet.com/ecostrat/archive/2009/07/27/threat-complexity-requires-new-levels-of-collaboration.aspx</link><pubDate>Mon, 27 Jul 2009 22:43:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3268508</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3268508.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3268508</wfw:commentRss><description>When complex security issues that affect multiple vendors arise, calling them “challenging” is an understatement. We created the Microsoft Vulnerability Research Program (MSVR) to meet those challenges, learn from those experiences and strengthen the ties of our community of defenders across the industry in the process. As the state of software security matures beyond straightforward issues such as buffer overflows and elevation of privilege, we are working diligently towards a new level of cross-industry collaboration on a scale never seen before. We must do so in order to provide our mutual customers with the best possible experience on our platform. 
&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3206306/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;StoneZ&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Adrian Stone&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Predictive Analytics, Game Theory, Databases, Sports Cars, NFL Football, Direct People&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Losing, Liars, Posers, No Talent Clowns&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; &lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148861/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;k8e&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Katie Moussouris&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Cool vulns (responsibly disclosed of course), girls with soldering irons, Spanish tapas, quantum teleportation&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Rudeness, socks-n-sandals, licorice&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;The recent &lt;A href="http://www.microsoft.com/technet/security/advisory/973882.mspx" mce_href="http://www.microsoft.com/technet/security/advisory/973882.mspx"&gt;Active Template Library (ATL) issue&lt;/A&gt; required us to find a new and more collaborative manner to respond to the developing threats as more information about the vulnerability details became public. MSVR was at the heart of the response and coordination, along with MSRC, to find a solution. As MSRC focused on what it does regularly, which is driving change within Microsoft, MSVR kicked into high gear to coordinate and assist as many third-party affected vendors as possible to help resolve an industry-wide issue.&lt;/P&gt;
&lt;P&gt;Several firsts and questions had to be met head-on by our relatively young MSVR program now celebrating its first birthday.&lt;/P&gt;
&lt;P&gt;· How do we maintain and respect the overarching tenets of Responsible Disclosure while sharing the issue outside of Microsoft? &lt;/P&gt;
&lt;P&gt;· How do we communicate openly and directly with multiple impacted parties while not putting customers at risk by a potential broad disclosure prior to the availability of mitigation? &lt;/P&gt;
&lt;P&gt;· How do we translate an issue that we came to understand very well to third parties that may not have the same technical history or security response methodologies and practices that we do? &lt;/P&gt;
&lt;P&gt;· Can we coordinate across the industry so that everyone is moving to the same goal of addressing the problem, despite differing development practices and engineering requirement timelines?&lt;/P&gt;
&lt;P&gt;The talented security researchers that reported the issue to Microsoft had done so in a responsible manner with the goal of improving the ecosystem and helping us protect our customers. At the same time, it became clear to us that this was an industry-wide problem and that the best way to secure the ecosystem was to notify affected vendors while engineering efforts were underway here in Redmond. Microsoft is a supporter of Responsible Disclosure, which aims to allow affected vendors to understand and try to resolve their respective issues before discussing the details of the issue publicly. In this instance, MSVR’s actions demonstrated a variety of responsible disclosure recently dubbed "&lt;A href="http://blogs.msdn.com/katie_moussouris/archive/2009/03/23/partial-disclosure-was-it-a-cat-i-saw.aspx" mce_href="http://blogs.msdn.com/katie_moussouris/archive/2009/03/23/partial-disclosure-was-it-a-cat-i-saw.aspx"&gt;partial disclosure&lt;/A&gt;," when we alerted third-party vendors who we believed had controls compiled with our vulnerable ATL headers. In the past year of MSVR operations, we have acted in the Responsible Disclosure roles of Finder and Coordinator. The ATL issue required us to act in both of those roles, plus in the role of affected Vendor.&lt;/P&gt;
&lt;P&gt;While we knew we had to disclose technical details to a broad group, the clock was also ticking as we began to see more and more details about this issue being discussed and discovered in the security community. The original security researchers that reported the issue to us worked with us diligently and patiently to continue acting responsibly with their understanding of the problem, while we began developing a process and technical tools to analyze our controls and look for a solution. At the same time, we began the process of identifying and analyzing the controls that are most commonly deployed but were developed by other vendors. It is at this point we felt that we had a viable way to individually engage as many of these affected vendors as possible to discuss the impact of the issue as it relates to their potentially vulnerable controls. &lt;/P&gt;
&lt;P&gt;Due to their potential scope, library-related vulnerabilities can often stir uncertainty and concern in the industry, so we focused our efforts to understand the true depth and breadth of the impact. Our analysis indicated that the vast majority of controls that would impact our users could be addressed by a few key vendors in the ecosystem. With this in mind, MSVR reached out to vendors who had the broadest footprint in the ecosystem that we believed were affected by the issue. We also felt confident that the defense-in-depth engineering solutions being worked on here at Microsoft would help provide a safeguard against attacks and allow other vendors more time to modify and recompile their own controls.&lt;/P&gt;
&lt;P&gt;Overall, our goals and objectives were straightforward, if not exactly effortless, and required us to also leverage many of the key lessons learned by the MSRC over the years. After we distilled the actions and goals down to their most elemental levels, it became clear we had to move quickly on several fronts, including:&lt;/P&gt;
&lt;P&gt;· Coming up with our own defense-in-depth solution to help protect customers and mitigate the threat.&lt;/P&gt;
&lt;P&gt;· Taking steps to identify quickly the affected third-party vendors who we thought had the broadest impact on our platform.&lt;/P&gt;
&lt;P&gt;· Finding the right security contacts at the vendors who met those criteria.&lt;/P&gt;
&lt;P&gt;· Packaging and disseminating the vulnerability information to them securely.&lt;/P&gt;
&lt;P&gt;Our goals in doing so were to:&lt;/P&gt;
&lt;P&gt;· Alert as many of the community of vendors who have affected controls as possible that there was an issue with ATL.&lt;/P&gt;
&lt;P&gt;· Provide the third-party vendors with technical details necessary to perform the broad analysis of all of their controls to look for the vulnerability in their products.&lt;/P&gt;
&lt;P&gt;· Support the third-party vendors in their analysis, answering their questions, and clarifying the issue when necessary.&lt;/P&gt;
&lt;P&gt;· Coordinate with the major affected third parties on both the release of the updates and the guidance for our mutual customers.&lt;/P&gt;
&lt;P&gt;We learned a lot during this process. After all, evolution requires change in the way we think and in the way we act, which leads to growth. We will incorporate these lessons into MSVR processes moving forward. We have formed stronger relationships across organizations that MSVR has worked with on other &lt;A href="http://blogs.technet.com/ecostrat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx" mce_href="http://blogs.technet.com/ecostrat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx"&gt;issues in the past&lt;/A&gt;, and we have forged many new bonds with security teams across company boundaries. Overall, we are very pleased with the positive industry response, and we salute our counterparts in the security organizations of all the third-party vendors we have worked with during this historic collaboration, including but not limited to &lt;A href="http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html" mce_href="http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html"&gt;Adobe&lt;/A&gt; and Sun. We are also incredibly thankful and appreciative of &lt;A href="http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx" mce_href="http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx"&gt;Ryan Smith and David Dewey&lt;/A&gt;, the original security researchers that reported the issue to us responsibly, as it was a multidimensional challenge that required significant patience and understanding on their part as we determined how to best address the problem.&lt;/P&gt;
&lt;P&gt;As we move forward toward the next challenges on the security horizon, we can anticipate deeper integration among the community of defenders, whether they work for Microsoft or a third-party vendor, whether they are security researchers or are members of a CERT – we can expect more collaboration. After all, progress towards securing our platform, as has been made with our own &lt;A href="http://blogs.msdn.com/sdl/" mce_href="http://blogs.msdn.com/sdl/"&gt;SDL&lt;/A&gt;, will naturally lead to attacks being more complex, more dependent on how applications interact with each other and with the underlying operating system, and therefore will require us all to look past our company logos and focus on that threat horizon.&lt;/P&gt;
&lt;P&gt;I’m &lt;A href="http://blogs.technet.com/adrianstone" mce_href="http://blogs.technet.com/adrianstone"&gt;Adrian Stone&lt;/A&gt;, who ran the ATL coordination and is the new driver of the MSVR program since July 1, and I’m &lt;A href="http://blogs.msdn.com/katie_moussouris" mce_href="http://blogs.msdn.com/katie_moussouris"&gt;Katie Moussouris&lt;/A&gt;, founder of the MSVR program, and together with the security community, we look forward to advancing community-based defense and helping to usher in this new age of collaborative security for the good of all our customers.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3268508" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-based+Defense/default.aspx">Community-based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Vulnerability+Research+_2800_MSVR_2900_/default.aspx">Microsoft Vulnerability Research (MSVR)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC+Ecosystem+Strategy/default.aspx">MSRC Ecosystem Strategy</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Responsible+Disclosure+/default.aspx">Responsible Disclosure </category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Assurance/default.aspx">Security Assurance</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Research/default.aspx">Security Research</category></item><item><title>A Brussels retrospective from 
Oahu</title><link>http://blogs.technet.com/ecostrat/archive/2009/06/12/a-brussels-retrospective-from-oahu.aspx</link><pubDate>Fri, 12 Jun 2009 10:31:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3254070</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3254070.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3254070</wfw:commentRss><description>&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3147552/original.aspx" /&gt; 
&lt;b&gt;&lt;br/&gt;Handle:&lt;/b&gt;&lt;br /&gt;Security Blanki&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Sarah Blankinship&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Strategist Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Vuln wrangling, teams of rivals, global climate change - the hotter the better&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Slack jawed gawkers (girls are geeks too!), customers @ risk, egos&lt;br /&gt;&lt;br/&gt;&lt;/div&gt; 
&lt;P&gt;Aloha from the &lt;A href="http://shakacon.org/" mce_href="http://shakacon.org/"&gt;Shakacon III&lt;/A&gt;, a security conference held each year in lovely Honolulu, Hawaii! Although I’m currently in a different region of the world, talking with a completely different segment of the security ecosystem, I wanted to take a few moments to reflect on the BlueHat Security Forum EU event recently held in Brussels, Belgium. 
&lt;P&gt;&lt;A href="http://blogs.technet.com/ecostrat/archive/2009/06/02/announcing-the-bluehat-security-forum-eu-edition.aspx" mce_href="http://blogs.technet.com/ecostrat/archive/2009/06/02/announcing-the-bluehat-security-forum-eu-edition.aspx"&gt;Celene’s EcoStrat blog post&lt;/A&gt; highlighted the collaborative nature of the event and described the amazing content that was presented to the group of key EU security stakeholders. While to be a part of building a new platform for technical information exchange was a success in itself, we all have different priorities. In order to effect change, we must understand each other and work together, across technologies, organizations, and country boundaries. With the building of better collaboration in this community, we all have taken one more step in helping to secure the planet as a collective. 
&lt;P&gt;I’ve mentioned in a previous &lt;A href="http://blogs.technet.com/ecostrat/archive/2008/10/30/observations-from-the-ecostrat-isphere.aspx" mce_href="http://blogs.technet.com/ecostrat/archive/2008/10/30/observations-from-the-ecostrat-isphere.aspx"&gt;EcoStrat post&lt;/A&gt; that the EcoStrat team strives to build bridges and help folks get over them. The BlueHat Security Forum EU event was an example of bridge-building in action. It was rewarding to introduce representatives from governments, industry, and enterprises, as well as individual participants to each other. Prior to the BlueHat Security Forum, this particularly diverse group had never been in the same room discussing current security threat landscapes, understanding together the realities of securing critical national infrastructures and corporate networks alike. 
&lt;P&gt;With such a diverse collection of attendees, participants naturally had a wide range of security priorities. Concerns ranged from targeted attacks to ID theft, defending Web applications and supply chains, developing and deploying secure coding practices to policy development, political concerns within and outside of the EU, and the list goes on. 
&lt;P&gt;Certainly the message that there is no one magic solution to security was delivered. There is still so much work to be done. It will take defense-in-depth, secure coding, securing third-party applications and proprietary applications; it will take technology &lt;B&gt;and&lt;/B&gt; people. We all understand that security can be likened to an arms race; every innovation we make in security is met by a very sophisticated collective of global malicious actors. We must be vigilant together; we must work together. 
&lt;P&gt;Mahalo for reading and here’s to another step towards achieving community-based defense. 
&lt;P&gt;Sarah &lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3254070" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-based+Defense/default.aspx">Community-based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/BlueHat+Security+Briefings/default.aspx">BlueHat Security Briefings</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Attack/default.aspx">Attack</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC+Ecosystem+Strategy/default.aspx">MSRC Ecosystem Strategy</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Defense-in-depth/default.aspx">Defense-in-depth</category></item><item><title>Announcing the BlueHat Security Forum: EU Edition</title><link>http://blogs.technet.com/ecostrat/archive/2009/06/02/announcing-the-bluehat-security-forum-eu-edition.aspx</link><pubDate>Tue, 02 Jun 2009 11:30:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3249680</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3249680.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3249680</wfw:commentRss><description>&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148860/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;C-Lizzle&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Celene Temkin&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Program Manager 2 &amp; BlueHat Project Manager&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Culinary warfare, BlueHat hackers and responsible disclosure&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Acts of hubris, MySpace, orange mocha Frappaccinos!&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; &lt;/P&gt;
&lt;P&gt;Hey folks! I know this is typically the time of year when birds are chirping, the rain is &lt;I&gt;supposed &lt;/I&gt;to be letting up, and those of you in the BlueHat network who are normally invited to attend the Spring BlueHat conference are asking yourselves, "Why did MSRC start doing the con only once a year?" The answer, of course, is pretty simple and complicated at the same time. Today marks the beginning of the next evolution of the BlueHat Security Briefings, with the launch of the &lt;B&gt;BlueHat Security Forum&lt;/B&gt; taking place at the Microsoft Executive Briefing Center in Brussels, Belgium. &lt;/P&gt;
&lt;P&gt;Following the success of the &lt;A href="http://technet.microsoft.com/en-us/security/cc261637.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc261637.aspx"&gt;BlueHat Security Briefings&lt;/A&gt;, entering its 9&lt;SUP&gt;th&lt;/SUP&gt; iteration this October 22-23 at the Microsoft campus in Redmond, the BlueHat Security Forum EU event is an invitation-only gathering and network of select government and enterprise decision-makers from throughout the European Union.&amp;nbsp; Attendee country representation includes Austria, Belgium, Denmark, Finland, France, Germany, Italy, Norway, Sweden, Switzerland, and the UK.&amp;nbsp; Today’s Forum gathering in Brussels features lively presentations on the latest developments in information security from Microsoft leaders and external security researcher luminaries. 
&lt;P&gt;The primary objective of the BlueHat Security Forum is to build bridges between our Microsoft Security Leadership team, key Enterprise security stakeholders, and members of the security research community. The secondary objective is to participate in candid, actionable, and constructive dialogue with key enterprise customers that will help Microsoft produce enterprise-ready, value-laden products and services.&amp;nbsp; The BlueHat Security Forum planning team formulates discussion topics for these meetings based on current security hot topics, new research and trends. 
&lt;P&gt;Today's BlueHat Security Forum EU event agenda will address: 
&lt;P&gt;· E-crime attacks, the vulnerability economy and the global threat landscape 
&lt;P&gt;· Security in the cloud, DNS security, and the malware landscape 
&lt;P&gt;· Microsoft Security Response Center (MSRC) processes and integrating a Security Development Lifecycle (SDL) 
&lt;P&gt;And did I mention our stellar lineup? :) Presenters from Microsoft Trustworthy Computing include Andrew Cushman, &lt;I&gt;Director of Trustworthy Computing Security;&lt;/I&gt; David Pollington, &lt;I&gt;Director of Security, Europe&lt;/I&gt;; Vinny Gullotto&lt;I&gt;, General Manager, Microsoft Malware Protection Center; &lt;/I&gt;Alex Lucas, &lt;I&gt;Principal Security Development Lead;&lt;/I&gt; Mike Reavey,&lt;I&gt; Director of MSRC; &lt;/I&gt;and from Global Foundation Services&lt;I&gt;, &lt;/I&gt;Martin Rues&lt;I&gt;, Director for Cloud Security, Microsoft &amp;amp; &lt;/I&gt;Scott Oxley&lt;I&gt;, Lead Architect for Cloud Security, Microsoft. &lt;/I&gt;External presenters include&lt;I&gt; &lt;/I&gt;Iftach Amit&lt;I&gt;, Director, Security Research, Aladdin; &lt;/I&gt;Dragos Ruiu&lt;I&gt;,&lt;/I&gt; &lt;I&gt;CEO SecWest Conferences, Security Technology Specialist; &lt;/I&gt;Dan Kaminsky&lt;I&gt;,&lt;/I&gt; &lt;I&gt;Director of Penetration Testing, IOActive; &lt;/I&gt;and&lt;I&gt; &lt;/I&gt;Scott Stender&lt;I&gt;, Principal, iSEC Partners, Inc.&lt;/I&gt; 
&lt;P&gt;We are seeking to build upon the momentum of past events by showcasing how individual strategies can intersect to offer substantial benefits and positive-sum outcomes. As with the local BlueHat conference, we are looking to demystify global and regional security threats, and to create channels for productive information exchange on common threats between the security industry, governments and researchers. Future regional BlueHat Security Forums are planned for Asia in 2010 and LATAM in 2011. 
&lt;P&gt;Next up: save the date for BlueHat v9 this October 22-23 in Redmond. Stay tuned for more updates and information to come here and on the &lt;A href="http://blogs.technet.com/bluehat/" mce_href="http://blogs.technet.com/bluehat/"&gt;BlueHat Blog&lt;/A&gt;. Be sure to check out Iftach Ian Amit’s post also coinciding with the Forum, &lt;I&gt;&lt;A href="http://blogs.technet.com/bluehat/archive/2009/06/03/getting-a-business-degree-as-part-of-security-research.aspx" mce_href="http://blogs.technet.com/bluehat/archive/2009/06/03/getting-a-business-degree-as-part-of-security-research.aspx"&gt;Getting a business degree as part of Security Research?&lt;/A&gt;&lt;/I&gt; 
&lt;P&gt;Bonne chance! 
&lt;P&gt;Celene&lt;/P&gt;
&lt;P&gt;&lt;SPAN class=sbmLink&gt;&amp;nbsp; 
&lt;TABLE cellSpacing=1 cellPadding=1 unselectable="on"&gt;
&lt;TBODY&gt;
&lt;TR&gt;
&lt;TD class=sbmText class="sbmText"&gt;Share this post : &lt;/TD&gt;
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to reddit!" onmouseout=mOut(this) href="http://reddit.com/submit?url=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;title=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/reddit4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to shadow" onmouseout=mOut(this) href="http://www.shadows.com/bookmark/saveLink.rails?page=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;title=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/shadows6.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to spurl" onmouseout=mOut(this) href="http://www.spurl.net/spurl.php?v=3&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;title=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/spurl8.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to technorati!" onmouseout=mOut(this) href="http://technorati.com/faves/?add=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;title=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/technora4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to wists" onmouseout=mOut(this) href="http://www.wists.com/?action=add&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;title=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/wists9.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to yahoo!" onmouseout=mOut(this) href="http://myweb.yahoo.com/myresults/bookmarklet?u=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;t=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/yahoo9.png"&gt;&lt;/A&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3249680" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-based+Defense/default.aspx">Community-based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/BlueHat+Security+Briefings/default.aspx">BlueHat Security Briefings</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Development+Lifecycle+_2800_SDL_2900_/default.aspx">Security Development Lifecycle (SDL)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Watering+Hole/default.aspx">Watering Hole</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Attack/default.aspx">Attack</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Malicious+Software+_2800_Malware_2900_/default.aspx">Malicious Software (Malware)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC+Ecosystem+Strategy/default.aspx">MSRC Ecosystem Strategy</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Research/default.aspx">Security Research</category></item><item><title>Hack in the Box, and beyond…</title><link>http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx</link><pubDate>Wed, 13 May 2009 11:00:00 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3240341</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3240341.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3240341</wfw:commentRss><description>&lt;P&gt;&lt;B&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3237005/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;EcoStrat's All-Stars&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;TwC Security All-Star Guest Bloggers&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Security, Vulnerability Research &amp; Science, Defense and Responsible Disclosure&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;0-day, FUD&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;&lt;B&gt;Marhaban!&lt;/B&gt; Maarten Van Horenbeeck here from the Microsoft Security Response Center (MSRC). This is the first time I have blogged here on EcoStrat. As a Security Program Manager with MSRC, one of the roles I have is to work with security researchers, and this often involves attending security conferences to meet with you. Two weeks ago, a couple of us in Trustworthy Computing (TwC) attended the Hack in the Box (HITB) security conference in hot and sizzling Dubai, United Arab Emirates.&lt;/P&gt;
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: left; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:03959000-64a4-44b7-98d8-8310d37a81a0 class=wlWriterSmartContent&gt;&lt;A title="Burj Al Arab, the second tallest hotel in the world." href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/burjalarab-8x6.jpg" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/burjalarab-8x6.jpg"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/burjalarab_6.png" width=337 height=446 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/burjalarab_6.png"&gt;&lt;/A&gt;&lt;/DIV&gt;
&lt;P&gt;There is a saying that "every word in Arabic either means itself, its opposite, or a camel." Working in the information security industry, I often use this to illustrate to my clients how a piece of code that one person considers a vulnerability can very well be seen as valid functionality by another. As such, my Microsoft colleagues and I were very interested in learning more about other Arabic sayings that could be applied to the information security industry as a whole. 
&lt;P&gt;Hack in the Box is a twice-annual conference, taking place in Dubai, UAE during April, and somewhat later in the year in Kuala Lumpur, Malaysia. Given our past experiences with the value of the talks at the conference, Microsoft was a Titanium sponsor of this event. 
&lt;P&gt;The Dubai conference is more intimate than the Malaysia one, but that is exactly what makes it a great way for local information security professionals to network and learn more about cutting edge security research that is taking place all across the world. Presenters ventured from as far as Indonesia, the United States, and Germany. 
&lt;P&gt;At Microsoft, I think we can safely admit that in order to pioneer security efforts, we were forced to make every single mistake in the book and learn from it. When I started with the company, I was fascinated to see that we are in fact very good at learning. When we deal with an issue, we like to understand how we can resolve similar issues more effectively in the future. As such, we don’t just attend conferences to learn, but to start up a conversation – we are interested in sharing our own experiences as well as touching base with others. 
&lt;P&gt;Microsoft employees had two presentations lined up for this event. Mark Curphey, the director of Microsoft's Information Security Tools team, had a keynote presentation on security tools and technology for effective risk management. Mark focused on how most security tools and technology available to effectively manage risk can only be described as primitive in comparison to those used in most other areas of risk management, such as online gaming or healthcare. From my own experience as a security consultant, I can echo his finding that Microsoft Office Excel is often the most effective tool risk managers have at their disposal. 
&lt;P&gt;This is a gloomy situation, given the amount of risk most organizations are exposed to, but a broad sigh of relief was voiced by the audience when Mark clarified his team is working here at Microsoft on solving just that issue. 
&lt;P&gt;After Mark's talk, Ian Hellen from Microsoft's Security Assurance team and I spoke to several attendees who wanted to learn more about how Microsoft deals with application security issues. We understood from them that there is a lot of internal software development taking place in Dubai to support business processes, and many of the attendees asked questions about how they could make their own applications more secure. We talked to them about the Microsoft Security Development Lifecycle (SDL), which is our standardized approach to software security. If you have similar interests, you can read more about it &lt;A href="http://msdn.microsoft.com/en-us/security/cc448177.aspx" mce_href="http://msdn.microsoft.com/en-us/security/cc448177.aspx"&gt;here&lt;/A&gt;. &lt;/P&gt;
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: right; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:ab83e23a-9cc4-4699-b289-8f221400a7e4 class=wlWriterSmartContent&gt;&lt;A title="Conference attendees enjoying a presentation" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/conference-8x6.jpg" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/conference-8x6.jpg"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/conference_7.png" width=420 height=269 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/conference_7.png"&gt;&lt;/A&gt;&lt;/DIV&gt;
&lt;P&gt;Billy Rios, one of our resident security engineers, delivered a fascinating presentation on the concept of trust relationships in Web applications, and more specifically how a disparity exists between the security models implemented in Web applications, and those implemented by the browsers that host those applications. In addition, he collaborated with Chris Evans from Google to share with the audience some of their experiences with cross-domain issues and practical man-in-the-middle attacks on SSL. 
&lt;P&gt;While there was too much content at the conference for me to discuss in depth here, I will mention some of the other highlights. 
&lt;P&gt;Roberto Preatoni from WabiSabiLabi, one of our guests at BlueHat 6, presented on cyber warfare. He refuted Marcus Ranum’s 2007 statement at HITB Malaysia that cyber warfare is an overrated issue, by calling out several examples of contemporary cyber war. He illustrated how it may affect not just nation-states, and how its conflicts of interest can affect industries and individual corporations as well. &lt;/P&gt;
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: left; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:2bc5a680-1786-4112-a04c-9417a346bb9a class=wlWriterSmartContent&gt;&lt;A title="Dubai Creek" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/dubai1-8x6.jpg" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/dubai1-8x6.jpg"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/dubai1_8.png" width=420 height=358 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/dubai1_8.png"&gt;&lt;/A&gt;&lt;/DIV&gt;
&lt;P&gt;Reverse engineers in the audience welcomed Sebastian Porst from Zynamics. He spoke about REIL, their Reverse Engineering Intermediate Language, and more specifically how it can be used to optimize static binary code analysis. They actually used one of our vulnerabilities, the Windows Server Service vulnerability patched in MS08-067 (read more about it &lt;A href="http://blogs.technet.com/srd/archive/2008/10/23/More-detail-about-MS08-067.aspx" mce_href="http://blogs.technet.com/srd/archive/2008/10/23/More-detail-about-MS08-067.aspx"&gt;here&lt;/A&gt; and &lt;A href="http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx" mce_href="http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx"&gt;here&lt;/A&gt;) to illustrate how their tool works. This is definitely a topic many of our own engineers are deeply interested in. 
&lt;P&gt;Another well-received talk came from Wes Brown of IOActive. He provided a good primer on analyzing malicious code, and gave it a twist by describing how languages, Unicode, and even culture all make a difference and make the reverse engineer’s work just a wee bit more difficult. 
&lt;P&gt;At the end of the conference, Microsoft sponsored the sunset Post-Conference Reception, which allowed for more valuable networking opportunities. 
&lt;P&gt;Sometimes dealing with security incidents and vulnerabilities can feel like marching across a desert. Confidentiality is an unspoken requirement, and often you can only rely on your own senses, knowledge and intuition. It is a great thing that just like in Dubai, there are watering holes where we can come together and rely on each other implicitly, sharing information and improving the state of the art in our business. Thanks, Hack in the Box, for a great conference, and we’ll see you next time. &lt;B&gt;Ma’a salama.&lt;/B&gt; 
&lt;P&gt;[Editor's note: check out the BlueHat Blog for another &lt;A href="http://blogs.technet.com/bluehat/archive/2009/05/13/dune-busting-and-browser-fun-at-hitb-dubai.aspx" mce_href="http://blogs.technet.com/bluehat/archive/2009/05/13/dune-busting-and-browser-fun-at-hitb-dubai.aspx"&gt;Microsoft perspective on HITB-Dubai&lt;/A&gt;] &lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN class=sbmLink&gt;
&lt;TABLE cellSpacing=1 cellPadding=1 unselectable="on"&gt;
&lt;TBODY&gt;
&lt;TR&gt;
&lt;TD class=sbmText class="sbmText"&gt;Share this post : &lt;/TD&gt;
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to backflip" onmouseout=mOut(this) href="http://www.backflip.com/add_page_pop.ihtml?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/backflip4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to blinkbits!" onmouseout=mOut(this) href="http://www.blinkbits.com/bookmarklets/save.php?v=1&amp;amp;source_url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blinkbit4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to blogmemes" onmouseout=mOut(this) href="http://www.blogmemes.net/post.php?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blogmemes4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to buddymark" onmouseout=mOut(this) href="http://buddymarks.com/s_add_bookmark.php?bookmark_url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;bookmark_title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/buddymar4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to complore" onmouseout=mOut(this) href="http://complore.com/?q=node/add/flexinode-5&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/complore4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to del.icio.us" onmouseout=mOut(this) href="http://del.icio.us/post?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliciou4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to del.iri.ous!" onmouseout=mOut(this) href="http://de.lirio.us/bookmarks/sbmtool?action=add&amp;amp;address=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliriou4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to digg" onmouseout=mOut(this) href="http://digg.com/submit?phase=2&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/digg14.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to dotnetkicks" onmouseout=mOut(this) href="http://www.dotnetkicks.com/kick/?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/CropperCapture154.jpg"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to furl" onmouseout=mOut(this) href="http://www.furl.net/store?s=f&amp;amp;to=0&amp;amp;u=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;ti=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/furl4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to live" onmouseout=mOut(this) href="https://favorites.live.com/quickadd.aspx?marklet=1&amp;amp;mkt=en-us&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/live4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to magnolia!" onmouseout=mOut(this) href="http://ma.gnolia.com/bookmarklet/add?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/magnolia4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to netvouz!" onmouseout=mOut(this) href="http://netvouz.com/action/submitBookmark?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/netvouz4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to reddit!" onmouseout=mOut(this) href="http://reddit.com/submit?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/reddit4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to shadow" onmouseout=mOut(this) href="http://www.shadows.com/bookmark/saveLink.rails?page=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/shadows6.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to spurl" onmouseout=mOut(this) href="http://www.spurl.net/spurl.php?v=3&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/spurl8.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to technorati!" onmouseout=mOut(this) href="http://technorati.com/faves/?add=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/technora4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to wists" onmouseout=mOut(this) href="http://www.wists.com/?action=add&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/wists9.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to yahoo!" onmouseout=mOut(this) href="http://myweb.yahoo.com/myresults/bookmarklet?u=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;t=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/yahoo9.png"&gt;&lt;/A&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3240341" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/BlueHat+Security+Briefings/default.aspx">BlueHat Security Briefings</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Development+Lifecycle+_2800_SDL_2900_/default.aspx">Security Development Lifecycle (SDL)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Watering+Hole/default.aspx">Watering Hole</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Engineering/default.aspx">Security Engineering</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Tools/default.aspx">Security Tools</category></item><item><title>Capt I.M. Hardened OS-Microsoft</title><link>http://blogs.technet.com/ecostrat/archive/2009/05/08/capt-i-m-hardened-os-microsoft.aspx</link><pubDate>Fri, 08 May 2009 14:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3237835</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3237835.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3237835</wfw:commentRss><description>&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148863/original.aspx" /&gt; 
&lt;b&gt;Handle: &lt;/b&gt;&lt;br /&gt;Cap'n Steve&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Steve Adegbite&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Reverse Engineering an obscene amount of code and ripping it up on a snowboard&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Not much but if you hear me growl…run&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; &lt;/P&gt;
&lt;P&gt;Hey, Steve here. Just finally settling back in after traveling a bit, meeting up with different parts of the security ecosystem. It was good to get out and see firsthand events like CanSecWest, and most recently Black Hat Amsterdam where I met with security specialists in and around the EU. Now that I am back in the States, I have caught up on my reading. I came across this article about what the US Air Force did to ensure that every computer delivered to them was in a set and secure configuration. This is a great approach and, if you can do it, I highly recommend it because the alternative is to bolt on security at the end, and that is always costly and not fool-proof. &lt;/P&gt;
&lt;P&gt;There is, however, a part of the article that is unclear. The article talks about how Microsoft was pressured into releasing special Windows XP versions for only the Air Force and government agencies. This is just not true. 
&lt;P&gt;Anyone can build their own “locked down” versions of Windows XP. They are available to anyone and everyone, not just government agencies or the Air Force. The security guidelines used as the basis of these configurations are publicly available as part of the &lt;A href="http://technet.microsoft.com/en-us/library/cc677002.aspx" mce_href="http://technet.microsoft.com/en-us/library/cc677002.aspx"&gt;Security Compliance Management Toolkit Series&lt;/A&gt;. By the way, I recently reviewed the section about securing Windows XP. These guides have been offered for some time and they are pretty good. 
&lt;P&gt;Regular home consumers and system administrators of enterprise IT shops can use these guides to help increase protections for themselves and their environment as part of a defense-in-depth strategy. If enterprise IT shops use these guides as a baseline for providing preconfigured workstations to their customers, or if they later configure the workstations via scripts or Group Policy Objects (GPOs) to the secure baseline outlined in the guides, they would reduce a significant risk point to the enterprise by not introducing unsecured workstations to their secure environment. 
&lt;P&gt;A workstation can be adjusted or not adjusted depending on its use or need. This also helps with the task of configuration management as anything in the environment would be configured to an established, secure baseline that is current with security updates. Anything else is a deviation and should be segmented or investigated often to assess its security. 
&lt;P&gt;Another thought for enterprise IT shops is that they can use these publicly available guides to work with their procurement process, or directly with desktop hardware suppliers, to ensure that any workstation delivered or purchased comes preconfigured to this secure baseline. This saves time and worries for the IT staff because by following these guidelines, any machine joining a network is already in a semi-secure state. I say semi-secure because IT staff would still need to ensure that the workstation has all the latest and greatest updates from &lt;A href="http://www.windowsupdate.com/"&gt;Windows Update&lt;/A&gt;, or a corporate managed update provisioning server like WSUS. 
&lt;P&gt;By following these hardening guidelines, some of the security basics will be taken care of, like enforcing complex passwords by the operating system. This saves time and effort when trying to secure one's own systems. Every little bit does help. 
&lt;P&gt;As I said earlier, these security configuration guides are public and located here: &lt;A href="http://technet.microsoft.com/en-us/library/cc677002.aspx" mce_href="http://technet.microsoft.com/en-us/library/cc677002.aspx"&gt;Security Compliance Management Toolkit Series&lt;/A&gt;. We would love to hear feedback on the guides. You can contact the team that created them directly at &lt;A href="mailto:secwish@microsoft.com" mce_href="mailto:secwish@microsoft.com"&gt;secwish@microsoft.com&lt;/A&gt;. 
&lt;P&gt;'Till next time, 
&lt;P&gt;Steve&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3237835" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC+Ecosystem+Strategy/default.aspx">MSRC Ecosystem Strategy</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Defense-in-depth/default.aspx">Defense-in-depth</category></item><item><title>SOURCE, Not Your Usual Boston Tea Party</title><link>http://blogs.technet.com/ecostrat/archive/2009/03/23/source-not-your-usual-boston-tea-party.aspx</link><pubDate>Mon, 23 Mar 2009 14:02:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3217048</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3217048.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3217048</wfw:commentRss><description>&lt;P&gt;I recently returned from the second iteration of the &lt;A href="http://www.sourceconference.com/" mce_href="http://www.sourceconference.com/"&gt;SOURCE Boston&lt;/A&gt; computer security conference, and I must say, it was both an intimate conference of less than 250 folks and a high-caliber gathering. As with other conferences that the Microsoft Security Response Center (MSRC) co-sponsors, we see these forums as opportunities that highlight relevant research and showcase how individual strategies can intersect to offer substantial benefits and positive-sum outcomes. 
&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148860/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;C-Lizzle&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Celene Temkin&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;BlueHat Project Manager&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Culinary warfare, BlueHat hackers and responsible disclosure&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Acts of hubris, MySpace, orange mocha Frappaccinos!&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; 
&lt;P&gt;For those of you not familiar with SOURCE, the conference combines business technology and application security tracks over three jam-packed days of presentations from experts in the field. This was the first time that a &lt;I&gt;Security Start-Up Showcase &lt;/I&gt;(for all of you VCs/Start up folks out there not taking this economy to heart ;), &lt;I&gt;Discussion Groups&lt;/I&gt;, and a &lt;I&gt;Product Education Track&lt;/I&gt; were added to the already buff line-up. The attendee makeup was approximately 35 percent Security Professionals, 30 percent Executives (Chief Officers), 10 percent Independent Security Researchers, 10 percent Administrators, 10 percent Press, and the remainder were Students/Other.&lt;/P&gt;
&lt;DIV class=wlWriterSmartContent id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:4b603d9c-0004-4b83-ba08-25ca3e95aee2 style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; FLOAT: left; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px"&gt;&lt;A title="Registration thata way!" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/SOURCENotYourUsualBostonTeaParty_9A68/Registration%20thata%20way!-8x6.JPG" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/SOURCENotYourUsualBostonTeaParty_9A68/Registration%20thata%20way!-8x6.JPG"&gt;&lt;IMG height=361 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/SOURCENotYourUsualBostonTeaParty_9A68/Registration%20thata%20way!_5.png" width=266 border=0 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/SOURCENotYourUsualBostonTeaParty_9A68/Registration%20thata%20way!_5.png"&gt;&lt;/A&gt;&lt;/DIV&gt;
&lt;P&gt;Although there were more talks that sparked my interest than I was able to attend, I did attend some very insightful tracks. One such talk that appealed to me was a panel called &lt;I&gt;&lt;A href="http://www.sourceconference.com/index.php/source-boston-2009/boston-2009-sessions" mce_href="http://www.sourceconference.com/index.php/source-boston-2009/boston-2009-sessions"&gt;The Partial Disclosure Dilemma&lt;/A&gt; &lt;/I&gt;hosted by Ryan Naraine with SMEs like Dan Kaminsky, Ivan Arce, Katie Moussouris, Dino Dai Zovi, and Alexander Sotirov. For a deeper dive on this subject from the only vendor on the panel, check out &lt;A class="" title="Partial Disclosure: Was It A Cat I Saw?" href="http://blogs.msdn.com/katie_moussouris/archive/2009/03/23/partial-disclosure-was-it-a-cat-i-saw.aspx" mce_href="http://blogs.msdn.com/katie_moussouris/archive/2009/03/23/partial-disclosure-was-it-a-cat-i-saw.aspx "&gt;Katie’s blog&lt;/A&gt; and hear her stress how, "We need more collaboration between those who say the sky is falling, and those upon whom the sky will fall." Throughout this two-hour showdown it was apparent that sometimes finding a vulnerability and creating an update is only part of the picture. Often, there has to be a coordinated fix with other vendors &lt;I&gt;and&lt;/I&gt; the solution has to then be deployed to protect critical infrastructure. While folks could agree to disagree on the bulk of disputed points, for the most part everyone believed that the industry has got to move forward trusting each other with a more productive and transparent process, whether it be through more peer review among researchers or other communicative and joint mediums. I got a moment of pleasure hearing David Mortman speak out from the audience to say, "I apply MS Patches right away because I know they are going to work and not break anything." W00t! &lt;/P&gt;
&lt;DIV class=wlWriterSmartContent id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:afd05cc5-f7ef-4c5d-bb35-36a15f3a7a7d style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; FLOAT: right; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px"&gt;&lt;A title="Partial Disclosure Panel" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/SOURCENotYourUsualBostonTeaParty_9A68/partial%20disclosure%20panel-8x6.jpg" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/SOURCENotYourUsualBostonTeaParty_9A68/partial%20disclosure%20panel-8x6.jpg"&gt;&lt;IMG height=272 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/SOURCENotYourUsualBostonTeaParty_9A68/partial%20disclosure%20panel_5.png" width=335 border=0 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/SOURCENotYourUsualBostonTeaParty_9A68/partial%20disclosure%20panel_5.png"&gt;&lt;/A&gt;&lt;/DIV&gt;
&lt;P&gt;An earlier talk on &lt;I&gt;&lt;A href="http://www.sourceconference.com/index.php/source-boston-2009/boston-2009-sessions" mce_href="http://www.sourceconference.com/index.php/source-boston-2009/boston-2009-sessions"&gt;How Microsoft Fixes Security Vulnerabilities: Everything you wanted to know about the MSRC Security Update Engineering Process&lt;/A&gt;&lt;/I&gt; painted a clear picture of the different ways we find variants and work on mitigations and workarounds as part of the Microsoft response process. This talk answered the fascinating question of, "How come some of your in-band updates take a long time, but sometimes you can produce an out-of-band update in a matter of days?" Dave Midturi, Jonathan Ness, and Mark Wodrich dove into some great case studies that showcased in-band updates versus out-of-band updates to answer that ever-popular question. For those of you that missed it, I strongly suggest checking it out in the next couple of weeks, once it is available on the con site, so you can see first-hand what goes into a Microsoft Security Update, and how some 200,000 non-spam e-mails that come in to &lt;A href="mailto:secure@microsoft.com" mce_href="mailto:secure@microsoft.com"&gt;secure@microsoft.com&lt;/A&gt; per year result in approximately 70 bulletins. 
&lt;P&gt;All in all, there was a broad range of topics covered that left me simultaneously scared, inspired and contemplative, and I think that sums up exactly what I’m looking for in a security con. And as an added bonus, the con was hosted harbor side in Beantown, not far from Mike’s Pastry cannoli and some good old-fashioned American history; tea anyone? 
&lt;P&gt;-Celene Temkin 
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3217048" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category></item><item><title>CanSecWest: Caution, Community at Play</title><link>http://blogs.technet.com/ecostrat/archive/2009/03/18/cansecwest-caution-community-at-play.aspx</link><pubDate>Wed, 18 Mar 2009 15:20:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3214808</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>5</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3214808.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3214808</wfw:commentRss><description>&lt;P&gt;&lt;A href="http://cansecwest.com/" mce_href="http://cansecwest.com/"&gt;CanSecWest&lt;/A&gt;, in beautiful Vancouver BC, is one of my favorite conferences each year. It’s a cozy little security con that brings together security researchers from all parts of the security ecosystem.&amp;nbsp; Like a &lt;A href="http://ph-neutral.darklab.org/" mce_href="http://ph-neutral.darklab.org/"&gt;PhNeutral&lt;/A&gt; or a &lt;A href="http://technet.microsoft.com/en-us/security/cc261637.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc261637.aspx"&gt;BlueHat&lt;/A&gt;, one never quite knows what to expect out of a CanSecWest, but we do know that Microsoft products and engineers will play a prominent role. 
We’ll be presenting new security innovations and new tools, we’ll be watching Pwn2Own closely for possible hacks, and we’ll be happy to discuss our industry best practices in the hallway track.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3147552/original.aspx" /&gt; 
&lt;b&gt;&lt;br/&gt;Handle:&lt;/b&gt;&lt;br /&gt;Security Blanki&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Sarah Blankinship&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Strategist Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Vuln wrangling, teams of rivals, global climate change - the hotter the better&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Slack jawed gawkers (girls are geeks too!), customers @ risk, egos&lt;br /&gt;&lt;br/&gt;&lt;/div&gt;&lt;/P&gt;
&lt;P&gt;&lt;BR&gt;Security gatherings such as this allow the ecosystem to exchange information and awareness in order to become more secure. The more we know about the attacks, the better prepared we can be on defense. Presentations like Matt Miller’s “The Evolution of Microsoft's Exploit Mitigations” and Jason Shirk and Dave Weinstein’s “Automated Real-time and Post Mortem Security Crash Analysis and Categorization” demonstrate that as Microsoft learns more about an attack, we incorporate this information into techniques and tools that we share with our developer community. Stay tuned for more news and posts throughout the show. &lt;/P&gt;
&lt;P&gt;&lt;BR&gt;Again this year, CanSecWest features the Pwn2Own contest – a contest that pits researchers against technologies to see whether technology or human wins. It’s also a contest that presents interesting challenges to Microsoft and a contest which you might think Microsoft opposes. Like many other issues in the security ecosystem – it’s not that simple. The contest exemplifies two basic tenets behind the TwC Security teams’ efforts. You can’t hide from the truth (&lt;I&gt;wishing doesn’t make it so&lt;/I&gt;) and every issue is an opportunity to learn and improve. &lt;/P&gt;
&lt;P&gt;We recognize that all vendors’ products may be found vulnerable and Microsoft welcomes the contest as another opportunity to engage the security community in productive dialogue around responsible disclosure and effective security engineering. We also see that Pwn2Own provides an opportunity to educate the public and we believe it can showcase Microsoft’s security engineering efforts, both relative to our competitors and in an absolute sense. 
&lt;P&gt;The security community is offering knowledge of attacks and defenses that consumers and other vendors can use to stay safe or create more secure products. The rest of the story – and an additional measure the security community could use to evaluate vendors’ products – is what happens after the contest ends. Rest assured Microsoft will take this information and apply it towards securing our networks, platforms and applications (hopefully before they ship), and to create the strong response process and engineering discipline that are necessary for our communal security. And as always, the MSRC is ready to work to investigate any vulnerabilities that researchers might find during the Pwn2Own contest. 
&lt;P&gt;By the end of the contest, co-sponsor Tipping Point will be the owners of many new vulnerabilities. They value the protection of their customers and will need to work with their partners in the security ecosystem to make sure everybody is protected as quickly as possible (one more way consumers benefit).&amp;nbsp; One of the goals of responsible disclosure is for the vulnerability details to emerge at the same time that an update is available from the vulnerable vendor. The CanSecWest conference organizer also has a responsible disclosure policy, as do all of the conference organizers that the EcoStrat team is able to support worldwide each year.&lt;/P&gt;
&lt;P&gt;&lt;BR&gt;Although innovative contests put some of us in a place that is not always comfortable, it’s valuable for the ecosystem to come together with contests like Pwn2Own and Iron Chef Black Hat, to better understand and solve common issues.&amp;nbsp;&amp;nbsp; It’s yet another example of the “team of rivals” strategy.&amp;nbsp; Let the contest begin!&lt;/P&gt;
&lt;P&gt;-Sarah&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3214808" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/BlueHat+Security+Briefings/default.aspx">BlueHat Security Briefings</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/CanSecWest/default.aspx">CanSecWest</category></item><item><title>Chills and Thrills at FIRST</title><link>http://blogs.technet.com/ecostrat/archive/2009/02/11/chills-and-thrills-at-first.aspx</link><pubDate>Wed, 11 Feb 2009 09:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3200928</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3200928.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3200928</wfw:commentRss><description>
&lt;p&gt;&lt;b&gt;Sveika!&lt;/b&gt; Hey Steve here, been a while since I posted on the EcoStrat blog. With all the security events that happened during the latter half of 2008, I have been very focused on working with the security update releases and Microsoft Active Protections Program (&lt;a href="http://www.microsoft.com/security/msrc/mapp/overview.mspx" mce_href="http://www.microsoft.com/security/msrc/mapp/overview.mspx"&gt;MAPP&lt;/a&gt;).&lt;/p&gt;

&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148863/original.aspx" /&gt; 
&lt;b&gt;Handle: &lt;/b&gt;&lt;br /&gt;Cap'n Steve&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Steve Adegbite&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Reverse Engineering an obscene amount of code and ripping it up on a snowboard&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Not much but if you hear me growl…run&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;

&lt;div class="wlWriterEditableSmartContent" id="scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:7e715ec7-60a2-42ad-b737-ceb0bb878c9c" style="margin: 0px; padding: 0px; display: inline; float: right;"&gt;&lt;a href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga-8x6.jpg" title="Night sky near Riga's Central Station" rel="thumbnail" mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga-8x6.jpg"&gt;&lt;img src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga_8.png" mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga_8.png" border="0" height="281" width="420"&gt;&lt;/a&gt;&lt;/div&gt;

&lt;p&gt;You are probably wondering what an EcoStrat guy has to do with security updates and other technical deliverables. Well, I want to take a moment to explain why this makes sense. Before taking on the role of working with the monthly security release team and the MAPP program team, I primarily worked with the partner outreach team, managing ecosystem changes through industry partnerships. The partner outreach team’s goals/focus, within the scope of the EcoStrat team, is to work with industry to establish partnerships and initiatives to protect consumers. One of the most visible results is the MAPP initiative. This is a program that works with the security industry ecosystem to create an effective conduit for inbound and outbound information flow.&lt;/p&gt;

&lt;p&gt;This was a large effort to affect ecosystem change externally, but what about internally? Microsoft is a large company that has an interesting culture and ecosystem of its own with developers, technology evangelists, security engineers, program managers, marketers, etc...&lt;/p&gt;

&lt;p&gt;It became very clear that external ecosystem changes weren’t going to be enough without an effort focused on internal ecosystem changes as well. We needed a number of ways to effectively drive internal change with information we were getting from the external ecosystem while still following one of our core tenets to focus primarily on efforts that protect customers. One way we can do that is by releasing monthly security updates. Within the Microsoft Security Response Center (MSRC), we have an exceptional security release team that manages this large and complex effort. The team’s main focus is to make sure quality security updates are delivered to customers in a consistent manner. We noticed that a way to accomplish this was to become what we call “change agents.” Change agents influence change on a large scale most of the time without the formal authority to do so. This made sense as the release team manages the monthly release via a process that doesn’t have them building/owning any binary packages for release. They effectively were driving ecosystem changes just internally. So it made sense to have someone bridge both the internal and external sides of ecosystem change efforts. &lt;/p&gt;

&lt;p&gt;So I’m grateful, and excited, to be in a position to work on both sides of the coin to effect change.&amp;nbsp; And, I get to work with folks currently managing MAPP and the security release every month to help make these changes possible. Their good work also makes it possible for me to leave Redmond and engage directly with the community in crucial industry events. Just recently, I had the chance to jump back into my partner outreach role within the EcoStrat team and had the chance to travel.&lt;/p&gt;

&lt;p&gt;I am starting to really understand the need to be multicultural in the job we do here on the EcoStrat team. Many times it’s the cultural differences that sometimes make or break the security messages we are trying to get across. This is one reason why this team travels a lot to target every place that Microsoft technologies are prevalent. It’s also the number one reason why I pick myself up and out of the day-to-day operations to understand these differences. &lt;/p&gt;

&lt;p&gt;Last month, I got to put back on my &lt;a href="http://www.first.org/" mce_href="http://www.first.org/"&gt;FIRST&lt;/a&gt; Steering committee hat, and I traveled to the beautiful but cold city of Riga, Latvia. The FIRST Steering Committee has four meetings a year to get work done for its members. We usually use the technical colloquiums (TC) as good times to get together and partake in the great “watering hole” activities described in Andrew Cushman’s last &lt;a href="http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx" mce_href="http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx"&gt;blog&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The TC is organized by a local host. The local host for this one was Trans-European Research and Education Network Association (&lt;a href="http://www.terena.org/" mce_href="http://www.terena.org/"&gt;TERENA&lt;/a&gt;) computer security incident response team (TF-CSIRT). TERENA is an organization that focuses on offering a forum to collaborate, innovate and share knowledge in order to foster the development of internet technology, infrastructure and services for the research and education communities. They present and train at the TC server to educate security teams, highlighting new techniques to deal with relevant computer security issues. Usually I get to just sit back and enjoy the presentations but this time was a little different. The majority of the presentations were centered on the latest Conficker worm. Not familiar to you? Well, cruise on down to the following Microsoft &lt;a href="http://technet.microsoft.com/en-us/security/dd452420.aspx" mce_href="http://technet.microsoft.com/en-us/security/dd452420.aspx"&gt;Conficker page&lt;/a&gt; and relevant posts on the &lt;a href="http://blogs.technet.com/msrc/archive/2009/02/06/new-information-pages-on-conficker.aspx" mce_href="http://blogs.technet.com/msrc/archive/2009/02/06/new-information-pages-on-conficker.aspx"&gt;MSRC&lt;/a&gt; and &lt;a href="http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx" mce_href="http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx"&gt;MMPC&lt;/a&gt; blogs. &lt;/p&gt;

&lt;p&gt;Being the lone Microsoft guy and a member of the Steering Committee was very interesting to say the least. After this conference, I personally know almost every European CERT or CSIRT contact after fielding some good and frank questions about Conficker. &lt;/p&gt;

&lt;p&gt;Like I said, I spent most of the day fielding questions about Conficker and Microsoft’s actions to help security teams in their effort to protect consumers from this threat. Microsoft has a robust process when it comes to our response to issues so I was well prepared with information that went above and beyond the out-of-band security update that was released for this issue back in October (&lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx" mce_href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx"&gt;MS08-067&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;Although the frank questioning felt like on-the-spot cavity cleaning, I was extremely happy to have the chance to clear up some of the myths and give some actionable information to these important security stakeholders. It also allowed me to understand information that the MSRC usually doesn’t get a chance to receive first hand. Also, having a response guy from Microsoft at FIRST allowed the security teams to understand that we are taking the problem seriously. One internal ecosystem change that was supported came about from feedback from this trip. One clear feedback item was to make sure that we had a single authoritative source/place for Microsoft efforts on Conficker. This information added more key data points to indicate that the teams in Microsoft managing the Conficker efforts were doing the right thing in moving forward with creating a single place for outlining Conficker resources. This is just one example of using external information to aid in driving change to help the greater ecosystem at large.&lt;/p&gt;
&lt;div class="wlWriterEditableSmartContent" id="scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:460e5e62-e22e-4680-a6ba-4c42b4fcfef7" style="margin: 0px; padding: 0px; display: inline; float: left;"&gt;&lt;a href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve-8x6.jpg" title="Dinner fun wiht FIRST SC members Yurie Ito (lower right) and Pete Allor (middle)" rel="thumbnail" mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve-8x6.jpg"&gt;&lt;img src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve_6.png" mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve_6.png" border="0" height="325" width="335"&gt;&lt;/a&gt;&lt;/div&gt;
&lt;p&gt;My Trip wasn’t all fun &lt;span style="font-size: 11pt; font-family: Wingdings;"&gt;&lt;span style=""&gt;J&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt; font-family: 'Calibri','sans-serif';"&gt; &lt;/span&gt;&lt;u&gt;&lt;/u&gt;&lt;/p&gt;

&lt;p&gt;There were the 3 ½ days’ worth of Steering Committee (SC) meetings to decide various organizational things. One major topic was the 2009 Annual FIRST &lt;a href="http://conference.first.org/" mce_href="http://conference.first.org/"&gt;conference&lt;/a&gt; (AGM) in Kyoto, Japan. The AGM gives us the opportunity to meet and share presentations on a number of security topics. The logistics of putting on a large conference are mind boggling in my opinion. I am glad to say, I will enjoy watching our own Andrew Cushman figure out some of these issues firsthand as he was named the 2010 Program chair for the 2010 Annual FIRST conference.&lt;/p&gt;

&lt;p&gt;I love the fact that Microsoft makes a point to work with the security community at large and truly values community-based defense. Our consistency and trusted relationships make it much easier to have the conversations at the proverbial “watering holes” to get messages across to the security ecosystem that we do care and take the job of securing customers at all levels as our main priority.&lt;/p&gt;

&lt;p&gt;Now that I am settling back into a groove, I look forward to heading out and doing more in my EcoStrat role. Stay tuned for more from me as I travel to&lt;a href="http://cansecwest.com/" mce_href="http://cansecwest.com/"&gt; CanSecWest&lt;/a&gt; and &lt;a href="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html" mce_href="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html"&gt;Black Hat Europe&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Later...&lt;/p&gt;

&lt;p&gt;Steve “Capt Steve” Adegbite&lt;span class="sbmLink"&gt;&lt;/span&gt;&lt;/p&gt;


&lt;p&gt;*Posting is provided "AS IS" with no warranties, and confers no rights.*&lt;/p&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3200928" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-based+Defense/default.aspx">Community-based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program+_2800_MAPP_2900_/default.aspx">Microsoft Active Protections Program (MAPP)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MS08-067/default.aspx">MS08-067</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Advisory/default.aspx">Security Advisory</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MMPC/default.aspx">MMPC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Conficker/default.aspx">Conficker</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/CanSecWest/default.aspx">CanSecWest</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/FIRST/default.aspx">FIRST</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Watering+Hole/default.aspx">Watering Hole</category></item><item><title>New Year, New Security Foo</title><link>http://blogs.technet.com/ecostrat/archive/2009/01/23/new-year-new-security-foo.aspx</link><pubDate>Fri, 23 Jan 2009 12:04:00 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3190846</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3190846.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3190846</wfw:commentRss><description>&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3147552/original.aspx" /&gt; 
&lt;b&gt;&lt;br/&gt;Handle:&lt;/b&gt;&lt;br /&gt;Security Blanki&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Sarah Blankinship&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Strategist Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Vuln wrangling, teams of rivals, global climate change - the hotter the better&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Slack jawed gawkers (girls are geeks too!), customers @ risk, egos&lt;br /&gt;&lt;br/&gt;&lt;/div&gt; &lt;/P&gt;
&lt;P&gt;As we head into this new year, &lt;A href="http://www.eweek.com/c/a/Security/Security-In-2009/" mce_href="http://www.eweek.com/c/a/Security/Security-In-2009/"&gt;predictions&lt;/A&gt; abound in the security ecosystem for &lt;A href="http://www.csoonline.com/article/472866/Top_Network_Security_Threats_in_" mce_href="http://www.csoonline.com/article/472866/Top_Network_Security_Threats_in_"&gt;2009&lt;/A&gt;. The security industry talking heads all have opinions; there is no shortage of issues to be concerned about: more malware, more targeted attacks, better phishers and more vulnerabilities in all software and hardware. The responsibility of trying to secure the planet (together) feels so massive when every region, every country, every platform, every browser has different issues. &lt;/P&gt;
&lt;P&gt;I'll end this blog post with my own prediction, but first some catching up on some of what's happened since my last post.&lt;/P&gt;
&lt;P&gt;At the close of 2008, I got to see some of our good friends and friendly rivals at the &lt;A href="http://www.cpni.gov.uk/Products/information.aspx" mce_href="http://www.cpni.gov.uk/Products/information.aspx"&gt;Vendor Security Information Exchange&lt;/A&gt; briefings in the UK. Thanks to the good folks there for including my presentation with CSS Shanghai colleague, &lt;A href="http://blogs.technet.com/danielwa" mce_href="http://blogs.technet.com/danielwa"&gt;Daniel Wang&lt;/A&gt;, on the realities of the Chinese security threat landscape. As with the rest of the world, China is experiencing a rise in malware and attacks from inside and outside the firewall.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/NewYearNewSecurityFoo_4AD6/photo%20(3)-8x6.jpg" mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/NewYearNewSecurityFoo_4AD6/photo%20(3)-8x6.jpg"&gt;&lt;IMG height=378 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/NewYearNewSecurityFoo_4AD6/photo%20(3)_4.png" width=266 align=left border=0 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/NewYearNewSecurityFoo_4AD6/photo%20(3)_4.png"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;From the UK we traveled to China for the &lt;A href="http://xcon.xfocus.org/" mce_href="http://xcon.xfocus.org/"&gt;XCon Security Conference&lt;/A&gt; in Beijing. We were delighted by the talent and the hospitality as we discovered new sights and new foods. We even explored back rooms of a hot pot restaurant with friends and colleagues in Beijing. Bravo for a great security confabulation in China. Many thanks for inviting Microsoft to participate with a Windows 7 security overview by Chris Peterson, director of security assurance, Microsoft Trustworthy Computing (TwC). &lt;/P&gt;
&lt;P&gt;I arrived back in Redmond just about the time there was a vulnerability discovery from some of our friends in China. This resulted in releasing out-of-band security update &lt;A href="http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx" mce_href="http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx"&gt;MS08-078&lt;/A&gt;. Mike Howard has a &lt;A href="http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspx" mce_href="http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspx"&gt;great write-up&lt;/A&gt; on his blog that goes into fantastic detail about why this vulnerability was so tricky and is another reminder that multiple defenses are critical. As with all security updates, MS08-078 is a free download with no check for Windows Genuine Advantage. As much as we like to release our updates on a predictable cycle, we like to keep our customers and partners protected from publicly known vulnerabilities even more.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/protect/computer/updates/bulletins/200901.mspx" mce_href="http://www.microsoft.com/protect/computer/updates/bulletins/200901.mspx"&gt;Please take the time to install this update.&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;And now back to my own prediction. For 2009, it's not gloom and doom. I predict that in 2009, the security community will pull together like never before. &lt;/P&gt;
&lt;P&gt;While we know that vulnerability counts are increasing and malicious actors aren’t going anywhere – we also know that we have trust and community in our security ecosystem. With this foundation and awareness, we can work together, as a community of defenders, to limit our exposure and come together to discuss our alternatives. Small first steps include decreasing overall risk by deploying security updates in a timely manner, providing awareness and defense-in-depth mitigation measures, combined with meaningful technical information exchanges. &lt;/P&gt;
&lt;P&gt;As the threats increase across the board, now more than ever, the Microsoft EcoStrat team is working to build and leverage our coalition of defenders. Microsoft has proven time and time again the economic theory that it costs less to get it right the first time than to fix it later. In the &lt;A href="http://www.microsoft.com/security/msrc/default.mspx" mce_href="http://www.microsoft.com/security/msrc/default.mspx"&gt;MSRC&lt;/A&gt;, we see the cost to teams and the company when we have to ship a fix to hundreds of millions of users. We want to help others learn from our experiences. &lt;/P&gt;
&lt;P&gt;Together, researchers, protection providers and governments are realizing that we are safer because we collectively know more, we talk more and trust more. We are participating in multi-vendor solutions, collective initiatives to unite and educate our security communities while actively listening to our partners in the ecosystem. &lt;/P&gt;
&lt;P&gt;Here’s to a great 2009 and striving together to predict, to prevent, to protect.&lt;/P&gt;
&lt;P&gt;Sarah&lt;/P&gt;
&lt;P&gt;Release notes: &lt;/P&gt;
&lt;P&gt;Have you seen the BlueHat SDL content up on TechNet? Dennis Fisher, from &lt;A href="http://security.blogs.techtarget.com/2008/12/04/inside-the-microsoft-sdl-and-threat-modeling-process/" mce_href="http://security.blogs.techtarget.com/2008/12/04/inside-the-microsoft-sdl-and-threat-modeling-process/"&gt;TechTarget&lt;/A&gt;, says to “Think of it as the technical equivalent of those free online courses from MIT.”&lt;/P&gt;
&lt;P&gt;Reality Check! More SDL goodness – Our own Steve Lipner was interviewed on Gary McGraw’s “&lt;A href="http://www.cigital.com/realitycheck/show-001/" mce_href="http://www.cigital.com/realitycheck/show-001/"&gt;Reality Check Security Podcast Series&lt;/A&gt;”&lt;/P&gt;
&lt;P&gt;Upcoming – look for more ‘stories from the front lines’ from our TwC brothers and sisters who also travel to security conferences in the name of TwC Security. &lt;/P&gt;
&lt;P&gt;Upcoming – Tool Release! Stay tuned for more information from &lt;A href="http://www.cansecwest.com/" mce_href="http://www.cansecwest.com/"&gt;CanSecWest Vancouver 2009&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3190846" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category></item><item><title>Observations from the EcoStrat-isphere</title><link>http://blogs.technet.com/ecostrat/archive/2008/10/30/observations-from-the-ecostrat-isphere.aspx</link><pubDate>Thu, 30 Oct 2008 13:24:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3144822</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3144822.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3144822</wfw:commentRss><description>&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3147552/original.aspx" /&gt; 
&lt;b&gt;&lt;br/&gt;Handle:&lt;/b&gt;&lt;br /&gt;Security Blanki&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Sarah Blankinship&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Strategist Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Vuln wrangling, teams of rivals, global climate change - the hotter the better&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Slack jawed gawkers (girls are geeks too!), customers @ risk, egos&lt;br /&gt;&lt;br/&gt;&lt;/div&gt; 
&lt;P&gt;As part of the quest to help "secure the planet", our team travels over this planet a lot, and I wanted to highlight a few of the interesting security gatherings I've been to lately. 
&lt;P&gt;September brought sunshine and the &lt;A href="http://infosecuritywomen.com/" mce_href="http://infosecuritywomen.com/"&gt;&lt;FONT color=#517380&gt;Executive Women’s Forum&lt;/FONT&gt;&lt;/A&gt; (EWF). An all-women’s security event was completely refreshing and a great contrast to the usual technology scene. In addition to the great technical content, it’s always a treat to discourse with others who see computer science as a social science. Mary Ann Davidson’s &lt;A href="http://blogs.oracle.com/maryanndavidson/2008/07/synthesis_1.html" mce_href="http://blogs.oracle.com/maryanndavidson/2008/07/synthesis_1.html"&gt;&lt;FONT color=#517380&gt;blog post about synthesis&lt;/FONT&gt;&lt;/A&gt; had some great insights: 
&lt;P&gt;&lt;I&gt;One of the things I have been doing some thinking and speaking about is the idea of synthesis. More specifically, the lessons we can learn in IT security from other disciplines, such as business, economics, history (especially military history and strategy) and biology.&lt;/I&gt; 
&lt;P&gt;Hey, those are social sciences (except for biology, although its neighbor epidemiology counts). She also mentions strategy, which is a subject close to my heart. :-) 
&lt;P&gt;Additionally, I had a chance to break bread with former colleagues and friends from around the planet. I got to hear from women starting their own companies or in amazing roles at their organizations -- women whom I would want as mentors, colleagues and partners. It was also eye-opening in terms of the old school/new school debate among women decision makers, the parallels we see in the male-dominated environments, centered around the question of whether it's possible to solve security ecosystem problems through regulation. The security ecosystem is like the weather – you can’t predict or control it – but you want to be prepared for it. EWF presents an opportunity to continue educating and networking with this community about the risk environment and how to mitigate threats, concurrent to ongoing policy, privacy and regulation initiatives. 
&lt;P&gt;One of my personal goals is to (paraphrasing a line on a favorite greeting card) "build bridges and help people get over them." One of those goals was realized when, in October, the Microsoft Security Response Center (MSRC) and friends went down to the Southern hemisphere for some mmmm &lt;A href="http://ba-con.com.ar/" mce_href="http://ba-con.com.ar/"&gt;&lt;FONT color=#517380&gt;BA-Con&lt;/FONT&gt;&lt;/A&gt;. Even better than bacon was the gathering of some mavericks, if you will, including Argentinean security superstars and underground up-and-comers. The conference was the culmination of years of conversations and grassroots community partnerships between traditional "rivals": &lt;A href="http://www.coresecurity.com/" mce_href="http://www.coresecurity.com/"&gt;&lt;FONT color=#517380&gt;Core Security&lt;/FONT&gt;&lt;/A&gt;, well-known in the attack tool community, in alignment with our team and other protection providers. 
&lt;P&gt;An interesting trend we’ve noted: alongside traditional security conferences, we are starting to see the development of "micro-communities" thriving around the world with different parts of the security ecosystem overlapping. Just as &lt;A href="http://www.blackhat.com/" mce_href="http://www.blackhat.com/"&gt;&lt;FONT color=#517380&gt;Black Hat&lt;/FONT&gt;&lt;/A&gt; has its &lt;A href="https://www.defcon.org/" mce_href="https://www.defcon.org/"&gt;&lt;FONT color=#517380&gt;Defcon&lt;/FONT&gt;&lt;/A&gt;, the security conferences worldwide are realizing the value of leveraging different and respected security communities. BA-Con has &lt;A href="http://www.ekoparty.com.ar/" mce_href="http://www.ekoparty.com.ar/"&gt;&lt;FONT color=#517380&gt;ekoparty Security Conference&lt;/FONT&gt;&lt;/A&gt; and &lt;A href="http://www.xcon.xfocus.org/" mce_href="http://www.xcon.xfocus.org/"&gt;&lt;FONT color=#517380&gt;Xcon&lt;/FONT&gt;&lt;/A&gt; has &lt;A href="http://www.xkungfoo.org/" mce_href="http://www.xkungfoo.org/"&gt;&lt;FONT color=#517380&gt;XKungfoo&lt;/FONT&gt;&lt;/A&gt;, both great examples of diverse communities collaborating. Mary Ann’s post talks about the risks of a lack of "biological diversity". By contrast, the collaboration between these communities provides illustrations of diversity from a social science perspective: language, organizational affiliation, age. 
&lt;P&gt;Each year, we also have the pleasure of *&lt;B&gt;not&lt;/B&gt;* traveling, and welcome members of the security community here to the Microsoft Corporate Campus for &lt;A href="http://technet.microsoft.com/en-us/security/cc261637.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc261637.aspx"&gt;&lt;FONT color=#517380&gt;BlueHat&lt;/FONT&gt;&lt;/A&gt;. Ask the BlueHat network of past speakers or catch some &lt;A href="http://blogs.technet.com/bluehat" mce_href="http://blogs.technet.com/bluehat"&gt;&lt;FONT color=#517380&gt;great blog posts recently&lt;/FONT&gt;&lt;/A&gt;: one of the most interesting watering holes in software security is @BlueHat. Thanks to all who have helped us grow from a friendly little hacker con to a platform to educate the broader security community with the BlueHat: SDL Sessions, to give back to the developer population by releasing developer tools, and for building more relationships toward community-based defense. 
&lt;P&gt;A lot of people are surprised that we don't make a bigger deal out of BlueHat by inviting the press in. Even though BlueHat is a great story, that's not primarily how we see it. It is a network, a voice for the community, a platform to launch people, research and ideas. The interactions are different, somehow more open and sincere when folks don’t have a press audience or "preconditions". The good stuff and paradigm shifts that come out of BlueHat in the form of new awareness, collaborations and security innovations, will pay off for years to come. We aren’t willing to risk the platform for a press story. 
&lt;P&gt;There is a lot of excitement that we are making the BlueHat: SDL Sessions &lt;B&gt;public&lt;/B&gt;! That's right; you don’t have to come to BlueHat to watch a great day of security content! Thanks for the feedback and stay tuned for BlueHat: SDL Sessions releasing on TechNet; we’re working on getting them up as soon as we can. And the rumors are true: TwC will release a tool to the public within the fiscal year. 
&lt;P&gt;As a part of the MSRC, a big part of our team life these days has been releasing &lt;A href="http://go.microsoft.com/fwlink/?LinkId=130719" mce_href="http://go.microsoft.com/fwlink/?LinkId=130719"&gt;&lt;FONT color=#517380&gt;MS08-067&lt;/FONT&gt;&lt;/A&gt;* out-of-band. With the update, we are all more secure. That means that many of your security colleagues worked 24 by 7 to get this out to you as quickly as possible. 
&lt;P&gt;Throughout my travels, a common theme in these experiences is the opportunities for shared goals and cooperation from organizations and people usually seen on different sides: security researchers and software engineers, Macs and PCs, browser developers and browser hackers, vendors and competing vendors from the infrastructure to the cloud. BlueHat has demonstrated that well-chosen strategies, while easy to overlook, offer substantial benefits and positive outcomes. It is a great example of "reaching across the aisle" to create those multivendor solutions. 
&lt;P&gt;Next: around the world in 14 days. Really! 
&lt;P&gt;Sarah 
&lt;P&gt;Security EcoStrategist 
&lt;P&gt;* As with all security updates, MS08-067 is a free download with no check for Windows Genuine Advantage. For details and a link to the software for your operating system, click here to go to the &lt;A href="http://go.microsoft.com/fwlink/?LinkId=130719" mce_href="http://go.microsoft.com/fwlink/?LinkId=130719"&gt;&lt;FONT color=#517380&gt;Microsoft TechNet Security page&lt;/FONT&gt;&lt;/A&gt;. 
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3144822" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/BlueHat+Security+Briefings/default.aspx">BlueHat Security Briefings</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Development+Lifecycle+_2800_SDL_2900_/default.aspx">Security Development Lifecycle (SDL)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category></item><item><title>Leaving Las Vegas: A Black Hat Salute</title><link>http://blogs.technet.com/ecostrat/archive/2008/08/08/leaving-las-vegas-a-black-hat-salute.aspx</link><pubDate>Fri, 08 Aug 2008 12:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3102686</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3102686.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3102686</wfw:commentRss><description>&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148859/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;The Crushman&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Andrew Cushman&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Security Director&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Cranberry juice (thanks Jay!)&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Super helpful hotel desk clerks (thanks Raoul?)&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;&lt;/P&gt;
&lt;P&gt;What can I say? Once again, Black Hat did not disappoint. And that’s not just post-party speak. The conversations were good, the input was invaluable, and the support for the new programs we launched—well, it’s been overwhelming. The vibe in the MSRC “Helping Secure the Planet” presentation was great, the audience was engaged and had plenty of questions and Mike, Katie and Steve demonstrated the depth of talent and commitment in the MSRC. We’re excited to take that momentum and move it forward.&lt;/P&gt;
&lt;P&gt;Our hats are off to the awesome Black Hat team for putting on another great conference. I only wish I could have made it into more sessions. Among briefings with media on our news, reconnecting with old friends and making new ones, and fielding a steady flow of invite requests for the party, the time just flew by. But hey, I did manage to introduce Rod Beckstrom for his keynote and got a tweet in on that.&lt;/P&gt;
&lt;P&gt;And how about Twitter? I didn’t imagine I would enjoy it so much and who'd have thought it would drive so much conversation at the show? We had fun participating and watching the discussions unfold. It’s been a great channel to share news and carry on further about some of the presentations and event happenings. I especially enjoyed Ryan Naraine’s play-by-play at the Pwnie Awards.&lt;/P&gt;
&lt;P&gt;And about the Pwnie Awards, I want to echo my thanks for the “Most Epic Fail” Honorable Mention. Rest assured we’ll be back next year with the same commitment to security engineering! &lt;/P&gt;
&lt;P&gt;I’m also really excited about our new EcoStrat blog (&lt;A title=http://blogs.technet.com/ecostrat/ href="http://blogs.technet.com/ecostrat/" mce_href="http://blogs.technet.com/ecostrat/"&gt;http://blogs.technet.com/ecostrat/&lt;/A&gt;). The team has written some great posts. The blog provides an opportunity for the EcoStrat team to “show our work” and provide a good look behind the scenes on what we’re doing and how we’re working with the broader security community. We will continue to take advantage of opportunities so as to continue a dialogue.&lt;/P&gt;
&lt;P&gt;This week really has solidified a fundamental shift for Microsoft and it’s been refreshing to see that shift in perception and reception towards us at the conference—from what used to be a focus on free drinks and invites to a genuine interest in what we’re offering and how we’re engaged in the security community. &lt;/P&gt;
&lt;P&gt;I’m sure good times were had by all here at the show, and our hope, and commitment, is that what happened in Vegas, particularly what we announced in Vegas, does not stay in Vegas. &lt;/P&gt;
&lt;P&gt;- Andrew Cushman&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3102686" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Exploitability+Index/default.aspx">Exploitability Index</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program+_2800_MAPP_2900_/default.aspx">Microsoft Active Protections Program (MAPP)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Vulnerability+Research+_2800_MSVR_2900_/default.aspx">Microsoft Vulnerability Research (MSVR)</category></item><item><title>Welcome to the new MSRC Ecosystem Strategy (EcoStrat) Team Blog</title><link>http://blogs.technet.com/ecostrat/archive/2008/08/04/New-Microsoft-Security-Response-Center-_2800_MSRC_2900_-Ecosystem-Strategy-Team-Blog.aspx</link><pubDate>Mon, 04 Aug 2008 11:50:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3098084</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3098084.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3098084</wfw:commentRss><description>&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3147552/original.aspx" /&gt; 
&lt;b&gt;&lt;br/&gt;Handle:&lt;/b&gt;&lt;br /&gt;Security Blanki&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Sarah Blankinship&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Strategist Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Vuln wrangling, teams of rivals, global climate change - the hotter the better&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Slack jawed gawkers (girls are geeks too!), customers @ risk, egos&lt;br /&gt;&lt;br/&gt;&lt;/div&gt; 
&lt;P&gt;One researcher, one community, one hacker at a time we are building a community-based defense to help secure our customers, our partners and the Internet.&lt;/P&gt;
&lt;P&gt;The Microsoft EcoStrat (Ecosystem Strategy) team, part of &lt;A class="" title="MSRC Overview" href="http://www.microsoft.com/security/msrc/default.mspx" mce_href="http://www.microsoft.com/security/msrc/default.mspx"&gt;Microsoft's Security Response Center&lt;/A&gt; (MSRC), operates at the intersection of technology and people. We strive to understand how vulnerabilities affect the Internet as a whole. This blog is our opportunity to talk about our work within some of these ecosystems, from the front lines.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;As a member of the team, the thing I love most about this job is solving complex security issues with the people we get to engage with all across the world as part of the "security ecosystem," that is, the interconnected pool of security researchers, guidance providers, and some who would consider themselves hackers. Many of them run the world's largest security software protection companies, networks and infrastructures, and conduct research for fun and profit. These people find and report vulnerabilities, exploit vulnerabilities, fix vulnerabilities, protect customers and keep us on our toes.&lt;/P&gt;
&lt;P&gt;A lot of what drives us is our aspirations, our hopes, if you will. Our hope is that by bringing together people and policy within different organizations, we can increase trust, better defend our ecosystems and ultimately help secure our planet from malicious software threats.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Our hope is that, by being more transparent about our work in various security ecosystems and regions around the world, a message will be heard: &lt;I&gt;Nobody can “secure the planet” on their own. No one product, no one company.&lt;/I&gt;&lt;/P&gt;
&lt;P&gt;Knowing that, we work with a variety of communities around the world. Being a hub for many communities has its ups and downs - but the people and technology at these intersections are always interesting. Opportunities for collaboration abound – with fire drills that can polarize our internal and external security communities. Also, these broad interactions expose us to all types of information and trends – improving our ability to be a harbinger of future threats, and to mitigate them by creating new intersections of technology and people.&lt;/P&gt;
&lt;P&gt;The EcoStrat team’s next chance to interact with our security ecosystem is next week at Black Hat USA; we look forward to bringing commentaries and announcements from the &lt;A href="http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html" mce_href="http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html"&gt;Black Hat &lt;/A&gt;briefings. &lt;/P&gt;
&lt;P&gt;- Sarah Blankinship&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3098084" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category></item></channel></rss>