MSRC Ecosystem Strategy Team : MSRC

G’day mate, howsitgoing?

msrcecostrat — Mon, 14 Dec 2009 19:36:00 GMT

Handle:
Avatar

IRL:
Karl Hanmore

Rank:
Senior Security Strategist (aka Sergeant Grunt)

Likes:
Getting the job done, bringing the fight to the bad guys, good single malt whiskey

Dislikes:
Cowards, talkers not doers, red tape, humidity

G’day, or should I say howdy, y’all. As the newest member of the Microsoft EcoStrat team, I figured I would do a quick self-introduction before getting down to work. I am a Senior Security Strategist with the Microsoft Security Response Center (MSRC) based in Redmond. Prior to my big move to the USA, I was the Operations Manager of AusCERT in Australia (that’s the place that is famous for kangaroos and Tim Tams, to ensure you didn’t think I meant Austria!) My role here at Microsoft varies, but at the very top of my list is ensuring that Microsoft strengthens its relationship with the global community of national and government Computer Emergency Response Teams (CERTs).

It was in that capacity that I was privileged recently to attend the GovCERT.NL symposium, hosted by the Dutch Government CERT in the city of Rotterdam. What an event! The Dutch government CERT, GovCERT.NL, put on a truly world-class event. I cannot recall ever having been to an event so well-polished and professionally presented. The program was rich, varied, and robust, with a number of international and domestic speakers. But for me, the highlight was the interaction in the CERT community.

Although the symposium is primarily focused on meeting the needs of GovCERT.NL’s constituents, the attendance from much of the international CERT community makes the event all that much more dynamic. The national CERT community is a thriving and robust effort, allowing teams across national borders to work together and deliver collective results to provide more protection to the ecosystem. If you are in government, law enforcement, or industry and you don’t know your national CERT, you don’t know what you are missing! I was fortunate enough to meet with quite a number of national CERTs during this event from the European region and as far afield as Asia. This was most useful, as the MSRC is looking to engage more strongly with the community of national CERTs. In addition, Mike Reavey, Director of the MSRC, was also able to attend, and not only sat on a panel, but also spent time talking in depth with several CERTs about the issues facing the CERT community as well as how to develop better working relationships. It is this open dialogue and the coalescence of like-minded individuals that tends to be a hallmark of CERT-based events. In addition to formal meetings on the days before and after the symposium, it was clear that the global CERT representatives present were spending quality time sharing techniques, discussing common strategies, and building stronger interpersonal relationships. It is still the case that interpersonal relationships are the life-blood of this community, but there have also been some strong moves towards establishing organizational-level relationships with increasing bilateral and multilateral formal relations. I am keen to watch this grow, and will assist where I can.

I consider these groupings of CERTs to be invaluable. We have all heard that the Internet is a global thing, with no concept of borders or jurisdiction. While this may be the case, this also implies that there is no one responsible for looking after the problems on the Internet. I see the Internet as a global ecosystem, and in any ecosystem you need those who keep order. That is where I see the role for the National CERTs, tackling the problems of the Internet on a nation-by-nation basis. It is something that every country can do, take responsibility for their “own patch"; it is the Internet version of “think globally, act locally”. It is important also to realize that Internet security is not a problem that can be fixed by law enforcement, or any other group, alone. CERTs perform an important role, not only providing advice and guidance, but also assisting with coordination and remediation. A CERT from one country knows that they can reach out to a trusted partner in another country to resolve an issue and that means the CERT only needs to know their own constituents and their fellow CERTs. In the absence of such a network, every CERT would need to be able to communicate with every organization, and potentially every individual, to resolve issues.

For a great practical example of a CERT working locally to assist in protecting the global ecosystem, I would recommend that you look at the work being done by CERT-FI and their Autoreporter service. This service is a great example of a CERT, working with feeds from the globally community, taking responsibility for their constituency and working to remediate the threat within their own borders. This is the sort of work I feel all CERTs globally should be looking to when considering how to be an effective and contributing member in the global security community. This sort of activity has helped the Finnish IP space to become one of the “cleanest” in the world, as called out in the recent Microsoft Security Intelligence Report volume 7. Great work CERT-FI!

I hope to see those national CERTs, who are not already a part of Microsoft Security Cooperation Program for CERTs (SCPcert), look at joining this initiative, as a first step in building a deeper and more substantive operational relationship with Microsoft. It is from the bedrock of this program that I hope to find new and innovative ways to assist the CERT community in the shared responsibility of protecting the ecosystem.

In conclusion, the GovCERT.NL event was great to attend. It gave me a quick refresher on just how much potential there is within the CERT community globally to work together, and with industry, to increase the level of ecosystem-wide security. I am looking forward to my part in working with and helping foster this important community

-Karl Hanmore, Senior Security Strategist

*Postings are provided "AS IS" with no warranties, and confers no rights.*

BlueHat v9 Brings the Looking Glass To You...

msrcecostrat — Fri, 11 Dec 2009 18:02:00 GMT

Handle:
C-Lizzle

IRL:
Celene Temkin

Rank:
Program Manager 2 & BlueHat Project Manager

Likes:
Culinary warfare, BlueHat hackers and responsible disclosure

Dislikes:
Acts of hubris, MySpace, orange mocha Frappaccinos!

Celene here from the MSRC Ecosystem Strategy Team. BlueHat v9: Through The Looking Glass ended just over a month ago and the success of the con lives on due to the outstanding training and networking between Microsoft employees, external speakers, and guests. I'm happy to say that the speaker video interviews and selected recorded presentations are now live on the BlueHat TechNet Page. As promised, we have posted talks from every track block. The samples available are from the e-crime, cloud, mobile and fuzzing content blocks.

As you probably know by now, BlueHat is primarily about educating our own Microsoft population so we can better understand how to build more secure products. The more we know about the security ecosystem, the more we at Microsoft can truly comprehend and assess our security reality. Our secondary goals are to build bridges and bring transparency to the security community to facilitate positive information exchanges.

One way we measure how well are meeting our goals is through surveying our attendees. Here are some of the survey highlights from BlueHat v9 that I want to share with you.

Survey Results for BlueHat General Sessions:

92% of attendee respondents believed the overall quality of the event (speakers, venue, logistics, etc.) was good or excellent
92% of attendee respondents felt attending was a good use of their time
74% of attendee respondents say they will be able to apply knowledge they learned at the BlueHat general sessions to make their product(s) more secure

W00t! Strong numbers like those make it all worth it, I tell you! Big thanks to all our speakers and now new members of the BlueHat network, the BlueHat content review team, and Dana Hehl for making everything look so easy.

Mark your calendars! The next BlueHat is October 14-15, 2010. See you all there.

-Celene Temkin

BlueHat Project Manager

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Ahn-young-ha-seh-yo & Kon-ni-chi-wa

msrcecostrat — Mon, 23 Nov 2009 16:07:00 GMT

Handle:
Cap'n Steve

IRL:
Steve Adegbite

Rank:
Senior Security Program Manager Lead

Likes:
Reverse Engineering an obscene amount of code and ripping it up on a snowboard

Dislikes:
Not much but if you hear me growl…run

Hi! It's been a while since I've had a chance to blog about all the things we have been doing here. As travelling around to various security events is a big part of our mantra, I’ve been to Tokyo Japan for PacSec and Seoul, South Korea for POC 2009. Both were great conferences and had great security talks.

PacSec had a lot of the Japanese security scene in attendance (the local powerhouses are pretty sharp and savvy) along with international researchers and past BlueHat speakers, Charlie Miller and Alex Stamos. Take a minute to check out archived presentations from our own Tony Lee introducing the SIRv7 and Jason Shirk discussing fuzzing strategies. But the biggest interest concerned mobile code threats such as malware and how the perimeter defenses are fading away as a viable protection. This seems to be a hot topic everywhere, so hot that the just wrapped-up BlueHat v9 con had an entire track dedicated to mobile security, and in June 2010, at the annual FIRST Conference, how the perimeter defenses are fading away will be the theme for the whole conference.

It’s a cyclic state when it comes to the effectiveness of protections. I remember back in the 80s and 90s when the firewall was going to fix it all. But like everything in life, things evolve and the firewall became a part of a complex mesh of other technologies created to evolve with the threats.

This cyclic and evolving process is something we know a lot about here in Microsoft. The continued security evolution built the MSRC process and the Security Development Lifecycle (SDL). This is how we had to react to threats.

Visiting POC 2009 and PacSec, I got more of a sense of how people outside Microsoft evolve and react; most created either more complex processes or bought more technologies. As I was sitting at POC 2009 watching the presentations, I saw the same theme here as well. It seems that with the evolution of threats, security people everywhere are throwing up more complex processes and technologies. But what happens when the complexity we have created outstrips the problem? I can see that we are always going to have the technological challenges of new threats.

For instance, Conficker, a new threat that helped every security professional evolve due to the complex nature of the threat. However, something else happened with Conficker that really turned on a light in my head. Conficker took advantage of old threats and long-standing security best practices. The fact that Conficker used these old threats and was still widely successful in exploiting our complex processes and technologies is interesting.

I couldn't help asking myself this question, could it be that due to our complexity that we have failed to take into account past experiences? I don’t think so. I think what we may have done is forgotten one or two primary focus security factors. Those factors are “people” and “process”. People management for security is a key tenet of any type of security plan. This fact has been proven everywhere and in every topic including computer security.

If your plan does not take into account an understanding of the human factor and what it means to your security process, you are missing an important point. Understanding the “people” factor will help you in the next important part of the security plan, which is the process part.

Sitting down at PacSec and POC 2009, I see that we have a firm grip on the technological-advancement front. The presentations at both conferences were excellent technically and on the cusp of new developments. But I still believe that a more focused approach on the “people” factor of computer security would do more to enhance the security than technology advancements will.

Here at Microsoft we are looking in that direction as we look at the technological enhancements coming to the continent of Africa. Here is a place where we will have the chance to stress a focus on the ”people” aspect while building up the processes to take advantage of the new technologies afforded the populace. Hopefully you’ll be seeing more of this model in future posts from me as this new initiative develops. But for now make sure to look at the “people” factor as you create, modify or react to problems in the security landscape. It may surprise you what fresh new perspectives and solutions it gives you.

- -Steve

*Postings are provided "AS IS" with no warranties, and confers no rights.*

The year-end review – well, sort of :)

msrcecostrat — Mon, 27 Jul 2009 08:08:00 GMT

Hey!

It’s that time of year again for all of us to pack up and head out to the desert to reconnect, discuss, and plan for the future, or at least what we think will be the future of security. It’s hard to predict what the next year will bring as the security landscape is ever-changing. This is probably why most of us “grey beards” in the security industry mark the Black Hat/Defcon conferences as the de facto year in review/preview of the next year for the state of security. These conferences have defined a lot of security strategies for a number of people for years. But I digressJ; I started to talk about the year-end review for the security landscape.

Looking back over the year, I am pleased to see that we have executed nicely on a couple of strategies we put into place to change the security landscape. The ones I am talking about are the three programs listed below that we launched last year around this time.

I am going to talk about the first two programs as I have been working on both of them for a bit. MSVR has been worked by my colleague Adrian who will be blogging on MSVR in the near future. He will update you about all the exciting things they have been doing over there.

So let’s begin. I want to talk to you first about the Exploitability Index. Like I said, the one-year anniversary is right around the corner and we have been getting a lot of positive feedback from customers on this new program. Looking back, I am happy to see that out of the 140 ratings we provided so far that we only had to revise one rating. The one rating we did change went from a high severity to a lower one (1 to 3).

Let me give some of our reasons for this. We are extremely cautious when we rate things and when in doubt, will tend to go with the higher rating. We want to make sure that those who are using our ratings are protected against exploitation. This is kind of like putting a deadbolt lock on your door even though you live right next to the police station – I would rather be safe than sorry. However, we are always looking for ways to improve our ratings, and we tend to seek out the critical areas where we can or need to improve.

There is no better place, in our mind, to get good feedback than from the security ecosystem. So we were extremely happy when iDefense took up the charge to review our Exploitability Index ratings for the first 120 days. I am sure you are thinking, "Is 120 days really enough time?" Well, it definitely gave a decent snapshot into how the program is progressing. I think it’s also a good timeframe for catching early process deficiencies and other issues. So let me highlight a few things that were discovered during the iDefense review.

Overall assessment: iDefense concluded that the Microsoft Exploitability Index was a step in the right direction. They felt that the Index provides clear value to customers in providing more risk mitigation information. iDefense also felt that it helps system administrators with the prioritization of their system-updating efforts, because with the Index, they can use another piece of information to help set their update schedule.

Out of the fifty-seven vulnerabilities reviewed by iDefense, they considered that only fourteen should have been rated differently. This is a ~75% percent similarity between their analyses and our own.

As with all early efforts, they did find some areas where they had suggestions for improvement. One area is with the rating differences mentioned above. We will be reviewing the reasons for the differences and will be looking at our present process to take their suggestions into account. Check out the full report here.

Now let’s talk about the Microsoft Active Protections Program, or as we call it in the hallways of building 27, “MAPP”. The MAPP program goals were to find a way to shorten the attack window for consumers. We wanted to be able provide enough “just in time” technical information on the vulnerabilities that we were updating every month to help defenders provide software protections faster. It didn’t make sense in our eyes to have verified defenders in the same boat as malicious attackers trying to understand and reverse-engineer our updates to build defenses for our mutual customers.

I am glad to say that we have exceeded our goal. In the program to date, we have 47 companies from around the world, with new partners added in Central and South America, Europe, Middle East, Africa, India, South East Asia, China, Korea, Japan, Australia, and New Zealand. This partner network global reach represents software protections that cover a range from tens of thousands to hundreds of millions of consumers. That is nothing to sneeze at! J It doesn’t stop there; we will continue to add more partners to ensure that we arm the defenders with information they need to protect you, our mutual customers. We have some more proof points on how we are shrinking that attack window, but don’t take my word for it, check out the testimonials from the MAPP members themselves in the year-end progress report from MSRC here.

Well, that’s it. Don’t forget to check out the iDefense paper located here and the MAPP paper here. And keep an eye on www.microsoft.com/twc/blogs for more Black Hat blogs from the front lines.

Til next time….

Steve

Announcing the BlueHat Security Forum: EU Edition

msrcecostrat — Tue, 02 Jun 2009 11:30:00 GMT

Hey folks! I know this is typically the time of year when birds are chirping, the rain is supposed to be letting up, and those of you in the BlueHat network who are normally invited to attend the Spring BlueHat conference are asking yourselves, "Why did MSRC start doing the con only once a year?" The answer, of course, is pretty simple and complicated at the same time. Today marks the beginning of the next evolution of the BlueHat Security Briefings, with the launch of the BlueHat Security Forum taking place at the Microsoft Executive Briefing Center in Brussels, Belgium.

Following the success of the BlueHat Security Briefings, entering its 9^th iteration this October 22-23 at the Microsoft campus in Redmond, the BlueHat Security Forum EU event is an invitation-only gathering and network of select government and enterprise decision-makers from throughout the European Union. Attendee country representation includes Austria, Belgium, Denmark, Finland, France, Germany, Italy, Norway, Sweden, Switzerland, and the UK. Today’s Forum gathering in Brussels features lively presentations on the latest developments in information security from Microsoft leaders and external security researcher luminaries.

The primary objective of the BlueHat Security Forum is to build bridges between our Microsoft Security Leadership team, key Enterprise security stakeholders, and members of the security research community. The secondary objective is to participate in candid, actionable, and constructive dialogue with key enterprise customers that will help Microsoft produce enterprise-ready, value-laden products and services. The BlueHat Security Forum planning team formulates discussion topics for these meetings based on current security hot topics, new research and trends.

Today's BlueHat Security Forum EU event agenda will address:

· E-crime attacks, the vulnerability economy and the global threat landscape

· Security in the cloud, DNS security, and the malware landscape

· Microsoft Security Response Center (MSRC) processes and integrating a Security Development Lifecycle (SDL)

And did I mention our stellar line up? J Presenters from Microsoft Trustworthy Computing include Andrew Cushman, Director of Trustworthy Computing Security; David Pollington, Director of Security, Europe; Vinny Gullotto, General Manager, Microsoft Malware Protection Center; Alex Lucas, Principal Security Development Lead; Mike Reavey, Director of MSRC; and from Global Foundation Services, Martin Rues, Director for Cloud Security, Microsoft & Scott Oxley, Lead Architect for Cloud Security, Microsoft. External presenters include Iftach Amit, Director, Security Research, Aladdin; Dragos Ruiu, CEO SecWest Conferences, Security Technology Specialist; Dan Kaminsky, Director of Penetration Testing, IOActive; and Scott Stender, Principal, iSEC Partners, Inc.

We are seeking to build upon the momentum of past events by showcasing how individual strategies can intersect to offer substantial benefits and positive-sum outcomes. As with the local BlueHat conference, we are looking to demystify global and regional security threats, and to create channels for productive information exchange on common threats between the security industry, governments and researchers. Future regional BlueHat Security Forums are planned for Asia in 2010 and LATAM in 2011.

Next up: save the date for BlueHat v9 this October 22-23 in Redmond. Stay tuned for more updates and information to come here and on the BlueHat Blog. Be sure to check out Iftach Ian Amit’s post also coinciding with the Forum, Getting a business degree as part of Security Research?

Bon chance!

Celene

Share this post :

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Hack in the Box, and beyond…

msrcecostrat — Wed, 13 May 2009 11:00:00 GMT

Handle:
EcoStrat's All-Stars

IRL:
TwC Security All-Star Guest Bloggers

Likes:
Security, Vulnerability Research & Science, Defense and Responsible Disclosure

Dislikes:
0-day, FUD

Marhaban! Maarten Van Horenbeeck here from the Microsoft Security Response Center (MSRC). This is the first time I have blogged here on EcoStrat. As a Security Program Manager with MSRC, one of the roles I have is to work with security researchers, and this often involves attending security conferences to meet with you. Two weeks ago, a couple of us in Trustworthy Computing (TwC) attended the Hack in the Box (HITB) security conference in hot and sizzling Dubai, United Arab Emirates.

There is a saying that "every word in Arabic either means itself, its opposite, or a camel." Working in the information security industry, I often use this to illustrate to my clients how a piece of code that one person considers a vulnerability, can very well be seen as valid functionality by another. As such, my Microsoft colleagues and I were very interested in learning more about other Arabic sayings that could be applied to the information security industry as a whole.

Hack in the Box is a twice-annual conference, taking place in Dubai, UAE during April, and somewhat later in the year in Kuala Lumpur, Malaysia. Given our past experiences with the value of the talks at the conference, Microsoft was a Titanium sponsor of this event.

The Dubai conference is more intimate than the Malaysia one, but that is exactly what makes it a great way for local information security professionals to network and learn more about cutting edge security research that is taking place all across the world. Presenters ventured from as far as Indonesia, the United States, and Germany.

At Microsoft, I think we can safely admit that in order to pioneer security efforts, we were forced to make every single mistake in the book and learn from it. When I started with the company, I was fascinated to see that we are in fact very good at learning. When we deal with an issue, we like to understand how we can resolve similar issues more effectively in the future. As such, we don’t just attend conferences to learn, but to start up a conversation – we are interested in sharing our own experiences as well as touching base with others.

Microsoft employees had two presentations lined up for this event. Mark Curphey, the director of Microsoft's Information Security Tools team, had a keynote presentation on security tools and technology for effective risk management. Mark focused on how most security tools and technology available to effectively manage risk can only be described as primitive in comparison to those used in most other areas of risk management, such as online gaming or healthcare. From my own experience as a security consultant, I can echo his finding that Microsoft Office Excel is often the most effective tool risk managers have at their disposal.

This is a gloomy situation, given the amount of risk most organizations are exposed to, but a broad sigh of relief was voiced by the audience when Mark clarified his team is working here at Microsoft on solving just that issue.

After Mark's talk, Ian Hellen from Microsoft's Security Assurance team and I spoke to several attendees who wanted to learn more about how M

icrosoft deals with application security issues. We understood from them that there is a lot of internal software development taking place in Dubai to support business processes, and many of the attendees asked questions about how they could make their own applications more secure. We talked to them about the Microsoft Security Development Lifecycle (SDL), which is our standardized approach to software security. If you have similar interests, you can read more about it here.

Billy Rios, one of our resident security engineers, delivered a fascinating presentation on the concept of trust relationships in Web applications, and more specifically how a disparity exists between the security models implemented in Web applications, and those implemented by the browsers that host those applications. In addition, he collaborated with Chris Evans from Google to share with the audience some of their experiences with cross-domain issues and practical man-in-the-middle attacks on SSL.

While there was too much content at the conference for me to discuss in depth here, I will mention some of the other highlights.

Roberto Preatoni from WabiSabiLabi, one of our guests at BlueHat 6, presented on cyber warfare. He refuted Marcus Ranum’s 2007 statement at HITB Malaysia that cyber warfare is an overrated issue, by calling out several examples of contemporary cyber war. He illustrated how it may not just affect nation-states but its conflicts of interest can affect industries and individual corporations as well.

Reverse engineers in the audience welcomed Sebastian Porst from Zynamics. He spoke about REIL, their Reverse Engineering Intermediate Language, and more specifically how it can be used to optimize static binary code analysis. They actually used one of our vulnerabilities, the Windows Server Service vulnerability patched in MS08-067 (read more about it here and here) to illustrate how their tool works. This was definitely a topic many of our own engineers are deeply interested in.

Another well received talk came from Wes Brown of IOActive. He provided a good primer on analyzing malicious code, and gave it a twist by describing how languages, Unicode, and even culture all make a difference and make the reverse engineer’s work just a wee bit more difficult.

At the end of the conference, Microsoft sponsored the sunset Post-Conference Reception, which allowed for more valuable networking opportunities.

Sometimes dealing with security incidents and vulnerabilities can feel like marching across a desert. Confidentiality is an unspoken requirement, and often you can only rely on your own senses, knowledge and intuition. It is a great thing that just like in Dubai, there are watering holes where we can come together and rely on each other implicitly, sharing information and improving the state of the art in our business. Thanks, Hack in the Box, for a great conference, and we’ll see you next time. Ma’a salama.

[Editor's note: check out the BlueHat Blog for another Microsoft perspective on HITB-Dubai]

Share this post :

*Postings are provided "AS IS" with no warranties, and confers no rights.*

SOURCE, Not Your Usual Boston Tea Party

msrcecostrat — Mon, 23 Mar 2009 14:02:00 GMT

I recently returned from the second iteration of the SOURCE Boston computer security conference, and I must say, it was both an intimate conference of less than 250 folks and a high-caliber gathering. As with other conferences that the Microsoft Security Response Center (MSRC) co-sponsors, we see these forums as opportunities that highlight relevant research and showcase how individual strategies can intersect to offer substantial benefits and positive-sum outcomes.

Handle:
C-Lizzle

IRL:
Celene Temkin

Rank:
BlueHat Project Manager

Likes:
Culinary warfare, BlueHat hackers and responsible disclosure

Dislikes:
Acts of hubris, MySpace, orange mocha Frappaccinos!

For those of you not familiar with SOURCE, the conference combines business technology and application security tracks over three jam-packed days of presentations from experts in the field. This was the first time that a Security Start-Up Showcase (for all of you VCs/Start up folks out there not taking this economy to heart ;), Discussion Groups, and a Product Education Track were added to the already buff line-up. The attendee make up was approximately 35 percent Security Professionals, 30 percent Executives (Chief Officers), 10 percent Independent Security Researchers, 10 percent Administrators, 10percent Press, and the remainders were Students/Other.

Although there were more talks that sparked my interest than I was able to attend, I did attend some very insightful tracks. One such talk that appealed to me was a panel called The Partial Disclosure Dilemma hosted by Ryan Naraine with SME’s like Dan Kaminsky, Ivan Arce, Katie Moussouris, Dino Dai Zovi, and Alexander Sotirov. For a deeper dive on this subject from the only vendor on the panel, check out Katie’s blog and hear her stress how, "We need more collaboration between those who say the sky is falling, and those upon whom the sky will fall." Throughout this two hour showdown it was apparent that sometimes finding a vulnerability and creating an update is only part of the picture. Often, there has to be a coordinated fix with other vendors and the solution has to then be deployed to protect critical infrastructure. While folks could agree to disagree on the bulk of disputed points, for the most part everyone believed that the industry has got to move forward trusting each other with a more productive and transparent process, whether it be through more peer review among researchers or other communicative and joint mediums. I got a moment of pleasure hearing David Mortman speak out from the audience to say, "I apply MS Patches right away because I know they are going to work and not break anything." W00t!

An earlier talk on How Microsoft Fixes Security Vulnerabilities: Everything you wanted to know about the MSRC Security Update Engineering Process painted a clear picture of the different ways we find variants and work on mitigations and workarounds as part of the Microsoft response process. This talk answered the fascinating question of, "How come some of your in-band updates take a long time, but sometimes you can produce an out-of-band update in a matter of days?" Dave Midturi, Jonathan Ness, and Mark Wodrich dove into some great case studies that showcased in-band updates versus out-of-band updates to answer that ever popular question. For those of you that missed it, I strongly suggest checking it out in the next couple weeks, once it is available on the con site, so you can see first-hand what goes into a Microsoft Security Update, and how out of some 200,000 non-spam e-mails that come in to secure@microsoft.com per year result in approximately 70 bulletins.

All in all, there was a broad range of topics covered that left me simultaneously scared, inspired and contemplative–and I think that sums up exactly what I’m looking for in a security con. And as an added bonus, the con was hosted harbor side in Beantown, not far from Mike’s Pastry cannoli and some good old fashion American history; tea anyone?

-Celene Temkin

Share this post :

*Postings are provided "AS IS" with no warranties, and confers no rights.*

CanSecWest: Caution, Community at Play

msrcecostrat — Wed, 18 Mar 2009 15:20:00 GMT

CanSecWest, in beautiful Vancouver BC, is one of my favorite conferences each year. It’s a cozy little security con that brings together security researchers from all parts of the security ecosystem. Like a PhNeutral or a BlueHat, one never quite knows what to expect out of a CanSecWest, but we do know that Microsoft products and engineers will play a prominent role. We’ll be presenting new security innovations and new tools, we’ll be watching Pwn2Own closely for possible hacks, and we’ll be happy to discuss our industry best practices in the hallway track.

Handle:
Security Blanki

IRL:
Sarah Blankinship

Rank:
Senior Security Strategist Lead

Likes:
Vuln wrangling, teams of rivals, global climate change - the hotter the better

Dislikes:
Slack jawed gawkers (girls are geeks too!), customers @ risk, egos

Security gatherings such as this allow the ecosystem to exchange information and awareness in order to become more secure. The more we know about the attacks, the better prepared we can be on defense. Presentations like Matt Miller’s “The Evolution of Microsoft's Exploit Mitigations” and Jason Shirk and Dave Weinstein’s “Automated Real-time and Post Mortem Security Crash Analysis and Categorization” demonstrate that as Microsoft learns more about an attack, we incorporate this information into techniques and tools that we share with our developer community. Stay tuned for more news and posts throughout the show.

Again this year, CanSecWest features the Pwn2Own contest – a contest that pits researchers against technologies to see whether technology or human wins. It’s also a contest that presents interesting challenges to Microsoft and a contest which you might think Microsoft opposes. Like many other issues in the security ecosystem – it’s not that simple. The contest exemplifies two basic tenets behind the TwC Security teams’ efforts. You can’t hide from the truth (wishing doesn’t make it so) and every issue is an opportunity to learn and improve.

We recognize that all vendors’ products may be found vulnerable and Microsoft welcomes the contest as another opportunity to engage the security community in productive dialogue around responsible disclosure and effective security engineering. We also see that Pwn2Own provides an opportunity to educate the public and we believe it can showcase Microsoft’s security engineering efforts, both relative to our competitors and in an absolute sense.

The security community is offering knowledge of attacks and defenses that consumers and other vendors can use to stay safe or create more secure products. The rest of the story – and an additional measure the security community could use to evaluate vendors’ products - is what happens after the content ends. Rest assured Microsoft will take this information and apply it towards securing our networks, platforms and applications (hopefully before they ship), and to create strong response process and engineering discipline that are necessary for our communal security. And as always, the MSRC are ready to work to investigate any vulnerabilities that researchers might find during the Pwn2Own contest.

By the end of the contest, co-sponsor Tipping Point will be the owners of many new vulnerabilities. They value the protection of their customers and will need to work with their partners in the security ecosystem to make sure everybody is protected as quickly as possible (one more way consumers benefit). One of the goals of responsible disclosure is for the vulnerability details to emerge at the same time that an update is available from the vulnerable vendor. The CanSecWest conference organizer also has a responsible disclosure policy, as do all of the conference organizers that the EcoStrat team is able to support worldwide each year.

Although innovative contests put some of us in a place that is not always comfortable, it’s valuable for the ecosystem to come together with contests like Pwn2Own and Iron Chef Black Hat, to better understand and solve common issues. It’s yet another example of the “team of rivals” strategy. Let the contest begin!

-Sarah

Share this post :

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Making Sense of the Random & Mining For Gold

msrcecostrat — Thu, 12 Mar 2009 10:30:00 GMT

As the newest member to the EcoStrat Team, I guess I will start with the basics. I am Adrian Stone. I have now been in the Microsoft Security Response Center (MSRC) almost four years. My current job you ask? I work to make sense of the random and controlled chaos that is the MSRC. If my team and I do our jobs right, we often find nuggets of gold buried in the middle of it all. I have often joked that MSRC is like a box of chocolates. You never know what you’re going to get from one day to the next:

Handle:
StoneZ

IRL:
Adrian Stone

Rank:
Senior Security Program Manager Lead

Likes:
Predictive Analytics, Game Theory, Databases, Sports Cars, NFL Football, Direct People

Dislikes:
Losing, Liars, Posers, No Talent Clowns

A new 0-day released into the wild?

A hard engineering security issue that affects vendors throughout the ecosystem?

Someone “hacked” your password and stole your MSN Messenger Account?

Aliens are reading your e-mail from the planet Remulak?

Yeah, my team gets them all. And we engage the right people and the right parts of the MSRC process to handle the issue.

I manage the part of the team that is responsible for reading every e-mail that comes into the secure@microsoft.com e-mail address, which is usually the entry point for vulnerabilities that are responsibly disclosed to us by external security researchers. In 2008, we reached a new benchmark of 75% of the vulnerabilities we received being reported to us by responsible disclosure. The vast majority of those reports were sent to secure@microsoft.com. On average, we receive around 200,000 legitimate e-mails a year, including reports that range from the very real security issue to the absolutely bizarre. Of course, this number does not include the SPAM that still requires individual verification to make sure that filtering hasn’t caused us to miss a potential report, which can easily happen with foreign language Unicode based text.

If we grow complacent or aren’t digging into a report, we run the risk of missing a potential security issue. Often times we will engage with the security researcher to ensure we understand the concern or the type of issue from their point of view. There are no auto responders in our world. I can attest to the fact that a person with a qualified security background is sorting through it all 365 days a year. Mining these e-mail reports in all their various languages and the data contained within them is invaluable to help ensure, that like a field medic, we accurately assess and assign the right priority and engage the right product teams within the company to investigate the issue more deeply. As if all of that wasn’t enough to keep us focused, we also monitor various other resources for signs of issues that may impact the security of Microsoft’s customers.

Another component of my team is responsibility for the MSRC’s infrastructure and data analysis to make sure that what we learn about a vulnerability report, and the corresponding fix, can be leveraged to improve future products through the efforts of our colleagues in the Security Development Lifecycle (SDL) Team.

Ultimately my team serves as the bookends to the process driven by the Security PMs and the Release Team that starts with vulnerability disclosure and ends with what most of our customers see as the monthly security bulletin release.

I also serve as Editor and Chief of our security bulletins and advisories. It’s that part of my job that most of our customers see in the end result of in their day to day operations. The security bulletins and advisories serve as the vehicle by which we notify our customers of a newly uncovered vulnerability in our products and the steps that they can take to remediate the issue. Just as security vulnerabilities are an issue that span across the industry, so are the use of bulletins and advisories to communicate the issues. Sometimes though calling something a bulletin or an advisory is where the similarities in communication begin and end. The rest in between can be anyone’s guess.

Understanding the content of a security bulletin or advisory can vary wildly from one vendor to another. When comparing one vendor to another, the accuracy and the level of the depth about the underlying vulnerability and the potential mitigations and workarounds can vary relative to the vendor. The data sets and terminology may be completely different. For example what one vendor may call a remote code execution issue may be referred to as a remote elevation of privilege vulnerability by another. This could leave a customer asking: "Are these things the same or aren’t they? Which one is worse?"

As you can see this leaves the customer trying to decipher the different nuances in terminology, technical documentation, and the content itself. Eventually all of the information in its various forms is digested by customers to perform and execute on a Risk Analysis and Risk Remediation Plan. This is often a very manual task requiring cross referencing of vulnerability identification numbers and comparing differing and competing scoring systems. At best, it is time consuming; at worst, it can be a total pain if you are dealing with a heterogeneous computing environment supported by different vendors. We constantly leverage focus groups and mine the feedback on our security bulletin and advisory content that we receive from customers and partners to optimize and improve its usability. While this helps us and our customers with respect to the information we provide, it unfortunately does not address the various nuances from vendor to vendor for the customer.

This brings me to a project that I am involved in that has been started by ICASI members: to create an industry-wide Common Vulnerability Reporting Framework (CVRF) with regards to how we present vulnerability data and articulate security related issues. The CVRF end goal is to present a form of extensible XML framework that can be easily parsed by both humans and tools. The benefit for both vendors and customers is that some of the ambiguity is removed for consumers of the data. The structure can be leveraged by vendors to help streamline the data recording they need internally to help identify and develop updates to address security vulnerabilities. While the project is still in its infancy, it is awesome to see it getting traction and the various members working together to solve a problem that, prior to my coming to Microsoft, was the bane of my existence as a Security Analyst. I wish I could say I escaped it when I received my card key to the building, but the truth is it now occupies my thoughts as a member of the MSRC for a very different set of reasons. Now it regularly presents challenges for my team in how we manage the flow of our vulnerability data within the company and externally with partners like Microsoft Active Protections Program (MAPP) members. It is important to note that CVRF is not intended to replace various scoring methods to determine the impact of vulnerabilities, but rather to serve as a common framework to structure many of the data elements that can be used by such scoring systems. I can definitely see how CVRF will help us get even better and of course, through this process, we’ll continue our engagement in CVSS and the CVSS SIG. Hopefully, if we do it right, there will be a little more order and a little less chaos in the security ecosystem. That can be as valuable and as rare as refined gold on some days.

Later,

-A

Share this post :

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Chills and Thrills at FIRST

msrcecostrat — Wed, 11 Feb 2009 09:00:00 GMT

Sveika! Hey Steve here, been a while since I posted on the EcoStrat blog. With all the security events that happened during the latter half of 2008, I have been very focused on working with the security update releases and Microsoft Active Protections Program (MAPP).

You are probably wondering what an EcoStrat guy has to do with security updates and other technical deliverables. Well, I want to take a moment to explain why this makes sense. Before taking on the role of working with the monthly security release team and the MAPP program team, I primarily worked with the partner outreach team, managing ecosystem changes through industry partnerships. The partner outreach team’s goals/focus, within the scope of the EcoStrat team, is to work with industry to establish partnerships and initiatives to protect consumers. One of the most visible results is the MAPP initiative. This is a program that works with the security industry ecosystem to create an effective conduit for inbound and outbound information flow.

This was a large effort to affect ecosystem change externally, but what about internally? Microsoft is a large company that has an interesting culture and ecosystem of its own with developers, technology evangelists, security engineers, program managers, marketers, etc...

It became very clear that external ecosystem changes weren’t going to be enough without an effort focused on internal ecosystem changes as well. We needed a number of ways to effectively drive internal change with information we were getting from the external ecosystem while still following one of our core tenets to focus primarily on efforts that protect customers. One way we can do that is by releasing monthly security updates. Within the Microsoft Security Response Center (MSRC), we have an exceptional security release team that manages this large and complex effort. The team’s main focus is to make sure quality security updates are delivered to customers in a consistent manner. We noticed that a way to accomplish this was to become what we call “change agents.” Change agents influence change on a large scale most of the time without the formal authority to do so. This made sense as the release team manages the monthly release via a process that doesn’t have them building/owning any binary packages for release. They effectively were driving ecosystem changes just internally. So it made sense to have someone bridge both the internal and external sides of ecosystem change efforts.

So I’m grateful, and excited, to be in a position to work on both sides of the coin to effect change. And, I get to work with folks currently managing MAPP and the security release every month to help make these changes possible. Their good work also makes it possible for me leave Redmond and engage directly with the community in crucial industry events. Just recently, I had the chance to jump back into my partner outreach role within the EcoStrat team and had the chance to travel.

I am starting to really understand the need to be multicultural in the job we do here on the EcoStrat team. Many times it’s the cultural differences that sometime make or break the security messages we are trying to get across. This is one reason why this team travels a lot to target every place that Microsoft technologies are prevalent. It’s also the number one reason why I pick myself up and out of the day-to-day operations to understand these differences.

Last month, I got to put back on my FIRST Steering committee hat, and I traveled to the beautiful but cold city of Riga, Latvia. The FIRST Steering Committee has four meetings a year to get work done for its members. We usually use the technical colloquiums (TC) as good times to get together and partake in the great “watering hole” activities described in Andrew Cushman’s last blog.

The TC is organized by a local host. The local host for this one was Trans-European Research and Education Network Association (TERENA) computer security incident response team (TF-CSIRT). TERENA is an organization that focuses on offering a forum to collaborate, innovate and share knowledge in order to foster the development of internet technology, infrastructure and services for the research and education communities. They present and train at the TC server to educate security teams, highlighting new techniques to deal with relevant computer security issues. Usually I get to just sit back and enjoy the presentations but his time was a little different. The majority of the presentations were centered on the latest Conficker worm. Not familiar to you? Well, cruise on down to the following Microsoft Conficker page and relevant posts on the MSRC and MMPC blogs.

Being the lone Microsoft guy and a member of the Steering Committee was very interesting to say the least. After this conference, I personally know almost every European CERT or CSIRT contact after fielding some good and frank questions about Conficker.

Like I said, I spent most of the day fielding questions about Conficker and Microsoft’s actions to help security teams in their effort to protect consumers from this threat. Microsoft has a robust process when it comes to our response to issues so I was well prepared with information that went above and beyond the out-of-band security update that was released for this issue back in October (MS08-067)

Although the frank questioning felt like on-the-spot cavity cleaning, I was extremely happy to have the chance to clear up some of the myths and give some actionable information to these important security stakeholders. It also allowed me to understand information that the MSRC usually doesn’t get a chance to receive first hand. Also, having a response guy from Microsoft at FIRST allowed the security teams to understand that we are taking the problem seriously. One internal ecosystem change that was supported came about from feedback from this trip. One clear feedback item was to make sure that we had a single authoritative source/place for Microsoft efforts on Conficker. This information added more key data points to indicate that the teams in Microsoft managing the Conficker efforts were doing the right thing in moving forward with creating a single place for outlining Conficker resources. This is just one example of using external information to aid in driving change to help the greater ecosystem at large.

My Trip wasn’t all fun J

There was the 3 ½ days worth of Steering Committee (SC) meeting to decide various organizational things. One major topic was the 2009 Annual FIRST conference (AGM) in Kyoto, Japan. The AGM gives us the opportunity to meet and share presentation on a number of security topics. The logistics of putting on a large conference are mind boggling in my opinion. I am glad to say, I will enjoy watching our own Andrew Cushman figure out some of these issues firsthand as he was named the 2010 Program chair for the 2010 Annual First conference.

I love the fact that Microsoft makes a point to work with the security community at large and truly values community-based defense. Our consistency and trusted relationships make it much easier to have the conversations at the proverbial “watering holes” to get messages across to the security ecosystem that we do care and take the job of securing customers at all level as our main priority.

Now that I am settling back into a groove, I look forward to heading out and doing more in my EcoStrat role. Stay tuned for more from me as I travel to CanSecWest and Black Hat Europe.

Later...

Steve “Capt Steve” Adegbite

Share this post :

*Posting is provided "AS IS" with no warranties, and confers no rights.*