<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>MSRC Ecosystem Strategy Team : Microsoft Active Protections Program</title><link>http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx</link><description>Tags: Microsoft Active Protections Program</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Making Sense of the Random &amp; Mining For Gold</title><link>http://blogs.technet.com/ecostrat/archive/2009/03/12/making-sense-of-the-random-mining-for-gold.aspx</link><pubDate>Thu, 12 Mar 2009 07:30:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3211809</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3211809.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3211809</wfw:commentRss><description>&lt;P&gt;As the newest member to the EcoStrat Team, I guess I will start with the basics. I am Adrian Stone. I have now been in the Microsoft Security Response Center (MSRC) almost four years. My current job you ask? I work to make sense of the random and controlled chaos that is the MSRC. If my team and I do our jobs right, we often find nuggets of gold buried in the middle of it all. I have often joked that MSRC is like a box of chocolates. You never know what you’re going to get from one day to the next: &lt;/P&gt;&lt;div class="author"&gt;
&lt;img src=" http://blogs.technet.com/photos/msrcecostrat/images/3206306/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;StoneZ&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Adrian Stone&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Predictive Analytics, Game Theory, Databases, Sports Cars, NFL Football, Direct People&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Losing, Liars, Posers, No Talent Clowns&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;
 
&lt;BLOCKQUOTE&gt;
&lt;P&gt;A new 0-day released into the wild? &lt;/P&gt;
&lt;P&gt;A hard engineering security issue that affects vendors throughout the ecosystem? &lt;/P&gt;
&lt;P&gt;Someone “hacked” your password and stole your MSN Messenger Account? &lt;/P&gt;
&lt;P&gt;Aliens are reading your e-mail from the planet Remulak? &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Yeah, my team gets them all. And we engage the right people and the right parts of the MSRC process to handle the issue. &lt;/P&gt;
&lt;P&gt;I manage the part of the team that is responsible for reading every e-mail that comes into the &lt;A href="mailto:secure@microsoft.com" mce_href="mailto:secure@microsoft.com"&gt;secure@microsoft.com&lt;/A&gt; e-mail address, which is usually the entry point for vulnerabilities that are responsibly disclosed to us by external security researchers. In 2008, we reached a new benchmark of 75% of the vulnerabilities we received being reported to us by responsible disclosure. The vast majority of those reports were sent to &lt;A href="mailto:secure@microsoft.com" mce_href="mailto:secure@microsoft.com"&gt;secure@microsoft.com&lt;/A&gt;. On average, we receive around 200,000 legitimate e-mails a year, including reports that range from the very real security issue to the absolutely bizarre. Of course, this number does not include the SPAM that still requires individual verification to make sure that filtering hasn’t caused us to miss a potential report, which can easily happen with foreign language Unicode based text. &lt;/P&gt;
&lt;P&gt;If we grow complacent or aren’t digging into a report, we run the risk of missing a potential security issue. Oftentimes we will engage with the security researcher to ensure we understand the concern or the type of issue from their point of view. There are no auto responders in our world. I can attest to the fact that a person with a qualified security background is sorting through it all 365 days a year. Mining these e-mail reports in all their various languages and the data contained within them is invaluable to help ensure that, like a field medic, we accurately assess and assign the right priority and engage the right product teams within the company to investigate the issue more deeply. As if all of that wasn’t enough to keep us focused, we also monitor various other resources for signs of issues that may impact the security of Microsoft’s customers. &lt;/P&gt;
&lt;P&gt;Another component of my team is responsibility for the MSRC’s infrastructure and data analysis to make sure that what we learn about a vulnerability report, and the corresponding fix, can be leveraged to improve future products through the efforts of our colleagues in the Security Development Lifecycle (SDL) Team. &lt;/P&gt;
&lt;P&gt;Ultimately my team serves as the bookends to the process driven by the Security PMs and the Release Team that starts with vulnerability disclosure and ends with what most of our customers see as the monthly security bulletin release. &lt;/P&gt;
&lt;P&gt;I also serve as Editor in Chief of our security bulletins and advisories. It’s that part of my job that most of our customers see the end result of in their day-to-day operations. The security bulletins and advisories serve as the vehicle by which we notify our customers of a newly uncovered vulnerability in our products and the steps that they can take to remediate the issue. Just as security vulnerabilities are an issue that spans the industry, so is the use of bulletins and advisories to communicate the issues. Sometimes, though, calling something a bulletin or an advisory is where the similarities in communication begin and end. The rest in between can be anyone’s guess. &lt;/P&gt;
&lt;P&gt;Understanding the content of a security bulletin or advisory can vary wildly from one vendor to another. When comparing one vendor to another, the accuracy and the level of the depth about the underlying vulnerability and the potential mitigations and workarounds can vary relative to the vendor. The data sets and terminology may be completely different. For example what one vendor may call a remote code execution issue may be referred to as a remote elevation of privilege vulnerability by another. This could leave a customer asking: "Are these things the same or aren’t they? Which one is worse?" &lt;/P&gt;
&lt;P&gt;As you can see this leaves the customer trying to decipher the different nuances in terminology, technical documentation, and the content itself. Eventually all of the information in its various forms is digested by customers to perform and execute on a Risk Analysis and Risk Remediation Plan. This is often a very manual task requiring cross referencing of vulnerability identification numbers and comparing differing and competing scoring systems. At best, it is time consuming; at worst, it can be a total pain if you are dealing with a heterogeneous computing environment supported by different vendors. We constantly leverage focus groups and mine the feedback on our security bulletin and advisory content that we receive from customers and partners to optimize and improve its usability. While this helps us and our customers with respect to the information we provide, it unfortunately does not address the various nuances from vendor to vendor for the customer. &lt;/P&gt;
&lt;P&gt;This brings me to a project that I am involved in that has been started by ICASI members: to create an industry-wide Common Vulnerability Reporting Framework (CVRF) with regard to how we present vulnerability data and articulate security related issues. The CVRF end goal is to present a form of extensible XML framework that can be easily parsed by both humans and tools. The benefit for both vendors and customers is that some of the ambiguity is removed for consumers of the data. The structure can be leveraged by vendors to help streamline the data recording they need internally to help identify and develop updates to address security vulnerabilities. While the project is still in its infancy, it is awesome to see it getting traction and the various members working together to solve a problem that, prior to my coming to Microsoft, was the bane of my existence as a Security Analyst. I wish I could say I escaped it when I received my card key to the building, but the truth is it now occupies my thoughts as a member of the MSRC for a very different set of reasons. Now it regularly presents challenges for my team in how we manage the flow of our vulnerability data within the company and externally with partners like Microsoft Active Protections Program (MAPP) members. It is important to note that CVRF is not intended to replace various scoring methods to determine the impact of vulnerabilities, but rather to serve as a common framework to structure many of the data elements that can be used by such scoring systems. I can definitely see how CVRF will help us get even better and of course, through this process, we’ll continue our engagement in CVSS and the CVSS SIG. Hopefully, if we do it right, there will be a little more order and a little less chaos in the security ecosystem. That can be as valuable and as rare as refined gold on some days. &lt;/P&gt;
&lt;P&gt;Later, &lt;/P&gt;
&lt;P&gt;-A&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Exploitability+Index/default.aspx">Exploitability Index</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Development+Lifecycle+_2800_SDL_2900_/default.aspx">Security Development Lifecycle (SDL)</category></item><item><title>Chills and Thrills at FIRST</title><link>http://blogs.technet.com/ecostrat/archive/2009/02/11/chills-and-thrills-at-first.aspx</link><pubDate>Wed, 11 Feb 2009 06:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3200928</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3200928.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3200928</wfw:commentRss><description>
&lt;p&gt;&lt;b&gt;Sveika!&lt;/b&gt; Hey Steve here, been a while since I posted on the EcoStrat blog. With all the security events that happened during the latter half of 2008, I have been very focused on working with the security update releases and Microsoft Active Protections Program (&lt;a href="http://www.microsoft.com/security/msrc/mapp/overview.mspx" mce_href="http://www.microsoft.com/security/msrc/mapp/overview.mspx"&gt;MAPP&lt;/a&gt;).&lt;/p&gt;

&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148863/original.aspx" /&gt; 
&lt;b&gt;Handle: &lt;/b&gt;&lt;br /&gt;Cap'n Steve&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Steve Adegbite&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Reverse Engineering an obscene amount of code and ripping it up on a snowboard&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Not much but if you hear me growl…run&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;

&lt;div class="wlWriterEditableSmartContent" id="scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:7e715ec7-60a2-42ad-b737-ceb0bb878c9c" style="margin: 0px; padding: 0px; display: inline; float: right;"&gt;&lt;a href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga-8x6.jpg" title="Night sky near Riga's Central Station" rel="thumbnail" mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga-8x6.jpg"&gt;&lt;img src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga_8.png" mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga_8.png" border="0" height="281" width="420"&gt;&lt;/a&gt;&lt;/div&gt;

&lt;p&gt;You are probably wondering what an EcoStrat guy has to do with security updates and other technical deliverables. Well, I want to take a moment to explain why this makes sense. Before taking on the role of working with the monthly security release team and the MAPP program team, I primarily worked with the partner outreach team, managing ecosystem changes through industry partnerships. The partner outreach team’s goals/focus, within the scope of the EcoStrat team, is to work with industry to establish partnerships and initiatives to protect consumers. One of the most visible results is the MAPP initiative. This is a program that works with the security industry ecosystem to create an effective conduit for inbound and outbound information flow.&lt;/p&gt;

&lt;p&gt;This was a large effort to affect ecosystem change externally, but what about internally? Microsoft is a large company that has an interesting culture and ecosystem of its own with developers, technology evangelists, security engineers, program managers, marketers, etc...&lt;/p&gt;

&lt;p&gt;It became very clear that external ecosystem changes weren’t going to be enough without an effort focused on internal ecosystem changes as well. We needed a number of ways to effectively drive internal change with information we were getting from the external ecosystem while still following one of our core tenets to focus primarily on efforts that protect customers. One way we can do that is by releasing monthly security updates. Within the Microsoft Security Response Center (MSRC), we have an exceptional security release team that manages this large and complex effort. The team’s main focus is to make sure quality security updates are delivered to customers in a consistent manner. We noticed that a way to accomplish this was to become what we call “change agents.” Change agents influence change on a large scale most of the time without the formal authority to do so. This made sense as the release team manages the monthly release via a process that doesn’t have them building/owning any binary packages for release. They effectively were driving ecosystem changes just internally. So it made sense to have someone bridge both the internal and external sides of ecosystem change efforts. &lt;/p&gt;

&lt;p&gt;So I’m grateful, and excited, to be in a position to work on both sides of the coin to effect change.&amp;nbsp; And, I get to work with folks currently managing MAPP and the security release every month to help make these changes possible. Their good work also makes it possible for me to leave Redmond and engage directly with the community in crucial industry events. Just recently, I had the chance to jump back into my partner outreach role within the EcoStrat team and had the chance to travel.&lt;/p&gt;

&lt;p&gt;I am starting to really understand the need to be multicultural in the job we do here on the EcoStrat team. Many times it’s the cultural differences that sometimes make or break the security messages we are trying to get across. This is one reason why this team travels a lot to target every place that Microsoft technologies are prevalent. It’s also the number one reason why I pick myself up and out of the day-to-day operations to understand these differences. &lt;/p&gt;

&lt;p&gt;Last month, I got to put back on my &lt;a href="http://www.first.org/" mce_href="http://www.first.org/"&gt;FIRST&lt;/a&gt; Steering committee hat, and I traveled to the beautiful but cold city of Riga, Latvia. The FIRST Steering Committee has four meetings a year to get work done for its members. We usually use the technical colloquiums (TC) as good times to get together and partake in the great “watering hole” activities described in Andrew Cushman’s last &lt;a href="http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx" mce_href="http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx"&gt;blog&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The TC is organized by a local host. The local host for this one was Trans-European Research and Education Network Association (&lt;a href="http://www.terena.org/" mce_href="http://www.terena.org/"&gt;TERENA&lt;/a&gt;) computer security incident response team (TF-CSIRT). TERENA is an organization that focuses on offering a forum to collaborate, innovate and share knowledge in order to foster the development of internet technology, infrastructure and services for the research and education communities. They present and train at the TC server to educate security teams, highlighting new techniques to deal with relevant computer security issues. Usually I get to just sit back and enjoy the presentations but this time was a little different. The majority of the presentations were centered on the latest Conficker worm. Not familiar to you? Well, cruise on down to the following Microsoft &lt;a href="http://technet.microsoft.com/en-us/security/dd452420.aspx" mce_href="http://technet.microsoft.com/en-us/security/dd452420.aspx"&gt;Conficker page&lt;/a&gt; and relevant posts on the &lt;a href="http://blogs.technet.com/msrc/archive/2009/02/06/new-information-pages-on-conficker.aspx" mce_href="http://blogs.technet.com/msrc/archive/2009/02/06/new-information-pages-on-conficker.aspx"&gt;MSRC&lt;/a&gt; and &lt;a href="http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx" mce_href="http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx"&gt;MMPC&lt;/a&gt; blogs. &lt;/p&gt;

&lt;p&gt;Being the lone Microsoft guy and a member of the Steering Committee was very interesting to say the least. After this conference, I personally know almost every European CERT or CSIRT contact after fielding some good and frank questions about Conficker. &lt;/p&gt;

&lt;p&gt;Like I said, I spent most of the day fielding questions about Conficker and Microsoft’s actions to help security teams in their effort to protect consumers from this threat. Microsoft has a robust process when it comes to our response to issues so I was well prepared with information that went above and beyond the out-of-band security update that was released for this issue back in October (&lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx" mce_href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx"&gt;MS08-067&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;Although the frank questioning felt like on-the-spot cavity cleaning, I was extremely happy to have the chance to clear up some of the myths and give some actionable information to these important security stakeholders. It also allowed me to understand information that the MSRC usually doesn’t get a chance to receive first hand. Also, having a response guy from Microsoft at FIRST allowed the security teams to understand that we are taking the problem seriously. One internal ecosystem change that was supported came about from feedback from this trip. One clear feedback item was to make sure that we had a single authoritative source/place for Microsoft efforts on Conficker. This information added more key data points to indicate that the teams in Microsoft managing the Conficker efforts were doing the right thing in moving forward with creating a single place for outlining Conficker resources. This is just one example of using external information to aid in driving change to help the greater ecosystem at large.&lt;/p&gt;
&lt;div class="wlWriterEditableSmartContent" id="scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:460e5e62-e22e-4680-a6ba-4c42b4fcfef7" style="margin: 0px; padding: 0px; display: inline; float: left;"&gt;&lt;a href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve-8x6.jpg" title="Dinner fun wiht FIRST SC members Yurie Ito (lower right) and Pete Allor (middle)" rel="thumbnail" mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve-8x6.jpg"&gt;&lt;img src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve_6.png" mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve_6.png" border="0" height="325" width="335"&gt;&lt;/a&gt;&lt;/div&gt;
&lt;p&gt;My Trip wasn’t all fun &lt;span style="font-size: 11pt; font-family: Wingdings;"&gt;&lt;span style=""&gt;J&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt; font-family: 'Calibri','sans-serif';"&gt; &lt;/span&gt;&lt;u&gt;&lt;/u&gt;&lt;/p&gt;

&lt;p&gt;There was the 3 ½ days worth of Steering Committee (SC) meeting to decide various organizational things. One major topic was the 2009 Annual FIRST &lt;a href="http://conference.first.org/" mce_href="http://conference.first.org/"&gt;conference&lt;/a&gt; (AGM) in Kyoto, Japan. The AGM gives us the opportunity to meet and share presentations on a number of security topics. The logistics of putting on a large conference are mind boggling in my opinion. I am glad to say, I will enjoy watching our own Andrew Cushman figure out some of these issues firsthand as he was named the 2010 Program chair for the 2010 Annual FIRST conference.&lt;/p&gt;

&lt;p&gt;I love the fact that Microsoft makes a point to work with the security community at large and truly values community-based defense. Our consistency and trusted relationships make it much easier to have the conversations at the proverbial “watering holes” to get messages across to the security ecosystem that we do care and take the job of securing customers at all levels as our main priority.&lt;/p&gt;

&lt;p&gt;Now that I am settling back into a groove, I look forward to heading out and doing more in my EcoStrat role. Stay tuned for more from me as I travel to &lt;a href="http://cansecwest.com/" mce_href="http://cansecwest.com/"&gt;CanSecWest&lt;/a&gt; and &lt;a href="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html" mce_href="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html"&gt;Black Hat Europe&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Later...&lt;/p&gt;

&lt;p&gt;Steve “Capt Steve” Adegbite&lt;/p&gt;


&lt;p&gt;*Posting is provided "AS IS" with no warranties, and confers no rights.*&lt;/p&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3200928" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/CanSecWest/default.aspx">CanSecWest</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-Based+Defense/default.aspx">Community-Based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Conferences/default.aspx">Conferences</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Conficker/default.aspx">Conficker</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/FIRST/default.aspx">FIRST</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MMPC/default.aspx">MMPC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MS08-067/default.aspx">MS08-067</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Watering+Hole/default.aspx">Watering Hole</category></item><item><title>Constants and Change</title><link>http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx</link><pubDate>Tue, 03 Feb 2009 08:00:00 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3196160</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3196160.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3196160</wfw:commentRss><description>&lt;p&gt;Microsoft has been talking about &lt;a href="http://blogs.zdnet.com/security/?p=1632" mce_href="http://blogs.zdnet.com/security/?p=1632"&gt;community-based defense&lt;/a&gt; for some time now. This week, I want to provide a personal dimension to the campaign, and give an update on recent activities. Curiously, as I started to write this post, a couple of phrases popped up, which despite being somewhat trite, seemed appropriate – "change is constant" and "the more things change the more they stay the same." &lt;/p&gt;

&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148859/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;The Crushman&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Andrew Cushman&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Security Director&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Cranberry juice (thanks Jay!)&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Super helpful hotel desk clerks (thanks Raoul?)&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;

&lt;p&gt;Over the last years my outreach efforts expanded beyond the security researcher part of the security ecosystem to include CERTs and other guidance providers, as well as security organizations and companies. My most recent past and future activities give a view. &lt;/p&gt;

&lt;p&gt;Before we get into the trip report, though, I want to spend just a second on a couple of guiding principles and introduce some vocabulary. &lt;/p&gt;

&lt;p&gt;I attend a lot of conferences around the world. A number of years ago, I started referring to them as “watering holes” – like watering holes, security conferences are the places in the ecosystem that attract a diverse population focused on a common need. The most interesting conferences are the ones with the best “hallway track” – the ones that attract the most diverse and most interesting attendees also typically generate the most interesting hallway (or after hours) discussions. &lt;/p&gt;

&lt;p&gt;My objective in attending conferences is twofold. I want to foster community support, help make connections between Microsoft and different parts of the ecosystem, and make bridging connections between parts of the ecosystem that might not otherwise mingle. Secondly, I want to stimulate conversation about shared problems, ensure attendees understand what Microsoft is doing and promote discussion about collaborative solutions. &lt;/p&gt;

&lt;p&gt;In December, I was in Sao Paulo at the DISI 2008 – Dia Internacional de Segurança em Informática; an event co-hosted by the Brazilian Army and FIESP – the Industry Federation of the State of Sao Paulo. This conference was interesting because of the community it brings together and the challenges unique to Brazil. I presented last year and delivered an embryonic call to action for community-based defense. I was very pleased to be able to return a year later and give an update that showed Microsoft’s progress. I pointed to programs like the Microsoft Active Protections Program (&lt;a href="http://www.microsoft.com/security/msrc/mapp/overview.mspx" mce_href="http://www.microsoft.com/security/msrc/mapp/overview.mspx"&gt;MAPP&lt;/a&gt;), the Industry Consortium for Advancement of Security on the Internet (&lt;a href="http://www.icasi.org/" mce_href="http://www.icasi.org/"&gt;ICASI&lt;/a&gt;), the &lt;a href="http://technet.microsoft.com/en-us/security/cc998259.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc998259.aspx"&gt;Exploitability Index&lt;/a&gt; and Microsoft Vulnerability Research (&lt;a href="http://blogs.technet.com/ecostrat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx" mce_href="http://blogs.technet.com/ecostrat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx"&gt;MSVR&lt;/a&gt;) to demonstrate that we are walking the walk.&lt;/p&gt;

&lt;p&gt;January found me in California at a Bay Area security confabulation whose theme was “Partnerships: finding ways to energize a common defense.” The attendees came from across the industry and the security ecosystem. I found the hallway track(s) exceptionally valuable and especially enjoyed the discussion and presentations on cloud computing security. I presented on ICASI, and gave a behind the scenes look at its goals, formation, and current state. Microsoft, along with Cisco, IBM, Intel, and Juniper formed ICASI in 2008 to drive excellence and innovation in security response and to promote effective industry collaboration to address the rising tide of multi-vendor security issues. &lt;/p&gt;

&lt;p&gt;Also in January, I volunteered (and was accepted ☺) to be the Program Chair for the 2010 conference organized by the Forum for Incident Response and Security Teams (FIRST). I’m a relative newcomer to the FIRST family and realize I have a fair amount to learn – the education starts at the next Steering Committee meeting in Miami and continues at the &lt;a href="http://conference.first.org/" mce_href="http://conference.first.org/"&gt;FIRST 2009 conference this June in Kyoto&lt;/a&gt;. I am very pleased by the warm reception and the opportunities this group has to influence and drive positive ecosystem change.&lt;/p&gt;

&lt;p&gt;I also took on a new role within TwC Security in January. I handed over responsibility for the monthly security update releases to Mike Reavey in order to better focus on understanding and addressing emerging security threats. The new job is completely different, yet very much still the same. You’ll continue to see me at conferences around the world, I’ll continue to be active in the industry and ecosystem and I’ll continue to promote dialog about the changing threat landscape and what Microsoft can and should do to strengthen Community Based Defense. &lt;/p&gt;

&lt;p&gt;-Andrew&lt;/p&gt;
&lt;span class="sbmLink"&gt;
&lt;table cellpadding="1" cellspacing="1"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td class="sbmText"&gt;Share this : &lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.backflip.com/add_page_pop.ihtml?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to backflip" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/backflip4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/backflip4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.blinkbits.com/bookmarklets/save.php?v=1&amp;amp;source_url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to blinkbits!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blinkbit4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blinkbit4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.blogmemes.net/post.php?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to blogmemes" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blogmemes4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blogmemes4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://buddymarks.com/s_add_bookmark.php?bookmark_url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;bookmark_title=Constants%20and%20Change" class="sbmDim" title="Post it to buddymark" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/buddymar4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/buddymar4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://complore.com/?q=node/add/flexinode-5&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to complore" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/complore4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/complore4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://del.icio.us/post?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;;title=Constants%20and%20Change" class="sbmDim" title="Post it to del.icio.us" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliciou4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliciou4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://de.lirio.us/bookmarks/sbmtool?action=add&amp;amp;address=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to del.iri.ous!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliriou4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliriou4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://digg.com/submit?phase=2&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to digg" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/digg14.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/digg14.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.dotnetkicks.com/kick/?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to dotnetkicks" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/CropperCapture154.jpg" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/CropperCapture154.jpg" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.furl.net/store?s=f&amp;amp;to=0&amp;amp;u=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;ti=Constants%20and%20Change" class="sbmDim" title="Post it to furl" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/furl4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/furl4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="https://favorites.live.com/quickadd.aspx?marklet=1&amp;amp;mkt=en-us&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to live" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/live4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/live4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://ma.gnolia.com/bookmarklet/add?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to magnolia!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/magnolia4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/magnolia4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://netvouz.com/action/submitBookmark?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to netvouz!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/netvouz4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/netvouz4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://reddit.com/submit?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to reddit!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/reddit4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/reddit4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.shadows.com/bookmark/saveLink.rails?page=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to shadow" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/shadows6.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/shadows6.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.spurl.net/spurl.php?v=3&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to spurl" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/spurl8.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/spurl8.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://technorati.com/faves/?add=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to technorati!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/technora4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/technora4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.wists.com/?action=add&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to wists" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/wists9.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/wists9.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://myweb.yahoo.com/myresults/bookmarklet?u=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;t=Constants%20and%20Change" class="sbmDim" title="Post it to yahoo!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/yahoo9.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/yahoo9.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;/span&gt;
&lt;p&gt;*Posting is provided "AS IS" with no warranties, and confers no rights.*&lt;/p&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3196160" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/CERT/default.aspx">CERT</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-Based+Defense/default.aspx">Community-Based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Conferences/default.aspx">Conferences</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Exploitability+Index/default.aspx">Exploitability Index</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Vulnerability+Research/default.aspx">Microsoft Vulnerability Research</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category></item><item><title>One Month Analysis: Exploitability Index</title><link>http://blogs.technet.com/ecostrat/archive/2008/11/13/one-month-analysis-exploitability-index.aspx</link><pubDate>Thu, 13 Nov 2008 09:01:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3152501</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3152501.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3152501</wfw:commentRss><description>&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148862/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;Silver Surfer&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Mike Reavey&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Director, MSRC&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Warm weather, Battlestar Galactica, and responsibly reported vulnerabilities&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Rain, Rain without end, Clouds with potential for rain, reality TV, and unpatched vulns&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; Hey folks – 
&lt;P&gt;We’ve just released the &lt;A href="http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx" mce_href="http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx"&gt;November Security Bulletins&lt;/A&gt; and that also marks the one-month point after the release of the initial &lt;A href="http://technet.microsoft.com/en-us/security/cc998259.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc998259.aspx"&gt;Exploitability Index&lt;/A&gt; in October. As a result, we’ve had several questions from customers on “how’s it working?” Well, so far, based off the results from October, and feedback from &lt;A href="http://www.microsoft.com/security/msrc/mapp/overview.mspx" mce_href="http://www.microsoft.com/security/msrc/mapp/overview.mspx"&gt;Microsoft Active Protections Program&lt;/A&gt; (MAPP) partners who help check our work before release – it seems to be going pretty well.&lt;/P&gt;
&lt;P&gt;October was a large &lt;A href="http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx" mce_href="http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx"&gt;release&lt;/A&gt;, with 12 Security Bulletins resolving 21 vulnerabilities, one of those being an &lt;A href="http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx" mce_href="http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx"&gt;out-of-band release&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;First – our main measure for success is to make sure we avoid rating something in the index “lower” than it actually should be once under full public review. This is our main concern because it means that customers would be at a higher level of risk than we communicated through the index. The good news is, one month after release, we’ve not had any issues that fall into this category. This also means that for the four vulnerabilities we gave our lowest ratings, we haven’t seen functioning exploit code in the first 30 days. These include:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;- MS08-058 - CVE-2008-3474 - Cumulative Security Update for Internet Explorer &lt;/P&gt;
&lt;P&gt;- MS08-058 - CVE-2008-3476 - Cumulative Security Update for Internet Explorer &lt;/P&gt;
&lt;P&gt;- MS08-061 - CVE-2008-2251 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege &lt;/P&gt;
&lt;P&gt;- MS08-065 - CVE-2008-3479 - Vulnerability in Message Queuing Could Allow Remote Code Execution &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;There were also four security vulnerabilities where we anticipated consistent and functioning exploit code would be released publicly (excluding CVE-2008-2947, which was public at bulletin release), and for which this prediction came true. These include:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;- MS08-059 – CVE-2008-3466 – Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution &lt;/P&gt;
&lt;P&gt;- MS08-062 – CVE-2008-1446 – Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution &lt;/P&gt;
&lt;P&gt;- MS08-066 – CVE-2008-3464 – Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege &lt;/P&gt;
&lt;P&gt;- MS08-067 – CVE-2008-4250 – Vulnerability in Server Service Could Allow Remote Code Execution (this was the out-of-band-release) &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;For each of the aforementioned issues, functioning exploit code was released publicly within the first two weeks. Customers using the index to help make deployment decisions would have been able to anticipate this, prioritize these updates over others, and roll them out within their environment. Before we had the Exploitability Index providing this additional layer of analysis, these security bulletins would have had no special indication that attacks were likely.&lt;/P&gt;
&lt;P&gt;This is probably the most significant impact the index can have, as we’ve always said it’ll never be 100% accurate, but that the goal is to give valuable information to help customers make prioritization decisions. &lt;/P&gt;
&lt;P&gt;For the remaining five issues that were rated “1 – Consistent Exploit Code Likely,” we’ve not seen functioning exploit code posted publicly. While this may seem like we’re wrong in the prediction, we actually feel pretty good about this.&lt;/P&gt;
&lt;P&gt;Let me explain: Some customers expressed concern that when we released the Exploitability Index, by observing the environment, we’d be changing it. Basically, they were worried that we’d raise the amount of exploit code present in the ecosystem by highlighting the issues most likely to have exploit code developed.&lt;/P&gt;
&lt;P&gt;So even though we think it’s likely that functioning exploit code could be released for the remaining seven, the fact it hasn’t means that we’ve not significantly changed the threat environment in a negative way. And we haven’t told customers to worry less about a given vulnerability when in fact, they should have. In fact, it may even be that the increased attention led to faster deployments to protect against these vulnerabilities and that in turn made these less attractive. &lt;/P&gt;
&lt;P&gt;A full list of all the vulnerabilities, &lt;A href="http://www.microsoft.com/technet/security/bulletin/rating.mspx" mce_href="http://www.microsoft.com/technet/security/bulletin/rating.mspx"&gt;Bulletin Severity Ratings&lt;/A&gt;, and Exploitability Index ratings, along with “how we’ve done” is listed below. As always, you can find the Exploitability Index on the Security &lt;A href="http://www.microsoft.com/technet/security/current.aspx" mce_href="http://www.microsoft.com/technet/security/current.aspx"&gt;Bulletin Summary page&lt;/A&gt; each month. You can even find additional supplemental information by referencing our &lt;A href="http://technet.microsoft.com/en-us/security/cc998259.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc998259.aspx"&gt;Frequently Asked Questions&lt;/A&gt; and &lt;A href="http://technet.microsoft.com/en-us/library/dd145265.aspx" mce_href="http://technet.microsoft.com/en-us/library/dd145265.aspx"&gt;How to Use the Exploitability Index&lt;/A&gt; on several Microsoft Web sites.&lt;/P&gt;
&lt;P&gt;We’ll continue to watch how we’re doing in providing this information, and make an effort to engage more with the community to help us check our work.&lt;/P&gt;
&lt;P&gt;However, one month in, based on the data and feedback from customers, it looks like the Exploitability Index is panning out to be a very helpful tool for customers.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/OneMonthAnalysisExploitabilityIndex_6F6C/image_2.png" mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/OneMonthAnalysisExploitabilityIndex_6F6C/image_2.png"&gt;&lt;IMG style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; WIDTH: 620px; BORDER-BOTTOM: 0px; HEIGHT: 437px" height=514 alt=image src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/OneMonthAnalysisExploitabilityIndex_6F6C/image_thumb.png" width=814 border=0 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/OneMonthAnalysisExploitabilityIndex_6F6C/image_thumb.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;- Mike Reavey&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3152501" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Exploitability+Index/default.aspx">Exploitability Index</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category></item><item><title>MS08-067: Example of Need for Increased Collaboration</title><link>http://blogs.technet.com/ecostrat/archive/2008/10/23/ms08-067-example-of-need-for-increased-collaboration.aspx</link><pubDate>Thu, 23 Oct 2008 14:05:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3141079</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3141079.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3141079</wfw:commentRss><description>&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148863/original.aspx" /&gt; 
&lt;b&gt;Handle: &lt;/b&gt;&lt;br /&gt;Cap'n Steve&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Steve Adegbite&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Reverse Engineering an obscene amount of code and ripping it up on a snowboard&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Not much but if you hear me growl…run&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; 
&lt;P&gt;You've probably heard that we released an out-of-band Security Bulletin for a vulnerability in Windows (&lt;A href="http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx" mce_href="http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx"&gt;MS08-067&lt;/A&gt;).&amp;nbsp; By now you have probably also heard of the Microsoft Active Protections Program (&lt;A href="http://www.microsoft.com/security/msrc/mapp/overview.mspx" mce_href="http://www.microsoft.com/security/msrc/mapp/overview.mspx"&gt;MAPP&lt;/A&gt;). Let me take a moment to talk to you about how they worked in concert for this issue.&amp;nbsp; As announced at Black Hat in August, prior to release of the monthly security updates, MAPP members receive technical details on vulnerabilities in order to speed the development of protections.&amp;nbsp; Due to the unique threat from this vulnerability and because the issue was released out-of-band, we decided to not only share the information in advance but to also make our security engineers behind the &lt;A href="http://blogs.technet.com/swi/" mce_href="http://blogs.technet.com/swi/"&gt;SVRD Blog&lt;/A&gt; available for questions with MAPP partners.&lt;/P&gt;
&lt;P&gt;During this meeting, we outlined technical details on this update and allowed for more in-depth questions on the information provided. We did this to ensure full understanding of the issue so that timely protections could be provided. We are happy to say it worked nicely, and that most MAPP partners had protections out shortly after the bulletin was published and the rest should have their protection available by end of day.&amp;nbsp; If you have questions about which partners have protection, see the links to their pages &lt;A href="http://www.microsoft.com/security/msrc/mapp/partners.mspx" mce_href="http://www.microsoft.com/security/msrc/mapp/partners.mspx"&gt;here&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;This is a great example of the kind of community-based defense we discussed at Black Hat and I’m&amp;nbsp;pleased to see us working together to collaboratively protect the ecosystem.&lt;/P&gt;
&lt;P&gt;For more information about this release see the MSRC Blog here: &lt;A href="http://blogs.technet.com/msrc/default.aspx" mce_href="http://blogs.technet.com/msrc/default.aspx"&gt;http://blogs.technet.com/msrc/default.aspx&lt;/A&gt;&lt;B&gt; &lt;/B&gt;&lt;/P&gt;
&lt;P&gt;Steve “Capt Steve” Adegbite&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3141079" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-Based+Defense/default.aspx">Community-Based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MS08-067/default.aspx">MS08-067</category></item><item><title>Black Hat Follow Up: Answering the Hard Questions</title><link>http://blogs.technet.com/ecostrat/archive/2008/10/14/black-hat-follow-up-answering-the-tough-questions.aspx</link><pubDate>Tue, 14 Oct 2008 09:01:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3136018</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3136018.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3136018</wfw:commentRss><description>&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148862/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;Silver Surfer&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Mike Reavey&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Director, MSRC&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Warm weather, Battlestar Galactica, and responsibly reported vulnerabilities&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Rain, Rain without end, Clouds with potential for rain, reality TV, and unpatched vulns&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; 
&lt;P&gt;It’s October! And for those who remember Black Hat 2008 in Las Vegas, this means the programs we &lt;A href="http://www.microsoft.com/presspass/events/blackhat/materials.mspx" mce_href="http://www.microsoft.com/presspass/events/blackhat/materials.mspx"&gt;announced&lt;/A&gt; have launched. These programs include the &lt;A href="http://www.microsoft.com/security/msrc/mapp/overview.mspx" mce_href="http://www.microsoft.com/security/msrc/mapp/overview.mspx"&gt;Microsoft Active Protections Program&lt;/A&gt; and the Microsoft &lt;A href="http://technet.microsoft.com/en-us/security/cc998259.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc998259.aspx"&gt;Exploitability Index&lt;/A&gt;, which begin with today's October Security Bulletin Release. &lt;A href="http://blogs.technet.com/ecostrat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx" mce_href="http://blogs.technet.com/ecostrat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx"&gt;Microsoft Vulnerability Research&lt;/A&gt; is also continuing to run a formalization of our ongoing efforts as responsible researchers in the community.&lt;/P&gt;
&lt;P&gt;Following the announcement, there was a discussion on the &lt;A href="http://lists.immunitysec.com/pipermail/dailydave/2008-August/005306.html" mce_href="http://lists.immunitysec.com/pipermail/dailydave/2008-August/005306.html"&gt;Daily Dave security mailing list&lt;/A&gt;, where folks wanted to ask us more questions than were asked after we announced our three security programs at Black Hat 2008. We &lt;A href="http://lists.immunitysec.com/pipermail/dailydave/2008-August/005306.html" mce_href="http://lists.immunitysec.com/pipermail/dailydave/2008-August/005306.html"&gt;responded&lt;/A&gt;, asking folks to send their questions our way.&lt;/P&gt;
&lt;P&gt;We didn’t answer some questions from the thread about future product development and our relationships with specific researchers. However, below are answers to questions about the three specific programs announced at Black Hat to make sure folks understand them fully.&lt;/P&gt;
&lt;P&gt;We appreciate the feedback on these programs. They are all focused on increasing collaboration and information sharing to tilt the advantage in the favor of the defenders of networks as they combat attackers.&lt;/P&gt;
&lt;P&gt;So, here are the questions, and the answers:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Questions about Microsoft Active Protections Program (MAPP)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;1. Can you fully define 'offensive' or 'attack' software? Is a security assessment tool that does not exploit categorized as such? Consider a tool like nmap or Nessus, would that discount Fyodor or Tenable?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Of course, absolute definitions in this space are challenging. However, an example of pure offensive or attack software is any software that weakens, for a prolonged period or permanently, the security integrity of a system in order to either exploit it or pilfer it (steal data, credentials, or toeholds for further exploitation, such as rootkits). Tools like MPack would be one example I would categorize as a pure attack tool. With that said, Nessus or Nmap (tools many of us here have used when doing security consulting) would not be considered pure offensive/attack tools. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;2. What if a company makes multiple products, some aggressive and some passive? eEye or Tenable would be examples, where each has defensive products designed to act as IDS/IPS as well as assessment tools.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;We would still allow such a company, provided they met the criteria, in the MAPP. They would still have to abide by the criterion stating that "protections" built with MAPP data must be held until the security update is publicly released. This ensures that someone doesn't get the signature, reverse engineer it to discover the issue being updated, and then release a Proof-of-Concept (PoC) for it. Now, I think where you are going is that there is a potential that the same company can use this information in their assessment products prior to the release of the security update. This is correct, but it would be a violation of the MAPP agreement, and if discovered, we would terminate their membership. However, early on we realized that assessment tools play a big role in the enterprise and consumer security space. We will continue to work on this area. Right now, we’re focused on giving customers better active protections as they work to deploy our security updates. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;3. What about companies that clearly make defensive products, but also have other questionable activities? Consider TippingPoint, which has an IPS solution, but also does the ZDI Initiative, where they share (sell) vulnerability information to their clients.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;We would evaluate their defensive business first and do a risk analysis of other activities to ensure that it does not harm the same customers we are trying to protect. This is not a "pure" solution but it is a real world one due to the nature of some security firms’ business practices. If at any point any MAPP member is found engaging in activities that hurt our customers, they will be removed immediately. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;4. If an organization is found to have leaked information inappropriately, what are the consequences? Being kicked out of the cartel seems like a given, but by potentially putting millions of computers at risk prematurely, would Microsoft also pursue the company legally?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;The company would be removed from the MAPP immediately. I can't speak on any legal action but I can imagine our legal department would review the matter. Also, please remember that one of the key operational goals of MAPP is to provide information “just-in-time.” Therefore, any negative actions only have a short window before the updates themselves are released for customers. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;5. Would Microsoft comment and give a rough number of companies that have been accepted into MAPP to demonstrate the interest?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;The MAPP has been receiving a fair number of applications, as you can guess. We are still processing and getting people officially in, so no definitive numbers are available yet. Rough guesses are still matching up to what I said on the stage of about 20 to 40 companies by launch. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Questions about Microsoft Vulnerability Research (MSVR)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;6. Are these people finding third-party vulnerabilities also looking at Microsoft products?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Yes. The people looking for third-party vulnerabilities are primarily in our security engineering teams, and they do look for vulnerabilities in our own products, along with conducting other security research and response activities. Some vulnerability finders within Microsoft are in other teams with other responsibilities, such as in various product teams. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;7. Is this done using automated tools (proprietary or otherwise), by hand or a mix?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;A mix. An overall goal of MSVR would be to not only help increase security by finding instances of vulnerabilities that are present in third-party software, but also in sharing methods we’ve learned in how to uncover these vulnerabilities. So if we can identify an opportunity, we will also share the principles and methodology we’ve developed as part of the Microsoft Security Development Lifecycle (SDL), which can include tools and manual techniques. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;8. What disclosure policy do you adhere to, and is it published?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Our goal is to follow the OIS guidelines, found here: &lt;A href="http://oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf" mce_href="http://oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf"&gt;http://oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf&lt;/A&gt; . &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;9. Once the vulnerability is fixed, vendors frequently issue advisories or mention the fix in a changelog and credit the person/company who reported it. Can you cite a single example of this? If not, why not?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Yes, we can. Engineers at Microsoft had been reporting vulnerabilities to third-party vendors long before MSVR was founded. MSVR is both a formalization of how we handle vulnerabilities that are casually found during the course of someone's normal work (as was the case for years), as well as an expansion of research focus to third-party software specifically to look for vulnerabilities. Before MSVR, finders at Microsoft either reported the issues they found to the vendor directly, or asked the MSRC to help them do so. They are individually credited in the affected vendor's advisories. Try searching for Tom Gallagher in some ISVs' security bulletins. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Question about Microsoft Exploitability Index &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;10. If there are only a handful of people who can make a reliable exploit for a particular vulnerability (or not) and none of them work for Microsoft, how can Microsoft accurately determine whether an exploit for a particular vulnerability will be somewhat reliable or totally reliable (or not possible at all)?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;This question makes a good point, and that is, much of the Exploitability Index accuracy is based off of who is doing the work versus a strict scientific methodology. We realize there’s a chance we might not be 100% right all the time. However, we’ve done a few things to try and make sure this index is accurate enough to help realize its goal of giving more actionable information to customers to prioritize their deployment. &lt;BR&gt;&lt;/P&gt;
&lt;P&gt;First, it’s most relevant for the first two weeks to 30 days after release. Meaning, exploitation science may change, and there may be private methods under discussion, but for customers making deployment decisions, it should provide enough information to help make a more informed prioritization than before. Second, we do have the folks from the Security Vulnerability Research and Defense (&lt;A href="http://blogs.technet.com/swi/" mce_href="http://blogs.technet.com/swi/"&gt;SVRD&lt;/A&gt;) team working on the vulnerability from its initial report, until the release, and they’ll be assessing exploitability as part of their normal process. &lt;BR&gt;&lt;/P&gt;
&lt;P&gt;That’s not all, as we’ll also be following methodologies discussed at &lt;A href="http://technet.microsoft.com/en-us/security/cc182199.aspx#EY" mce_href="http://technet.microsoft.com/en-us/security/cc182199.aspx#EY"&gt;BlueHat conferences&lt;/A&gt;, so we’ll be using approaches similar to those the community uses when analyzing our updates. And finally, we’ll leverage the community established through MAPP to check our work before we release the index. With three layers of people and processes, we expect the Exploitability Index to provide valuable information to customers in their decision making. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;- Mike Reavey&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3136018" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Conferences/default.aspx">Conferences</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Exploitability+Index/default.aspx">Exploitability Index</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Vulnerability+Research/default.aspx">Microsoft Vulnerability Research</category></item><item><title>Leaving Las Vegas: A Black Hat Salute</title><link>http://blogs.technet.com/ecostrat/archive/2008/08/08/leaving-las-vegas-a-black-hat-salute.aspx</link><pubDate>Fri, 08 Aug 2008 09:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3102686</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3102686.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3102686</wfw:commentRss><description>&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148859/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;The Crushman&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Andrew Cushman&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Security Director&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Cranberry juice (thanks Jay!)&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Super helpful hotel desk clerks (thanks Raoul?)&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;&lt;/P&gt;
&lt;P&gt;What can I say? Once again, Black Hat did not disappoint. And that’s not just post-party speak. The conversations were good, the input was invaluable, and the support for the new programs we launched—well, it’s been overwhelming. The vibe in the MSRC “Helping Secure the Planet” presentation was great, the audience was engaged and had plenty of questions and Mike, Katie and Steve demonstrated the depth of talent and commitment in the MSRC. We’re excited to take that momentum and move it forward.&lt;/P&gt;
&lt;P&gt;Our hats are off to the awesome Black Hat team for putting on another great conference. I only wish I could have made it into more sessions. Among briefings with media on our news, reconnecting with old friends and making new ones, and fielding a steady flow of invite requests for the party, the time just flew by. But hey, I did manage to introduce Rod Beckstrom for his keynote and got a tweet in on that.&lt;/P&gt;
&lt;P&gt;And how about Twitter? I didn’t imagine I would enjoy it so much and who'd have thought it would drive so much conversation at the show? We had fun participating and watching the discussions unfold. It’s been a great channel to share news and carry on further about some of the presentations and event happenings. I especially enjoyed Ryan Naraine’s play-by-play at the Pwnie Awards.&lt;/P&gt;
&lt;P&gt;And about the Pwnie Awards, I want to echo my thanks for the “Most Epic Fail” Honorable Mention. Rest assured we’ll be back next year with the same commitment to security engineering! &lt;/P&gt;
&lt;P&gt;I’m also really excited about our new EcoStrat blog (&lt;A title=http://blogs.technet.com/ecostrat/ href="http://blogs.technet.com/ecostrat/" mce_href="http://blogs.technet.com/ecostrat/"&gt;http://blogs.technet.com/ecostrat/&lt;/A&gt;). The team has written some great posts. The blog provides an opportunity for the EcoStrat team to “show our work” and provide a good look behind the scenes on what we’re doing and how we’re working with the broader security community. We will continue to take advantage of opportunities so as to continue a dialogue.&lt;/P&gt;
&lt;P&gt;This week really has solidified a fundamental shift for Microsoft and it’s been refreshing to see that shift in perception and reception towards us at the conference—from what used to be a focus on free drinks and invites to a genuine interest in what we’re offering and how we’re engaged in the security community. &lt;/P&gt;
&lt;P&gt;I’m sure good times were had by all here at the show, and our hope, and commitment, is that what happened in Vegas, particularly what we announced in Vegas, does not stay in Vegas. &lt;/P&gt;
&lt;P&gt;- Andrew Cushman&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3102686" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Exploitability+Index/default.aspx">Exploitability Index</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Vulnerability+Research/default.aspx">Microsoft Vulnerability Research</category></item><item><title>Helping Secure the Planet: New Strategic Initiatives from Microsoft</title><link>http://blogs.technet.com/ecostrat/archive/2008/08/06/helping-secure-the-planet-new-strategic-initiatives-from-microsoft.aspx</link><pubDate>Wed, 06 Aug 2008 09:02:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3099770</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3099770.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3099770</wfw:commentRss><description>&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148862/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;Silver Surfer&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Mike Reavey&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Director, MSRC&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Warm weather, Battlestar Galactica, and responsibly reported vulnerabilities&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Rain, Rain without end, Clouds with potential for rain, reality TV, and unpatched vulns&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; 
&lt;P&gt;Tomorrow, Steve Adegbite, Katie Moussouris and I will give the first ever Microsoft Security Response Center (MSRC) talk at Black Hat, Las Vegas. Yes, Microsoft has presented at Black Hat before, and actually has a pretty long history of participating in this con, but this is the first time the MSRC itself has hosted a talk.&lt;/P&gt;
&lt;P&gt;So what’s the big deal?&lt;/P&gt;
&lt;P&gt;Well, as you may have heard, we’ve announced a couple new programs this week (See Microsoft’s &lt;A href="http://www.microsoft.com/presspass/events/blackhat/default.mspx" mce_href="http://www.microsoft.com/presspass/events/blackhat/default.mspx"&gt;Virtual Press Room&lt;/A&gt;) that mark a real shift in how we approach the issue of security.&amp;nbsp; This talk will disclose all the juicy details of all three programs (yes, there’s a third program...Katie will tell you all about it!), include demos of the vulnerability information we will share as part of the Microsoft Active Protections Program Steve’s created, show you what our “Exploitability Index” looks like, and give you all the context you’ll need to understand the how’s, why’s, and where’s that led us up to this stage!&lt;/P&gt;
&lt;P&gt;While saying we want to help “secure the planet” is a bit assuming, the reality is that we realize no one can address evolving security threats alone. One of the key themes of the talk, and indeed one of the key themes of our continued commitment to taking Trustworthy Computing to the Internet, is that through collaboration and shared intelligence, the security industry can better anticipate, respond and work together to address threats. This talk will illustrate how these innovative programs come together to help enhance security through collaboration and information sharing.&lt;/P&gt;
&lt;P&gt;So if you’re here on the ground, come join us tomorrow at 3:15 in Roman Ballroom. And, of course, if you’re unable to catch us at the conference, the best bet is to follow us on Twitter: &lt;/P&gt;
&lt;P&gt;&lt;A href="http://twitter.com/mreavey" mce_href="http://twitter.com/mreavey"&gt;http://twitter.com/mreavey&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://twitter.com/SteveAdegbite" mce_href="http://twitter.com/SteveAdegbite"&gt;http://twitter.com/SteveAdegbite&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://twitter.com/k8em0" mce_href="http://twitter.com/k8em0"&gt;http://twitter.com/k8em0&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;- Mike Reavey&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;
&lt;P&gt;&amp;nbsp;Update: Room #.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3099770" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Exploitability+Index/default.aspx">Exploitability Index</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category></item><item><title>Security through Collaboration: Microsoft Active Protections Program</title><link>http://blogs.technet.com/ecostrat/archive/2008/08/05/security-through-collaboration-microsoft-active-protections-program.aspx</link><pubDate>Tue, 05 Aug 2008 09:01:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3098697</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3098697.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3098697</wfw:commentRss><description>&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148863/original.aspx" /&gt; 
&lt;b&gt;Handle: &lt;/b&gt;&lt;br /&gt;Cap'n Steve&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Steve Adegbite&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Reverse Engineering an obscene amount of code and ripping it up on a snowboard&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Not much but if you hear me growl…run&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; 
&lt;P&gt;Yut!!! Nothing like a motivating US Marine Corps yell to get your attention. Hey, &lt;A href="http://blogs.technet.com/ecostrat/about.aspx" target=_blank mce_href="http://blogs.technet.com/ecostrat/about.aspx"&gt;Steve Adegbite&lt;/A&gt; here, just wanted to drop some words and give you my perspective on some of the news we (Microsoft) announced this morning.&lt;/P&gt;
&lt;P&gt;You may have seen already we launched a trusted information sharing program for security software providers. It’s a program we created in hopes of actually helping the defenders get a leg up on protecting consumers. The Microsoft Active Protections Program will allow vetted security software providers early access to the technical details on the vulnerabilities we are addressing with each monthly security update. Microsoft is doing this in hopes that we can give the defenders more time to produce timely signatures. Basically, in doing this, we’re betting that cutting out the time to reverse engineer our security updates will give valuable time back to the defenders to focus on protection enhancement and faster delivery.&lt;/P&gt;
&lt;P&gt;Most of the security community knows me from my work with the military and government before coming to Microsoft (i.e. founder of the USMC Information Assurance Red Team). One thing I harped on was that I believe security has to take a community-based focus. One aspect of this community-based approach is the establishment of a "trusted information sharing" program. As a red teamer, my job was to find the vulnerable points and feed that information to the defenders via trusted information channels. This helped the defender shore up their defenses or at least let them know where weak spots existed. &lt;/P&gt;
&lt;P&gt;Microsoft Active Protections Program&lt;B&gt; &lt;/B&gt;is doing a similar thing, just in a "commercial" way, and without me looking for vulnerable spots in code/networks at 3:45am. It’s not enough to point the finger at one entity and say “Fix it.” Those of us who belong to the security ecosystem must own the problem, and share in the solution.&lt;/P&gt;
&lt;P&gt;I believe in this so much that when the opportunity arose to run for the steering committee at FIRST, I couldn’t miss it. I am glad Microsoft saw the same value, as they have allowed me to do this as a two-year commitment. That shows tremendous dedication to the idea that security at large is an ecosystem problem. But more on that in another time on this blog.&lt;/P&gt;
&lt;P&gt;The point here is that everything can be addressed with the right collaborative effort. Microsoft gets that and is doing its part. The next upcoming year you’re going to see a lot of that action shining through in all arenas we engage on for security. Stay tuned and remember it takes a village to raise a child...but the digital village is where I live, and we are working together to raise a great and safe cyber ecosystem for consumers to enjoy. &lt;/P&gt;
&lt;P&gt;For more of my insight live from Vegas, check me out on Twitter at &lt;A href="http://www.twitter.com/SteveAdegbite" mce_href="http://www.twitter.com\SteveAdegbite"&gt;www.twitter.com/SteveAdegbite&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;- Steve Adegbite&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3098697" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category></item></channel></rss>