<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>MSRC Ecosystem Strategy Team : Watering Hole</title><link>http://blogs.technet.com/ecostrat/archive/tags/Watering+Hole/default.aspx</link><description>Tags: Watering Hole</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Ahn-young-ha-seh-yo &amp; Kon-ni-chi-wa</title><link>http://blogs.technet.com/ecostrat/archive/2009/11/23/ahn-young-ha-seh-yo-kon-ni-chi-wa.aspx</link><pubDate>Mon, 23 Nov 2009 16:07:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3295831</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3295831.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3295831</wfw:commentRss><description>&lt;P mce_keep="true"&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148863/original.aspx" /&gt; 
&lt;b&gt;Handle: &lt;/b&gt;&lt;br /&gt;Cap'n Steve&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Steve Adegbite&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Reverse Engineering an obscene amount of code and ripping it up on a snowboard&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Not much but if you hear me growl…run&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; Hi! It's been a while since I've had a chance to blog about all the things we have been doing here. As travelling around to various security events is a big part of our mantra, I’ve been to Tokyo, Japan for &lt;A href="http://pacsec.jp/" mce_href="http://pacsec.jp/"&gt;PacSec&lt;/A&gt; and Seoul, South Korea for &lt;A href="http://www.powerofcommunity.net/pastcon_2009.html" mce_href="http://www.powerofcommunity.net/pastcon_2009.html"&gt;POC 2009&lt;/A&gt;. Both were great conferences and had great security talks. 
&lt;P mce_keep="true"&gt;
&lt;P&gt;PacSec had a lot of the Japanese security scene in attendance (the local powerhouses are pretty sharp and savvy) along with international researchers and past BlueHat speakers, Charlie Miller and Alex Stamos. Take a minute to check out archived &lt;A href="http://dragos.com/psj09/" mce_href="http://dragos.com/psj09/"&gt;presentations&lt;/A&gt; from our own Tony Lee introducing the SIRv7 and Jason Shirk discussing fuzzing strategies. But the biggest interest concerned mobile code threats such as malware and how the perimeter defenses are fading away as a viable protection. This seems to be a hot topic everywhere, so hot that the just wrapped-up &lt;A href="http://technet.microsoft.com/en-us/security/ee460903.aspx" mce_href="http://technet.microsoft.com/en-us/security/ee460903.aspx"&gt;BlueHat v9&lt;/A&gt; con had an entire track dedicated to mobile security, and in June 2010, at the annual &lt;A href="http://conference.first.org/" mce_href="http://conference.first.org/"&gt;FIRST Conference&lt;/A&gt;, how the perimeter defenses are fading away will be the theme for the whole conference. &lt;/P&gt;
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: left; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:a347ac6d-530a-47fa-93d2-2770c8876fd0 class=wlWriterEditableSmartContent&gt;&lt;A title="On the ground at PacSec 09" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/Pacsec%2009%20_2-8x6.jpg" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/Pacsec%2009%20_2-8x6.jpg"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/Pacsec%2009%20_2_17.png" width=266 height=363 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/Pacsec%2009%20_2_17.png"&gt;&lt;/A&gt;&lt;/DIV&gt;It’s a cyclic state when it comes to the effectiveness of protections. I remember back in the 80s and 90s when the firewall was going to fix it all. But like everything in life, things evolve and the firewall became a part of a complex mesh of other technologies created to evolve with the threats. 
&lt;P&gt;This cyclic and evolving process is something we know a lot about here in Microsoft. The continued security evolution built the &lt;A href="http://www.microsoft.com/security/msrc/default.aspx" mce_href="http://www.microsoft.com/security/msrc/default.aspx"&gt;MSRC process&lt;/A&gt; and the &lt;A href="http://msdn.microsoft.com/en-us/security/sdl.aspx" mce_href="http://msdn.microsoft.com/en-us/security/sdl.aspx"&gt;Security Development Lifecycle (SDL)&lt;/A&gt;. This is how we had to react to threats. &lt;/P&gt;
&lt;P&gt;Visiting POC 2009 and PacSec, I got more of a sense of how people outside Microsoft evolve and react; most created either more complex processes or bought more technologies. As I was sitting at POC 2009 watching the presentations, I saw the same theme here as well. It seems that with the evolution of threats, security people everywhere are throwing up more complex processes and technologies. But what happens when the complexity we have created outstrips the problem? I can see that we are always going to have the technological challenges of new threats.&lt;/P&gt;
&lt;P&gt;Take, for instance, &lt;A href="http://technet.microsoft.com/en-us/security/dd452420.aspx" mce_href="http://technet.microsoft.com/en-us/security/dd452420.aspx"&gt;Conficker&lt;/A&gt;, a new threat that helped every security professional evolve due to the complex nature of the threat. However, something else happened with Conficker that really turned on a light in my head. Conficker took advantage of old threats and long-standing security best practices. The fact that Conficker used these old threats and was still widely successful in exploiting our complex processes and technologies is interesting. &lt;/P&gt;
&lt;P&gt;I couldn't help asking myself this question: could it be that, due to our complexity, we have failed to take into account past experiences? I don’t think so. I think what we may have done is forgotten one or two primary focus security factors. Those factors are “people” and “process”. People management for security is a key tenet of any type of security plan. This fact has been proven everywhere and in every topic including computer security.&lt;/P&gt;
&lt;P&gt;If your plan does not take into account an understanding of the human factor and what it means to your security process, you are missing an important point. Understanding the “people” factor will help you in the next important part of the security plan, which is the process part. &lt;/P&gt;
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: right; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:ef4d5da0-5dbb-4cdf-a906-326e3830d297 class=wlWriterEditableSmartContent&gt;&lt;A title="POC 09 - Seoul, Korea" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/POC%2009_2-8x6.jpg" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/POC%2009_2-8x6.jpg"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/POC%2009_2_4.png" width=335 height=294 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/AhnyounghasehyoKonnichiwa_7228/POC%2009_2_4.png"&gt;&lt;/A&gt;&lt;/DIV&gt;Sitting down at PacSec and POC 2009, I see that we have a firm grip on the technological-advancement front. The presentations at both conferences were excellent technically and on the cusp of new developments. But I still believe that a more focused approach on the “people” factor of computer security would do more to enhance the security than technology advancements will. 
&lt;P&gt;Here at Microsoft we are looking in that direction as we look at the technological enhancements coming to the continent of Africa. Here is a place where we will have the chance to stress a focus on the “people” aspect while building up the processes to take advantage of the new technologies afforded the populace. Hopefully you’ll be seeing more of this model in future posts from me as this new initiative develops. But for now make sure to look at the “people” factor as you create, modify or react to problems in the security landscape. It may surprise you what fresh new perspectives and solutions it gives you.&lt;/P&gt;
&lt;P&gt;-Steve &lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3295831" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-based+Defense/default.aspx">Community-based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Development+Lifecycle+_2800_SDL_2900_/default.aspx">Security Development Lifecycle (SDL)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Conficker/default.aspx">Conficker</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/FIRST/default.aspx">FIRST</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Watering+Hole/default.aspx">Watering Hole</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Attack/default.aspx">Attack</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Malicious+Software+_2800_Malware_2900_/default.aspx">Malicious Software (Malware)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC+Ecosystem+Strategy/default.aspx">MSRC Ecosystem Strategy</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Responsible+Disclosure+/default.aspx">Responsible Disclosure </category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Risk+Assessment/default.aspx">Risk Assessment</category><category 
domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Engineering/default.aspx">Security Engineering</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Tools/default.aspx">Security Tools</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Intelligence+Report/default.aspx">Security Intelligence Report</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Research/default.aspx">Security Research</category></item><item><title>心の会合: The Gathering</title><link>http://blogs.technet.com/ecostrat/archive/2009/07/17/the-gathering.aspx</link><pubDate>Fri, 17 Jul 2009 15:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3265785</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3265785.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3265785</wfw:commentRss><description>&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148863/original.aspx" /&gt; 
&lt;b&gt;Handle: &lt;/b&gt;&lt;br /&gt;Cap'n Steve&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Steve Adegbite&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Reverse Engineering an obscene amount of code and ripping it up on a snowboard&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Not much but if you hear me growl…run&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;&lt;/P&gt;
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: none; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:8a1c2a51-bbe5-46d3-887a-8caf76dc5f25 class=wlWriterEditableSmartContent&gt;&lt;A title="" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/TheGathering_ADCF/Kyoto%20FIRST-8x6.png" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/TheGathering_ADCF/Kyoto%20FIRST-8x6.png"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/TheGathering_ADCF/Kyoto%20FIRST_8.png" width=420 height=203 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/TheGathering_ADCF/Kyoto%20FIRST_8.png"&gt;&lt;/A&gt;&lt;/DIV&gt;
&lt;P&gt;Konnichiwa!&lt;/P&gt;
&lt;P&gt;I guess you are wondering why I said hello in Japanese. I have just recently returned from attending the 21&lt;SUP&gt;st&lt;/SUP&gt; Forum of Incident Handling and Security Teams (&lt;A href="http://conference.first.org/" mce_href="http://conference.first.org/"&gt;FIRST&lt;/A&gt;) annual conference hosted in the awesome city of Kyoto in Japan. The city of Kyoto is beautiful. I was amazed at all the interesting palaces and temples located right in the middle of a modern city. It was truly awesome. What was even more awesome was the 21&lt;SUP&gt;st&lt;/SUP&gt; FIRST Annual Conference. You have heard us here at Microsoft talk a lot lately about community-based defense initiatives. These initiatives drive the security ecosystem to work in a coordinated fashion to address security issues. This works best by creating a community that is built on trust and common goals. The common goal here is to build coordinated defense from attacks. FIRST is one such trusted, security-focused community. This is one reason why Microsoft supports their efforts. As a community of incident and security response teams, FIRST provides a trusted network to share information and provide coordination efforts that are all member-driven. &lt;/P&gt;
&lt;P&gt;Most members work for larger companies but their efforts in the FIRST organization are at times above and beyond the duties of their jobs. FIRST relies on its member community to do a lot of work since it is a not-for-profit organization. The conferences are no different. This year the Japanese local teams of FIRST had the task of assisting the conference organizers set things up. Let me say they did an excellent job. It was surreal from the banquet to the mixer session; it was, in a word, “exquisite.” I personally loved the entertainment by a troupe of local taiko drummers. Check them out &lt;A href="http://www.bati-holic.jp/english/index.htm" mce_href="http://www.bati-holic.jp/english/index.htm"&gt;here&lt;/A&gt;. &lt;/P&gt;
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: right; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:076624f7-5c1b-428d-912a-67a741e1f456 class=wlWriterEditableSmartContent&gt;&lt;A title="Clockwise from right: Peter Allor, Eyal Mador, Steve Adegbite, Ofer Mador" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/TheGathering_ADCF/FIRST-8x6.png" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/TheGathering_ADCF/FIRST-8x6.png"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/TheGathering_ADCF/FIRST_6.png" width=420 height=339 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/TheGathering_ADCF/FIRST_6.png"&gt;&lt;/A&gt;&lt;/DIV&gt;
&lt;P&gt;It wasn’t all fun and games, though some of it was. Check out the picture above. As you can see, we got the rare chance to interact with the potential future security community thanks to Ziv Mador, a Microsoft security professional from the Microsoft Malware Protection Center (&lt;A href="http://blogs.technet.com/mmpc/" mce_href="http://blogs.technet.com/mmpc/"&gt;MMPC&lt;/A&gt;) group, who brought his family along to the conference. Thanks to Eyal and Ofer Mador who provided us a wonderful chance to show them how cool security professionals can be. &lt;/P&gt;
&lt;P&gt;Back to business. As a member of the Steering Committee (SC), we meet year round. However, we usually conduct most annual business at the conference. That business can range from giving status updates on projects to providing the organization’s financial numbers. We also hold elections for the committee when an SC member’s term is up. This year, we elected two new members to the SC, joining the three current members of the committee. &lt;/P&gt;
&lt;P&gt;Speaking of elections, I am glad that Microsoft views our participation in FIRST as a key thing. This is extremely good, as it seems I will be spending a fair bit more time working on the FIRST Steering Committee and Board of Directors. At this annual general meeting (AGM), I was elected to be the Chairman of the Steering Committee and President of the Board of Directors for FIRST. I look forward to stepping into these roles to help steer the organization toward its goals. &lt;/P&gt;
&lt;P&gt;The conference tracks presented were great and focused on relevant problems faced by incident handling teams, from network monitoring to malware analysis.&lt;/P&gt;
&lt;P&gt;We also conducted meetings of special interest groups (SIG) to cover in-depth problems and issues faced by members in the same interest and focus areas. These sessions are really great because you get to meet like-minded peers who are facing the same problems you face. The Law Enforcement SIG and Network Monitoring SIG were well attended this year.&lt;/P&gt;
&lt;P&gt;You have heard &lt;A href="http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx" mce_href="http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx"&gt;Andrew Cushman talk about “Hallway Tracks”&lt;/A&gt; as a way to label all connections and conversations taking place outside of the presented tracks. The hallway tracks at the conference were golden. The amount of focused security discussion I had out in the hallway will have me set for a month with action items. &lt;/P&gt;
&lt;P&gt;Well, that’s it for now. But before I go I wanted to take the time to introduce a new member to the EcoStrat Team. I want to welcome Karl Hanmore to the team. He comes to us from AusCERT with a strong CERT background. He will be with us in Vegas at Black Hat… so see ya there!&lt;/P&gt;
&lt;P&gt;-Steve&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3265785" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-based+Defense/default.aspx">Community-based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MMPC/default.aspx">MMPC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/FIRST/default.aspx">FIRST</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Watering+Hole/default.aspx">Watering Hole</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Hallway+Tracks/default.aspx">Hallway Tracks</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Attack/default.aspx">Attack</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC+Ecosystem+Strategy/default.aspx">MSRC Ecosystem Strategy</category></item><item><title>Announcing the BlueHat Security Forum: EU Edition</title><link>http://blogs.technet.com/ecostrat/archive/2009/06/02/announcing-the-bluehat-security-forum-eu-edition.aspx</link><pubDate>Tue, 02 Jun 2009 11:30:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3249680</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3249680.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3249680</wfw:commentRss><description>&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148860/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;C-Lizzle&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Celene Temkin&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Program Manager 2 &amp; BlueHat Project Manager&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Culinary warfare, BlueHat hackers and responsible disclosure&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Acts of hubris, MySpace, orange mocha Frappuccinos!&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; &lt;/P&gt;
&lt;P&gt;Hey folks! I know this is typically the time of year when birds are chirping, the rain is &lt;I&gt;supposed &lt;/I&gt;to be letting up, and those of you in the BlueHat network who are normally invited to attend the Spring BlueHat conference are asking yourselves, "Why did MSRC start doing the con only once a year?" The answer, of course, is pretty simple and complicated at the same time. Today marks the beginning of the next evolution of the BlueHat Security Briefings, with the launch of the &lt;B&gt;BlueHat Security Forum&lt;/B&gt; taking place at the Microsoft Executive Briefing Center in Brussels, Belgium. &lt;/P&gt;
&lt;P&gt;Following the success of the &lt;A href="http://technet.microsoft.com/en-us/security/cc261637.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc261637.aspx"&gt;BlueHat Security Briefings&lt;/A&gt;, entering its 9&lt;SUP&gt;th&lt;/SUP&gt; iteration this October 22-23 at the Microsoft campus in Redmond, the BlueHat Security Forum EU event is an invitation-only gathering and network of select government and enterprise decision-makers from throughout the European Union.&amp;nbsp; Attendee country representation includes Austria, Belgium, Denmark, Finland, France, Germany, Italy, Norway, Sweden, Switzerland, and the UK.&amp;nbsp; Today’s Forum gathering in Brussels features lively presentations on the latest developments in information security from Microsoft leaders and external security researcher luminaries. 
&lt;P&gt;The primary objective of the BlueHat Security Forum is to build bridges between our Microsoft Security Leadership team, key Enterprise security stakeholders, and members of the security research community. The secondary objective is to participate in candid, actionable, and constructive dialogue with key enterprise customers that will help Microsoft produce enterprise-ready, value-laden products and services.&amp;nbsp; The BlueHat Security Forum planning team formulates discussion topics for these meetings based on current security hot topics, new research and trends. 
&lt;P&gt;Today's BlueHat Security Forum EU event agenda will address: 
&lt;P&gt;· E-crime attacks, the vulnerability economy and the global threat landscape 
&lt;P&gt;· Security in the cloud, DNS security, and the malware landscape 
&lt;P&gt;· Microsoft Security Response Center (MSRC) processes and integrating a Security Development Lifecycle (SDL) 
&lt;P&gt;And did I mention our stellar lineup? :) Presenters from Microsoft Trustworthy Computing include Andrew Cushman, &lt;I&gt;Director of Trustworthy Computing Security;&lt;/I&gt; David Pollington, &lt;I&gt;Director of Security, Europe&lt;/I&gt;; Vinny Gullotto&lt;I&gt;, General Manager, Microsoft Malware Protection Center; &lt;/I&gt;Alex Lucas, &lt;I&gt;Principal Security Development Lead;&lt;/I&gt; Mike Reavey,&lt;I&gt; Director of MSRC; &lt;/I&gt;and from Global Foundation Services&lt;I&gt;, &lt;/I&gt;Martin Rues&lt;I&gt;, Director for Cloud Security, Microsoft &amp;amp; &lt;/I&gt;Scott Oxley&lt;I&gt;, Lead Architect for Cloud Security, Microsoft. &lt;/I&gt;External presenters include&lt;I&gt; &lt;/I&gt;Iftach Amit&lt;I&gt;, Director, Security Research, Aladdin; &lt;/I&gt;Dragos Ruiu&lt;I&gt;,&lt;/I&gt; &lt;I&gt;CEO SecWest Conferences, Security Technology Specialist; &lt;/I&gt;Dan Kaminsky&lt;I&gt;,&lt;/I&gt; &lt;I&gt;Director of Penetration Testing, IOActive; &lt;/I&gt;and&lt;I&gt; &lt;/I&gt;Scott Stender&lt;I&gt;, Principal, iSEC Partners, Inc.&lt;/I&gt; 
&lt;P&gt;We are seeking to build upon the momentum of past events by showcasing how individual strategies can intersect to offer substantial benefits and positive-sum outcomes. As with the local BlueHat conference, we are looking to demystify global and regional security threats, and to create channels for productive information exchange on common threats between the security industry, governments and researchers. Future regional BlueHat Security Forums are planned for Asia in 2010 and LATAM in 2011. 
&lt;P&gt;Next up: save the date for BlueHat v9 this October 22-23 in Redmond. Stay tuned for more updates and information to come here and on the &lt;A href="http://blogs.technet.com/bluehat/" mce_href="http://blogs.technet.com/bluehat/"&gt;BlueHat Blog&lt;/A&gt;. Be sure to check out Iftach Ian Amit’s post also coinciding with the Forum, &lt;I&gt;&lt;A href="http://blogs.technet.com/bluehat/archive/2009/06/03/getting-a-business-degree-as-part-of-security-research.aspx" mce_href="http://blogs.technet.com/bluehat/archive/2009/06/03/getting-a-business-degree-as-part-of-security-research.aspx"&gt;Getting a business degree as part of Security Research?&lt;/A&gt;&lt;/I&gt; 
&lt;P&gt;Bonne chance! 
&lt;P&gt;Celene&lt;/P&gt;
&lt;P&gt;&lt;SPAN class=sbmLink&gt;&amp;nbsp; 
&lt;TABLE cellSpacing=1 cellPadding=1 unselectable="on"&gt;
&lt;TBODY&gt;
&lt;TR&gt;
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to reddit!" onmouseout=mOut(this) href="http://reddit.com/submit?url=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;title=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/reddit4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to shadow" onmouseout=mOut(this) href="http://www.shadows.com/bookmark/saveLink.rails?page=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;title=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/shadows6.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to spurl" onmouseout=mOut(this) href="http://www.spurl.net/spurl.php?v=3&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;title=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/spurl8.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to technorati!" onmouseout=mOut(this) href="http://technorati.com/faves/?add=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;title=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/technora4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to wists" onmouseout=mOut(this) href="http://www.wists.com/?action=add&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;title=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/wists9.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to yahoo!" onmouseout=mOut(this) href="http://myweb.yahoo.com/myresults/bookmarklet?u=http://blogs.technet.com/ecostrat/archive/2009/06/03/announcing-the-bluehat-security-forum-eu-edition.aspx&amp;amp;t=Announcing the BlueHat Security Forum: EU Edition" target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/yahoo9.png"&gt;&lt;/A&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3249680" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-based+Defense/default.aspx">Community-based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/BlueHat+Security+Briefings/default.aspx">BlueHat Security Briefings</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Development+Lifecycle+_2800_SDL_2900_/default.aspx">Security Development Lifecycle (SDL)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Watering+Hole/default.aspx">Watering Hole</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Attack/default.aspx">Attack</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Malicious+Software+_2800_Malware_2900_/default.aspx">Malicious Software (Malware)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC+Ecosystem+Strategy/default.aspx">MSRC Ecosystem Strategy</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Research/default.aspx">Security Research</category></item><item><title>Hack in the Box, and beyond…</title><link>http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx</link><pubDate>Wed, 13 May 2009 11:00:00 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3240341</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3240341.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3240341</wfw:commentRss><description>&lt;P&gt;&lt;B&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3237005/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;EcoStrat's All-Stars&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;TwC Security All-Star Guest Bloggers&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Security, Vulnerability Research &amp; Science, Defense and Responsible Disclosure&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;0-day, FUD&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;&lt;B&gt;Marhaban!&lt;/B&gt; Maarten Van Horenbeeck here from the Microsoft Security Response Center (MSRC). This is the first time I have blogged here on EcoStrat. As a Security Program Manager with MSRC, one of the roles I have is to work with security researchers, and this often involves attending security conferences to meet with you. Two weeks ago, a couple of us in Trustworthy Computing (TwC) attended the Hack in the Box (HITB) security conference in hot and sizzling Dubai, United Arab Emirates.&lt;/P&gt;
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: left; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:03959000-64a4-44b7-98d8-8310d37a81a0 class=wlWriterSmartContent&gt;&lt;A title="Burj Al Arab, the second tallest hotel in the world." href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/burjalarab-8x6.jpg" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/burjalarab-8x6.jpg"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/burjalarab_6.png" width=337 height=446 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/burjalarab_6.png"&gt;&lt;/A&gt;&lt;/DIV&gt;
&lt;P&gt;There is a saying that "every word in Arabic either means itself, its opposite, or a camel." Working in the information security industry, I often use this to illustrate to my clients how a piece of code that one person considers a vulnerability can very well be seen as valid functionality by another. As such, my Microsoft colleagues and I were very interested in learning more about other Arabic sayings that could be applied to the information security industry as a whole. 
&lt;P&gt;Hack in the Box is a twice-annual conference, taking place in Dubai, UAE during April, and somewhat later in the year in Kuala Lumpur, Malaysia. Given our past experiences with the value of the talks at the conference, Microsoft was a Titanium sponsor of this event. 
&lt;P&gt;The Dubai conference is more intimate than the Malaysia one, but that is exactly what makes it a great way for local information security professionals to network and learn more about cutting edge security research that is taking place all across the world. Presenters ventured from as far as Indonesia, the United States, and Germany. 
&lt;P&gt;At Microsoft, I think we can safely admit that in order to pioneer security efforts, we were forced to make every single mistake in the book and learn from it. When I started with the company, I was fascinated to see that we are in fact very good at learning. When we deal with an issue, we like to understand how we can resolve similar issues more effectively in the future. As such, we don’t just attend conferences to learn, but to start up a conversation – we are interested in sharing our own experiences as well as touching base with others. 
&lt;P&gt;Microsoft employees had two presentations lined up for this event. Mark Curphey, the director of Microsoft's Information Security Tools team, had a keynote presentation on security tools and technology for effective risk management. Mark focused on how most security tools and technology available to effectively manage risk can only be described as primitive in comparison to those used in most other areas of risk management, such as online gaming or healthcare. From my own experience as a security consultant, I can echo his finding that Microsoft Office Excel is often the most effective tool risk managers have at their disposal. 
&lt;P&gt;This is a gloomy situation, given the amount of risk most organizations are exposed to, but a broad sigh of relief was voiced by the audience when Mark clarified his team is working here at Microsoft on solving just that issue. 
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: right; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:ab83e23a-9cc4-4699-b289-8f221400a7e4 class=wlWriterSmartContent&gt;&lt;A title="Conference attendees enjoying a presentation" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/conference-8x6.jpg" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/conference-8x6.jpg"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/conference_7.png" width=420 height=269 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/conference_7.png"&gt;&lt;/A&gt;&lt;/DIV&gt;
&lt;P&gt;After Mark's talk, Ian Hellen from Microsoft's Security Assurance team and I spoke to several attendees who wanted to learn more about how Microsoft deals with application security issues. We understood from them that there is a lot of internal software development taking place in Dubai to support business processes, and many of the attendees asked questions about how they could make their own applications more secure. We talked to them about the Microsoft Security Development Lifecycle (SDL), which is our standardized approach to software security. If you have similar interests, you can read more about it &lt;A href="http://msdn.microsoft.com/en-us/security/cc448177.aspx" mce_href="http://msdn.microsoft.com/en-us/security/cc448177.aspx"&gt;here&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;Billy Rios, one of our resident security engineers, delivered a fascinating presentation on the concept of trust relationships in Web applications, and more specifically how a disparity exists between the security models implemented in Web applications, and those implemented by the browsers that host those applications. In addition, he collaborated with Chris Evans from Google to share with the audience some of their experiences with cross-domain issues and practical man-in-the-middle attacks on SSL. 
&lt;P&gt;While there was too much content at the conference for me to discuss in depth here, I will mention some of the other highlights. 
&lt;P&gt;Roberto Preatoni from WabiSabiLabi, one of our guests at BlueHat 6, presented on cyber warfare. He refuted Marcus Ranum’s 2007 statement at HITB Malaysia that cyber warfare is an overrated issue, by calling out several examples of contemporary cyber war. He illustrated how it may not just affect nation-states but its conflicts of interest can affect industries and individual corporations as well. &lt;/P&gt;
&lt;DIV style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: inline; FLOAT: left; PADDING-TOP: 0px" id=scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:2bc5a680-1786-4112-a04c-9417a346bb9a class=wlWriterSmartContent&gt;&lt;A title="Dubai Creek" href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/dubai1-8x6.jpg" rel=thumbnail mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/dubai1-8x6.jpg"&gt;&lt;IMG border=0 src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/dubai1_8.png" width=420 height=358 mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/HackintheBoxandbeyond_75B7/dubai1_8.png"&gt;&lt;/A&gt;&lt;/DIV&gt;
&lt;P&gt;Reverse engineers in the audience welcomed Sebastian Porst from Zynamics. He spoke about REIL, their Reverse Engineering Intermediate Language, and more specifically how it can be used to optimize static binary code analysis. They actually used one of our vulnerabilities, the Windows Server Service vulnerability patched in MS08-067 (read more about it &lt;A href="http://blogs.technet.com/srd/archive/2008/10/23/More-detail-about-MS08-067.aspx" mce_href="http://blogs.technet.com/srd/archive/2008/10/23/More-detail-about-MS08-067.aspx"&gt;here&lt;/A&gt; and &lt;A href="http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx" mce_href="http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx"&gt;here&lt;/A&gt;) to illustrate how their tool works. This was definitely a topic many of our own engineers are deeply interested in. 
&lt;P&gt;Another well received talk came from Wes Brown of IOActive. He provided a good primer on analyzing malicious code, and gave it a twist by describing how languages, Unicode, and even culture all make a difference and make the reverse engineer’s work just a wee bit more difficult. 
&lt;P&gt;At the end of the conference, Microsoft sponsored the sunset Post-Conference Reception, which allowed for more valuable networking opportunities. 
&lt;P&gt;Sometimes dealing with security incidents and vulnerabilities can feel like marching across a desert. Confidentiality is an unspoken requirement, and often you can only rely on your own senses, knowledge and intuition. It is a great thing that just like in Dubai, there are watering holes where we can come together and rely on each other implicitly, sharing information and improving the state of the art in our business. Thanks, Hack in the Box, for a great conference, and we’ll see you next time. &lt;B&gt;Ma’a salama.&lt;/B&gt; 
&lt;P&gt;[Editor's note: check out the BlueHat Blog for another &lt;A href="http://blogs.technet.com/bluehat/archive/2009/05/13/dune-busting-and-browser-fun-at-hitb-dubai.aspx" mce_href="http://blogs.technet.com/bluehat/archive/2009/05/13/dune-busting-and-browser-fun-at-hitb-dubai.aspx"&gt;Microsoft perspective on HITB-Dubai&lt;/A&gt;] &lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN class=sbmLink&gt;
&lt;TABLE cellSpacing=1 cellPadding=1 unselectable="on"&gt;
&lt;TBODY&gt;
&lt;TR&gt;
&lt;TD class=sbmText class="sbmText"&gt;Share this post : &lt;/TD&gt;
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to backflip" onmouseout=mOut(this) href="http://www.backflip.com/add_page_pop.ihtml?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/backflip4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to blinkbits!" onmouseout=mOut(this) href="http://www.blinkbits.com/bookmarklets/save.php?v=1&amp;amp;source_url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blinkbit4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to blogmemes" onmouseout=mOut(this) href="http://www.blogmemes.net/post.php?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blogmemes4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to buddymark" onmouseout=mOut(this) href="http://buddymarks.com/s_add_bookmark.php?bookmark_url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;bookmark_title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/buddymar4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to complore" onmouseout=mOut(this) href="http://complore.com/?q=node/add/flexinode-5&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/complore4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to del.icio.us" onmouseout=mOut(this) href="http://del.icio.us/post?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliciou4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to del.iri.ous!" onmouseout=mOut(this) href="http://de.lirio.us/bookmarks/sbmtool?action=add&amp;amp;address=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliriou4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to digg" onmouseout=mOut(this) href="http://digg.com/submit?phase=2&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/digg14.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to dotnetkicks" onmouseout=mOut(this) href="http://www.dotnetkicks.com/kick/?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/CropperCapture154.jpg"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to furl" onmouseout=mOut(this) href="http://www.furl.net/store?s=f&amp;amp;to=0&amp;amp;u=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;ti=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/furl4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to live" onmouseout=mOut(this) href="https://favorites.live.com/quickadd.aspx?marklet=1&amp;amp;mkt=en-us&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/live4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to magnolia!" onmouseout=mOut(this) href="http://ma.gnolia.com/bookmarklet/add?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/magnolia4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to netvouz!" onmouseout=mOut(this) href="http://netvouz.com/action/submitBookmark?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/netvouz4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to reddit!" onmouseout=mOut(this) href="http://reddit.com/submit?url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/reddit4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to shadow" onmouseout=mOut(this) href="http://www.shadows.com/bookmark/saveLink.rails?page=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/shadows6.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to spurl" onmouseout=mOut(this) href="http://www.spurl.net/spurl.php?v=3&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/spurl8.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to technorati!" onmouseout=mOut(this) href="http://technorati.com/faves/?add=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/technora4.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to wists" onmouseout=mOut(this) href="http://www.wists.com/?action=add&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;title=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/wists9.png"&gt;&lt;/A&gt; 
&lt;TD class=sbmDim onmouseover=mOvr(this) onmouseout=mOut(this) class="sbmDim"&gt;&lt;A class=sbmDim onmouseover=mOvr(this) title="Post it to yahoo!" onmouseout=mOut(this) href="http://myweb.yahoo.com/myresults/bookmarklet?u=http://blogs.technet.com/ecostrat/archive/2009/05/13/hack-in-the-box-and-beyond.aspx&amp;amp;t=Hack in the Box, and beyond..." target=_blank&gt;&lt;IMG border=0 src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/yahoo9.png"&gt;&lt;/A&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3240341" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/BlueHat+Security+Briefings/default.aspx">BlueHat Security Briefings</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Development+Lifecycle+_2800_SDL_2900_/default.aspx">Security Development Lifecycle (SDL)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Watering+Hole/default.aspx">Watering Hole</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Engineering/default.aspx">Security Engineering</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Tools/default.aspx">Security Tools</category></item><item><title>Chills and Thrills at FIRST</title><link>http://blogs.technet.com/ecostrat/archive/2009/02/11/chills-and-thrills-at-first.aspx</link><pubDate>Wed, 11 Feb 2009 09:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3200928</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3200928.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3200928</wfw:commentRss><description>
&lt;p&gt;&lt;b&gt;Sveika!&lt;/b&gt; Hey Steve here, been a while since I posted on the EcoStrat blog. With all the security events that happened during the latter half of 2008, I have been very focused on working with the security update releases and Microsoft Active Protections Program (&lt;a href="http://www.microsoft.com/security/msrc/mapp/overview.mspx" mce_href="http://www.microsoft.com/security/msrc/mapp/overview.mspx"&gt;MAPP&lt;/a&gt;).&lt;/p&gt;

&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148863/original.aspx" /&gt; 
&lt;b&gt;Handle: &lt;/b&gt;&lt;br /&gt;Cap'n Steve&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Steve Adegbite&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager Lead&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Reverse Engineering an obscene amount of code and ripping it up on a snowboard&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Not much but if you hear me growl…run&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;

&lt;div class="wlWriterEditableSmartContent" id="scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:7e715ec7-60a2-42ad-b737-ceb0bb878c9c" style="margin: 0px; padding: 0px; display: inline; float: right;"&gt;&lt;a href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga-8x6.jpg" title="Night sky near Riga's Central Station" rel="thumbnail" mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga-8x6.jpg"&gt;&lt;img src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga_8.png" mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Riga_8.png" border="0" height="281" width="420"&gt;&lt;/a&gt;&lt;/div&gt;

&lt;p&gt;You are probably wondering what an EcoStrat guy has to do with security updates and other technical deliverables. Well, I want to take a moment to explain why this makes sense. Before taking on the role of working with the monthly security release team and the MAPP program team, I primarily worked with the partner outreach team, managing ecosystem changes through industry partnerships. The partner outreach team’s goals/focus, within the scope of the EcoStrat team, is to work with industry to establish partnerships and initiatives to protect consumers. One of the most visible results is the MAPP initiative. This is a program that works with the security industry ecosystem to create an effective conduit for inbound and outbound information flow.&lt;/p&gt;

&lt;p&gt;This was a large effort to affect ecosystem change externally, but what about internally? Microsoft is a large company that has an interesting culture and ecosystem of its own with developers, technology evangelists, security engineers, program managers, marketers, etc...&lt;/p&gt;

&lt;p&gt;It became very clear that external ecosystem changes weren’t going to be enough without an effort focused on internal ecosystem changes as well. We needed a number of ways to effectively drive internal change with information we were getting from the external ecosystem while still following one of our core tenets to focus primarily on efforts that protect customers. One way we can do that is by releasing monthly security updates. Within the Microsoft Security Response Center (MSRC), we have an exceptional security release team that manages this large and complex effort. The team’s main focus is to make sure quality security updates are delivered to customers in a consistent manner. We noticed that a way to accomplish this was to become what we call “change agents.” Change agents influence change on a large scale most of the time without the formal authority to do so. This made sense as the release team manages the monthly release via a process that doesn’t have them building/owning any binary packages for release. They effectively were driving ecosystem changes just internally. So it made sense to have someone bridge both the internal and external sides of ecosystem change efforts. &lt;/p&gt;

&lt;p&gt;So I’m grateful, and excited, to be in a position to work on both sides of the coin to effect change.&amp;nbsp; And, I get to work with folks currently managing MAPP and the security release every month to help make these changes possible. Their good work also makes it possible for me to leave Redmond and engage directly with the community in crucial industry events. Just recently, I had the chance to jump back into my partner outreach role within the EcoStrat team and had the chance to travel.&lt;/p&gt;

&lt;p&gt;I am starting to really understand the need to be multicultural in the job we do here on the EcoStrat team. Many times it’s the cultural differences that make or break the security messages we are trying to get across. This is one reason why this team travels a lot to target every place that Microsoft technologies are prevalent. It’s also the number one reason why I pick myself up and out of the day-to-day operations to understand these differences. &lt;/p&gt;

&lt;p&gt;Last month, I got to put back on my &lt;a href="http://www.first.org/" mce_href="http://www.first.org/"&gt;FIRST&lt;/a&gt; Steering committee hat, and I traveled to the beautiful but cold city of Riga, Latvia. The FIRST Steering Committee has four meetings a year to get work done for its members. We usually use the technical colloquiums (TC) as good times to get together and partake in the great “watering hole” activities described in Andrew Cushman’s last &lt;a href="http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx" mce_href="http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx"&gt;blog&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The TC is organized by a local host. The local host for this one was Trans-European Research and Education Network Association (&lt;a href="http://www.terena.org/" mce_href="http://www.terena.org/"&gt;TERENA&lt;/a&gt;) computer security incident response team (TF-CSIRT). TERENA is an organization that focuses on offering a forum to collaborate, innovate and share knowledge in order to foster the development of internet technology, infrastructure and services for the research and education communities. The presentations and training at the TC serve to educate security teams, highlighting new techniques to deal with relevant computer security issues. Usually I get to just sit back and enjoy the presentations but this time was a little different. The majority of the presentations were centered on the latest Conficker worm. Not familiar to you? Well, cruise on down to the following Microsoft &lt;a href="http://technet.microsoft.com/en-us/security/dd452420.aspx" mce_href="http://technet.microsoft.com/en-us/security/dd452420.aspx"&gt;Conficker page&lt;/a&gt; and relevant posts on the &lt;a href="http://blogs.technet.com/msrc/archive/2009/02/06/new-information-pages-on-conficker.aspx" mce_href="http://blogs.technet.com/msrc/archive/2009/02/06/new-information-pages-on-conficker.aspx"&gt;MSRC&lt;/a&gt; and &lt;a href="http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx" mce_href="http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx"&gt;MMPC&lt;/a&gt; blogs. &lt;/p&gt;

&lt;p&gt;Being the lone Microsoft guy and a member of the Steering Committee was very interesting to say the least. After this conference, I personally know almost every European CERT or CSIRT contact after fielding some good and frank questions about Conficker. &lt;/p&gt;

&lt;p&gt;Like I said, I spent most of the day fielding questions about Conficker and Microsoft’s actions to help security teams in their effort to protect consumers from this threat. Microsoft has a robust process when it comes to our response to issues so I was well prepared with information that went above and beyond the out-of-band security update that was released for this issue back in October (&lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx" mce_href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx"&gt;MS08-067&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;Although the frank questioning felt like on-the-spot cavity cleaning, I was extremely happy to have the chance to clear up some of the myths and give some actionable information to these important security stakeholders. It also allowed me to understand information that the MSRC usually doesn’t get a chance to receive first hand. Also, having a response guy from Microsoft at FIRST allowed the security teams to understand that we are taking the problem seriously. One internal ecosystem change that was supported came about from feedback from this trip. One clear feedback item was to make sure that we had a single authoritative source/place for Microsoft efforts on Conficker. This information added more key data points to indicate that the teams in Microsoft managing the Conficker efforts were doing the right thing in moving forward with creating a single place for outlining Conficker resources. This is just one example of using external information to aid in driving change to help the greater ecosystem at large.&lt;/p&gt;
&lt;div class="wlWriterEditableSmartContent" id="scid:8747F07C-CDE8-481f-B0DF-C6CFD074BF67:460e5e62-e22e-4680-a6ba-4c42b4fcfef7" style="margin: 0px; padding: 0px; display: inline; float: left;"&gt;&lt;a href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve-8x6.jpg" title="Dinner fun wiht FIRST SC members Yurie Ito (lower right) and Pete Allor (middle)" rel="thumbnail" mce_href="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve-8x6.jpg"&gt;&lt;img src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve_6.png" mce_src="http://blogs.technet.com/blogfiles/ecostrat/WindowsLiveWriter/testing_5118/Steve_6.png" border="0" height="325" width="335"&gt;&lt;/a&gt;&lt;/div&gt;
&lt;p&gt;My Trip wasn’t all fun &lt;span style="font-size: 11pt; font-family: Wingdings;"&gt;&lt;span style=""&gt;J&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: 11pt; font-family: 'Calibri','sans-serif';"&gt; &lt;/span&gt;&lt;u&gt;&lt;/u&gt;&lt;/p&gt;

&lt;p&gt;There were the 3 ½ days' worth of Steering Committee (SC) meetings to decide various organizational things. One major topic was the 2009 Annual FIRST &lt;a href="http://conference.first.org/" mce_href="http://conference.first.org/"&gt;conference&lt;/a&gt; (AGM) in Kyoto, Japan. The AGM gives us the opportunity to meet and share presentations on a number of security topics. The logistics of putting on a large conference are mind boggling in my opinion. I am glad to say, I will enjoy watching our own Andrew Cushman figure out some of these issues firsthand as he was named the 2010 Program chair for the 2010 Annual FIRST conference.&lt;/p&gt;

&lt;p&gt;I love the fact that Microsoft makes a point to work with the security community at large and truly values community-based defense. Our consistency and trusted relationships make it much easier to have the conversations at the proverbial “watering holes” to get messages across to the security ecosystem that we do care and take the job of securing customers at all levels as our main priority.&lt;/p&gt;

&lt;p&gt;Now that I am settling back into a groove, I look forward to heading out and doing more in my EcoStrat role. Stay tuned for more from me as I travel to &lt;a href="http://cansecwest.com/" mce_href="http://cansecwest.com/"&gt;CanSecWest&lt;/a&gt; and &lt;a href="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html" mce_href="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html"&gt;Black Hat Europe&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Later...&lt;/p&gt;

&lt;p&gt;Steve “Capt Steve” Adegbite&lt;/p&gt;

&lt;p&gt;*Posting is provided "AS IS" with no warranties, and confers no rights.*&lt;/p&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3200928" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-based+Defense/default.aspx">Community-based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program+_2800_MAPP_2900_/default.aspx">Microsoft Active Protections Program (MAPP)</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Conference+Engagement/default.aspx">Security Conference Engagement</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MS08-067/default.aspx">MS08-067</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Advisory/default.aspx">Security Advisory</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MSRC/default.aspx">MSRC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/MMPC/default.aspx">MMPC</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Conficker/default.aspx">Conficker</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/CanSecWest/default.aspx">CanSecWest</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/FIRST/default.aspx">FIRST</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Watering+Hole/default.aspx">Watering Hole</category></item></channel></rss>