• Why Microsoft Security Essentials is good for business

    Enterprises invest a lot of time and money in protecting their organizations from malware and other threats. No doubt you've installed Microsoft Forefront Client Security or another anti-malware product on all of your managed PCs. You probably also have deployed edge protection such as Microsoft Forefront Threat Management Gateway and blocked malware-bearing email from entering your organization with a product such as Microsoft Forefront Protection for Exchange Server. You even use network access control such as Microsoft NAP to ensure that computers connecting to your corporate network through a VPN are up to date on patches and are running current anti-malware software. Despite all this, do you lie awake at night worrying about Distributed Denial of Service (DDoS) attacks against your company's website, as happened to major eCommerce sites this past holiday season? Or perhaps, despite your best efforts, the risk from your customers' accounts being penetrated and misused remains unacceptably high? Whether it is their unwitting participation in botnets used to launch DDoS attacks, or surreptitiously installed keyloggers and rootkits being used to capture passwords and other customer information, unprotected consumer PCs are a major threat to your enterprise. And that is where Microsoft Security Essentials (MSE) can help.

    In my role as "tech support" for many relatives and friends, one of my greatest frustrations has been discovering how many of them aren't running, or don't have current signatures for, anti-malware software. Some never complete the installation of the trial anti-malware software that was loaded on the new PC they purchased. Many fail to subscribe to updates once the trial period runs out. A few have even uninstalled anti-malware products after finding the one that came with their PC too intrusive. At one point I gifted subscriptions to Windows Live OneCare to a few people only to find the same pattern: once the subscription I paid for ran out, they failed to renew it. Finally I discovered that my brother-in-law had installed a free anti-malware product on my in-laws' PC, solving the problem that they might not renew a paid product's expiring subscription. I followed suit, ensuring that everyone I knew had this basic protection in place. Now imagine a world in which all consumer PCs were similarly protected. Imagine that it was much more difficult for your customers' passwords and account information to be stolen or their PCs co-opted to attack your website. Wouldn't that help you sleep at night?

    There are many high-quality consumer anti-malware products out there (both free and paid) and as IT professionals we should be encouraging all users to adopt one of them. Being in a group that produces anti-malware products, I've received some flak for saying that I care more about making sure consumers install quality anti-malware software and keep it up to date than I do about which specific product they choose. But of course I favor Microsoft Security Essentials. Over the years Microsoft has invested heavily to create a world-class anti-malware engine and Research and Response (R&R) team. We use the same anti-malware engine in both MSE and our Forefront products, and MSE users benefit from the same R&R efforts as do our Forefront customers. With its low false positive rate, use of Microsoft Update for signature and engine update distribution, and general focus on being unobtrusive, MSE stays out of the user's way. A small download and fast installation ease the deployment burden. With MSE, we've pretty much eliminated the inhibitors to consumers having up-to-date anti-malware software installed. Now imagine that all your customers' currently unprotected PCs, indeed all the currently unprotected consumer PCs in the world, instead had MSE installed. Imagine it, and you know why Microsoft Security Essentials is good for business.

     

  • A more secure, trustworthy cloud

    As we all know, right now cloud computing holds center stage in the IT industry.  Vendors, service providers, press, analysts and customers are all evaluating and discussing the opportunities presented by the cloud. 

    A very important part of the discussion is security.  While the benefits of cloud computing become clearer, it seems almost every day there is a new press article or analyst report indicating that cloud security and privacy are a top concern for customers.   Just one example:  A Microsoft survey revealed that while 86% of senior business leaders are excited about cloud computing, more than 75% are concerned about the security, access and privacy of data.

    Customers are right to ask how cloud vendors can work to ensure the security of cloud applications, the protection of data and the privacy of individuals. Our CEO Steve Ballmer told an audience at the University of Washington in early March that “This is a dimension of the cloud, and it’s a dimension of the cloud that needs all of our best work.”

    At Microsoft we want to address these concerns and even help customers understand the right questions to ask.  As part of our longstanding Trustworthy Computing efforts, we strive to be more transparent than anyone about how we help enable more secure cloud computing.

    In his recent keynote at our TechEd North America conference, Server and Tools Business president Bob Muglia discussed this issue, too, saying, “The data that you have in your organization is yours. We’re not confused about that, and it’s incumbent on us to help you protect that information for you. Microsoft’s strategy is to deliver software, services and tools that enable customers to realize the benefits of a cloud-based model with the reliability and security of on-premises software.”

    A great place to start learning about Microsoft’s cloud security efforts is on the Microsoft Global Foundation Services (GFS) site. The white papers “Securing Microsoft’s Cloud Infrastructure” and “Microsoft’s Compliance Framework for Online Services” are especially informative.

    GFS drives an exhaustive, centralized Information Security Program for all Microsoft cloud datacenters and the 200+ consumer and commercial services they deliver (which are all built using the Microsoft Security Development Lifecycle). This program covers everything from physical security to compliance, including: risk management process, response, and work with law enforcement; defense-in-depth security controls across physical, network, identity & access, host, application and data; a comprehensive compliance framework to address standards and regulations such as PCI, SOX, HIPAA, and the Media Ratings Council; and third party auditing, validation and certification (ISO 27001, SAS 70).

    If you watch the short video clip above, you’ll note Bob also calls out our focus on identity, saying “As you move to cloud services you will have a number of vendors, and you will need a common identity system.”  Identity is a cornerstone of security, in general, and especially cloud security.  Microsoft already provides technologies with Windows Server and our cloud offerings that customers can use to extend their existing investment in identity infrastructure (such as Active Directory) for simpler, more secure access to cloud services.  There is a good TechNet article about this here, part of a whole package of cloud security guidance here.

    Of course, Microsoft is not working on cloud security alone. As our chief privacy strategist Peter Cullen said in his keynote at the Computers, Freedom and Privacy (CFP) conference: “These truly are issues that no one company, industry or sector can tackle in isolation. So it is important to start these dialogs in earnest and include a diverse range of stakeholders from every corner of the globe.” Microsoft is working with customers, governments, law enforcement, partners and industry organizations, such as the Cloud Security Alliance, to collaborate on the best strategies and technologies to ensure more trustworthy cloud computing.

    We encourage you to explore some of the information provided via links above, and to let us know your comments! 

    Joel

  • Forrester Consulting Survey Reveals Enterprises are Under-Investing in the Protection of Trade Secrets

    Microsoft and RSA, the Security Division of EMC, recently commissioned a Forrester Consulting survey of enterprise security managers about information protection.  The results are available in a white paper called "The Value of Corporate Secrets," available here on Microsoft.com - see Technical Resources.  We issued a joint press release about it, too, available here.  (Microsoft and RSA have a strategic partnership around information protection solutions, announced more than a year ago.)

    The most interesting finding of the survey of 305 security decision makers around the world is that while enterprises are investing heavily in compliance and protection against accidental leaks of custodial data (such as customer information), they are under-investing in protection against theft of trade secrets (intellectual property), which is much more valuable.

    “Nearly 90% of enterprises we surveyed agreed that compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies is the primary driver of their data security programs. Significant percentages of enterprise budgets (39%) are devoted to compliance-related data security programs,” according to Forrester Consulting’s study. “But secrets comprise 62% of the overall information portfolio’s total value while compliance-related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance.”

    Below is a short video of RSA’s Sam Curry discussing the survey results.

    The survey also revealed that while organizations focus on data security incidents related to accidental loss, information theft by employees or trusted outsiders is more costly. For example, based on responses received in the survey, employee theft of sensitive information is ten times costlier than accidental loss on a per-incident basis: hundreds of thousands of dollars versus tens of thousands.

    Despite a wide range in security spending, views on the value of information and number of incidents, nearly every company rated its security controls to be equally effective.

    “Most enterprises do not actually know whether their data security programs work or not, other than by raw incident counting,” according to Forrester Consulting. “‘Compliance’ in all its forms has helped CISOs buy more gear. But it has distracted IT security from its traditional focus: keeping company secrets secure.”

    Read the white paper for recommendations from Forrester, Microsoft and RSA to better ensure your information security strategies are appropriately balanced, including:

    • Identify the most valuable data assets in your company's portfolio.

    • Create a "risk register" of data security risks that documents specific threat scenarios.

    • Assess and re-prioritize your IT security program's balance between compliance and trade secrets.

    • Increase vigilance of external and third party business relationships.

    • Measure data security program effectiveness.

  • Security architecture

    A while back I spoke with George Podolak, the IT director at Pei Cobb Freed & Partners. They are one of the world’s best-known architectural firms, perhaps most recognized for the glass pyramid at the Louvre in Paris. But, like all companies, they also have to be a security company, especially when it comes to protecting information about their clients’ projects. For that, Pei Cobb Freed looks to Forefront.

    “Many of our largest or most public clients are very concerned about the security of their work,” said Podolak. “They don’t want to see their name or plans in print or out on the Internet before they’re ready.”

    The company previously ran Symantec products for server and desktop security, but found them difficult to manage. They also couldn’t ensure that all of the firm’s PCs were up to date with security patches. In addition, the Symantec products didn’t address security related to outgoing traffic – employees caught in phishing scams, inadvertently going to malicious Web sites, or downloading malicious software.

    “We were worried about someone downloading a keystroke logger or other malicious software. We needed to fully protect our intellectual property from that sort of thing,” said Podolak.

    Podolak now relies on Forefront Protection Suite.

    “Having one set of security products—the Forefront suite—across our entire infrastructure makes security easier to implement, easier to update—and that by itself makes us more secure.  Our architects realize that the Forefront Security Suite is an essential element empowering their success,” he said.

    They use Forefront Client Security for PC and server security and Forefront Security for Exchange and SharePoint to protect email and collaboration.  Additionally, Forefront Threat Management Gateway provides URL filtering and Web-access policies to safeguard employees from malicious Web sites, malware, phishing traps, and similar threats that can steal information and corrupt personal computers.

    “We’re doing a better job of managing risk. With the Forefront Security Suite, we’ve solidified protection across the organization, and we’ve eliminated doubts about it,” says Podolak.

  • Microsoft Security Intelligence Report v.8 insights and guidance available now

    Today on the Microsoft Blog, Vinny Gullotto, general manager of MS Malware Protection Center, announced the release of the Microsoft Security Intelligence Report (SIR) version 8. The SIR is a wide-ranging study of the evolving threat landscape, and addresses such topics as software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software. Microsoft creates the SIR to provide information that helps customers and partners better understand the problem of malicious software, so they can take appropriate action.

    Volume 8 of the Security Intelligence Report (SIR v8) covers July 2009 through December 2009. It includes data derived from more than 500 million computers worldwide, each running Windows. It draws from a variety of sources, such as Forefront and some of the business Internet services, like Windows Live Hotmail and Bing. 

    The full report and a great interactive summary are available here and here’s a video of Vinny and Frank Simorjay discussing the report.

    A key finding of the latest SIR is that cybercrime continues to mature as criminals model their operations on conventional business processes. Enterprise networks continue to be susceptible to worms while home users are more exposed to malware and socially engineered threats.

    And criminals continue to package online threats into “kits” to maximize potential impact. The Eleonore browser exploit kit, for example, employs different exploits for browsers from several different vendors as well as popular application software frequently found on systems.

    SIRv8 further confirms that attackers are now largely motivated by financial gain and rarely act alone. For example, malware creators seldom conduct attacks themselves but instead work with other criminals in online black markets to buy and sell malware kits and botnet access. Bot herders are also at the core of the professional online threats, knitting together compromised machines into a dark version of a Cloud Computing network.

    From Vinny’s blog post:

    The telemetry data in SIR has shown consistently that the lowest infection rates are seen on computers running Windows Vista SP2 and Windows 7. Infection rates for both operating systems are less than half the infection rate for computers running Windows XP. Also, analyzing the attacks in affected Office program installations, we found that most attacks affected Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003.

    So what can enterprises and individuals do to defend against the latest malware? Keeping current is essential. Use products developed with security in mind, install good anti-malware solutions, and make certain you are applying the latest software updates.

    Finally, in this latest volume we introduced a section based on customer request called “Mitigation Strategies for Protecting Networks, Systems, and People.” This guidance section was developed by Bret Arsenault, Microsoft Chief Information Security Officer and it provides insight on how Microsoft implements our own defense in depth approach to security. We hope you find it valuable and applicable to your systems.