Microsoft Expands MAPP Program to Incident Response Teams

Microsoft is expanding its MAPP program that shares attack and protection information with other security vendors and will now be sharing some data with incident responders, as well. The new system will enable organizations such as CERTs and internal IR teams to exchange information on specific attacks and general threats.

The Microsoft Active Protection Program has been ongoing for several years and until now has involved the company sharing some information on upcoming patches with security companies ahead of patch releases each month. Microsoft will give antimalware, IDS and other security vendors advance data about the Patch Tuesday fixes so that they can have protection signatures ready when the patches are released.

Now, Microsoft is expanding and changing the MAPP program so that more people will have access to some of the data and the information will be available earlier. Until now, MAPP members have received patch data 24 hours before the release. Going forward, Microsoft will give that information to MAPP companies three business days before Patch Tuesday. The new MAPP for Responders program is an extension of the existing system and is designed to allow incident response teams to share information among themselves and to benefit from the threat intelligence that Microsoft has, as well.

“We have information that will benefit those IR organizations, the CERTs, enterprises and government agencies,” said Jerry Bryant, a senior security strategist for Trustworthy Computing at Microsoft. “We’re trying to facilitate the exchange of threat indicators and knowledge. We’re contributing our own threat data, malicious URLs and file hashes for Windows and Office products for whitelisting purposes.”

The new portion of MAPP also will require that participants contribute their own data and not just benefit from the work of others. Bryant said that the idea is to gather and disseminate as much data as possible in order to protect as many machines as they can.

“In MAPP for Responders we’re going to require that people report telemetry back to us, which is important for things like out-of-band patches,” he said. “The more information we have internally, the better. We can aggregate that data and send it back out so that they can see where they have gaps.”

In addition to the expansion of MAPP to IR teams, Microsoft is starting a pilot service that will allow members to send in potentially malicious files and URLs to have Microsoft check them for content-based attacks. MAPP members can submit any Office document, PDF or URL, and Microsoft will run it through a scanner that opens the document or page in a virtual machine and observes whether it tries to exploit a vulnerability.
