It seems like just yesterday when I was at Black Hat. Now as I get ready to fly to Las Vegas again, I look forward to seeing a lot of security researchers, hearing their latest exploits and how they fared over the last 352 days. At the same time, it is a great opportunity to look back at the past year in security and ask myself, “was it a good year or a bad year?”
What comes immediately to mind when I think of the past year? The rise of rogue security software, Conficker, two out-of-band security updates (thanks to the MSRC for the great work!) and of course the fact that cyber security has garnered national attention fueling the search for a cyber czar. Security researchers and analysts have said that security investments like the security development lifecycle (SDL) are making products harder to crack. More people are interested in secure development, as seen by the uptick in downloads of Microsoft !exploitable and Threat Modeling tools. More companies – Adobe comes to mind – are clearly demonstrating their commitment to protecting customers through security fundamentals. And really, the collaborative spirit was obvious across the industry over the past year.
Collaboration is Key
Last year I said that it was time for community-based defense and I am genuinely encouraged by the community collaboration that I’ve seen:
- ICASI – Microsoft joined with leading IT vendors to create the Industry Consortium for Advancement of Security on the Internet (ICASI), a trusted forum for addressing global, multi-vendor security challenges.
- DNS Vulnerability Collaboration – the historic collaboration of companies impacted by the DNS cache poisoning issue discovered last July by security researcher Dan Kaminsky.
- Conficker Working Group – a collaborative effort with technology industry leaders and academia to implement a coordinated, global approach to combating the Conficker worm. The Conficker Working Group exemplifies how the security ecosystem can come together to combat issues that threaten all Internet users and the importance of broad collaboration spanning public and private sectors.
Similarly, the programs launched last year by the Microsoft Security Response Center have been successful in helping to create a community of defenders who through shared information and guidance are better able to protect customers, while also moving towards the goal of creating a safer and more trusted Internet.
With application vulnerabilities on the rise, Microsoft launched the Microsoft Vulnerability Research (MSVR) program. Over the last year, the program has helped improve the security of third party applications running on Microsoft software by responsibly reporting cases to external vendors and ISVs.
The Microsoft Active Protections Program (MAPP) — a program for advanced sharing of vulnerability information — has grown to 47 global partners sharing threat information to better coordinate the quickest delivery of information, signatures, protections and mitigations to customers. Sourcefire, for example, reports that prior to MAPP, it generally took around eight hours to reverse engineer, develop proof-of-concept (PoC) code, and then to build the exploit detection for a vulnerability. Now, the process takes about two hours—a 75 percent decrease—and Sourcefire developers only need to write the detection code, since everything else is provided.
Strengthening the Customer Strengthens the Community
In a world of limited resources, customers are under immense pressure to make the right security decisions. Microsoft’s Exploitability Index has proven to be an effective, reliable resource to help customers evaluate and make better risk decisions when prioritizing security updates than they were a year ago. Of the last 140 Exploitability Index ratings provided for vulnerabilities resolved by Microsoft, only one has had to be modified—that’s a 99% reliability rate, which we consider a success when evaluating complex threats. More importantly, the one that was modified was downgraded in severity – indicating that Microsoft erred conservatively in terms of risk.
Another thing we experienced this past year was the general economic downturn, with many companies tightening budgets even as security remained a top priority. This underscores the need for information and tools that help IT professionals achieve security goals as efficiently as possible.
To help customers better manage risk related to security updates, Microsoft is releasing content from two projects this week at Black Hat. The first is the Microsoft Security Update Guide, a manual that outlines and explains Microsoft’s resources, processes, communications and best practices surrounding its security update process. In the guide, customers will find comprehensive information that helps them manage security update deployment. Customers will be able to reference the guide’s proposed risk management framework and align this to their organization’s risk management process, resulting in more efficient deployment and minimized disruption to their IT environment.
Project Quant is an open community effort sponsored by Microsoft and coordinated with Securosis analyst Rich Mogull, including survey results and the first draft of a patch management cost model. IT departments can leverage the model to refine their update process and establish key metrics to improve each area of the patch management process. It is encouraging to see how the communities of vendors and security professionals have worked to drive the creation of this model. The project survey also yielded some data with actionable implications. Though a majority of companies rate their processes as mature, over half of them say they have no formal patch management process in place for application software. From the most recent version of the Microsoft Security Intelligence Report, we know that application software is a growing target for malicious attackers. Taken together, these findings indicate that IT departments should prioritize a review of their patch management capabilities for their common applications.
Continuing to Progress
So, good or bad? Overall, I think it was a year of great progress for security collaboration — in fact, a shift in acknowledgment and action like we’ve never seen before — but continued malicious security incidents remind us that now is not the time to pull back and congratulate ourselves. We need to stay ahead of whatever awaits us in the coming year. Let me close by sharing my wish list for us all to pursue:
- Focus on fundamentals. If we can build the next generation of software on the foundation of security and privacy fundamentals, we will continue to raise the bar against malicious attackers.
- Stop the fear mongering. As security professionals, let’s stick to the facts and, most importantly, provide specific and helpful information that enables users to protect themselves.
- Expand collaboration. Start communications now, so we will be better prepared later. As blended threats arise that affect multiple software vendors, we will be positioned better to respond if strong working relationships are already in place and siloes are removed.
- Think beyond technology. The Internet continues to grow under the sponsorship and influence of social, political and economic forces. As a community, we must lead the efforts to engage with all of those forces to ensure that security and privacy interests are protected on behalf of everyone.
Thanks to all of you who collaborated closely with my team this year. For everyone else, I look forward to working with you soon.
* George Stathakopoulos is General Manager, Microsoft Product Security and Security Engineering and Communications Group, Trustworthy Computing Group.