Advancing Security Progress and Commitment
Stuart Okin, Chief Security Advisor – Microsoft UK
Delivering on security (an update on progress)

Leaving Messages
- We are at an inflection point in the internet – the companies that will succeed will be those that can show trust as a business advantage
- Security can only be achieved through partnership & teamwork
- Do you have security policies, architecture and processes?

The Forensics of a Virus
Blaster shows the complex interplay between security researchers, software companies, and hackers

Phases: Vulnerability reported to us / Patch in progress; Bulletin & patch available, no exploit; Exploit code in public; Worm in the world

- July 1, Report: Vulnerability in RPC/DCOM reported. MS activated highest level emergency response process.
- July 16, Bulletin: MS delivered to customers (7/16/03). Continued outreach to analysts, press, community, partners, government agencies.
- July 25, Exploit: X-focus (Chinese group) published exploit tool. MS heightened efforts to get information to customers.
- Aug 11, Worm: Blaster worm discovered; variants and other viruses hit simultaneously (i.e. “SoBig”).

Patch QB33330 Download: Over 5.5 Million (~ 5%)

What do I get asked?
- Why are there so many vulnerabilities?
- Why do people write worms / viruses, i.e. what are people’s motivations?
- Why is this happening now?
- How do I protect myself?
- What do you worry about?
- What is Microsoft doing to help?

- Individual control of personal data
- Products, online services adhere to fair information principles
- Protects individual’s right to be left alone
- Resilient to attack
- Protects confidentiality, integrity, availability of data and systems
- Engineering Excellence
- Dependable, performs at expected levels
- Available when needed
- Open, transparent interaction with customers
- Address issues with products and services
- Help customers find appropriate solutions

Security Enabled Business
- Reduce Security Risk: Assess the environment; Improve isolation and resiliency; Develop and implement controls
- Increase Business Value: Connect with customers; Integrate with partners; Empower employees
[Chart labels: Risk Level; Impact to Business; Probability of Attack; ROI; Connected; Productive]

You’ve Told Us
- “Give us better access control”: Expanded Authentication, Authorization, Access Control
- “Simplify critical maintenance”: Advanced Updating
- “Reduce impact of malware”: Isolation and Resiliency
- “Provide better guidance”: Security Guidance, Tools, Responsiveness
- “Develop reliable and secure software”: Engineering Excellence

Isolation and Resiliency: Reducing the Modes of Attack
Communicate and collaborate in a more secure manner without sacrificing information worker productivity

Isolation and Resiliency: Client Inspection
- Health Checkup: Check update level, antivirus, and other plug-in and scriptable criteria
- Advanced Isolation: Clients who do not pass can be blocked and isolated; isolated clients can be given access to updates to get healthy

Updating: Roadmap
[Diagram: Today vs. Future. Labels: Windows, SQL, Exchange, Office…; Office Update; Download Center; SUS; SMS; “Microsoft Update” (Windows Update); VS Update; Windows Update; Windows only; Windows Update Services; AutoUpdate]

Authentication, Authorization and Access Control
- Simplify adoption of robust security management
- Integrated secure single sign-on experience
- New factors of authentication
- Seamless data protection across layers
- Enable business solutions with integrated platform security technologies

Authentication, Authorization and Access Control: Enabling Security Critical Scenarios
- Windows IPSec integration
- SSL, RPC over HTTP
- ISA Server 2004
- Deep Windows integration
- WPA, 802.1x, PEAP
- Single sign-on, smartcards, biometrics
- Provision for multiple credential types
- Rights Management Services
- Comprehensive Authorization Infrastructure (AD, EFS, ACLs…)

Quality & Engineering Excellence
- Improved Development Process
- Threat modeling
- Code inspection
- Penetration testing
- Unused features off by default
- Reduce attack surface area
- Least Privilege
- Prescriptive Guidance
- Security Tools
- Training and Education
- Community Engagement
- Transparency
- Clear policy

Continued Progress
[Chart: Critical or important vulnerabilities in the first …270 days / …365 days; TwC release? Yes / No]
- Service Pack 3, shipped Jan. 2003, 17 months ago: 3 bulletins since TwC release; 13 bulletins in prior period
- Service Pack 3, shipped July 2002, 23 months ago: 1 bulletin since TwC release; 7 bulletins in prior period

Guidance, Tools & Response
- Accelerate compliance to security best practices
- Seminars and publications
- Alliances and information exchanges
- Cooperation with law enforcement
- Help customers through prescriptive guidance, training, partnership and policy

Security Timeline
[Timeline columns: Today; H2 04; Future; 2005]
- Microsoft Baseline Security Analyzer (MBSA) v1.2
- Virus Cleaner Tools
- Systems Management Server (SMS) 2003
- Software Update Services (SUS) SP1
- Internet Security and Acceleration (ISA) Server 2004 Standard Edition
- Windows XP Service Pack 2
- ISA Server 2004 Enterprise Edition
- Patching Technology Improvements (MSI 3.0)
- Systems Management Server 2003 SP1
- Microsoft Operations Manager 2005
- Windows Server 2003 Service Pack 1
- Audit Collection Services (ACS)
- Security Configuration Wizard (SCW)
- Windows Update Services
- Windows Rights Management Services SP1
- System Center 2005
- Windows Server 2003 “R2”
- Network Access Protection (“Quarantine v2”)
- Vulnerability Assessment and Remediation
- Active Protection Technologies
- Visual Studio “Whidbey”
- Longhorn

Suggested call to action
- Learn: Take training, read guidance, help educate users
- Connect: Participate in community. Subscribe to security newsletters
- Manage Risk: Implement a security plan and risk management process
- Plan: Prepare to upgrade laptops and remote systems to Windows XP SP2
- Standardize: Deploy Windows Server 2003 on edge servers
- Integrate: Adopt a defense-in-depth security approach

Resources
- General
- Consumers
- Security Guidance Center
- Tools
- How Microsoft IT Secures Microsoft
- E-Learning Clinics
- Events and Webcasts

Leaving Messages
- We are at an inflection point in the internet – the companies that will succeed will be those that can show trust as a business advantage
- Security can only be achieved through partnership & teamwork
- Do you have security policies, architecture and processes?

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.