Since quite a while we run a program called MAPP – the Microsoft Active Protections Program, where we share vulnerability information with security vendors to help them to get signatures out to our joint customers the moment we release a security update.

Additionally, we know form our data (see the Security Intelligence Report) that PDF is the most exploited file format. Therefore I think it is a great signal that Adobe will join the MAPP program to tighten our joint collaboration.

It is another clear signal that we are up for action to address the security challenges in the ecosystem.

Roger

Related posts:

1. Security through Collaboration
2. International Collaboration on Policies for Cybersecurity and Data Protection
3. The Importance of International Collaboration–Even in Exercises

I know that there are numerous views on that and I do not want to debate them here and now. What I just want to do here, is to show Microsoft’s position:

Since a long time Microsoft is working with the researcher community in close collaboration and my understanding is that the researcher community is fairly impressed with what we do, once they get the opportunity to look behind the scenes. One of the outcomes of this outreach is Bluehat – a Microsoft internal event where the researcher talk to our developers. A very and interesting and insightful get together.

When it comes to handling vulnerabilities, I guess you know Microsoft Security Response Center – the group within Microsoft chartered with handling security vulnerabilities. The policies behind working with the researcher community is two-fold:

• We are not paying for security vulnerabilities, nor do we intend to do so. There was an article on ZDNet again a few days ago: Microsoft: No plans to pay for security vulnerabilities
• We just recently announced a slight change in strategy towards Coordinated Vulnerability Disclosure, an approach, where the collaboration between the finder and the vendor shall be deepened.

For me, the joint goal between researcher and vendors has to be to protect the ecosystem against the criminals. And with ecosystem I mean not only the big enterprises, having security teams which are able to work on detailed vulnerability information but small and medium businesses as well as the consumer like my mom and dad as well. Therefore we think that the point above help to meet the requirements.

What are your thoughts on that?

Roger

Related posts:

1. Vulnerability Disclosure to Compete?
2. Selling Vulnerabilities and Ethics
3. Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885)

Welcome back Magnus!

Watch out, there are more to come

Roger

Related posts:

1. A new Chief Security Advisor in the UK
2. Infosec: Security community must work together
3. “Stacked against hacks” in World Finance

Have a good start!

Roger

Related posts:

1. Chief Security Advisor in Sweden: Magnus is back
2. About
3. Off to See the World

Roger

Related posts:

1. The Growth of the Tablet Market
2. Who needs a (vulnerable) iPad if you can get an nPad?
3. Welcome to reality: Apple Acknowledges OS X Malware

Roger

Related posts:

1. Security Compliance Management – Solution Accelerator Available
2. Security Compliance Management Toolkit
3. Best Practices for Microsoft PKI & Certificate Management

All the themes, which are important to me are in their list :

1. Scalable trustworthy systems (including system architectures and requisite development methodology)
2. Enterprise-level metrics (including measures of overall system trustworthiness)
3. System evaluation life cycle (including approaches for sufficient assurance)
4. Combating insider threats
5. Combating malware and botnets
6. Global-scale identity management
7. Survivability of time-critical systems
8. Situational understanding and attack attribution
9. Provenance (relating to information, systems, and hardware)
10. Privacy-aware security
11. Usable security

It is great to see that this goes in the right direction! The key will be, when the research will deliver results.

Roger

Related posts:

1. Researcher at Microsoft Research wins ACM award for Privacy Protection
2. Is Security Research Ethical?
3. Analysis of the Estonian Attacks

Trying to just prevent users accessing social networks from work could potentially increase the risk to an organization as users look for ways around computer security possibly increasing the chance of exposure to security threats.

False sense of security…

Roger

Related posts:

1. Safe Social Networking
2. Banning Social Media – a good idea?
3. The “KHOBE – 8.0 earthquake” – What’s behind it

But what does that really mean? You can find this information on the Windows website: What does it mean if my version of Windows is no longer supported?

Roger

Related posts:

1. End of Support for Windows 2000 and Windows XP SP2
2. Pre-warning: Windows Server 2003 SP1 Out of Support in April
3. Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885)

Let me briefly line them out: When I talk to governments I often feel that there is a lack of internal coordination when Cybersecurity is addressed. No too many people in governments are trying to get a holistic view on their Cybersecurity agenda and the sequence things should be addressed. I am convinced that an effective program or agenda will drive the growth of an economy as there will be increased trust in the respective country. If I may give you an example of what I mean: I am often asked whether governments could get more intelligence from us. Therefore we recently launched a program called DISP (Defensive Intelligence Sharing Program) where we share vulnerability information with governments. This information is only useful to the government if they can do something with it like if they have a Critical Infrastructure Protection program in place where they have the technical people understanding the information, being able to aggregate it to the right level and distribute it to the critical infrastructure provider in due time.

The Cloud is the other big theme. You know that I am convinced that there is too much fuzz out there and not enough guidance. Therefore we published our Cloud Security Considerations paper to elevate the discussion and give a framework which works for high-level people. The framework has been very effective and I used it often with customers so far. However, to me there is a huge necessity to work closer with customers and governments on a very senior level on how to approach those challenges and what is needed to enable the customer to move to the cloud – from a technical, regulatory but from an emotional perspective as well.

All these points, made us re-think our strategy around the Chief Security Advisor (CSA) community, where I was responsible for EMEA (yes, was but I am coming back to that). Today we are covering in

• Americas Time Zone: Brazil, LATAM, US
• Asia Time Zone: APAC, Australia, Korea, Greater China Region, India, Japan
• EMEA Time Zone: EMEA, Russia, France, Germany, Austria, Finland, the Netherlands, Norway

This is simply not enough for the work to be done. Therefore, we decided to significantly invest in Chief Security Advisors around the Globe to get closer to the businesses of our customers and governments and to help to leverage security as an enabler, rather than a disabler. Therefore we will broaden the coverage and end up with the following countries (the underlined countries/regions are the ones we are in the process of hiring or will kick the hiring process off):

• Americas Time Zone: Americas Time Zone Lead, LATAM, Brazil
• Asia Time Zone: Asia Time Zone Lead, Australia, Korea, Greater China Region, India, Japan
• EMEA Time Zone: EMEA Time Zone Lead, Poland, Russia, France, Germany, UK, Austria, Denmark, Finland, Italy, the Netherlands, Norway, Spain, Sweden, Switzerland, South Africa, Turkey

These will be very senior security people being able to work on eye’s level with CxOs, government elites and policy maker – if you think that you suit this high-level description and are interested, get in touch with me and I could link you to the relevant people.

This is a huge investment in time and an investment I am convinced is needed to drive the market and support governments in their initiatives.

Finally, I have the great pleasure to move on – well, partly. I will move away from my EMEA position to take over the worldwide Chief Security Advisor role, being responsible for Microsoft’s global CSA community. This is a great challenge, which I am looking forward to. To remain close to the field and close to the customer’s need, I decided to stay in Switzerland and not to move to the headquarters (well, there are some family reasons as well ).

I will continue my blog but will broaden the scope from EMEA to the world.

Roger

Related posts:

1. About
2. Insider Threat of Cloud Computing
3. Cloud Computing: Benefits and Risks of Moving Federal IT into the Cloud