Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewarehoureCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I will leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along . . . → Read More: 10 Years of Trustworthy Computing at Microsoft]]>

Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewarehoureCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I will leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along two lines:

• Oh, you are joining a desktop company? Why?
• A security guy? Joining Microsoft? hmm…

So, these reactions came from the time immediately before we launched Windows XP (you are not on XP today, are you? If you are, read this article). Microsoft was not perceived as an enterprise player and was not seen as secure – they were wrong back then in the first case but right in the second one I guess. I joined being part of the consulting organization but soon met the country manager and I was having a chat with him about the perception on Microsoft’s security in the market. We (say: he ) then decided that we need to work on that and that I shall draw a job description – the job then was called Chief Security Officer and Chief Security Advisor later on. And then Nimda hit! And then Blaster hit! And then Slammer hit! I had the “privilege” back then to run the incident response team in Switzerland and had the privilege to have customers screaming at me, tell me that we fucked up (that was a quote).

Interestingly in the meantime the famous Bill Gates’ Memo hit the streets, saying:

There are many changes Microsoft needs to make as a company to ensure and keep our customers’ trust at every level – from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers’ view of us as a company.

and even more important:

In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.

This memo led to the creation of Trustworthy Computing with Scot Charney running the organization since it’s beginning and Scott then created the Chief Security Advisor community, the community I was in since the beginning and have the honor to run today globally.

Coming back to the beginning: I remember the first keynote I did for Microsoft was on Trustworthy Computing immediately after this announcement. People approached me in the breaks and asked me whether I really believe what I just said: that Microsoft is going to change. And I confirmed that. I have never seen (not before nor after) a company stopping development for almost four months to address issues and then change the way the company operates – that radically. I would never ever put my name and my credibility at risk if I would not have believed back then and I am still convinced that we did and still do an outstanding job and that we are leading the industry today. Interestingly I do not get these questions anymore…

So, what happened over these 10 years of Trustworthy Computing? What were significant achievements? Well, there are numerous and I have to apologize to the teams I am not mentioning here upfront…

• Immediately after SQL Slammer in 2003 we span up a process called Software Security Incident Response Process (SSIRP), a process which is still in place today and we constantly adapt it to new threats and especially new challenges. This was a huge effort as we needed to be able to ramp up an incident organization all across the globe 24*7 – and we still are today.
• Probably the biggest and most fundamental change was the way we develop software. We introduced the Security Development Lifecycle (SDL) and constantly keep it updated. Not only did we change the development process internally, we make this information available to the industry for free. Others shall be able to learn from our learning from the past. What concerns me is the slow adoption of such methodologies from a vendor side as well as from a customer side. Who really asks for a process? Typically customers ask for product certification but not for a sound process – something we as an industry need to continue on changing.
• Different teams were spun up to address security re-actively like the Microsoft Security Response Center and the Malware Protection Center.
• Since 2006 we publish our Security Intelligence Report – the most comprehensive report in the market.
• Our Digital Crimes Unit is fighting cybercrime from a legal as well as from a technology perspective. We are working closely with the Council of Europe and other organizations improving the legal situation. We are taking down botnets like Waledac, Rustock and Kelhios in close collaboration with the authorities.  We are providing technology to fight sexual exploitation of children like PhotoDNA.

A lot of things happened over the course of the years and there is still a lot to do. These are just some highlights (besides the creation of the Chief Security Advisor community).

If you want to see a condensed version of the “life” of Trustworthy Computing”, here you go:

And the official story on the news center: At 10-Year Milestone, Microsoft’s Trustworthy Computing Initiative More Important than Ever

Sometimes I am asked how many people work at Microsoft on security. And the answer is "everybody” (well, almost ). It is not something we separate and put into a team labeled security. It is part of all our lives to one extent or another and this is the way it should be.

If I would have a wish for 2012, it would be that the industry would stand together much closer to address the issues of today and the future. I do not see that security is something the industry should compete on – rather collaborate to fight the criminals – together with the governments and the governments together with us. I was already fairly vocal about this in the Octopus Conference and will continue to ask for it. To help with this dialogue, we published a model called Cybersecurity Agenda for Governments and will soon publish a book on it as well.

In parallel, the teams internally will continue their great work to bring Trustworthy Computing to the next level. All of this is needed, when we think that there will be a third billion devices added to the Internet in the next five years!

Roger

One of the interesting data points we always publish is the Malware Infection Rate. Remember, there is a huge amount of data we . . . → Read More: Microsoft Security Intelligence Report – What it means for EMEA]]> “Unfortunately” I have been on vacation when we released the Security Intelligence Report last week. Nevertheless I would like to take the opportunity and look at it more from a EMEA perspective.

One of the interesting data points we always publish is the Malware Infection Rate. Remember, there is a huge amount of data we can collect from different like the Malicious Software Removal Tool, Microsoft Security Essentials, Defender, etc. given you agreed to share your data with us.

If we look at the heat map in EMEA, this is the picture you will see:

So, there are different countries which are red (highly infected) and green (not very infected). Now, obviously we do not have the same amount of data for all the countries. If we take the countries with more than 100’000 average executions per month of the Malicious Software Removal Tool, we see this ranking for the best and the worst countries worldwide (the bold countries have an execution rate with more then a million average executions per month):

Let’s take the EMEA countries in this list and see how they developed over the last three reports. The best countries first:

It is actually good to see that with the exception of Senegal all the EMEA countries in the top list could reduce their infection rate. Often this is based on a good collaboration between the public and the private sector.

But what about the other end of the ranking? Let’s see:

Here the picture is not as clear. Some countries like Serbia and Montenegro, Turkey etc. have a very bad 1H09 but then came back to their “normal” level. Unfortunately we cannot see a clear trend here but there are some countries, which are slowly improving (e.g. Russia). There is definitely coordinated activity needed in these countries. Turkey for example is working on pulling people together to address the issue.

If we turn it around and look at it from an Operating System perspective, we definitely see that newer Operating Systems are better than older (which was to be expected):

From the malware we can turn to the vulnerabilities. Since quite a while we are talking about having the problem moving up the stack, which is reflected in the picture on the industry-wide vulnerabilities:

This means as well, that you definitely should cover all your applications when you think about patch management and you have to do this for all your vendors:
When it comes to patching, we see a fairly good coverage with Windows Update, Microsoft Update and WSUS. Especially if you are looking at the relative growth compared to the Windows installed base:

So, you see: There is a lot of great information in the Security Intelligence Report – go and look at it.

Even though I did not go into the details here but Rogue Security Software is still a huge a problem out there and there is a chapter again on this theme as well!

Finally, if I could have three take-away, this would be it:

• Get a coordinated approach to fight malware between the public and private sector
• Move to the latest version of software, wherever you can
• Cover all the products you have with your Patch Management processes

Roger

Now it is time to look back and try to understand what we learned so far. sudosecure traces the Waledac infections and give a good view of new infections by the . . . → Read More: Results of Operation b49 (Botnet Takedown)]]> On February 24th we announced the work we did on taking down Waledac – read Tim Cranton’s blog post called Cracking Down on Botnets.

Now it is time to look back and try to understand what we learned so far. sudosecure traces the Waledac infections and give a good view of new infections by the bot:

But I guess to better understand, what really happened and what the impact was, you should read the post by the Microsoft Malware Protection Center What we know (and learned) from the Waledac takedown

Really good reading

Roger