Archive for the ‘Microsoft Active Protections Program (MAPP)’ Category

The Next Leap Forward in Cyber Defense: Taking Action to Help Defeat Adversaries

April 2nd, 2014

It is often said that attackers have an advantage, because the defenders have to protect every part of their systems all the time, while the attacker only has to find one way in.

This argument oversimplifies the security landscape and the real strength that defenders can achieve if they work together. While it’s true that it is difficult to defend against an adversary that targets a single victim, this isn’t the way most malicious actors work. It is easier and cheaper for malicious actors to reuse techniques, infrastructure and tools. Most malicious actors build capabilities that work across many targets and modify and reuse them.

This is where the industry has the most opportunity to evolve. Industry collaboration and information sharing is part of the solution, but the real key is finding a way to coordinate action. When an attack targeting dozens, hundreds, or thousands of systems occurs, identifying a similar aspect of that attack can begin to unravel it everywhere. The fact that attackers use the same or similar methodologies in many places can actually put them at a disadvantage.

Think of how different animals in the wild respond to attacks. Some respond as individuals and scatter in all directions. This allows predators to focus their attack on an individual and give chase. Yet this same attack unravels against animals who respond by forming a circle and standing their ground as a group. As long as they stick together, the predators are at a disadvantage – unable to separate and run down an individual.

This kind of coordinated defense, and more crucially coordinated action, is the key to our industry taking the next big leap in the fight against cyber-attacks. It’s not enough to share threat indicators such as YARA signatures, IP addresses and malware hashes. What we really want to do is move defenders to take action that defends them and undermines an adversary’s attack. As an industry, we have to come together and decide on a set of standards or principles by which we’re going to not just share information, but use it.

So why hasn’t the industry moved towards actionable information sharing? In my opinion, we need to advance the current class of information sharing tools, processes, and technologies. Think of the Traffic Light Protocol. TLP tells us how sensitive the information is, and whether we can share it. What it doesn’t say is whether it’s ok to incorporate an IP address into a network defense system, or to ping the address, or to try and have the address taken down.

As an industry, we must work to design and adopt technologies and programs that facilitate a two-way conversation and enable actionable information sharing. This should be the start of partnerships, not where things end. Our tools can no longer just be streams of after-the-fact data that flow from one place to another in varied forms and formats. Appropriate action needs to be part of the dialog, and part of us working together.

Part of this transformation is happening today at Microsoft with our Microsoft Active Protections Program (MAPP). While MAPP initially started as an information-sharing effort amongst security vendors, it’s moving to a place where it provides a set of guidance for defenders to protect themselves. To truly evolve to the next level, it will mean shifting from sharing information one way to taking coordinated action. The Microsoft Malware Protection Center (MMPC) recently discussed this concept and called for a coordinated malware eradication approach in a blog post.

When we get to that point, it won’t just be security vendors who are working to keep everyone safe. It will be the networks, the service providers, the government entities, the retailers, the banks, all enterprises of the world pulling together and sharing actionable threat information necessary for defeating the adversaries — consistently and permanently.

This will take a greater degree of trust than just information sharing. But to take that next big leap in enhancing our defense against cyber-attacks, it’s where we must begin.

Chris Betz
Senior Director
Microsoft Security Response Center (MSRC)

August 2013 Security Bulletin Webcast, Q&A, and Slide Deck

August 19th, 2013

Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page.  We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server (MS13-061) and Windows Kernel (MS13-063).  There were 3 additional questions during the webcast that we were unable to answer on air, and we have also answered those on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, September 11, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, September 11, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register:
Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Announcing the 2013 MSRC Progress Report featuring MAPP expansions

July 29th, 2013

Over the years, our customers have come to expect a certain regularity and transparency in both our security updates and the guidance that goes with them. One regular piece of communication about our work is a yearly progress report, which provides a look into the program updates and bulletin statistics from the Microsoft Security Response Center (MSRC). Our report covering July 2012 through June 2013 is now available. It provides a look back over the past year and includes some new program updates that will help enhance customer protections in the years to come. Here are a few highlights:

Going Behind the Scenes

Over the last 12 months, we released 92 security bulletins, two of which, MS12-063 and MS13-008, were released out-of-band. In the report, MSRC’s own William Peteroy provides a rare behind-the-scenes look at the Software Security Incident Response Process (SSIRP) and the making of MS13-008. As William puts it, “Being pulled into a SSIRP feels about the same as a friend signing you up for a marathon and letting you know the night before.” It isn’t all doom and gloom though. Within the first couple of days of availability, the update was downloaded around 286 million times. William concluded, “Ultimately it was very rewarding to be able to put so much time and effort toward something good for so many people over the holiday.”

The latest MAPP enhancements

Collaborating on defense through the Microsoft Active Protections Program (MAPP) community currently helps protect more than 1 billion customers and significantly reduces the time it takes security vendors to create protections. This year, we’re enhancing our existing MAPP offerings in some exciting new ways that will result in more robust customer protections and better guidance for those helping to secure systems around the world.

MAPP for Security Vendors is our traditional MAPP program with some new enhancements. As part of our monthly security bulletin release process, we will engage certain members of the MAPP community to help validate our guidance prior to final release. Working with the community in this way helps to ensure our guidance works for the widest possible set of partners. In addition, we will share detections earlier to select MAPP partners who meet stringent criteria. We will work to provide these partners with information three business days before Update Tuesday to help them create better quality solutions for our common customers.

MAPP for Responders is a new way to share technical information and threat indicators with organizations focused on incident response and intrusion prevention. Getting this information into the hands of those closest to the events can be invaluable in detecting and disrupting attacks. Many attackers share information amongst themselves, and defenders should likewise share knowledge to help prevent and contain issues as they occur. MAPP for Responders will work to build a community for information exchange to counter the activities of those who wish to do harm.

MAPP Scanner is a cloud-based service that allows Office documents, PDF files, and URLs to be scanned for threats, which increases the likelihood of us learning about new attacks and attack vectors sooner rather than later. This service leverages our own product knowledge and is what we use internally to kick off new investigations. This service is currently in pilot with a limited number of partners.

Over on the BlueHat blog, Jerry Bryant provides additional information about these changes and how they fit into our larger security strategy.

These new programs, along with the bounty programs we launched last month, are part of a broader end-to-end strategy to help protect customers. The goal is to eliminate entire classes of attacks by working closely with partners to build up defenses, making it increasingly difficult to target Microsoft’s platform.

On to Black Hat 2013

Later this week, we’ll be at the Black Hat USA conference at Caesars Palace in Las Vegas, NV. I hope you take a few moments to read the progress report and come by to discuss the findings with us at our booth – and at our Researcher Appreciation party. I always enjoy speaking with people face-to-face about our latest programs and all the work we do throughout Trustworthy Computing to help ensure they have the safest computing experience possible.

Thanks, and I’ll see you in Vegas.

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

News from MAPP, and Advance Notification Service for the December 2011 Bulletin Release

December 8th, 2011

Hello all. Before we look at next week’s bulletin release, we’d like to point out an update to our Microsoft Active Protections Program (MAPP) that should provide customers with greater transparency as to how MAPP partners use the information we share with them when we release security advisories.

As you know, we work closely with our MAPP partners to share information on issues as they arise, thus extending protections to the greatest possible number of computers on the Internet. Starting with our most recent Security Advisory, we have begun listing, on a dedicated web page, the partners who have confirmed that they released protections within 96 hours of the advisory’s release. Naturally, not every advisory applies to every partner, so we do not expect all of them to report protections in place for every individual advisory.

Meanwhile, in a minor procedural note, those of you who prefer to print out the bulletins and have missed that functionality in recent months will be pleased to hear it’s back. Look for the small grey printer icon at the upper right corner of the bulletin.

Today we’re releasing our advance notification for the December security bulletin release, which is scheduled for Tuesday, December 13. This month’s release comprises 14 bulletins addressing 20 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Microsoft Publisher, and Windows Media Player. All 14 bulletins will be released on Tuesday, December 13 at around 10 a.m. PST. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release. We’ll also be looking at some interesting trends in bulletin releases over the course of 2011, with insight on those from MSRC Senior Director Mike Reavey.

As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Please join Jonathan Ness and Jerry Bryant for our public webcast on Wednesday. They’ll go into detail about the bulletins and answer questions live on the air. Register at the link below:

Date: Wednesday, December 14
Time: 11:00 a.m. PST (UTC –8)
Registration:  https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032487961&culture=en-us

Thanks,

Angela Gunn
Trustworthy Computing.

Follow us on Twitter: @MSFTSecResponse