It’s been just over a year since we experienced our last major network worm outbreak, Sasser, which exploited a vulnerability in the LSASS component of Windows in April 2004.
On the security response team at Microsoft, it is part of our process to do post mortems after incidents or outbreaks and review how we can better manage these incidents more effectively for customers. We did that after Slammer, which actually prompted the development of our Software Security Incident Response Plan; we did it exhaustively for months after Blaster; and again after Sasser.
It’s interesting to chart how much more effective we’ve become after each incident. When Blaster happened in August 2003, we were just in the implementation stages of a security incident response process – and it is fair to say that we did not have all the pieces in place yet when that worm attacked millions of customers around the world. Consequently, it took 38 long and painful days for our customers and for us before recovery. After Blaster, we spent many, many hours in post mortem and to learn how to refine our processes. We also spent many hours throughout the company drilling on our incident response process – making sure that we were prepared and able to mobilize worldwide – across product groups, subsidiaries – through all parts of the company if a significant outbreak occurs. So when Sasser broke out we fully exercised our worldwide mobilization process – paging and waking up stakeholders and account managers around the world to get critical remediation information and tools to customers immediately. Because of the improvements in our processes, time to recover for Sasser was 5 days compared to 38 days for Blaster. And of course, through our work with law enforcement – sharing our forensic analytics – we were able to assist in the arrest of the individual responsible for unleashing Sasser just 7 days after the attack.
Our response process continues to evolve and has reached still a new level of maturity in the last year since Sasser. We regularly review and refine as part of our ongoing commitment – which is deeply felt by everyone on the team – to help keep customers secure.
I was pleased to read Ryan Naraine’s retrospective on the anniversary of Sasser in eWeek. I encourage folks to take a look: http://www.eweek.com/article2/0,1759,1816530,00.asp.