Observations from the EcoStrat-isphere


Security Blanki

Sarah Blankinship

Senior Security Strategist Lead

Vuln wrangling, teams of rivals, global climate change – the hotter the better

Slack jawed gawkers (girls are geeks too!), customers @ risk, egos

As part of the quest to help “secure the planet”, our team travels over this planet a lot, and I wanted to highlight a few of the interesting security gatherings I’ve been to lately.

September brought sunshine and the Executive Women’s Forum (EWF). An all-women’s security event was completely refreshing and a great contrast to the usual technology scene. In addition to the great technical content, it’s always a treat to discourse with others who see computer science as a social science. Mary Anne Davidson’s blog post about synthesis had some great insights:

One of the things I have been doing some thinking and speaking about is the idea of synthesis. More specifically, the lessons we can learn in IT security from other disciplines, such as business, economics, history (especially military history and strategy) and biology.

Hey, those are social sciences (except for biology, although its neighbor epidemiology counts). She also mentions strategy, which is a subject close to my heart. 🙂

Additionally, I had a chance to break bread with former colleagues and friends from around the planet. I got to hear from women starting their own companies or in amazing roles at their organizations — women whom I would want as mentors, colleagues and partners. It was also eye-opening to see the old school/new school debate among women decision makers, paralleling the one we see in male-dominated environments, centered on the question of whether it’s possible to solve security ecosystem problems through regulation. The security ecosystem is like the weather – you can’t predict or control it – but you want to be prepared for it. EWF presents an opportunity to continue educating and networking with this community about the risk environment and how to mitigate threats, concurrent with ongoing policy, privacy and regulation initiatives.

One of my personal goals is to (paraphrasing a line on a favorite greeting card) “build bridges and help people get over them.” One of those goals was realized when, in October, the Microsoft Security Response Center (MSRC) and friends went down to the Southern hemisphere for some mmmm BA-Con. Even better than bacon was the gathering of some mavericks, if you will, including Argentinean security superstars and underground up-and-comers. The conference was the culmination of years of conversations and grassroots community partnerships between traditional “rivals”: Core Security, well-known in the attack tool community, in alignment with our team and other protection providers.

An interesting trend we’ve noted: alongside traditional security conferences, we are starting to see the development of “micro-communities” thriving around the world, with different parts of the security ecosystem overlapping. Just as Black Hat has its Defcon, security conferences worldwide are realizing the value of leveraging different and respected security communities. BA-Con has the ekoparty Security Conference and Xcon has XKungfoo, both great examples of diverse communities collaborating. Mary Anne’s post talks about the risks of a lack of “biological diversity”. By contrast, the collaboration between these communities provides illustrations of diversity from a social science perspective: language, organizational affiliation, age.

Each year, we also have the pleasure of *not* traveling, and welcome members of the security community here to the Microsoft Corporate Campus for BlueHat. Ask the BlueHat network of past speakers, or catch some of the great recent blog posts: one of the most interesting watering holes in software security is @BlueHat. Thanks to all who have helped us grow from a friendly little hacker con to a platform to educate the broader security community with the BlueHat: SDL Sessions, to give back to the developer population by releasing developer tools, and to build more relationships toward community-based defense.

A lot of people are surprised that we don’t make a bigger deal out of BlueHat by inviting the press in. Even though BlueHat is a great story, that’s not primarily how we see it. It is a network, a voice for the community, a platform to launch people, research and ideas. The interactions are different, somehow more open and sincere when folks don’t have a press audience or “preconditions”. The good stuff and paradigm shifts that come out of BlueHat in the form of new awareness, collaborations and security innovations, will pay off for years to come. We aren’t willing to risk the platform for a press story.

There is a lot of excitement that we are making the BlueHat: SDL Sessions public! That’s right; you don’t have to come to BlueHat to watch a great day of security content! Thanks for the feedback, and stay tuned for the BlueHat: SDL Sessions releasing on TechNet; we’re working on getting them up as soon as we can. And the rumors are true: TwC will release a tool to the public within the fiscal year.

Within the MSRC, a big part of our team life these days has been releasing MS08-067* out-of-band. With the update, we are all more secure. That means that many of your security colleagues worked 24 by 7 to get this out to you as quickly as possible.

Throughout my travels, a common theme in these experiences is the opportunity for shared goals and cooperation between organizations and people usually seen on different sides: security researchers and software engineers, Macs and PCs, browser developers and browser hackers, vendors and competing vendors, from the infrastructure to the cloud. BlueHat has demonstrated that well-chosen strategies, while easy to overlook, offer substantial benefits and positive outcomes. It is a great example of “reaching across the aisle” to create those multivendor solutions.

Next: around the world in 14 days. Really!


Security EcoStrategist

* As with all security updates, MS08-067 is a free download with no check for Windows Genuine Advantage. For details and a link to the software for your operating system, click here to go to the Microsoft TechNet Security page.

*Postings are provided “AS IS” with no warranties, and confer no rights.*