New Year, New Security Foo


Security Blanki

Sarah Blankinship

Senior Security Strategist Lead

Vuln wrangling, teams of rivals, global climate change – the hotter the better

Slack-jawed gawkers (girls are geeks too!), customers @ risk, egos

As we head into this new year, predictions abound in the security ecosystem for 2009. The security industry talking heads all have opinions, and there is no shortage of issues to be concerned about: more malware, more targeted attacks, better phishers and more vulnerabilities in all software and hardware. The responsibility of trying to secure the planet (together) feels so massive when every region, every country, every platform, every browser has different issues.

I’ll end this blog post with my own prediction, but first some catching up on some of what’s happened since my last post.

At the close of 2008, I got to see some of our good friends and friendly rivals at the Vendor Security Information Exchange briefings in the UK. Thanks to the good folks there for including my presentation with CSS Shanghai colleague, Daniel Wang, on the realities of the Chinese security threat landscape. As with the rest of the world, China is experiencing a rise in malware and attacks from inside and outside the firewall.

From the UK we traveled to China for the XCon Security Conference in Beijing. We were delighted by the talent and the hospitality as we discovered new sights and new foods. We even explored the back rooms of a hot pot restaurant with friends and colleagues in Beijing. Bravo for a great security confabulation in China. Many thanks for inviting Microsoft to participate with a Windows 7 security overview by Chris Peterson, director of security assurance, Microsoft Trustworthy Computing (TwC).

I arrived back in Redmond just about the time there was a vulnerability discovery from some of our friends in China. This resulted in the release of out-of-band security update MS08-078. Mike Howard has a great write-up on his blog that goes into fantastic detail about why this vulnerability was so tricky; it is another reminder that multiple defenses are critical. As with all security updates, MS08-078 is a free download with no check for Windows Genuine Advantage. As much as we like to release our updates on a predictable cycle, we like to keep our customers and partners protected from publicly known vulnerabilities even more.

Please take the time to install this update.

And now back to my own prediction. For 2009, it’s not gloom and doom. I predict that in 2009, the security community will pull together like never before.

While we know that vulnerability counts are increasing and malicious actors aren’t going anywhere – we also know that we have trust and community in our security ecosystem. With this foundation and awareness, we can work together, as a community of defenders, to limit our exposure and come together to discuss our alternatives. Small first steps include decreasing overall risk by deploying security updates in a timely manner and providing awareness and defense-in-depth mitigation measures, combined with meaningful technical information exchanges.

As the threats increase across the board, now more than ever, the Microsoft EcoStrat team is working to build and leverage our coalition of defenders. Microsoft has proven time and time again the economic theory that it costs less to get it right the first time than to fix it later. In the MSRC, we see the cost to teams and the company when we have to ship a fix to hundreds of millions of users. We want to help others learn from our experiences.

Together, researchers, protection providers and governments are realizing that we are safer because we collectively know more, we talk more and trust more. We are participating in multi-vendor solutions, collective initiatives to unite and educate our security communities while actively listening to our partners in the ecosystem.

Here’s to a great 2009 and striving together to predict, to prevent, to protect.


Release notes:

Have you seen the BlueHat SDL content up on TechNet? Dennis Fisher, from TechTarget, says to “Think of it as the technical equivalent of those free online courses from MIT.”

Reality Check! More SDL goodness – Our own Steve Lipner was interviewed on Gary McGraw’s “Reality Check Security Podcast Series.”

Upcoming – look for more ‘stories from the front lines’ from our TwC brothers and sisters who also travel to security conferences in the name of TwC Security.

Upcoming – Tool Release! Stay tuned for more information from CanSecWest Vancouver 2009.
