Ahn-young-ha-seh-yo & Kon-ni-chi-wa

Cap’n Steve

Steve Adegbite

Senior Security Program Manager Lead

Reverse Engineering an obscene amount of code and ripping it up on a snowboard

Not much but if you hear me growl…run

Hi! It’s been a while since I’ve had a chance to blog about all the things we have been doing here. As travelling around to various security events is a big part of our mantra, I’ve been to Tokyo Japan for PacSec and Seoul, South Korea for POC 2009. Both were great conferences and had great security talks.


PacSec had a lot of the Japanese security scene in attendance (the local powerhouses are pretty sharp and savvy) along with international researchers and past BlueHat speakers, Charlie Miller and Alex Stamos. Take a minute to check out archived presentations from our own Tony Lee introducing the SIRv7 and Jason Shirk discussing fuzzing strategies. But the biggest interest concerned mobile code threats such as malware and how the perimeter defenses are fading away as a viable protection. This seems to be a hot topic everywhere, so hot that the just wrapped-up BlueHat v9 con had an entire track dedicated to mobile security, and in June 2010, at the annual FIRST Conference, how the perimeter defenses are fading away will be the theme for the whole conference.

It’s a cyclic state when it comes to the effectiveness of protections. I remember back in the 80s and 90s when the firewall was going to fix it all. But like everything in life, things evolve and the firewall became a part of a complex mesh of other technologies created to evolve with the threats.

This cyclic and evolving process is something we know a lot about here in Microsoft. The continued security evolution built the MSRC process and the Security Development Lifecycle (SDL). This is how we had to react to threats.

Visiting POC 2009 and PacSec, I got more of a sense of how people outside Microsoft evolve and react; most created either more complex processes or bought more technologies. As I was sitting at POC 2009 watching the presentations, I saw the same theme here as well. It seems that with the evolution of threats, security people everywhere are throwing up more complex processes and technologies. But what happens when the complexity we have created outstrips the problem? I can see that we are always going to have the technological challenges of new threats.

For instance, Conficker, a new threat that helped every security professional evolve due to the complex nature of the threat. However, something else happened with Conficker that really turned on a light in my head. Conficker took advantage of old threats and long-standing security best practices. The fact that Conficker used these old threats and was still widely successful in exploiting our complex processes and technologies is interesting.

I couldn’t help asking myself this question, could it be that due to our complexity that we have failed to take into account past experiences? I don’t think so. I think what we may have done is forgotten one or two primary focus security factors. Those factors are “people” and “process”. People management for security is a key tenet of any type of security plan. This fact has been proven everywhere and in every topic including computer security.

If your plan does not take into account an understanding of the human factor and what it means to your security process, you are missing an important point. Understanding the “people” factor will help you in the next important part of the security plan, which is the process part.

Sitting down at PacSec and POC 2009, I see that we have a firm grip on the technological-advancement front. The presentations at both conferences were excellent technically and on the cusp of new developments. But I still believe that a more focused approach on the “people” factor of computer security would do more to enhance the security than technology advancements will.

Here at Microsoft we are looking in that direction as we look at the technological enhancements coming to the continent of Africa. Here is a place where we will have the chance to stress a focus on the ”people” aspect while building up the processes to take advantage of the new technologies afforded the populace. Hopefully you’ll be seeing more of this model in future posts from me as this new initiative develops. But for now make sure to look at the “people” factor as you create, modify or react to problems in the security landscape. It may surprise you what fresh new perspectives and solutions it gives you.

– -Steve

*Postings are provided “AS IS” with no warranties, and confers no rights.*