Driving a Collectively Stronger Security Community with Microsoft Interflow

Today, Microsoft is pleased to announce the private preview of Microsoft Interflow, a security and threat information exchange platform for analysts and researchers working in cybersecurity. Interflow uses industry specifications to create an automated, machine-readable feed of threat and security information that can be shared across industries and groups in near real-time. The goal of the platform is to help security professionals respond more quickly to threats. It will also help reduce cost of defense by automating processes that are currently performed manually. 

Microsoft’s ongoing active collaboration with the cybersecurity community has been a constant source of ideas and innovation for more than a decade. The Microsoft Active Protections Program (MAPP) was established in 2008 to provide security software providers with early access to software vulnerability information. Along the same lines, the inspiration for Interflow comes from the community. Today, data exchange difficulties – format mismatches, governance issues, and the complexity of data correlation – stand in the way of a more efficient incident response industry. Zheng Bu, VP of Security Research at FireEye, stated “what the cybersecurity community will benefit from is a more productive way to collaborate and take action. It is encouraging to see Microsoft invest in such a platform, and drive it forward for the greater good of the community.”

A collectively stronger cybersecurity ecosystem means better protection for consumers and businesses. There are many examples of alliances across industries, such as those established in the education and finance sectors. Recently, a similar cybersecurity alliance was formed in the retail industry. As retailers and others share threat indicators and take action rapidly, cyberattacks are either prevented, or their damage and spread are minimized. Interflow enables exactly this type of community and peer-based sharing, whether the communities are formed by the Computer Emergency Response Teams (CERTs) across the globe or by industry.

One may ask what exactly it means to share security and threat information using Interflow. The answer is simple: Interflow is a distributed system where users decide what communities to form, what data feeds to bring to their communities, and with whom to share data feeds. In addition, the use of open specifications STIX™ (Structured Threat Information eXpression), TAXII™ (Trusted Automated eXchange of Indicator Information), and CybOX™ (Cyber Observable eXpression standards) means that Interflow can integrate with existing operational and analytical tools through a plug-in architecture. This means there is no lock-in to proprietary data formats, appliances or subscriptions, all of which raise the cost of cybersecurity.

For many operating in the response community, reducing and managing the cost of defense in the face of exponentially increasing threat data is crucial. Running on Microsoft Azure public cloud, Interflow helps to reduce the cost of security infrastructure while allowing for rapid scale-out, a key premise of cloud computing. As Interflow automates the input and flow of security and threat data, organizations are able to prioritize analysis and action through customized watch lists, instead of bearing the cost of manual data compilation.

As early users of Interflow, various network security teams at Microsoft have experienced these kinds of benefits. Microsoft is planning to share the security and threat data used to protect our own products and services with the Interflow communities during the private preview. Organizations and enterprises with dedicated security incident response teams can inquire about the private preview through their Technical Account Managers or by emailing mappbeta@microsoft.com. Microsoft plans to make Interflow available to all members of MAPP in the future.

I said in the beginning that the cybersecurity community was the inspiration for Interflow. We look forward to working with the community to shape the roadmap forward. Today’s announcement is timed with the 26th annual FIRST Conference in Boston, Massachusetts.  Attendees at the conference can stop by the Microsoft booth #8, observe a demo and discuss participation in the private preview of Interflow.

Finally, you can find answers to most commonly asked questions here, and learn how Interflow enables a collectively stronger cybersecurity community at www.microsoft.com/interflow.


Jerry Bryant
Lead Senior Security Strategist, Microsoft Security Response Center (MSRC)