Microsoft at Black Hat: Community-based defense in force

Summary: Microsoft's Matt Thomlinson argues that community-based defense is important to fight cybercrime and stay ahead of malicious hacker attacks.


Guest editorial by Matt Thomlinson (Microsoft)

Something caught my eye as I was driving home from work the other night. On the side of the street, on the street corner, was a “One Way” sign (we can talk about the irony of that on another day) and beneath it a smaller sign. I’d not noticed it for some reason, even after passing this way for several years. I just never paid it any attention. But there it was, black and white border, the very familiar all-seeing eye logo in blue blocking in the center of the sign and then the text: large letters saying “WARNING - NEIGHBORHOOD WATCH PROGRAM IN FORCE,” and then smaller type reading “WE IMMEDIATELY REPORT ALL SUSPICIOUS ACTIVITIES.”

As I reflected on the sign, I envisioned the community separated by gates and picket fences; by green yards and friendly blocks; some friends, many likely total strangers—bound together by a common purpose: protecting their neighborhoods from criminal activity. It struck me that there were amazing parallels between that and the journey of online security the past couple years, as we’ve focused closely on the increasing criminal element we are up against, and the moves we’ve made to shift advantage to defenders and users in the fight against online crime.

Crime Watch: From the Neighborhood to the Internet

The parallels between the origins and execution of Neighborhood Watch and the realities of computer security and today’s threats really are uncanny. I looked it up after I got home that night. Nearly 40 years ago, the Neighborhood Watch program was born in response to growing national recognition that burglaries were growing out of control and there was a need to incorporate citizen involvement into crime prevention. With respect to online crime, Microsoft’s Security Intelligence Report clearly reflects how criminal activity on the Internet continues to increase, threatening our very foundational rights of security and privacy. Initially, Neighborhood Watch focused on driving education on the nature and volume of crime and providing information on how to better secure residential property and reduce vulnerabilities. That sounds a lot like the purpose of the Security Development Lifecycle - to reduce the number and severity of software vulnerabilities - as well as many of our initiatives to improve online safety education.

From there, Neighborhood Watch evolved to the formation of watch groups where citizens would work together with each other and law enforcement to reduce crime. And it worked: statistics have put crime reduction between 40 and 70 percent nationally in communities that have adopted this community-based defense approach.

It’s clear amidst today’s online criminal activity that achieving security for users isn’t something that can always be delivered by a single company or technology. I can think of a number of collective efforts as examples - like when we came together to solve the DNS vulnerability back in July 2008, when we formed the Conficker Working Group in 2009, and in our more recent botnet takedown efforts like Waledac, which was coordinated by Microsoft’s Digital Crimes Unit but involved law enforcement, researchers and IT and security vendors. Two years ago, we issued a call to the industry to adopt a community-based defense approach, emphasizing that it was time to come together and use the combined strength of the industry, partners and public organizations, and act in unison to build a more secure environment for everyone. As part of that call, we launched industry collaboration programs that share information with partners and customers. These tried and proven programs have helped spur a more unified approach to security, resulting in better protections for customers.

The Microsoft Active Protections Program (MAPP) gives partners vulnerability information early so they can build enhanced software protections for customers. Through our 65 global MAPP partners, we are able to reduce risk to hundreds of millions of customers worldwide by sharing information that allows partners to build and deploy protections often before or shortly after a threat emerges. Sourcefire reports that MAPP has helped reduce the attack window by 75 percent.

Microsoft Vulnerability Research (MSVR) works with software and hardware vendors to help address vulnerabilities in their products. Since July 2009, MSVR has identified 35 different software vulnerabilities -- 97 percent rated as Critical or Important -- affecting a total of 19 vendors. Fifty-five percent of the vulnerabilities continue to await the release of a security update from the vendor. And per our philosophy on vulnerability disclosure, we will continue to coordinate disclosure timing with these vendors, so that the broadest customer base can be protected before vulnerability details are released.

Security is a Shared Responsibility

Community-Based Defense is only half of the equation; a shared sense of responsibility for everyone using the Internet must exist to protect the broader community. Much like Neighborhood Watch, each individual bears a responsibility to secure their home, their business and belongings, but in order to help ensure a more secure community—each individual (be they researchers, vendors or customers) must look beyond themselves and share in the responsibility to look out for the broader community.

Recently, we shared our philosophy on Coordinated Vulnerability Disclosure (CVD), which should resonate with those who have the same sense of shared responsibility that we do. Under CVD, newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, and the finder allows the vendor an opportunity to diagnose and offer fully tested patches, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public disclosure of vulnerability details can occur, with the finder and vendor working together to provide consistent messaging and guidance to customers on how to best protect themselves.

We recognize that the debate around full disclosure vs. responsible disclosure may never be resolved. However, it is evident from listening to those on both sides of the argument that there is one thing we are all trying to do: help keep the Internet safe. Going forward, we're asking the broader community -- from bug finders to software vendors -- to shift the mindset from “responsible” to “coordinated vulnerability disclosure” -- which is ultimately about getting the job done in the safest manner possible.

Coordinated Vulnerability Disclosure requires coordination and collaboration to resolve issues in a way that minimizes disruption for customers. This kind of collaboration is a shared responsibility across the broad community -- from security researchers to security product providers to other software vendors.

Maximize Criminal Disruption, Minimize Customer Disruption

When MAPP was first announced in August 2008, many throughout the industry, including analysts, customers and partners, referred to the new program as game-changing. For the first time ever, a major software vendor was sharing vulnerability details with protection providers ahead of security update releases.

Today, at the Black Hat USA 2010 conference, Microsoft Corp. announced that it will extend MAPP to include vulnerability information shared by Adobe Systems Inc. Considering the ubiquity of Adobe’s product footprint, we believe this will be another disruptive move giving an upper hand to a global network of defenders in the battle against online criminals.

Even with increased community collaboration and information sharing, online criminals are constantly casing systems and applications for vulnerabilities. So how do you protect your system from exploitation when fixes aren’t available? One option we’ve been pursuing is building exploit mitigations into our products.

Today at Black Hat, Microsoft is announcing the Enhanced Mitigation Experience Toolkit (EMET), providing customers with a way to add security mitigation technologies such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to existing software, in order to help protect against successful exploitation of vulnerabilities for which no fix is yet available. The tool will be available in August.
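DEP and ASLR are opt-in at the image level: a Windows executable or DLL declares its support through two bits in the DllCharacteristics field of its PE optional header (the linker's /NXCOMPAT and /DYNAMICBASE settings), and EMET exists precisely for software that was built without them. Before deciding where a tool like EMET is needed, an administrator wants to know which of the deployed binaries already carry those bits. The following is an added example, not code from the article or from Microsoft; it parses the PE header directly so it runs offline, and the sample images it checks are constructed header-only stubs, not real programs. The helper names (mitigation_flags, needs_emet, build_sample_pe) are this example's own.

```python
"""Report which PE images opt in to DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE)."""
import struct

# Bits of the optional header's DllCharacteristics field (PE format specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # linker /DYNAMICBASE: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # linker /NXCOMPAT: DEP opt-in
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def mitigation_flags(image: bytes) -> dict:
    """Return {'bits', 'dep', 'aslr'} for a PE image given as raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # The 20-byte COFF file header follows the signature; the optional header follows it.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+
    # (PE32+ drops BaseOfData but widens ImageBase, so the offset is unchanged).
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "bits": 64 if magic == PE32PLUS_MAGIC else 32,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def needs_emet(images: dict) -> dict:
    """Map image name -> mitigations it does not opt in to (empty map: nothing to enforce)."""
    gaps = {}
    for name, data in images.items():
        flags = mitigation_flags(data)
        missing = [m for m in ("dep", "aslr") if not flags[m]]
        if missing:
            gaps[name] = missing
    return gaps


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal header-only PE image for the demo (constructed data, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 112 if pe32plus else 96          # optional header without data directories
    machine = 0x8664 if pe32plus else 0x14C     # AMD64 / i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample set: one image with both opt-ins, one with neither, one with DEP only.
SAMPLE_IMAGES = {
    "modern.exe": build_sample_pe(0x0140, pe32plus=True),
    "legacy.exe": build_sample_pe(0x0000),
    "dep_only.dll": build_sample_pe(0x0100),
}

if __name__ == "__main__":
    for name, data in SAMPLE_IMAGES.items():
        print(name, mitigation_flags(data))
    print("needs enforcement:", needs_emet(SAMPLE_IMAGES))
```

To check a real file, pass `open(path, "rb").read()` to `mitigation_flags`. Two caveats: the bits only record what the linker declared, so a host whose system-wide DEP policy is already AlwaysOn or OptOut protects an image that lacks NX_COMPAT anyway; and an executable that opts in to ASLR still gets only partial randomization if it loads DLLs that do not, which is why a survey like this should cover the libraries a process loads, not just its main image.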

Resolve to Get Involved

While they may not be tangibly affixed to posts, I am encouraged by the signs I see across the industry of individuals who accept the onus of responsibility and are working to realize the benefits of community-based defense. As an industry and community, philosophical differences or competition aside, we should be in this together. The stakes are just too high – the good guys need to collaborate.

In closing, here are some thoughts on how we can take the principles of Neighborhood Watch to the Internet through community-based defense:

  1. Recognize your role and responsibility. Regardless of whether you’re a home user, an IT professional or a security researcher, make a commitment to reduce risk—not amplify it—and help improve the broader security ecosystem. For example, home users should follow the guidance at, vendors and security researchers should embrace and practice the principles of coordinated vulnerability disclosure, and IT professionals should make sure that updates to systems and software are deployed in a timely manner.
  2. Join the Community “Watch.” We are better together – initiatives like the Microsoft Active Protections Program are proving effective, and models like the Conficker Working Group have been established to help individuals and organizations work together to defend customers and partners against the online criminal threat. If you’re a vendor or security researcher, get involved in such community-based defense efforts.
  3. Stop the FUD. Perhaps the greatest enemy to our success in protecting Internet users is fear-mongering - it can quickly lead to sensationalism and draw critical attention and resources away from the real issues. It’s imperative that we as a community stick to the facts and provide accurate information on the risk posed by software vulnerabilities and emerging threats.
  4. Leverage and drive innovation. Use Microsoft’s freely available resources like EMET and the Exploitability Index to help enhance risk management and improve security defenses, and inject new tools and ideas into the community that we can all collectively benefit from.

I’d like to thank everyone who has supported and worked so closely with my team, and Microsoft, over the years to improve security on the Internet. The global security community and network of defenders have come together, and together we’ve tackled problems bigger than we could individually. Coming together for a purpose – to fight crime and protect our community – we’ve proven that the principles of the Neighborhood Watch model can work in the online world.

* Matt Thomlinson leads engineering for both the Microsoft Security Engineering Center (MSEC) and Microsoft Security Response Center (MSRC). He is responsible for proactively implementing tools and processes to secure products, like the Security Development Lifecycle (SDL), and reacting to the technical aspects of security response for Microsoft products.

  • RE: Microsoft at Black Hat: Community-based defense in force

    Great article. However, it was said that Win 7 would be the first truly secure Windows OS...? I don't buy it, and I still say the viability of a move to either FOSS or Mac should be considered by both the enterprise as well as the home user.

    • RE: Microsoft at Black Hat: Community-based defense in force

      @wallace_marke@... Wasn't Windows NT the first truly secure Windows OS? Heck, you've got ACLs on every OS object (file handles, threads, user accounts, group accounts, folders, registry keys, etc...). Stop the FUD.
      • RE: Microsoft at Black Hat: Community-based defense in force

        Very true! Microsoft Windows offers a finer grain of control over security than some other FOSS software.
        Loverock Davidson
      • RE: Microsoft at Black Hat: Community-based defense in force

        @LD ... when you say "some other FOSS software", note that you are not talking about Linux, which with mandatory access control tools like SELinux and AppArmor goes well beyond the Microsoft security model.

        I'm agreeing with you, btw. "Some" just needed that one qualification, lest your comment be interpreted as FUD.
      • RE: Microsoft at Black Hat: Community-based defense in force

        Actually I am talking about Linux; it does not offer fine-grained control like Microsoft Windows does. AppArmor and SELinux are not installed by default and are add-on products, thus increasing the risk of a vulnerability. Now you have FOSS operating systems like OpenBSD and pretty much any BSD that have stood the test of time for security. Seems like Linux is the only one in the bunch that can't get security right. Too busy gawking over Microsoft Windows to worry about securing their own OS, I guess.
        Loverock Davidson
      • BSD Secure? Really?

        "Now you have FOSS operating systems like OpenBSD and pretty much any BSD that have stood the test of time for security"

        Last time I looked, OS X was based on BSD, and OS X is anything but secure.
      • Weren't ACLs compromised for some years....

        @MSFTWorshipper ...in the name of application compatibility? The irony is that the layering of Vista/7 is closer to the original vision of how NT should operate than were the NT releases up to and including XP. Microsoft dug themselves out of the hole - after they dug themselves into it.
        Lester Young
    • RE: Microsoft at Black Hat: Community-based defense in force

      No such thing as a truly secure OS. Not one in existence now, or in the future, has been or ever will be.
  • Check your facts LD

    SELinux or AppArmor are installed and enabled by default on virtually all modern Linux distros. I think it's time you throw away that 1992 Linux CD you have been using and download a Linux from this century.
    BTW: At least Linux distros don't open the Telnet port on their firewalls and install the telnet server by default like Win 2008 does.
    • Stop using hacked versions of Windows Server 2008

      Telnet Server isn't installed by default, and neither is the port opened on the firewall, sorry to say.

      BTW: AppArmor looks good on paper, but Novell doesn't even explain how it works. The goal is process isolation through some form of ACL. However, they fail to say how they achieve this. It all falls flat the moment someone is able to break in through an insecure application, rewrites AppArmor's security policies for locked-down applications and gains total access to the system, and don't say it'll never happen, cuz Mactards said the same thing about OS X being bulletproof and CanSecWest made liars out of them over the past several years.
      • RE: Microsoft at Black Hat: Community-based defense in force

        @Joe_Raby So you know more? Where are AppArmor policies? HMM UNDER ROOT! So though (or around, as your example) then what is next??? hmm I need a pass! SUDO!
        end of attack... Hmm SNORT saw you!! And maybe DenyHosts gave me a call???? You know what you want to see! Sigh MORE FUD!!
    • RE: Microsoft at Black Hat: Community-based defense in force

      Wake up. Even on Ubuntu, AppArmor is NOT ENABLED for Firefox by default.
    • RE: Microsoft at Black Hat: Community-based defense in force

      @anothercanuck Thank you! The new Mint KDE came (to my shock!) with AppArmor installed! But in complain mode, and no real interface to put it in enforce! This needs to be taken care of!! The program is there but it just complains!! HMM
    • RE: Microsoft at Black Hat: Community-based defense in force

      "BTW: At least Linux distros don't open the Telnet port on their firewalls and install the telnet server by default like Win 2008 does."

      You have been swallowing some of Dietrich's Kool-Aid. Go back and read your source. Win 2008 DOES NOT open the telnet port by default. Instead some malware did (downloaded by the user along with his illegal, cracked version of w2k8).
  • When MS released XP SP2

    and for free to boot, it took a big and well overdue step in the right direction. It may have cost the company in certain tangential ways (including creating an unintended benchmark by which its subsequent OS releases are still being compared), but it proved to many a doubting Thomas - myself included* - that Microsoft was coming to their senses and finally getting serious about improving core security.

    It was as timely a move as focusing energies and inertia on the browser a decade earlier. It also prefaced the arrival and acceptance of Windows 7 (after that premature burp known as Vista junior), in that it set the proper tone. I applaud any efforts MS makes to build on Allchin's security initiative. Vista and Win7 are welcomed steps in the right direction when it comes to improving platform protections.

    [* If it hadn't been for the arrival and ultimate impact of the SP2 initiative, I was prepared to advise clients to consider throwing in the towel and seeking more secure operating platforms with the growing "threatscape" that was emerging circa 2003-2004. Up to that point the Swiss brick known as Windows coupled with IE was simply no match for comprimization and pwnage, even when locked down].
  • Do I smell a rat?

    MS wants help with security, but does not want to pay for it?
  • RE: Microsoft at Black Hat: Community-based defense in force

    That's rich - the Redmond gang calling for an end to FUD and participating at Black Hat. The acronym and conference are largely the result of their abusive, arrogant business practices.