Microsoft at Black Hat: Community-based defense in force

Guest editorial by Matt Thomlinson (Microsoft)

Something caught my eye as I was driving home from work the other night. On the side of the street, on the street corner, was a “One Way” sign (we can talk about the irony of that on another day) and beneath it a smaller sign. I’d not noticed it for some reason, even after passing this way for several years. I just never paid it any attention. But there it was, black and white border, the very familiar all-seeing eye logo in blue blocking in the center of the sign and then the text: large letters saying “WARNING - NEIGHBORHOOD WATCH PROGRAM IN FORCE,” and then smaller type reading “WE IMMEDIATELY REPORT ALL SUSPICIOUS ACTIVITIES.”

As I reflected on the sign, I envisioned the community separated by gates and picket fences; by green yards and friendly blocks; some friends, many likely total strangers—bound together by a common purpose: protecting their neighborhoods from criminal activity. It struck me that there were amazing parallels between that and the journey of online security the past couple years, as we’ve focused closely on the increasing criminal element we are up against, and the moves we’ve made to shift advantage to defenders and users in the fight against online crime.

Crime Watch: From the Neighborhood to the Internet

The parallels between the origins and execution of Neighborhood Watch and the realities of computer security and today’s threats really are uncanny. I looked it up after I got home that night. Nearly 40 years ago, the Neighborhood Watch program was born in response to growing national recognition that burglaries were growing out of control and there was a need to incorporate citizen involvement into crime prevention. With respect to online crime, Microsoft’s Security Intelligence Report clearly reflects how criminal activity on the Internet continues to increase, threatening our very foundational rights of security and privacy. Initially, Neighborhood Watch focused on driving education on the nature and volume of crime and providing information on how to better secure residential property and reduce vulnerabilities. That sounds a lot like the purpose of the Security Development Lifecycle - to reduce the number and severity of software vulnerabilities - as well as many of our initiatives to improve online safety education.

From there, Neighborhood Watch evolved to the formation of watch groups where citizens would work together with each other and law enforcement to reduce crime.  And it worked… statistics have put crime reduction between 40-70% nationally in communities that have adopted this community-based defense approach.

It’s clear amidst today’s online criminal activity that achieving security for users isn’t something that can always be delivered by a single company or technology.  I can think of a number of collective efforts as examples - like when we came together to solve the DNS vulnerability back in July 2008, when we formed the Conficker Working Group in 2009, and in our more recent botnet takedown efforts like Waledac, which was coordinated by Microsoft’s Digital Crimes Unit but involved law enforcement, researchers and IT and security vendors. Two years ago, we issued a call to the industry to adopt a community-based defense approach, emphasizing that it was time come together and use the combined strength of the industry, partners and public organizations, and act in unison to build a more secure environment for everyone. As part of that call, we launched industry collaboration programs that share information with partners and customers. These tried and proven programs have helped spur a more unified approach to security, resulting in better protections for customers.

Microsoft Active Protections Program gives partners vulnerability information early so they can build enhanced software protections for customers. Through our 65 global MAPP partners, we are able to reduce risk to hundreds of millions of customers worldwide by sharing information that allows partners to build and deploy protections often before or shortly after a threat emerges. Sourcefire reports that MAPP has helped reduce the attack window by 75 percent.

Microsoft Vulnerability Research works with software and hardware vendors to help address vulnerabilities in their products. Since July 2009, MSVR has identified 35 different software vulnerabilities -- 97 percent rated as Critical or Important -- affecting a total of 19 vendors. Fifty-five percent of the vulnerabilities continue to await the release of a security update from the vendor. And per our philosophy on vulnerability disclosure, we will continue to coordinate disclosure timing with these vendors, so that the broadest customer base can be protected before vulnerability details are released.

Security is a Shared Responsibility

Community-Based Defense is only half of the equation; a shared sense of responsibility for everyone using the Internet must exist to protect the broader community. Much like Neighborhood Watch, each individual bears a responsibility to secure their home, their business and belongings, but in order to help ensure a more secure community—each individual (be they researchers, vendors or customers) must look beyond themselves and share in the responsibility to look out for the broader community.

Recently, we shared our philosophy on Coordinated Vulnerability Disclosure (CVD) which should resonate with those who have the same sense of shared responsibility that we do. The meaning of CVD is that newly-discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, where the finder allows the vendor an opportunity to diagnose and offer fully tested patches, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability detail disclosure can occur with both the finder and vendor working together to provide consistent messaging and guidance to customers on how to best protect themselves.

We recognize that the debate around full disclosure vs. responsible disclosure may never be resolved. However, it is evident from listening to those on both sides of the argument, that there is one thing that we are all trying to do: help keep the Internet safe. Going forward, we're asking the broader community -- from bug finders to software vendors -- to shift the mindset from “responsible” to “coordinated vulnerability disclosure” -- which is ultimately about getting the job done in the safest manner possible

Coordinated Vulnerability Disclosure requires coordination and collaboration to resolve issues in a way that minimizes disruption for customers. This kind of collaboration is a shared responsibility across the broad community -- from security researchers to security product providers to other software vendors.

Maximize Criminal Disruption, Minimize Customer Disruption

When MAPP was first announced in August 2008, many throughout the industry, including analysts, customers and partners, referred to the new program as game-changing. For the first time ever, a major software vendor was sharing vulnerability details with protection providers ahead of security update releases.

Today, at the Black Hat USA 2010 conference, Microsoft Corp. announced that it will extend MAPP to include communicating vulnerability information sharing from Adobe Systems Inc.  Considering the ubiquity of Adobe’s product footprint, we believe this will be another disruptive move giving an upper hand to a global network of defenders in the battle against online criminals.

Even with increased community collaboration and information sharing, online criminals are constantly casing systems and applications for vulnerabilities. So how do you protect your system from exploitation when fixes aren’t available? One option we’ve been pursuing is building exploit mitigations into our products.

Today at Black Hat, Microsoft is announcing the Enhanced Mitigation Experience Toolkit (EMET), providing customers with a way to add new security mitigation technologies (such as Data Execution Prevention and Address Space Randomization Layout) to existing software in order to help protect against successful exploitation of vulnerabilities without available fixes. The tool will be available in August.

Resolve to Get Involved

While they may not be tangibly affixed to posts, I am encouraged by the signs I see across the industry of individuals who accept the onus of responsibility and are working to realize the benefits of community-based defense. As an industry and community, philosophical differences or competition aside, we should be in this together. The stakes are just too high – the good guys need to collaborate.

In closing, here are some thoughts on how we can take the principles of Neighborhood Watch to the through community-based defense

1. Recognize your role and responsibility. Regardless of whether you’re a home user, an IT professional or a security researcher, make a commitment to reduce risk—not amplify it—and help improve the broader security ecosystem. For example, home users should follow the guidance at www.Microsoft.com/Protect, vendors and security researchers should embrace and practice the principles of coordinated vulnerability disclosure, and IT professionals should make sure that updates to systems and software are deployed in a timely manner.
2. Join the Community “Watch.” We are better together – initiatives like Microsoft Active Protections Program are proving effective and models like the Conficker Working group have been established to help individuals and organizations work together to defend customers and partners against the online criminal threat. If you’re a vendor or security researcher, get involved in such community-based defense efforts.
3. Stop the FUD. Perhaps the greatest enemy to our success in protecting internet users is fear-mongering - it can quickly lead to sensationalism and draw critical attention and resources away from the real issues. It’s imperative that we as a community stick to the facts and provide information on the risk posed by software vulnerabilities and emerging threats.
4. Leverage and drive innovation. Use Microsoft’s freely available resources like EMET and the Exploitability Index to help enhance risk management and improve security defenses, and inject new tools and ideas into the community that we can all collectively benefit from.

I’d like to thank everyone that has supported and worked so closely with my team, and Microsoft, over the years to improve security on the Internet. The global security community and network of defenders have come together, and together we’ve tackled problems bigger than we could individually. Coming together for a purpose – to fight crime and protect our community – we’ve proven that the principles of Neighborhood Watch model can work in the online world.

* Matt Thomlinson leads engineering for both the Microsoft Security Engineering Center (MSEC) and Microsoft Security Response Center (MSRC). He is responsible for proactively implementing tools and processes to secure products, like the Security Development Lifecycle (SDL), and reacting to the technical aspects of security response for Microsoft products.