virtual techdays INDIA 22-24 November 2010 Security @ Microsoft Anirudh Singh Rautela Technology Specialist - Security

Post on 27-Dec-2015

Page 1:

virtual techdays INDIA │ 22-24 November 2010

Security @ Microsoft

Anirudh Singh Rautela │ Technology Specialist - Security

Page 2:

Agenda

• The Microsoft TWC Initiative
• Security & Privacy Progress
• Windows Platform Security

Page 3:

Microsoft Privacy Guidelines for developing Software and Services

Microsoft Data Governance Framework

Managing and Protecting Personal Information

Trustworthy Computing

Secure against attacks

Protects confidentiality, integrity and availability of data and systems

Microsoft Security Response Center (MSRC)

Microsoft Malware Protection Center (MMPC)

Microsoft Security Engineering Center (MSEC)

Build solutions that protect privacy

Safeguard your corporate data

Protect Personal Privacy

Microsoft Online Crash Analysis

Engineering Excellence Training and Guidelines

Microsoft Online Services with high reliability in multiple data centers

Vendor Engagement and Windows Hardware Quality Lab

Business Continuity explicitly designed in with prescriptive guidance

Interop Vendor Alliance

Open Source Software Lab

Transparent Practices (SDL, Codeplex, etc.)

Predictable, consistent, responsive service

Maintainable, easy to configure and manage

Resilient, works despite changes

Recoverable, easily restored

Proven, ready to operate

Commitment to customer-centric Interoperability

Automated Policy based solutions

Recognized industry leader, world-class partner

Open, transparent

Timeline figure, 2002-2008. Milestones shown: SQL Server 2005, Visual Studio 2005, Windows Server 2003 SP1, Malicious SW Removal Tool, Windows XP SP2, DSI Launched, TWC Announced, SDL begins, Windows Server 2003, Windows Defender, Windows Live OneCare, Windows Vista, Office 2007, Forefront, Windows Server 2008, SQL Server 2008

Page 4:

Centers Supporting TwC Security TwC Security

Protecting Microsoft customers throughout the entire life cycle (in development, deployment and operations)

Microsoft Security Engineering Center (MSEC)

Security Assurance

Security Science

SDL

Microsoft Malware Protection Center (MMPC)

Microsoft Security Response Center (MSRC)

MSRC Engineering

MSRC Ops

EcoStrat

Conception

Release

Product Life Cycle

Page 5:

The Microsoft Security Development Lifecycle

Goals

Protect Microsoft customers by
• Reducing the number of vulnerabilities
• Reducing the severity of vulnerabilities

Key Principles
• Prescriptive yet practical approach
• Proactive – not just “looking for bugs”
• Eliminate security problems early
• Secure by design

Conception

Release

Page 6:

Training
• Core training

Requirements
• Analyze security and privacy risk
• Define quality gates

Design
• Threat modeling
• Attack surface analysis

Implementation
• Specify tools
• Enforce banned functions
• Static analysis

Verification
• Dynamic/Fuzz testing
• Verify threat models/attack surface

Release
• Response plan
• Final security review
• Release archive

Response
• Response execution

Embedding Security Into Software And Culture

At Microsoft, we believe that delivering secure software requires

Executive commitment: SDL a mandatory policy at Microsoft since 2004

Technology and Process

Education

Accountability

Ongoing Process Improvements: 6 month cycle

Page 7:

Microsoft Security Strategy

Prescriptive Guidance

Security Tools & Papers

Microsoft Security Assessment Toolkit

Infrastructure Optimization

Microsoft IT Showcase

Microsoft Windows Vista Security Whitepapers

Microsoft Security Intelligence Report

Security Readiness Education and Training

Learning Paths for Security Professionals

Page 8:

Security and Privacy Industry Partnerships

Public Policy

Law Enforcement

Industry Partnership

Consumer Awareness

Virus Information Alliance

Global Infrastructure Alliance for Internet Safety

Digital PhishNet

Global Phishing Enforcement Initiative

Page 9:

Handy Admin tools & resources

• Threats & Countermeasures
• Security Risk Management Guide
• Fundamental Computer Investigation Guide for Windows
• Microsoft Security Assessment Tool 4.0
• MBSA Tool & Scripts
• Microsoft Security Compliance Manager
• Security Awareness Toolkit
• SysInternals Toolkit
• Security Literature to read
• Misc. Security Tools for Admins

Page 10:

Security And Privacy Progress

• Microsoft Security Response Center (MSRC)
• Microsoft Malware Protection Center (MMPC)
• Windows Live OneCare and Forefront Client Security, powered by the Microsoft Malware Protection Center
• SPAM (Sender ID, Phishing Filters)
• Network Access Protection (NAP/NAC)

Security Development Lifecycle process

• Engineered for security
• Design threat modeling

SD3
• Secure by Design
• Secure by Default
• Secure In Deployment

Automated patching and update services

SDL and SD3

Malware Example
• Consumer Education
• Laws
• Firewalls
• Antivirus Products
• Antispyware Products
• Malicious Software Removal Tool
• Memory Management (ASLR)
• Law Enforcement

Defense in Depth

Threat Mitigation

Page 11:

Comparing Incidents

| | Blaster (August 2003) | Sasser (April 2004) | Zotob (August 2005) | MS08-067 (October 2008) |
|---|---|---|---|---|
| Alert and prescriptive guidance | Within 1 day | Within 2 hours | 2 days prior | Before publicly known (MAPP) |
| Online guidance/Webcast | Within 10 days | Within 2 days | Same day | 3 times, 2x Same day |
| Free worm removal tool | Within 38 days | Within 3 days | Within 3 days | Didn’t need one* |
| Days after the patch we knew of 1st exploit | +11 days | +4 days | +2 days | -11 days |
| Products not affected by attacks | none | none | XPSP2 | Vista, Win7, Server 2008 |

*at the time of the security update release and the immediate aftermath

Page 12:

Software Vulnerability Disclosures
By half year – industry wide

• Vulnerability disclosures in 2H08 down 3% from 1H08
• 2008 as a whole down 12% from 2H07
• Microsoft proportion only 5% of industry total

Chart: Industry-wide vulnerability disclosures by half-year, 2H03-2H08

Chart: Vulnerability disclosures for Microsoft products, by full year, 2004-2008

Page 13:

What Are Experts Saying?

“Why try to chase a difficult overflow out of Vista when you have Acrobat Reader installed, some antivirus software with shoddy file parsing, and the latest iTunes?”

Halvar Flake, Security Researcher
Microsoft BlueHat Conference, September 2007

“Given this situation, Microsoft deserves high praise for creating, formalizing, and improving SDL as it has led to better software for the masses.”

Jon Oltsik, Enterprise Strategy Group
September 2008

Page 14:

WINDOWS PLATFORM SECURITY

Core improvements to the Operating Systems

Security by Design, by Default and by Deployment

Page 15:

Social Engineering & Exploits
Reduce unwanted communications

Freedom from intrusion
• International Domain Names
• Pop-up Blocker
• Increased usability

Choice and control
Clear notice of information use
Provide only what is needed

Control of information
• User-friendly, discoverable notices
• P3P-enabled cookie controls
• Delete Browsing History
• InPrivate™ Browsing & Filtering

Browser & Web Server Exploits
Protection from deceptive websites, malicious code, online fraud, identity theft

Protection from harm
• Secure Development Lifecycle
• Extended Validation (EV) SSL certs
• SmartScreen® Filter
• Domain Highlighting
• XSS Filter/ DEP/NX
• ActiveX® Controls

Internet Explorer 8 Security
Building on IE7 and addressing the evolving threat landscape

Page 16:

Secure Platform

Malware Protection

Secure Access

Data Protection

• Rights Management Services (RMS) SharePoint, Exchange, Windows Mobile integration
• Encrypting File System (EFS)
• Bitlocker & Bitlocker To Go

• User Account Control
• Network Access Protection (NAP)
• IPv6
• IPsec
• Windows CardSpace
• Native smart card support
• GINA Re-architecture
• Certificate Services
• Credential roaming
• AppLocker™
• DirectAccess

• Security Development Lifecycle (SDL)
• Kernel Patch Protection
• Kernel-mode Driver Signing
• Secure Startup
• Windows Service Hardening
• x64 Hardware Integration

• Windows Defender
• IE Protected Mode
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
• Bi-directional Firewall / multi profile Support
• Windows Security Center

Page 17:

Secure Platform

Network Protection

Data Protection

Identity Access

• Security Development Lifecycle (SDL)
• Windows Server Virtualization (Hypervisor)
• Role Management Tool
• OS File Integrity

• Read-only Domain Controller (RODC)
• Active Directory Federation Services (ADFS)
• Administrative Role Separation
• PKI Management Console
• Online Certificate Status Protocol

• Network Access Protection (NAP)
• Server and Domain Isolation with IPsec
• End-to-end Network Authentication
• Windows Firewall With Advanced Security

On By Default

• Rights Management Services (RMS)
• Full volume encryption (Bitlocker)
• USB Device-connection rules with Group Policy
• Improved Auditing
• Windows Server Backup
• EFS

DirectAccess

Page 18:

Windows Server Core

• Minimal installation option
• Low surface area more secure
• Command line interface
• Less patching/Less downtime

Server Core
Security, TCP/IP, File Systems, RPC, plus other Core Server Sub-Systems

Server
With WinFx, Shell, Tools, etc.

TS, IAS, Web Server, SharePoint, Etc…

Server, Server Roles (for example only)

GUI, CLR, Shell, IE, Media, OE, etc.

Server Core Server Roles

DNS, DHCP, File/Print, AD, Hyper-V, Basic Web

Page 19:

TWC

SDL

Systems Management

Operations Manager 2007

Configuration Manager 2007

Data Protection Manager

Mobile Device Manager 2008

Active Directory Federation Services (ADFS)

Identity & Access Management

Certificate Lifecycle Management

Services

Information Protection

Encrypting File System (EFS)

BitLocker™

Client and Server OS

Server Applications

Edge

Network Access Protection (NAP)

Client and Server OS

Server Applications

Edge

A well Managed Secure Infrastructure is the key!

Microsoft Security: Defense In Depth

Page 20:
Page 21:

THANK YOU!