
Enhancing Customer Security: Ongoing Efforts to Help Customers


Presentation Transcript


  1. Enhancing Customer Security: Ongoing Efforts to Help Customers. Dave Sayers, Technical Specialist, Microsoft UK

  2. Agenda • Impact of Security on Business • Security as an Enabler • Trustworthy Computing • Improving Security • Improving the Patching Experience • Security Technologies for Clients • Security Technologies for Servers • Commitment to Customers

  3. Industry Security Impact to Business
  • 14B devices on the Internet by 2010 [1]
  • 35M remote users by 2005 [2]
  • 65% increase in dynamic Web sites [3]
  • 90% detected security breaches [4]
  • 75% have financial loss from breaches [4]
  • 85% detected computer viruses [4]
  • 80% insider abuse of network access [4]
  • 95% of all breaches avoidable [5]
  Sources: [1] Forrester Research; [2] Information Week, 26 November 2001; [3] Netcraft summary; [4] Computer Security Institute (CSI) Computer Crime and Security Survey 2002; [5] CERT, 2002

  4. Impact to Microsoft Customers (chart; source: Forrester, Mar 03, “Can Microsoft Be Secure?”)

  5. Security As An Enabler (chart labels: ROI, Connected, Productive, Dependable, Best Economics, Total Costs)
  • Lower Total Cost of Ownership
    • Fewer vulnerabilities
    • Simplify patch management
    • Downtime is expensive
  • Increase Business Value
    • Connect with customers
    • Integrate with partners
    • Empower employees

  6. What is Trustworthy Computing? “Trustworthy Computing” means that users can trust computers and networks to be reliable, secure, and private. They can also trust those who provide products and services.

  7. Trustworthy Computing

  8. Improving Security: Responding to the Crisis
  Days between patch and exploit (chart): Nimda 331, SQL Slammer 180, Welchia/Nachi 151, Blaster 25
  • Patches proliferating
  • Time to exploit decreasing
  • Exploits are more sophisticated
  • Current approach is not sufficient
  Security is our #1 Priority. There is no silver bullet. Change requires innovation.

  9. The Exploit Process
  • Security Researchers: discover vulnerabilities
  • Exploit Coders: reverse-engineer patches & post exploit code to the Web
  • Worm Builders: hack together worms with posted exploit code & worm toolkits
  What Microsoft is doing:
  • Collaborating to fix vulnerabilities
  • Disclosing responsibly
  • Building community consensus that disclosure is not good
  • Reaching out: Anti-Virus Reward Program; assisting with technical forensics work
  Results:
  • Fewer researchers disclosing irresponsibly; continuing to improve
  • More industry experts are speaking out against exploit code
  • Two arrests around the Blaster worm

  10. You’ve Told Us / Our Action Items
  • “The quality of the patching process is low and inconsistent” → Improve the Patching Experience
  • “I need to know the right way to run a Microsoft enterprise” → Provide Guidance and Training
  • “I can’t keep up…new patches are released every week” → Mitigate Vulnerabilities Without Patches
  • “There are still too many vulnerabilities in your products” → Continue Improving Quality

  11. SD3 + Communications: Progress To Date
  Secure by Design
  • Security training for 11,000 engineers
  • Security code reviews of old source
  • Threat modeling
  • “Blackhat” test coverage
  • Buffer overrun detection in compile process
  Secure by Default
  • Office XP: Macros off by default
  • No sample code installed by default
  • IIS and SQL Server off by default in Visual Studio.NET
  Secure in Deployment
  • Deployment tools: MBSA, IIS Lockdown, SUS, WU, SMS Value Pack
  • Created STPP to respond to customers
  • PAG for Windows 2000 Security Ops
  Communications
  • TAMs call Premier Customers proactively
  • MSRC severity rating system
  • Free virus hotline
  • MSDN security guidance for developers
  • www.microsoft.com/technet/security

  12. Improve the Patching Experience: New Patch Policies
  • Extended security support to December 2004: Windows NT4 Server
  • Security patches on a monthly predictable release cycle
    • Allows for planning a predictable monthly test and deployment cycle
    • Packaged as individual patches that can be deployed together
  NOTE: Exceptions will be made if customers are at immediate risk from viruses, worms, attacks or other malicious activities

  13. Customer Pain
  • Patch and update management is the #1 driver of dissatisfaction* among IT operations staff
  • #1 activity that requires work after hours and on weekends
  • #1 activity that’s a ‘waste of time’
  *Based on results from a survey of 462 IT Pros conducted in September 2003. Data shows % of total # of times the activity was listed as one of the top two drivers of 1) wasted time and 2) after-hours or weekend work

  14. Improve the Patching Experience: Patch Enhancements (Your Need / Our Response)
  • Reduce patch complexity
    • By late 2004: Consolidation to 2 patch installers for W2k and later, SQL 2000, Office & Exchange 2003; all patches will behave the same way (update.exe, MSI 3.0)
  • Reduce risk of patch deployment
    • Now: Increased internal testing; customer testing of patches before release
    • By mid-2004: Rollback capability for W2k generation products and later (MSI 3.0 patches)
    • May 2004: Microsoft Update (MU) hosts patches for W2k server, and over time SQL 2000, Office & Exchange 2003
    • By mid-2004: SUS 2.0 receives content from MU & adds capabilities for targeting, basic reporting and rollback
  • Reduce patch size
    • By late 2004: Substantially smaller patches for W2k generation and later OS & applications (delta patching technology, next generation patching installers)
  • Reduce downtime
    • Now: Continued focus on reducing reboots
    • By late 2004: 30% of critical updates on Windows Server 2003 SP1 installed w/o rebooting (“hot patching”)
  • Improved tools consistency and capabilities
    • By mid-2004: Consistent results from MBSA, SUS, SMS, Windows Update (will all use SUS 2.0 engine for detection)

  15. Patching Technologies – SUS 1.0 • Internal Windows Update • Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003 • For critical updates, security updates and service packs • Administrators maintain control over which items are published

  16. Windows Update Services

  17. Providing Guidance and Training: IT Professionals
  • Global Education Program
    • TechNet Security Seminars
    • Monthly Security Webcasts
    • www.microsoft.com/events
  • New Prescriptive Guidance
    • Patterns and practices
    • How-to configure for security
    • How Microsoft Secures Microsoft
  • Online Community
    • Security Zone for IT Professionals
  • Authoritative Enterprise Security Guidance
    • http://www.microsoft.com/technet/security/bestprac.asp

  18. Beyond Patching
  • Make customers more resilient to attack, even when patches are not installed
  • Help stop known & unknown vulnerabilities
  • Goal: Make 7 out of every 10 patches installable on your schedule

  19. Delivering Security Technologies
  • Windows XP SP2
    • Improved network protection
    • Safer email and Web browsing
    • Enhanced memory protection
    • RTM based on customer feedback
  • Windows Server 2003 SP1
    • Role-based security configuration
    • Inspected remote computers
    • Inspected internal environment
    • RTM H2 CY04

  20. Security technologies for clients
  What it is: Security enhancements that protect computers, even without patches…included in Windows XP SP2; more to follow
  What it does: Helps stop network-based attacks, malicious attachments and Web content, and buffer overruns
  Key Features:
  • Network protection: Improved ICF, DCOM, RPC protection turned on by default
  • Safer browsing: Pop-up blocking, protection from accidental installation of potentially malicious Web content
  • Memory protection: Improved compiler checks to reduce stack overruns, hardware NX support
  • Safer email: Improved attachment blocking for Outlook Express and IM

  21. Securing the Server Platform • Windows Server 2003 – Secure by Default • IIS 6.0 • Reduced Automatic Services • Smart card requirements for administrative operations • Limited use of blank passwords • Encrypting the offline files database • Software Restriction Policies • Internet Connection Firewall • IE Lockdown

  22. Securing Active Directory • Delegation of administration • Security Policies • Software Restriction Policies • GPMC • What-If Scenarios • Import GPOs • Cross-Forest Kerberos Trust • Authentication Firewall • SID Filtering • Quotas • Security Guides

  23. Security technologies for Enterprises
  What it is: Only clients that meet corporate security standards can connect…included in Windows Server 2003 SP1; more to follow
  What it does: Protects enterprise assets from infected computers
  Key Features:
  • Role-based security configuration: Locks down servers for their specific task
  • Inspected remote computers and internal environment:
    • Enforce specific corporate security requirements such as patch level, AV signature level & firewall state
    • Ensure these standards are met when VPN and local wired or wireless connections are made
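The inspection described on slide 23 is, at its core, a policy decision over what a connecting client reports about itself. The following is an added example of that decision logic, not code from the presentation or from Microsoft's Network Access Quarantine feature; the required bulletin MS03-026 is the one named on slide 34, while the 7-day signature-age limit, the client names and the dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class ClientPosture:
    """What the connecting client reports about itself (constructed data)."""
    name: str
    installed_bulletins: frozenset
    av_signature_date: date
    firewall_enabled: bool

@dataclass(frozen=True)
class AccessPolicy:
    """Corporate minimum: required bulletins, signature freshness, firewall on."""
    required_bulletins: frozenset
    max_signature_age_days: int
    require_firewall: bool = True

def evaluate(client: ClientPosture, policy: AccessPolicy, today: date):
    """Return ('allow' | 'quarantine', [reasons]); any single failure quarantines."""
    reasons = []
    missing = sorted(policy.required_bulletins - client.installed_bulletins)
    if missing:
        reasons.append("missing updates: " + ", ".join(missing))
    age_days = (today - client.av_signature_date).days
    if age_days > policy.max_signature_age_days:
        reasons.append(f"AV signatures {age_days} days old, limit {policy.max_signature_age_days}")
    if policy.require_firewall and not client.firewall_enabled:
        reasons.append("host firewall disabled")
    return ("quarantine" if reasons else "allow"), reasons

# Constructed policy: MS03-026 is the bulletin from slide 34; the 7-day limit is an assumption.
POLICY = AccessPolicy(frozenset({"MS03-026"}), max_signature_age_days=7)
TODAY = date(2003, 8, 12)  # constructed: the day after the Blaster worm appeared
CLIENTS = [
    ClientPosture("laptop-vpn", frozenset({"MS03-026"}), date(2003, 8, 10), True),
    ClientPosture("desk-wired", frozenset(), date(2003, 7, 20), False),
]

def run_check(clients=CLIENTS, policy=POLICY, today=TODAY):
    """Evaluate every client; returns {name: (decision, reasons)}."""
    return {c.name: evaluate(c, policy, today) for c in clients}

if __name__ == "__main__":
    for name, (decision, reasons) in run_check().items():
        print(f"{name}: {decision}" + (" - " + "; ".join(reasons) if reasons else ""))
```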

  24. Continue Improving Quality: Trustworthy Computing Release Process
  • Design: Design docs & specifications. Each component team develops threat models, ensuring that design blocks applicable threats. Security Review.
  • Develop & Test (M1, M2 … Mn): Development, testing & documentation. Apply security design & coding standards; tools to eliminate code flaws (PREfix & PREfast); monitor & block new attack techniques.
  • Security Push: Team-wide stand down. Threat model updates, code review, test & documentation scrub.
  • Beta, Security Audit: Product analysis against current threats. Internal & 3rd party penetration testing.
  • Release and Support, Security Response: Service Packs, QFEs. Fix newly discovered issues. Root cause analysis to proactively find and fix related vulnerabilities.

  25. Continue Improving Quality
  For some widely-deployed, existing products (bar chart): Service Pack 3 shipped Jan. 2003, 10 months ago (as of Nov. 2003): bulletins in 10-month period prior to TwC release vs. bulletins since TwC release. Service Pack 3 shipped July 2002, 16 months ago (as of Nov. 2003): bulletins in 16-month period prior to TwC release vs. bulletins since TwC release. (Chart values as extracted: 11, 6, 2, 1.)
  Mandatory for all new products: Critical or important vulnerabilities in the first…
  TwC release? | …90 days | …180 days
  No | 8 | 21
  Yes | 3 | 6

  26. Commitment to Customers • Patch Investments • Extended Support for NT4 Server • Improved Patching Experience – Windows Update Services • Global Education Effort • 500,000 customers trained by June 2004 • New Security “Expert Zone” • PDC Security Symposium • Security Innovations • Security technologies for Windows client • Security technologies for Windows server

  27. Roadmap (Today, H1 04, H2 04, Future)
  • Extended support
  • Monthly patch releases
  • Baseline guidance
  • Community Investments
  • Windows XP SP2
  • Patching enhancements
  • SMS 2003
  • Windows Update Services
  • Microsoft Update
  • Broad training
  • Windows Server 2003 SP1
  • Security technologies
  • Next generation inspection
  • NGSCB
  • Windows hardening
  • Continued OS-level security technologies

  28. • Lockdown servers, workstations and network infrastructure • Design and deploy a proactive patch management strategy • Centralize policy and access management

  29. Resources
  • General: http://www.microsoft.com/security
  • Technical Resources for IT Professionals: http://www.microsoft.com/technet/security
  • Best Practices for Defense in Depth: http://www.microsoft.com/technet/security/bestprac.asp
  • How Microsoft Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp
  • MSDN Security Development Tools: http://msdn.microsoft.com/security/downloads/tools/default.aspx

  30. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

  31. Resources: Enterprise Security Guidance
  • Design and Deploy a Proactive Patch Management Strategy
    • Microsoft Guide to Security Patch Management: http://www.microsoft.com/technet/security/topics/patch
  • Lockdown Servers, Workstations and Network Infrastructure
    • Microsoft Windows XP Security Guide Overview: http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.asp
    • Threats and Countermeasures Guides for Windows Server 2003 and Windows XP: http://www.microsoft.com/technet/security/topics/hardsys/TCG/TCGCH00.asp
    • Windows Server 2003 Security: http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp
    • Securing your Network: http://msdn.microsoft.com/en-us/dnnetsec/html/THCMCh15.asp
    • Perimeter Firewall Service Design: http://www.microsoft.com/technet/itsolutions/msa/msa20ik/VMHTMLPages/VMHtm57.asp
    • Network Access Quarantine for Windows Server 2003: http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
  • Centralize Policy and Access Management
    • Microsoft Identity and Access Management Solution: http://www.microsoft.com/technet/security/topics/identity/idmanage
    • Architecture, Deployment, and Management: http://www.microsoft.com/technet/security/topics/architec

  32. Continue Improving Quality: Making Progress. 23 Products in the TwC Release Process: Office 2003; Rights Mgmt Client & Server 1.0; Services For Unix 3.0; SQL Server 2000 SP3; Visual Studio .NET 2002; Visual Studio .NET 2003; Virtual PC; Virtual Server; Windows CE (Magneto); Windows Server 2003; Windows Server 2003 ADAM; .NET Framework (for 2002 & 2003); ASP.NET (for 2002 & 2003); Biztalk Server 2002 SP1; Commerce Server 2000 SP4; Commerce Server 2002 SP1; Content Management Server 2002; Exchange Server 2003; Host Integration Server 2002; Identity Integration Server 2003; Live Communications Server 2003; MapPoint.NET

  33. Improving Patching Experience: Security Bulletin Severity Rating System (revised November 2002). Free Security Bulletin Subscription Service: http://www.microsoft.com/technet/security/bulletin/notify.asp. More information at http://www.microsoft.com/technet/security/policy/rating.asp

  34. The Forensics of a Virus
  Timeline: July 1, vulnerability reported to us / patch in progress; July 16, bulletin & patch available, no exploit; July 25, exploit code in public; Aug 11, worm in the world
  • Report: Vulnerability in RPC/DCOM reported; MS activated highest level emergency response process
  • Bulletin: MS03-026 delivered to customers (7/16/03); continued outreach to analysts, press, community, partners, government agencies
  • Exploit: X-focus (Chinese group) published exploit tool; MS heightened efforts to get information to customers
  • Worm: Blaster worm discovered; variants and other viruses hit simultaneously (e.g. “SoBig”)
  Blaster shows the complex interplay between security researchers, software companies, and hackers

  35. Client Attack Vectors • Malicious Web content • Malicious e-mail attachments • Buffer overrun attacks • Port-based attacks

  36. Enterprise Attack Vectors • Potentially infected remote client • Potentially infected local client

  37. Security Guidance for IT Pros • Focused on operating a secure environment • Patterns & practices for defense in depth • Enterprise security checklist – the single place for authoritative security guidance • Available Now • 17 prescriptive books • How Microsoft secures Microsoft • Later this year and throughout 2004 • More prescriptive & how-to guides • Tools & scripts to automate common tasks
