The year-end review – well, sort of :)

Handle:
Cap'n Steve

IRL:
Steve Adegbite

Rank:
Senior Security Program Manager Lead

Likes:
Reverse Engineering an obscene amount of code and ripping it up on a snowboard

Dislikes:
Not much but if you hear me growl…run

Hey!

It’s that time of year again for all of us to pack up and head out to the desert to reconnect, discuss, and plan for the future, or at least what we think will be the future of security. It’s hard to predict what the next year will bring as the security landscape is ever-changing. This is probably why most of us “grey beards” in the security industry mark the Black Hat/Defcon conferences as the de facto year in review/preview of the next year for the state of security. These conferences have defined a lot of security strategies for a number of people for years. But I digressJ; I started to talk about the year-end review for the security landscape.

Looking back over the year, I am pleased to see that we have executed nicely on a couple of strategies we put into place to change the security landscape. The ones I am talking about are the three programs listed below that we launched last year around this time.

• Exploitability Index
• Microsoft Active Protections Program (MAPP)
• Microsoft Vulnerability Research (MSVR)

I am going to talk about the first two programs as I have been working on both of them for a bit. MSVR has been worked by my colleague Adrian who will be blogging on MSVR in the near future. He will update you about all the exciting things they have been doing over there.

So let’s begin. I want to talk to you first about the Exploitability Index. Like I said, the one-year anniversary is right around the corner and we have been getting a lot of positive feedback from customers on this new program. Looking back, I am happy to see that out of the 140 ratings we provided so far that we only had to revise one rating. The one rating we did change went from a high severity to a lower one (1 to 3).

Let me give some of our reasons for this. We are extremely cautious when we rate things and when in doubt, will tend to go with the higher rating. We want to make sure that those who are using our ratings are protected against exploitation. This is kind of like putting a deadbolt lock on your door even though you live right next to the police station – I would rather be safe than sorry. However, we are always looking for ways to improve our ratings, and we tend to seek out the critical areas where we can or need to improve.

There is no better place, in our mind, to get good feedback than from the security ecosystem. So we were extremely happy when iDefense took up the charge to review our Exploitability Index ratings for the first 120 days. I am sure you are thinking, "Is 120 days really enough time?" Well, it definitely gave a decent snapshot into how the program is progressing. I think it’s also a good timeframe for catching early process deficiencies and other issues. So let me highlight a few things that were discovered during the iDefense review.

Overall assessment: iDefense concluded that the Microsoft Exploitability Index was a step in the right direction. They felt that the Index provides clear value to customers in providing more risk mitigation information. iDefense also felt that it helps system administrators with the prioritization of their system-updating efforts, because with the Index, they can use another piece of information to help set their update schedule.

Out of the fifty-seven vulnerabilities reviewed by iDefense, they considered that only fourteen should have been rated differently. This is a ~75% percent similarity between their analyses and our own.

As with all early efforts, they did find some areas where they had suggestions for improvement. One area is with the rating differences mentioned above. We will be reviewing the reasons for the differences and will be looking at our present process to take their suggestions into account. Check out the full report here.

Now let’s talk about the Microsoft Active Protections Program, or as we call it in the hallways of building 27, “MAPP”. The MAPP program goals were to find a way to shorten the attack window for consumers. We wanted to be able provide enough “just in time” technical information on the vulnerabilities that we were updating every month to help defenders provide software protections faster. It didn’t make sense in our eyes to have verified defenders in the same boat as malicious attackers trying to understand and reverse-engineer our updates to build defenses for our mutual customers.

I am glad to say that we have exceeded our goal. In the program to date, we have 47 companies from around the world, with new partners added in Central and South America, Europe, Middle East, Africa, India, South East Asia, China, Korea, Japan, Australia, and New Zealand. This partner network global reach represents software protections that cover a range from tens of thousands to hundreds of millions of consumers. That is nothing to sneeze at! J It doesn’t stop there; we will continue to add more partners to ensure that we arm the defenders with information they need to protect you, our mutual customers. We have some more proof points on how we are shrinking that attack window, but don’t take my word for it, check out the testimonials from the MAPP members themselves in the year-end progress report from MSRC here.

Well, that’s it. Don’t forget to check out the iDefense paper located here and the MAPP paper here. And keep an eye on www.microsoft.com/twc/blogs for more Black Hat blogs from the front lines.

Til next time….

Steve