Advancing Security

By Jeffrey R. Jones, Senior Director - Microsoft Security Business Unit - Microsoft Security Business Unit

Jeffrey R. Jones

Computer and information security is an area that is both broad and deep. As the security industry has matured, it has made progress with point solutions, but always with the recognition that security strength is limited by the weakest element of protection. Operationally, each incremental step forward is dependent on progress in other areas of security risk. Network firewalls help illustrate this. Although they provide security and policy control for a large portion of a network’s perimeter, network firewalls do not by themselves protect the entire network from issues related to mobile computers, wireless networks, or even tunneling protocols. So, while firewall vendors work to improve network firewall capabilities, these improvements create higher visibility and priority for advances in related areas like wireless security because malicious attackers will seek the weakest point of entry.

At the recent RSA conference in San Francisco, Bill Gates described the evolving security threat and some of the challenges the industry faces, and then followed that discussion with Microsoft’s approach to advancing security for customers. In the rest of this article, I’ll share some of the highlights of the Microsoft approach and how that approach provides a framework for deep progress on a broad set of security issues.

First, both to understand current security industry priorities and to project what those priorities might be a few years from now, it is helpful to consider the security threat landscape and what motivates potential attackers. Attackers can be classified by technical capability, from script kiddies who primarily exploit others’ work to security specialists who are well educated. Similarly, motivations of attackers range across four categories: curiosity, personal fame, personal gain, and national interest.

Much of current public perception of security threats is driven by the impact of relatively low-skilled attackers who develop worms and viruses, motivated by curiosity or a desire for personal fame. The impact of these worms has been largely one of operational cost related to resource overload and cleanup. To further promote their goal for notoriety, worm writers tend to target the most widely used products, which can lead to a misperception that only the most widely used products are at risk of attack.

A potentially worse security threat comes from the opposite combination of skill and motivation—a well-funded security specialist (or specialist team) attacking for personal gain (theft) or national interest (terror). These types of attackers will do everything to avoid publicity and awareness of their success and will probably focus on specific targets such as important company servers or critical government systems. These attackers will tailor their attack to whatever software or hardware is running on these systems. These types of threats make security quality, resilience, and management key criteria for selection of security-critical software products. I predict that, over the next few years, this scenario will become more important for all customers and all vendors.

Microsoft’s approach to advancing security in this threat environment proposes technical security innovation supported by equally important socially focused security advances. Technically, we are focused on progressing in the areas of security quality, innovation, and updating. On the social front, Microsoft is acting to advance security in the area of policy and enforcement and in the area of education and training.

Security Quality An area I’ve discussed in the past to some degree, security quality is “table stakes” for Microsoft. Fundamentally, we have revised our process of designing, developing, releasing, and supporting our products to have better security when delivered and throughout their lifecycle. In its first 300 days of release, Windows Server 2003, our first enterprise product to ship under the improved process, has had a 78% reduction in the number of critical or important security bulletins (from 40 down to 9) when compared with its predecessor product. As new products go through release process and older products reach their end of life, we move steadily toward our goal of improved security quality for customers.

Innovation Building upon the base of improved Security Quality, Microsoft is focused upon several areas of technical innovation.

In the area of isolation and resiliency in the presence of worms and viruses, Microsoft is on track to deliver Windows XP Service Pack 2 (SP2), which is focused on enhancing the protective security mechanisms in the Windows XP operating system. Protected areas of focus include the network, memory, Web browsing, and e-mail. The new Windows Security Center interface provides a simple, centralized view for individual users to manage their security, while expansions for IT administrators will allow security policies to be managed centrally using Group Policy.

Windows Server 2003 SP1 will include a security configuration wizard reducing the administrative security skills needed to deploy and manage secure server workloads. Internet Security and Acceleration (ISA) Server 2004 includes enhanced security management and much deeper content inspection capabilities, as well as the ability to fortify remote VPN connections. Exchange Edge Services is a new technology that addresses evolving security problems associated with Internet junk mail, defending against e-mail server attacks and viruses while blocking incoming or outgoing malicious e-mail and junk mail. It also provides a foundation on which third-party developers can build technologies such as next-generation e-mail filters, e-mail encryption products, and e-mail policy compliance solutions.

In November 2003, Microsoft announced SmartScreen Technology, a spam filter used in our client and online e-mail programs. In February 2004, Microsoft unveiled a pilot implementation of Caller ID for E-Mail, a technology that authenticates the origin of e-mail messages to distinguish legitimate senders from spammers.

Future isolation and resiliency development will continue focusing on active protection technologies, client inspection, and securing Web services in conjunction with the WS-I Security Profile Working group.

Another key area of focus is in providing technology to help enable only authenticated access to resources. Passwords continue to be the most widely used mechanism for authenticating users, so we continue to develop improved password policy and management capabilities. Supplementing passwords are improved features and support for smart cards, public key infrastructure (PKI), biometric mechanisms, and security standards like IPSec for digitally signing and encrypting traffic.

Policy and Enforcement Security policy efforts are important both for the documented guidance provided to customers and as a mechanism for enabling the industry and customers to have working plans-of-record while discussing ways to improve those plans.

This past October, at the urging of customers, Microsoft updated our policy to a monthly, predictable schedule for releasing Security Bulletins. Similarly, as a member of the Organization for Internet Safety (OIS), Microsoft participates in industry discussions that help formulate guidance for disclosure of security issues and subsequently based our policy on the OIS responsible disclosure guidelines.

Microsoft is also working with law enforcement on a global basis to deter hackers from software sabotage. Last November, Microsoft established the Anti-Virus Rewards Program, which offers cash rewards for information provided to the FBI or Secret Service that results in the arrest and conviction of those responsible for illegally releasing malicious code to the Internet.

Education and Training Security technology is only effective if users know about it and use it appropriately to protect and enable, so, along with our technical investment, Microsoft is investing significantly to help customers understand how to make their networks and systems more secure.

By the end of the 2004, it is Microsoft’s goal to reach 500,000 business customers with prescriptive guidance for optimizing their systems and networks to be more secure and up to date. In conjunction with industry partners, we are driving a global effort to help customers protect their computers and networks, with seminars, publications, training via webcasts, self-paced learning, and Hands-On Labs.

Supplementing these efforts, Microsoft has created a Security Center for developers and IT professionals, where customers can find technical guidance, tools, and training to plan and manage security strategies.

Throughout the entire Microsoft approach to advancing security, technology partners are strategic in helping improve customer security. We've announced that the "Whidbey" release of Visual Studio will be a platform sharing many of our security development tools with our applications partners. We continue to help promote the concepts for "Writing Secure Code," both with Howard & LeBlanc's book of that name and with educational programs.

For protective security and enabling security features, many Microsoft partners provide valuable benefit to customers and continue to build on the platform to enable new security scenarios. Additionally, new partnerships have been formed like the Global Infrastructure Alliance for Internet Safety (GIAIS) and the Virus Information Alliance. The GIAIS came from the recognition that Internet service providers are the IT departments for home users and can have a tremendous positive impact on improving security for users worldwide.

Talk to 10 customers about security and it is possible that you will have 10 very different conversations. Topics might range from virus protection to biometric authentication for access to company assets to policies for advance notice of security issues. The one conclusion I can comfortably draw from discussions with numerous customers is that, to succeed at advancing security, customers require security progress that is both broad and deep. Microsoft is taking that approach and is committed to an evolutionary process of security improvement to enable people and businesses throughout the world to realize their full potential.

Best regards,