Beyond Patching
Dean Iacovelli, Chief Security Advisor – State and Local Government, Microsoft Corporation, deaniac@microsoft.com

Objectives
• Address your concerns about security
• Update on current trends
• Current initiatives at Microsoft
• Future security product/solution roadmap

Agenda
• Defining and managing the risk
• System Integrity
• Identity management / Trustworthy Identity
• Client protection
• Server protection
• Network protection
• Summary, Q&A
My Role as SLG CSA
• Overall security policy and strategy for MS SLG
• MS spokesperson to/from SLG customers
• Information broker – resources, best practices, programs
• Coordinator for incident response communication, security readiness
• Not goaled on revenue
• Basically: help ensure SLG customers have a good experience dealing with security on the MS platform

Your Feedback?
Challenges: worms / viruses; spyware; spam; patch management; network access control; identity management; best practices / guidance. Looking at Linux for security reasons?
Understanding Your Adversary (chart: attacker motivation vs. skill)
• Motivations: Curiosity, Personal Fame, Personal Gain, National Interest
• Skill levels: Script-Kiddy, Hobbyist Hacker, Expert, Specialist
• Attacker types: Vandal, Trespasser, Author, Thief, Spy
• Chart annotations: “Fastest growing segment”; “Tools created by experts now used by less skilled attackers and criminals”

State and Local Security Trends
• Attacks becoming less numerous, more nasty
• Viruses/worms still lead in financial cost, BUT 6x increase in $ lost from unauthorized information access from 2004 to 2005 (FBI/CSI); 2x increase in $ lost from theft of proprietary information from 2004 to 2005 (FBI/CSI)
• Botnets (used for cyber extortion) have jumped from an average of 2,500 machines in 2004 to 85,000 in 2006
• Why sniff the net when you can hack the site or the password? 95% reported 10+ website incidents last year (FBI/CSI)
• 15% of enterprise hosts have had keystroke loggers detected, 3x in 1 year (Webroot and Sophos)
• Major NT4/Win 98 supportability issues
• Enterprise patching and management still not under control
• What your neighbor isn’t doing IS your problem
• Real cost is loss of trust
Closer Look at Malware Data (MSRT) (chart; source: Microsoft)
Callout on #3 in the previous chart: video game cheats, celebrities, song lyrics
Trends in Security Spending
• $497 per employee: $354 operations, $143 capital
• Even worse for smaller agencies: as much as $650 (no economies of scale)
• SLG spends ~10x Federal and most of the private sector
• Lack of centralized strategy / tools
• Getting worse: Federal trending down from CY05, SLG trending up
• Various new state infosec laws may be impacting costs, but still a serious issue

MS Security Statistical Snapshot
• 263M downloads of XP SP2
• 75M downloads of Microsoft Anti-Spyware beta
• 9.7M consumers using SP2 Firewall
• 332M machines using Automatic Update or Windows Update
• 135 legal actions against spammers worldwide
• 121 phishing sites sued
• 578 Microsoft CISSPs (and counting…)
Microsoft Security Strategy Overview
• Threat and Vulnerability Mitigation
  – Client Protection: protect PCs & devices from malicious software
  – Server Protection: protect servers from malicious software
  – Network Protection: protect network from malicious software & inappropriate access
• Identity and Access Management: allow legitimate users secure access to machines, applications and data
• System Integrity: make systems inherently safer and more secure

Security Development Lifecycle
• Security Development Lifecycle
• Security Response Center
• Better Updates And Tools
Threat Modeling Example: MS03-007
• The underlying DLL (NTDLL.DLL) not vulnerable: code made more conservative during Security Push
• Even if it was vulnerable: IIS 6.0 not running by default on Windows Server 2003
• Even if it was running: IIS 6.0 doesn’t have WebDAV enabled by default
• Even if it did have WebDAV enabled: maximum URL length in IIS 6.0 is 16kb by default (>64kb needed)
• Even if the buffer was large enough: process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
• Even if there was an exploitable buffer overrun: would have occurred in w3wp.exe, which is now running as ‘network service’
Focus Yielding Results (chart: security bulletins in the period prior to the TwC release vs. bulletins since the TwC release; values as extracted: 16, 89, 3, 50, 11, 7; Service Pack 3; SQL Server 2000 SP3 released 1/17/2003; release dates 11/29/2000, 05/31/2001, 09/28/2003, 11/17/2003; 820 and 1027 days after product release; 2003. * As of February 14, 2006)

Case Study: How We Tested the WMF Patch
• 415 apps (MS & third party)
• 6 supported versions of the O/S in 23 languages
• 15k print variations, 2,800 print pages verified
• 2,000 WMFs analyzed, 125 malicious WMFs tested
• 12k images verified for regressions
• 22,000 hours of stress testing
• 450k total test cases
Patch Management Initiative: Progress to Date
Informed & Prepared Customers
• Better security bulletins and KB articles
• IT SHOWCASE: How Microsoft IT Does Patch Management
• Standardized patch and update terminology
Consistent & Superior Update Experience
• Moved from 8 installers to 2 (update.exe and MSI)
• Standardized patch naming and switch options
Superior Patch Quality
• Improved patch testing process and coverage
• Expanded test process to include customers
• Reduced reboots by 10%, targeting 50% in Vista
Best Patch & Update Management Solutions
• Microsoft Update
• WSUS
• SMS 2003

Update Impact Analyzer: Determine How Patches Will Affect Critical Apps
Fundamentals
• “You can only manage what you can measure” …and you can only secure what you can manage (and find)
• Decentralization may be a reality, but it’s not a best practice
• Set policy: Active Directory; central policy, local defense; delegate back business-specific policy control
• Audit policy: turning it on AFTER the incident is much less useful; don’t wait for the incident to look at the logs
• Standardize builds, supported applications: enterprise assets are not toys. Vista will make this easier, possible in XP too: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

Beyond Patching: The Problem
• Patching is no longer strategic: moving from security to operations, like backups
• New threats require new models
• Internal network is NOT trusted
• Medieval castle model is the only response
• Automated attacks require automated defenses
Identity and Access Management: allow only legitimate users secure, policy-based access to machines, applications and data
• Trustworthy Identity: ensure users are who they claim to be; manage identity lifecycle
• Access Policy Management: provide access based on policy
• Information Protection: protect data throughout its lifecycle
Components: Directory Services, Lifecycle Management, Strong Authentication, Federated Identity, Certificate Services, Rights Management Services, Encryption Services, Secure Protocols and Channels, Back-up and Recovery Services, Role-based Access Control, Audit Collection Services, Group Policy Management Console

Fundamentals
• Reduce: consolidate to fewer identity stores; leverage metadirectories to simplify sign-on, automate/standardize identity business rules
• Reuse: leverage globally relevant attributes across all applications; place non-globally relevant attributes in app-coupled LDAP stores
• Recycle: leverage federation to use your credentials on business partner networks
Fundamentals
• Medieval castle model: the internal network is NOT trusted
• Central policy, local defense
• Leverage tools you already own: Windows firewall, Active Directory group policy, phishing filters, Encrypting File System, IPSec logical segmentation
• Isolate what you can’t defend

• Helps protect the system from attacks from the network
• Enables a more secure email and instant messaging experience
• Enables a more secure Internet experience for the most common Internet tasks
• Provides system-level protection for the base operating system
Internet Explorer 7
Social Engineering Protections
• Phishing Filter and Colored Address Bar
• Dangerous Settings Notification
• Secure defaults for all settings
Protection from Exploits
• Protected Mode to prevent malicious software
• Code quality improvements
• ActiveX Opt-in

Application Compatibility Toolkit V5.0
• Analyze your portfolio of applications, web sites, and computers
• Evaluate operating system deployments or the impact of operating system updates
• Rationalize and organize by applications, web sites, and computers
• Prioritize compatibility efforts with filtered reporting
• Add and manage issues and solutions for your personal computing environment
• Deploy automated mitigations to known compatibility issues
• Send/receive compatibility information to the Online Compatibility Exchange
Products compared (chart): Windows Live Safety Center, Windows OneCare Live, Microsoft Client Protection, MSRT, Windows Defender
Capabilities (chart rows): remove most prevalent viruses; remove all known viruses; real-time antivirus; remove all known spyware; real-time antispyware; central reporting and alerting; customization; IT infrastructure integration
Audiences: FOR INDIVIDUAL USERS / FOR BUSINESSES

Shared Computer Toolkit for Windows XP
• Windows Disk Protection: prevent unapproved changes to the Windows partition; allow critical updates and antivirus updates
• User Restrictions: restrict untrusted users from files and settings; lock user profiles for protection and privacy
• Profile Manager: create “persistent” user profiles on unprotected partitions; delete locked user profiles
• Accessibility: accessibility settings & utilities when restricted; quick access for repeat use
• Getting Started: use and learn about the Toolkit; quick access toolbar
Tools are scriptable. Additional command-line tools included. Comprehensive Help and Handbook with supplemental security guidance.
Next Generation Security and Compliance (Windows Vista)
• Fundamentals (engineered for the future): Security Development Lifecycle, Threat Modeling, Code Scanning, Service Hardening
• Threat & Vulnerability Mitigation (protect against malware and intrusions): Code Integrity, IE Protected Mode, Windows Defender, IPSEC/Firewall integration, Network Access Protection
• Identity & Access Control (enable secure access to information): User Account Control, Plug and Play Smartcards, granular auditing, simplified logon architecture
• Information Protection: BitLocker Drive Encryption, EFS smartcard key storage, RMS client, control over removable device installation, XPS Document + WPF APIs

InfoCard Overview: Secure Sharing of Your Info Online
• Simple user abstraction: manage compartmentalized versions of your identity
• Strong computer-generated keys instead of human-generated passwords
• Relates to familiar models: gov’t ID card, driver’s license, credit card, membership card, …
• Flexible issuance: self-issued (eBay, Amazon); issued by external authority (Visa, Government)
• Implemented as a secure subsystem: protected UI, anti-spoofing techniques, encrypted storage
• Built on WS-Federation web standards
Security Configuration Wizard (Windows Server 2003 SP1)
• Security lockdown tool for Windows Server 2003
• Roles-based paradigm, focused on attack surface reduction: disables unnecessary services; disables unnecessary web extensions; blocks unnecessary ports; configures audit SACLs
• Operational infrastructure: client-server deployment infrastructure; support for Group Policy-based deployment; compliance analysis; rollback support

Microsoft Antigen Line of Products (Threat & Vulnerability Mitigation)
Highlights
• Unique multi-engine approach for faster detection and broader protection
• Integrated virus and spam protection
• Integrated Microsoft AV engine, RTM in Q2 2006
Network Access Protection (Longhorn Server, 2007)
• Policy Validation: determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed “healthy.”
• Network Restriction: restricts network access to computers based on their health.
• Remediation: provides the necessary updates to allow the computer to “get healthy.” Once healthy, the network restrictions are removed.
• Ongoing Compliance: changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions.

Network Access Protection Walkthrough
Components: Client; Network Access Device (DHCP, VPN); IAS Policy Server; System Health Servers; Corporate Network; Restricted Network; Remediation Servers
• System Health Servers to IAS Policy Server: ongoing policy updates
• Client to Network Access Device: “May I have access? Here’s my current health status.”
• Network Access Device to IAS Policy Server: “Should this client be restricted based on its health?”
• IAS Policy Server (healthy case): “According to policy, the client is up to date. Grant access.” Client is granted access to the full intranet.
• IAS Policy Server (unhealthy case): “According to policy, the client is not up to date. Quarantine client, request it to update.” Network Access Device to Client: “You are given restricted access until fix-up.”
• Client to Remediation Servers: “Can I have updates?” Remediation Servers to Client: “Here you go.”
• Client to Network Access Device: “Requesting access. Here’s my new health status.”
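The exchange in the walkthrough above, written out as a small simulation so the four phases (policy validation, network restriction, remediation, ongoing compliance) can be stepped through in code. This is an added example, not Microsoft's NAP implementation or wire protocol: the roles (Client, Network Access Device, IAS Policy Server, Remediation Server) and the phases come from the slides; the health attributes, the policy fields, the `HealthPolicy`/`StatementOfHealth` types and the message shapes are constructed for illustration.

```python
"""Simulation of the NAP access exchange (added example, not Microsoft's NAP code).

Roles follow the slide: Client, Network Access Device (DHCP/VPN enforcement),
IAS Policy Server, Remediation Servers.  Health attributes and policy fields are
constructed for illustration only.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HealthPolicy:
    """Constructed health policy held by the IAS policy server."""
    min_patch_level: int        # hypothetical increasing patch-level counter
    require_antivirus: bool
    require_firewall: bool


@dataclass(frozen=True)
class StatementOfHealth:
    """Constructed health statement the client sends with every access request."""
    patch_level: int
    antivirus_on: bool
    firewall_on: bool


class PolicyServer:
    """IAS policy server: policy validation ("is this client healthy?")."""

    def __init__(self, policy: HealthPolicy) -> None:
        self.policy = policy

    def update_policy(self, policy: HealthPolicy) -> None:
        # Ongoing policy updates pushed from the system health servers.
        self.policy = policy

    def validate(self, soh: StatementOfHealth) -> Tuple[bool, List[str]]:
        """Return (healthy, fixes); fixes names what remediation must supply."""
        fixes: List[str] = []
        if soh.patch_level < self.policy.min_patch_level:
            fixes.append(f"patch_level>={self.policy.min_patch_level}")
        if self.policy.require_antivirus and not soh.antivirus_on:
            fixes.append("enable_antivirus")
        if self.policy.require_firewall and not soh.firewall_on:
            fixes.append("enable_firewall")
        return (not fixes, fixes)


class RemediationServer:
    """Reachable from the restricted network; applies the fixes the policy named."""

    def __init__(self, latest_patch_level: int) -> None:
        self.latest_patch_level = latest_patch_level

    def remediate(self, soh: StatementOfHealth, fixes: List[str]) -> StatementOfHealth:
        for fix in fixes:
            if fix.startswith("patch_level>="):
                soh = replace(soh, patch_level=self.latest_patch_level)
            elif fix == "enable_antivirus":
                soh = replace(soh, antivirus_on=True)
            elif fix == "enable_firewall":
                soh = replace(soh, firewall_on=True)
        return soh


class NetworkAccessDevice:
    """DHCP/VPN enforcement point: asks the policy server, then places the
    client in the corporate ("full") network or the restricted network."""

    def __init__(self, policy_server: PolicyServer) -> None:
        self.policy_server = policy_server
        self.zone: Dict[str, str] = {}

    def request_access(self, client_id: str, soh: StatementOfHealth) -> Tuple[str, List[str]]:
        # "Should this client be restricted based on its health?"
        healthy, fixes = self.policy_server.validate(soh)
        self.zone[client_id] = "full" if healthy else "restricted"
        return self.zone[client_id], fixes


def walkthrough(soh, policy, remediation, client_id="client-1"):
    """Run the slide's exchange once; return (transcript, final health, nad)."""
    nad = NetworkAccessDevice(PolicyServer(policy))
    transcript = []
    # Client -> NAD: "May I have access? Here's my current health status."
    zone, fixes = nad.request_access(client_id, soh)
    transcript.append(("initial request", zone, tuple(fixes)))
    if zone == "restricted":
        # "You are given restricted access until fix-up": only the remediation
        # servers are reachable, so the client asks them for the named fixes.
        soh = remediation.remediate(soh, fixes)
        # Client -> NAD: "Requesting access. Here's my new health status."
        zone, fixes = nad.request_access(client_id, soh)
        transcript.append(("after remediation", zone, tuple(fixes)))
    return transcript, soh, nad


def ongoing_compliance(nad, client_id, soh, new_policy):
    """Phase 4: a stricter policy pushed to IAS re-evaluates an admitted client."""
    nad.policy_server.update_policy(new_policy)
    return nad.request_access(client_id, soh)


if __name__ == "__main__":
    policy = HealthPolicy(min_patch_level=5, require_antivirus=True, require_firewall=True)
    client = StatementOfHealth(patch_level=3, antivirus_on=True, firewall_on=False)
    steps, final_soh, nad = walkthrough(client, policy, RemediationServer(latest_patch_level=6))
    for step in steps:
        print(step)
    print(ongoing_compliance(nad, "client-1", final_soh, replace(policy, min_patch_level=7)))
```

The design point the slide makes is that the enforcement point never decides health itself: the Network Access Device only relays the client's statement and applies whatever zone the policy server returns, which is why a later policy change at the IAS server is enough to move an already admitted client back into the restricted network.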
Getting Started
• Beta available now
• Preparing for NAP will take effort and time! Deployment preparation tasks: health modeling; health policy zoning; IAS (RADIUS) deployment; zone enforcement selection; exemption analysis; change process control; phased rollout
• Rollout: roll out a VPN solution to test health policy; roll out IPSec segmentation to test wired enforcement

Roadmap
• Services: Frontbridge hosted services for anti-virus and anti-spam filtering (for businesses); Windows Live OneCare (for consumers); next generation of services
• Products: Microsoft Client Protection; Microsoft Antigen anti-virus and anti-spam for messaging and collaboration servers; ISA Server 2004; ISA Server 2006; Sybari Antigen anti-spam and anti-virus for email, IM and SharePoint; content filtering services; next generation of security products
• Platform: Windows XP SP2; Windows Server 2003 SP1; anti-malware tools; Microsoft Update; Windows Server Update Services; Network Access Protection; IPSec enhancements; Audit Collection Services; Windows AntiSpyware; Windows Vista (firewall, services hardening)
Summary
• It’s all one network. Period.
• Need to be securing for tomorrow’s threats, not yesterday’s
• Defense in depth is and has always been the only effective strategy
• Enterprise patch management will free us for more strategic work
• Every machine deserves a good defense
Contact info: Dean Iacovelli, Chief Security Advisor - State and Local Government, Microsoft Corporation, deaniac@microsoft.com
Slides available at: www.iacovelli.info/work/secgtc.ppt

Tools / Products
• Application Compatibility Toolkit 5.0 beta sign up: http://connect.microsoft.com/
• Network Access Protection: http://www.microsoft.com/nap
• Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/mbsa
• Windows Server Update Services (WSUS): http://www.microsoft.com/wsus
• IE 7: http://www.microsoft.com/windows/ie/default.mspx
• Client Protection: http://www.microsoft.com/windowsserversystem/solutions/security/clientprotection/default.mspx
• Vista security: http://www.microsoft.com/technet/windowsvista/security/default.mspx
• Security Configuration Wizard: http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx

Guidance and Training
MICROSOFT
• Security Development Lifecycle: http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
• Security Guidance Centers: http://www.microsoft.com/security/guidance
• Security Online Training: https://www.microsoftelearning.com/security/
• XP SP2 deployment training: https://www.microsoftelearning.com/xpsp2
• Microsoft IT Security Showcase: http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA
• Security Newsletter: http://www.microsoft.com/technet/security/secnews/default.mspx
• Security Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx
• Security Notifications via e-mail: http://www.microsoft.com/technet/security/bulletin/notify.mspx
• MS Security blogs: http://www.microsoft.com/technet/security/community/articles/art_malwarefaq.mspx
• Security Bulletin Search Page: http://www.microsoft.com/technet/security/current.aspx
• Security Bulletin Webcast: http://www.microsoft.com/technet/security/bulletin/summary.mspx
• Writing Secure Code, 2nd edition: http://www.microsoft.com/mspress/books/5957.asp
• Building and Configuring More Secure Web Sites: http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp
• Windows XP Security Guide, includes SP2: http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx
• Security Risk Management Guide: http://go.microsoft.com/fwlink/?LinkId=30794
• Windows NT 4.0 and Windows 98 Threat Mitigation Guide: http://go.microsoft.com/fwlink/?linkid=32048
• Microsoft Identity and Access Management Series: http://go.microsoft.com/fwlink/?LinkId=14841
OTHER
• FBI / CSI 2005 security survey: http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml;jsessionid=KPE5WYV1ICYNCQSNDBECKH0CJUMEKJVN
As of 6 March 2006: tracking 13,053 bot-nets, of which 8,524 are active. Average size is 85,000 computers.

Windows Service Hardening: Defense In Depth – Factoring/Profiling (diagram)
• Reduce the size of high-risk layers
• Segment the services
• Increase the number of layers
Diagram layers: Kernel Drivers; User-mode Drivers; services factored into Service 1, Service 2, Service 3, … and Service A, Service B, … (labelled “D” boxes in the original figure).