Microsoft Security from Code to the Cloud
Seoul, Korea. May 16, 2012
Eric T. Ashdown, Asia Chief Security Advisor, Microsoft Operations Pte. Ltd.
eric.ashdown@microsoft.com
Agenda
• Introduction
• Security Intelligence
• Security Intelligence – Korea trends
• Microsoft and Security, the internal view
• Cloud Security Considerations
Our goal: Microsoft security is the trusted cornerstone of a safe, connected society
Source of Threat Intelligence
• Malicious Software Removal Tool – downloaded and executed over 4.1 billion times in the second half of 2011 alone.
• Over 280 million active Hotmail accounts with billions of emails scanned.
• Microsoft Security Essentials – operating globally in more than 30 languages.
• Billions of web pages scanned by Bing each day.
• Microsoft Security Intelligence Report: threat intelligence from over 600 million systems in 100+ countries/regions.
Targeted Attacks vs. Broad-Based Attacks
Targeted Attacks
• Focus on individuals or organizations. A specific target in mind.
• Attack Motives: targets are chosen because of who they are or what they represent.
• Common Tactics: weak passwords, unpatched vulnerabilities, social engineering.
• The majority of individuals are unlikely to encounter such a threat.
Broad-Based Attacks
• Broad-based attacks reach a large number of people.
• Attack Motives: typically this tactic is used to steal identities and money.
• Common Tactics: weak passwords, unpatched vulnerabilities, social engineering.
• The majority of cybercriminal activity is conducted through broad-based attacks.
Protecting Users with Security Fundamentals
• Implementing security fundamentals is a critical first step in protecting yourself against targeted and broad-based attacks, like Conficker.
• Use strong passwords
• Regularly apply available updates for all software installed
• Use antivirus software from a trusted source
• Invest in newer products that have a higher quality of software protection
• Consider the cloud as a business resource
Holistic Approach to Risk Management: Prevention, Detection, Containment, Recovery
Malware Trends in South Korea – Security Intelligence Report v12, April 2012
THREAT CATEGORIES – Korea
• The most common category in Korea in 4Q11 was Adware, which affected 57.5 percent of all infected computers, up from 47.8 percent in 3Q11
• The second most common category in Korea in 4Q11 was Miscellaneous Trojans, which affected 33.7 percent of all infected computers, down from 47.0 percent in 3Q11
• The third most common category in Korea in 4Q11 was Miscellaneous Potentially Unwanted Software, which affected 21.1 percent of all infected computers, up from 13.8 percent in 3Q11
THREAT FAMILIES IN 4Q11 – Korea
• Win32/Onescan (24.2% of cleaned computers)
  • A Korean-language rogue security software family distributed under the names One Scan, Siren114, EnPrivacy, PC Trouble, My Vaccine, and others.
• Win32/SideTab (19.5% of cleaned computers)
• Win32/Wizpop (15.6% of cleaned computers)
  • Potentially unwanted software that may track user search habits and download executable programs without user consent.
• Win32/Bonuscash (11.9% of cleaned computers)
  • The multi-component detection for an adware that installs a Browser Helper Object (BHO) that may redirect the browser to certain websites and display advertisements for certain products.
ADDITIONAL OBSERVATIONS
• In Korea, the Korea Information Security Agency (KISA) has instituted a two-part remediation effort. The first part is a joint malware notification program developed in cooperation with major ISPs in Korea. KISA provides the participating ISPs with information about computers that are determined to be infected with malware families that are widespread within Korea. When the user of an infected computer logs in, a pop-up window displays with a link to a web page that contains instructions for removing the infection. The second part of the remediation effort consists of a program to develop and distribute free vaccine software that targets specific malware families that are widespread in Korea. Responding to a series of serious distributed denial-of-service (DDoS) attacks that have affected Korea recently, KISA contracted with major domestic AV vendors to develop the vaccine, which is available for download from www.boho.or.kr.
Security Intelligence Report v12 – Resources
• Website: www.microsoft.com/sir
• Press Room: http://www.microsoft.com/en-us/news/presskits/security
• Blog: http://blogs.technet.com/b/security/
• Twitter: @MSFTSecurity
Top Strategies to Mitigate Targeted Cyber Intrusions
Cyber Security Operations Centre – Australia DoD Intelligence & Security, 21-7-2011
• Patch applications, e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.
• Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.
• Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.
• Application whitelisting to help prevent malicious software and other unapproved programs from running, e.g. by using Microsoft Software Restriction Policies or AppLocker.
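The first three strategies on this slide translate directly into checks an organisation can run against its own inventory. The script below is an added example, not code from the slides or from the Australian CSOC: it evaluates a constructed inventory against the two-day patch window for high-risk vulnerabilities, against the "use the latest version" rule, and against the requirement that administrators hold a separate unprivileged account. Product names, versions, dates and account names are all constructed for illustration.

```python
"""Added example (not from the slides): inventory checks for three of the four
mitigation strategies listed above. All inventory data is constructed."""
from datetime import date

# Constructed inventory of installed software: name -> (installed version, latest version)
INSTALLED = {
    "PDF viewer": ("10.1.2", "10.1.3"),
    "Flash Player": ("11.2", "11.2"),
    "Java": ("6u31", "7u4"),
    "Windows": ("7 SP1", "7 SP1"),
}

# Constructed vulnerability notices: (product, severity, disclosed, patched or None)
VULNS = [
    ("PDF viewer", "high", date(2012, 5, 10), None),
    ("Flash Player", "high", date(2012, 5, 12), date(2012, 5, 13)),
    ("Java", "medium", date(2012, 5, 1), None),
    ("Windows", "high", date(2012, 5, 8), date(2012, 5, 14)),
]

# Constructed accounts: person -> {account name: holds admin rights?}
ACCOUNTS = {
    "alice": {"alice-adm": True, "alice": False},
    "bob": {"bob": True},
}

HIGH_RISK_SLA_DAYS = 2  # "patch or mitigate within two days for high risk vulnerabilities"


def sla_breaches(vulns, today):
    """High-risk vulnerabilities not patched within the two-day window.

    An unpatched item breaches once `today` is more than SLA days past disclosure;
    a patched item breaches if the patch itself took longer than SLA days, whatever
    `today` is, so the breach stays on record after remediation.
    """
    breaches = []
    for product, severity, disclosed, patched in vulns:
        if severity != "high":
            continue
        end = patched if patched else today
        if (end - disclosed).days > HIGH_RISK_SLA_DAYS:
            breaches.append(product)
    return breaches


def outdated(installed):
    """Products where the installed version is not the latest available."""
    return sorted(name for name, (current, latest) in installed.items() if current != latest)


def admins_without_unprivileged_account(accounts):
    """People holding admin rights but no separate non-admin account for mail and browsing."""
    flagged = []
    for person, accts in accounts.items():
        has_admin = any(accts.values())
        has_unprivileged = any(not is_admin for is_admin in accts.values())
        if has_admin and not has_unprivileged:
            flagged.append(person)
    return sorted(flagged)


def report(today=date(2012, 5, 16)):
    """Bundle the three checks so a single call yields the findings."""
    return {
        "sla_breaches": sla_breaches(VULNS, today),
        "outdated": outdated(INSTALLED),
        "admins_without_unprivileged_account": admins_without_unprivileged_account(ACCOUNTS),
    }


if __name__ == "__main__":
    for finding, items in report().items():
        print(f"{finding}: {items}")
```

The fourth strategy, application whitelisting, is a Windows policy configuration (Software Restriction Policies or AppLocker) rather than an inventory check, so it is not modelled here.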
The Internal View: Microsoft and Security A structured approach to secure products
Reducing Software Risk
SDL (Process)
• What is it: The industry-leading security and privacy assurance process (mandatory for releasing software at Microsoft)
• Objectives: Protecting Microsoft customers by reducing the number and severity of vulnerabilities in software prior to release
Security Assurance (People)
• What is it: A group of security experts that support Microsoft product teams with building secure software and implementing SDL requirements
• Objectives: Protecting Microsoft customers by assuring that products/services are compliant with or go beyond the SDL prior to release
Security Science (Technology)
• What is it: A world-class R&D group which identifies new classes of vulnerabilities and develops proactive defenses against them
• Objectives: Protecting Microsoft customers by creating cutting-edge security features for Microsoft products and cutting-edge security diagnostic tools to improve the SDL
Embedding security into software and culture
Microsoft believes that delivering secure software requires:
• Executive commitment – SDL a mandatory policy at Microsoft since 2004
• Education
• Process
• Accountability
• Ongoing Process Improvements
Embedding security into software and culture – Tactics for Vulnerability Reduction
Remove entire classes of vulnerabilities
• Security Tooling
• Additional product features
Remove all currently findable vulnerabilities
• Complete automation of tooling
  • SDL tools, Threat Modeling tool
  • Fuzzing toolsets + ways to streamline & improve triage
  • Tool overlays to increase signal-to-noise and focus attention on the right code
• Verification & enforcement
  • Audit individual tool usage via process tools
  • Process tools required for SDL signoff – policy enforcement
Ongoing Process Improvements
Impact: Newer is Better
Vulnerabilities
• OS and browser vulnerability counts remain low
• Microsoft 3% – 6.5% of total industry vulnerability disclosures
• More people updating than ever before
Windows
• Less malware found on newer versions
Internet Explorer
• Fewer drive-by attacks on newer versions
• Fewer Microsoft vulnerabilities used in browser-based exploits
Office
• Fewer attacks on newer versions of Office
Identifying Cloud Opportunities (chart axes: Ease of Implementation, Easy to Hard; Value to the Enterprise, up to High Value)
Batch and Data Intensive Applications
• One-off applications that don’t rely on real-time response
• Data and high performance intensive applications (financial risk modeling, simulation, data compression, graphics rendering…)
• New back-office applications
Business Continuity (Storage)
• Extensive storage
• Backup and recovery
Software Development and Testing
• Software development and testing environment
• Performance Testing
• Non-production projects
• R&D activities
• Reduced time to market
Desktop Productivity
• Web 2.0 applications
• Workgroup applications
• Office suites
• Email and calendaring
Peak Load Demands
• New business activities
• Applications with peak loads
• Seasonal websites
• Applications with scalability needs
Sensitivity
• Mission critical applications
• Regulation-protected data (HIPAA, SOX, PCI…)
Legacy
• Specific existing infrastructure
• Complex legacy systems
Demand Side Economies of Scale – Industry Variability
• Holiday shopping (target.com, walmart.com, toysrus.com, barnesandnoble.com): ~4x normal load, Jan 2009 – Jan 2010
• Tax season (turbotax.com, taxcut.com, hrblock.com, taxact.com): ~10x normal load, Jan 2009 – Jan 2010
Source: Alexa
Cloud Security Considerations
• Compliance and Risk Management
• Identity and Access Management
• Service Integrity
• Endpoint Integrity
• Information Protection
Cloud Information Protection
• Data Classification is the foundation
  • Requirements
  • Legal Needs
• Persistent Data Protection needed
  • Encryption/Rights Management
  • Has to cover the whole transaction
  • Data in transit
• «New» Challenges
  • Data Sovereignty
  • Access to Information
  • Data Partitioning and Processing
Implemented Data Classification helps to decide which data is ready for the cloud, under which circumstances, and with which controls.
Cloud Security Recommendations
• Well-functioning Risk and Compliance Programs are a must
• Data classification is the base
• Choose the right Deployment Model (Private, Community, or Public)
• Strong, cloud-trained, internal team still needed
• Process Transparency, Compliance Controls, and Auditability by the Provider
• Implement a Secure Development Lifecycle and evaluate the Provider and their vendors as well
• Stronger federated identity and access controls
• Information Lifecycle Controls
• General strategy around use of encryption, establish criteria
• Access controls to operate across organisational boundaries without surrendering identity ownership
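The two preceding slides say that classification decides which data is cloud-ready, under which deployment model and with which controls, and that protection has to cover the whole transaction rather than one field. The script below is an added example that is not from the slides and not a Microsoft scheme: it evaluates every data element a transaction touches, takes the most sensitive one as the driver, and derives the minimum deployment model, the required controls (encryption in transit and at rest, rights management, region pinning) and any data-sovereignty blockers. The classification levels, regulation tags, control names and provider regions are assumptions chosen for illustration.

```python
"""Added example (not from the slides): classification-driven cloud readiness
decision for a whole transaction. Policy values below are assumed, not Microsoft's."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed classification scale, least to most sensitive
LEVELS = ["public", "internal", "confidential", "restricted"]

# Assumed policy: least restrictive deployment model allowed per classification level
MIN_MODEL = {"public": "public", "internal": "public",
             "confidential": "community", "restricted": "private"}
MODEL_RANK = {"public": 0, "community": 1, "private": 2}


@dataclass
class DataElement:
    name: str
    level: str
    regulations: set = field(default_factory=set)   # e.g. {"HIPAA", "PCI"}
    sovereign_region: Optional[str] = None           # data must stay in this jurisdiction


def transaction_decision(elements, provider_regions):
    """Decide model, controls and blockers for all elements a transaction touches.

    The whole transaction inherits the requirements of its most sensitive element,
    so a single restricted field pulls every other field into the same model.
    """
    if not elements:
        raise ValueError("a transaction must carry at least one data element")
    driver = max(elements, key=lambda e: LEVELS.index(e.level))
    model = MIN_MODEL[driver.level]
    controls = {"encryption in transit"}  # data in transit is covered for every transaction
    blockers = []
    regulations = set().union(*(e.regulations for e in elements))
    regions = {e.sovereign_region for e in elements if e.sovereign_region}

    if LEVELS.index(driver.level) >= LEVELS.index("confidential"):
        controls.add("encryption at rest")
        controls.add("rights management")  # persistent protection travels with the data
    if regulations:
        controls.add("audit logging")
        # regulated data never goes to a plain public model under this assumed policy
        model = max(model, "community", key=MODEL_RANK.get)
    if "PCI" in regulations:
        controls.add("tokenisation of card data")
    for region in sorted(regions):
        if region in provider_regions:
            controls.add(f"region pinning: {region}")
        else:
            blockers.append(f"{region} sovereignty: provider has no in-region datacentre")
    return {"model": model, "controls": sorted(controls),
            "blockers": blockers, "driver": driver.name}


if __name__ == "__main__":
    # Constructed transaction: an online payment with a Korean billing address
    payment = [
        DataElement("customer name", "internal"),
        DataElement("card number", "restricted", {"PCI"}),
        DataElement("billing address", "confidential", set(), "KR"),
    ]
    print(transaction_decision(payment, provider_regions={"KR", "SG"}))
```

A blocker means the data cannot go to that provider at all until the sovereignty requirement is met; controls are what must be in place once it does.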
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.