Supporting Security - Inside fixing vulnerabilities at Microsoft (TERENA)
Post on 14-May-2018
Supporting Security: Inside fixing vulnerabilities at Microsoft®
Simon Conant, MCSE CISSP
Security Program Manager, PSS Security, Microsoft Corporation
sconant@microsoft.com
Who's who?
- Product Groups: Program Managers, Developers, Test Engineers
- PSS Security
- Microsoft Security Response Center
Process

Evaluation
- Issue first received.
- Evaluated & acknowledged to reporter (all reports acknowledged).
- Sent to all possibly affected product group "SI" teams.
- Confirmation of problem (or not). Warteams, discussions, all the experts pulled in on it.
- Full info on problem, associated issues, workarounds, solutions.

Fix
- Fix architected from step 1.
- Fix built for all affected products, platforms, versions, languages.

Test
- Fix is tested:
  -- Fixes all of problem
  -- Doesn't break anything else
  -- All products, versions, platforms, languages
- Broken? Back to step one…

Field testing
Packaging
Documentation
Publishing
Release
Why does it take so long?
- It's all about COMPLEXITY
  -- The products all are very feature-packed, and are therefore very complex
  -- We support multiple older versions of products
  -- On various platforms
  -- And for many languages
- It's all about QUALITY
  -- If the fix doesn't fix ALL of the problem, it's no good
  -- If the fix breaks something else along the way, it's not helping our customers either
  -- We have to do our very best to get it right first time
  -- And we exhaustively test it all.
Workarounds (scale from worst to best case)
- No known / possible workaround
- High impact or partial workaround
- Low-impact workaround
- Fix
Improvements
- No more "Under Investigation" black hole
- Milestones:
  -- Confirmation of vulnerability, fix in progress
  -- Known workarounds, mitigations, risk analysis
  -- Fix completed
  -- Fix in testing: progress
  -- Fix in release
- Proactive communications
- PSSSec will own the cases & customer care
- Patch beta testing
- Local security support
- Patch improvements
Improve the Patching Experience: New Patch Policies
- Extending support to June 2004
  -- Windows 2000 SP2
  -- Windows NT SP6a
- Non-emergency security patches on a monthly release schedule
  -- Allows for planning a predictable monthly test and deployment cycle
  -- Packaged as individual patches that can be deployed together
  -- Achieves benefits of security rollup with increased flexibility
- Patches for emergency issues will still release immediately
Improve the Patching Experience: Patch Enhancements

Your Need: Reduce patch complexity
Our Response: By 5/04: Consolidating to 2 patch installers for W2K and higher, Office & Exchange. All patches will behave the same way (SUS 2.0, MSI 3.0).

Your Need: Extend patch automation to all products
Our Response: 11/03: SMS 2003 offers capability to patch all supported Microsoft platforms and applications. By end of 2004, all MS patches behave the same at installation (MSI 3.0 + SUS 2.0) and are available in one place: MS Update.

Your Need: Reduce patch size
Our Response: Now: Reduced patch size by 35% or more. Will have 80% reduction by 5/04. (Delta patching technology and improved functionality with MSI 3.0.)

Your Need: Reduce risk of patch deployment
Our Response: Now: Increased internal testing; customer testing of patches pre-release. By 5/04: rollback capability for Windows, SQL, Exchange, Office.

Your Need: Reduce downtime
Our Response: Now: 10% fewer reboots on W2K and higher. By 5/04: 30% fewer reboots on Win 2003 (starting in SP1). Up to 70% reduction for next server.
Security Guidance for IT Pros
- Available Now
  -- 17 prescriptive books
  -- How Microsoft secures Microsoft guidance & tools
- Later this year and throughout 2004
  -- More prescriptive & how-to guides
  -- Tools & scripts to automate common tasks
  -- Focused on operating a secure environment
  -- Patterns & practices for defense in depth
  -- Enterprise security checklist: the single place for authoritative security guidance
Continue Improving Quality: Trustworthy Computing Release Process

Timeline: Design, Development (milestones M1, M2, … Mn), Beta, Release, Support

Security Review (design docs & specifications)
- Each component team develops threat models, ensuring that design blocks applicable threats

Develop & Test (development, testing & documentation)
- Apply security design & coding standards
- Tools to eliminate code flaws (PREfix & PREfast)
- Monitor & block new attack techniques

Security Push
- Team-wide stand down
- Threat model updates, code review, test & documentation scrub

Security Audit (product)
- Analysis against current threats
- Internal & 3rd party penetration testing

Security Response (service packs, QFEs)
- Fix newly discovered issues
- Root cause analysis to proactively find and fix related vulnerabilities
Continue Improving Quality

Mandatory for all new products:
[Chart: critical or important vulnerabilities in the first 90 days and the first 150 days, by whether the product was a TwC release. Values shown in order: TwC release Yes: 6 and 9; No: 13 and 23.]

For some widely-deployed, existing products:
- Service Pack 3, shipped Jan. 2003, 8 months ago: 9 bulletins in prior period; 1 bulletin since TwC release
- Service Pack 3, shipped July 2002, 14 months ago: 5 bulletins in prior period; 0 bulletins since TwC release
Security Roadmap

Today: Guidance
- Monthly patch releases
- Guidance & training
- How Microsoft runs Microsoft
- Support for W2K SP2 & NT4 SP6a

0-9 months: Tools & Patching
- 2 patch installers; rollback
- Patching enhancements
- SUS 2.0
- SMS 2003
- More guidance and training

9-12 months: Shields
- Shield technologies for client and server
- "MS Update"
- More guidance and training

Future: Next-Generation Security
- Integrated host security technologies
- NGSCB
- Windows hardening
- More guidance and training
Where else we're involved
- Security patches & tools
- Virus
- Crisis support
- Privacy
- Hacking and IR
- Gov't & Law Enforcement Liaison
- Anti-spam & computer crime, Legal
- Press/PR/outreach/communications