Post on 23-Dec-2015
Bluehat 2014
Looking back and driving forward
Chris Betz, Senior Director, Microsoft Security Response Center
Microsoft Security Response Center
Investigate Vulnerability Reports
Address vulnerabilities before they affect users
secure@Microsoft.com
Lead Security & Privacy Response
Company-wide response process
Cross-community Engagement
Partner with security industry and CERTs
Create community with vulnerability finders
Security Technology
Capabilities that improve security, detections and response for our customers
Snapshots of the past year
A recap
A recap - Ransomware
Exploited Microsoft remote code execution CVEs
Zero-day exploits have accounted for the bulk of Microsoft remote code execution vulnerabilities.
[Chart: Microsoft RCE CVEs, by timing of first known exploit (zero day, within 30 days, after 30 days), 2006–2013; y-axis: number of CVEs, 0–80]
CCM by OS and service pack
[Chart: Computers cleaned per 1,000 scanned (CCM), 3Q13 vs 4Q13, by OS and service pack. Platforms: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012; service pack labels as extracted: SP3 SP2 SP1 RTM RTM SP2 SP2 RTM SP1 RTM; y-axis 0.0–35.0]
• This data is normalized; that is, the infection rate for each version of Windows is calculated by comparing an equal number of computers per version.
• Infection rates in 4Q13 were many times higher on all supported Windows client platforms than they were in 3Q13, because of the influence of Win32/Rotbrow.
What have we been thinking and talking about
Security technology and vulnerabilities
• Use-after-free
• UEFI and device security
• Post-exploitation & persistence
• Sandboxes
• Botnets
• Threat Intelligence
• Privacy and Security
• Credential Theft
• Vulnerability-free exploitation
• Big data for security
• Defending the cloud
The Defense Dialog
Beyond Protection
Protect
Detect
Respond
• Defender must defend entire attack surface
• Attacker must find (or make) one gap
• Defenses, defense-in-depth, resilience, detections, and response all reduce attack surface or limit damage
Attacker’s asymmetry
• The attacker's advantage is a simplification – perhaps an oversimplification
• Mostly true at the engagement level
• We are focusing at the wrong level of conflict
• Think campaign, not engagement
Hanging together
“We must, indeed, all hang together or, most assuredly, we shall all hang separately.” – Benjamin Franklin
• A campaign isn’t a single target – attackers reuse resources and rely on secrecy
• An attacker’s success depends on their ability to keep defenders from detecting and defeating their campaign.
• Defenders need only one gap in an attacker's secrecy to detect, illuminate, and defeat an adversary.
• When defenders share and act on intelligence it can take only one slip in secrecy to defeat an attacker’s campaign.
Defenders’ advantage
An attacker’s campaign
[Diagram: campaign types (opportunistic, regional target set, specific target set, single target) against campaign components (capabilities, infrastructure, operations, opportunity); axes: cost per target vs. amount of reuse]
Traditional defense – effect on campaign
[Diagram: the same campaign matrix (campaign types vs. capabilities, infrastructure, operations, opportunity; cost-per-target axis)]
* Defense affects all adversaries
Acting on Threat Intel – campaign impact
[Diagram: the same campaign matrix (campaign types vs. capabilities, infrastructure, operations, opportunity; cost-per-target axis)]
* Defense affects targeted adversary
A few thoughts on what’s next for us
Secure Development and Operations
If we needed a reminder – there's no replacement for consistent secure development and operations
• Requirements
• Design
• Development
• Verification
Response to vulnerabilities is critical
• Protect, Detect, Respond
• Threat intelligence
• Cooperative defense
• Automated machine-speed sharing
• Privacy and credentials
• Services and defense networks
• High security enclaves
• Not just devices, software, or services
Beyond Exploitation
Protect, Detect, Respond
© 2013 Microsoft. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.