Beyond Patching - PowerPoint PPT Presentation

About This Presentation
Title:

Beyond Patching

Description:

Beyond Patching. Dean Iacovelli. Chief Security Advisor ... Video game cheats #3 in. previous. chart. Celebrities. Song lyrics. Trends in Security Spending ... – PowerPoint PPT presentation

Slides: 59
Provided by: Micro247

Transcript and Presenter's Notes

Title: Beyond Patching


1
Beyond Patching
  • Dean Iacovelli
  • Chief Security Advisor State and Local
    Government
  • Microsoft Corporation
  • deaniac_at_microsoft.com

2
  • Objectives
  • Address your concerns about security
  • Update on current trends
  • Current initiatives at Microsoft
  • Future security product/solution roadmap
  • Agenda
  • Defining and managing the risk
  • System Integrity
  • Identity management
  • Trustworthy Identity
  • Client protection
  • Server protection
  • Network protection
  • Summary, QA

3
My Role as SLG CSA
  • Overall security policy and strategy for MS SLG
  • MS spokesperson to/from SLG customers
  • Information broker: resources, best practices,
    programs
  • Coordinator for incident response communication,
    security readiness
  • Not goaled on revenue
  • Basically: help ensure SLG customers have a good
    experience dealing with security on the MS
    platform

4
Your Feedback ?
  • Challenges
  • Worms / viruses
  • Spyware
  • Spam
  • Patch management
  • Network access control
  • Identity management
  • Best practices / guidance
  • Looking at Linux for security reasons?

5
Understanding Your Adversary
(Chart: adversary type plotted against attacker skill level)
  • Adversary types: Spy (fastest growing segment),
    Thief, Trespasser, Vandal, Author
  • Skill levels: Script-Kiddy, Hobbyist Hacker,
    Expert, Specialist
  • Tools created by experts now used by less skilled
    attackers and criminals
6
State and Local Security Trends
  • Attacks becoming less numerous, more nasty
  • Viruses/worms still lead in financial cost BUT
  • 6x increase in losses from unauthorized
    information access from 2004 to 2005 (FBI/CSI)
  • 2x increase in losses from theft of proprietary
    information from 2004 to 2005 (FBI/CSI)
  • Botnets (used for cyber extortion) have jumped
    from an average of 2500 machines in 2004 to
    85,000 in 2006
  • Why sniff the net when you can hack the site or
    the password?
  • 95 reported 10 website incidents last year
    (FBI/CSI)
  • 15% of enterprise hosts have had keystroke
    loggers detected, 3x in 1 year (Webroot and
    Sophos)
  • Major NT4/Win 98 supportability issues
  • Enterprise patching and management still not
    under control
  • What your neighbor isn't doing IS your problem
  • Real cost is loss of trust

7
Closer Look at Malware Data (MSRT)
Source: Microsoft
8
#3 in previous chart:
  • Video game cheats
  • Celebrities
  • Song lyrics
9
Trends in Security Spending
  • $497 per employee
  • $354 operations
  • $143 capital
  • Even worse for smaller agencies - as much as $650
  • No economies of scale
  • SLG spends 10x what Federal and most of the
    private sector spend
  • Lack of centralized strategy / tools
  • Getting worse
  • Federal trending down from CY05
  • SLG trending up
  • Various new state infosec laws may be impacting
    costs, but still a serious issue

10
MS Security Statistical Snapshot
  • 263M downloads of XP SP2
  • 75M downloads of Microsoft Anti-Spyware beta
  • 9.7M consumers using SP2 Firewall
  • 332M machines using Automatic Update or Windows
    Update
  • 135 legal actions against spammers worldwide
  • 121 phishing sites sued
  • 578 Microsoft CISSPs (and counting)

11
Microsoft Security Strategy Overview
12
Security Development Lifecycle
  • Security Development Lifecycle
  • Security Response Center
  • Better Updates And Tools

13
Threat Modeling Example: MS03-007
  • Even if the buffer was large enough
  • Process halts rather than executes malicious
    code, due to buffer-overrun detection code (-GS)
  • Even if there was an exploitable buffer overrun
  • Would have occurred in w3wp.exe, which is now
    running as Network Service
14
Focus Yielding Results
(Chart: 2003 vs. as of February 14, 2006)
15
Case Study: How We Tested WMF Patch
  • 415 apps (MS and third party)
  • 6 supported versions of the OS in 23 languages
  • 15k print variations, 2800 print pages verified
  • 2000 wmfs analyzed, 125 malicious wmfs tested
  • 12k images verified for regressions
  • 22,000 hours of stress testing
  • 450k total test cases

16
Patch Management Initiative: Progress to Date
Informed Prepared Customers
Consistent Superior Update Experience
Superior Patch Quality
  • Microsoft Update
  • WSUS
  • SMS 2003

Best Patch Update Management Solutions
17
Update Impact Analyzer: Determine How Patches Will
Affect Critical Apps
18
Fundamentals
  • You can only manage what you can measure
  • and you can only secure what you can manage (and
    find ?)
  • Decentralization may be a reality, but it's not a
    best practice
  • Set policy
  • Active Directory
  • Central policy, local defense
  • Delegate back business-specific policy control
  • Audit policy
  • Turning it on AFTER the incident is much less useful
  • Don't wait for the incident to look at the logs
  • Standardize builds, supported applications
  • Enterprise assets are not toys
  • Vista will make this easier; possible in XP too:
    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

19
Beyond Patching: The Problem
  • Patching is no longer strategic
  • Moving from security to operations like backups
  • New threats require new models
  • Internal network is NOT trusted
  • Medieval castle model is the only response
  • Automated attacks require automated defenses

20
Microsoft Security Strategy Overview
21
Allow only legitimate users secure, policy-based
access to machines, applications and data
Access Policy Management
Trustworthy Identity
Information Protection
  • Directory Services
  • Lifecycle Management
  • Strong Authentication
  • Federated Identity
  • Certificate Services
  • Rights Management Services
  • Encryption Services
  • Secure Protocols and Channels
  • Back-up and Recovery Services
  • Role-based Access Control
  • Audit Collections Services
  • Group Policy Management Console

22
Fundamentals
  • Reduce
  • Consolidate to fewer identity stores
  • Leverage metadirectories to simplify sign on,
    automate/standardize identity business rules
  • Reuse
  • Leverage globally relevant attributes across all
    applications
  • Place non-globally relevant attributes in
    app-coupled LDAP stores
  • Recycle
  • Leverage federation to use your credentials on
    business partner networks

23
Microsoft Security Strategy Overview
24
Fundamentals
  • Medieval castle model
  • The internal network is NOT trusted
  • Central policy, local defense
  • Leverage tools you already own
  • Windows firewall
  • Active Directory group policy
  • Phishing filters
  • Encrypting file system
  • IPSec logical segmentation
  • Isolate what you can't defend

25
  • Helps protect the system from attacks from the
    network
  • Enables more secure Email and Instant Messaging
    experience
  • Enables more secure Internet experience for most
    common Internet tasks
  • Provides system-level protection for the base
    operating system
26
Internet Explorer 7
Social Engineering Protections
  • Phishing Filter and Colored Address Bar
  • Dangerous Settings Notification
  • Secure defaults for all settings

Protection from Exploits
  • Protected Mode to prevent malicious software
  • Code quality improvements
  • ActiveX Opt-in

27
Application Compatibility Toolkit V5.0
  • Analyze your portfolio of Applications, Web
    Sites, and Computers
  • Evaluate operating system deployments or impact
    of operating system updates
  • Rationalize and Organize by Applications, Web
    Sites, and Computers
  • Prioritize compatibility efforts with filtered
    reporting
  • Add and manage issues and solutions for your
    personal computing environment
  • Deploy automated mitigations to known
    compatibility issues
  • Send/Receive compatibility information to Online
    Compatibility Exchange

28
Microsoft Client Protection
(Comparison chart of Microsoft anti-malware offerings)
  • For individual users: Windows Live Safety Center,
    Windows OneCare Live, MSRT, Windows Defender
  • For businesses: Microsoft Client Protection
  • Features compared: remove most prevalent viruses;
    remove all known viruses; real-time antivirus;
    remove all known spyware; real-time antispyware;
    central reporting and alerting; customization;
    IT infrastructure integration
29
Shared Computer Toolkit for Windows XP
  • Windows Disk Protection
  • Prevent unapproved changes to the Windows
    partition
  • Allow critical updates and antivirus updates
  • User Restrictions
  • Restrict untrusted users from files and settings
  • Lock user profiles for protection and privacy
  • Profile Manager
  • Create persistent user profiles on unprotected
    partitions
  • Delete locked user profiles
  • Accessibility
  • Accessibility settings utilities when
    restricted
  • Quick access for repeat use
  • Getting Started
  • Use and learn about the Toolkit
  • Quick access toolbar

Tools are scriptable. Additional command-line
tools included. Comprehensive Help and Handbook
with supplemental security guidance.
30
Next Generation Security and Compliance
Threat Vulnerability Mitigation
Fundamentals
Identity Access Control
Engineered for the future
  • User Account Control
  • Plug and Play Smartcards
  • Granular auditing
  • Simplified Logon architecture
  • Code Integrity
  • IE Protected Mode
  • Windows Defender
  • IPSEC/Firewall integration
  • Network Access Protection
  • Security Development Lifecycle
  • Threat Modeling
  • Code Scanning
  • Service Hardening
  • BitLocker Drive Encryption
  • EFS Smartcard key storage
  • RMS client
  • Control over removable device installation
  • XPS Document WPF APIs

31
InfoCard Overview: Secure sharing of your info
online
  • Simple user abstraction
  • Manage compartmentalized versions of your
    identity
  • Strong computer generated keys instead of human
    generated passwords
  • Relates to familiar models
  • Govt ID card, driver's license, credit card,
    membership card
  • Flexible issuance
  • Self-issued: eBay, Amazon
  • Issued by external authority: Visa, Government
  • Implemented as secure subsystem
  • Protected UI, anti-spoofing techniques, encrypted
    storage
  • Built on WS-Federation web standards

32
Microsoft Security Strategy Overview
33
Security Configuration Wizard (Windows Server
2003 SP1)
  • Security lockdown tool for Windows Server 2003
  • Roles-based paradigm
  • Focused on Attack Surface Reduction
  • Disables unnecessary services
  • Disables unnecessary web extensions
  • Blocks unnecessary ports
  • Configures audit SACLs
  • Operational infrastructure
  • Client-Server deployment infrastructure
  • Support for Group Policy-based deployment
  • Compliance Analysis
  • Rollback support

34
  • Microsoft Antigen Line of Products
  • Highlights
  • Unique multi-engine approach for faster
    detection and broader protection
  • Integrated virus and spam protection
  • Integrated Microsoft AV engine

RTM in Q2 2006
35
Microsoft Security Strategy Overview
36
Network Access Protection: Longhorn Server (2007)
  • Policy Validation
  • Determines whether the computers are compliant
    with the company's security policy. Compliant
    computers are deemed healthy.
  • Network Restriction
  • Restricts network access to computers based on
    their health.
  • Remediation
  • Provides necessary updates to allow the computer
    to get healthy. Once healthy, the network
    restrictions are removed.
  • Ongoing Compliance
  • Changes to the company's security policy or to
    the computer's health may dynamically result in
    network restrictions.

37
Network Access Protection Walkthrough
(Diagram: Client, Network Access Device (DHCP, VPN),
IAS Policy Server and Remediation Servers, spanning
the Corporate Network and the Restricted Network;
the IAS Policy Server receives ongoing policy updates)
  • Client: "May I have access? Here's my current
    health status."
  • Network Access Device: "Should this client be
    restricted based on its health?"
  • IAS Policy Server: "According to policy, the
    client is not up to date. Quarantine client,
    request it to update."
  • Network Access Device: "You are given restricted
    access until fix-up."
  • Client: "Can I have updates?"
  • Remediation Servers: "Here you go."
  • Client: "Requesting access. Here's my new health
    status."
  • IAS Policy Server: "According to policy, the
    client is up to date. Grant access."
  • Client is granted access to full intranet.
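The exchange on slides 36 and 37 (policy validation, network restriction, remediation, ongoing compliance), simulated in Python as an added example that is not part of the original deck or of any Microsoft NAP code; the health requirements (firewall on, signature date, patch level), the Client class and the function names are all constructed for illustration:

```python
"""Simulated NAP exchange (constructed example, not Microsoft code): client sends
its health, the policy server validates it, the access device restricts or grants,
remediation servers fix the client, then the client is re-evaluated."""
from dataclasses import dataclass

# Health policy held by the IAS policy server (constructed example values).
POLICY = {"firewall_on": True, "av_signatures_min": 20060301, "patch_level_min": 7}

@dataclass
class Client:
    name: str
    firewall_on: bool
    av_signatures: int  # signature date, YYYYMMDD
    patch_level: int    # required updates installed
    zone: str = "restricted"

    def health_status(self):
        """Statement of health sent with each access request."""
        return {"firewall_on": self.firewall_on,
                "av_signatures": self.av_signatures,
                "patch_level": self.patch_level}

def policy_validation(policy, status):
    """IAS policy server: list the failed requirements (empty means healthy)."""
    failures = []
    if policy["firewall_on"] and not status["firewall_on"]:
        failures.append("firewall_on")
    if status["av_signatures"] < policy["av_signatures_min"]:
        failures.append("av_signatures")
    if status["patch_level"] < policy["patch_level_min"]:
        failures.append("patch_level")
    return failures

def remediate(client, failures, policy):
    """Remediation servers: bring each failed component up to policy."""
    if "firewall_on" in failures:
        client.firewall_on = True
    if "av_signatures" in failures:
        client.av_signatures = policy["av_signatures_min"]
    if "patch_level" in failures:
        client.patch_level = policy["patch_level_min"]

def request_access(client, policy, log):
    """Network access device: ask the policy server, then restrict or grant."""
    failures = policy_validation(policy, client.health_status())
    if failures:
        client.zone = "restricted"
        log.append(f"{client.name}: quarantined, failed {failures}")
    else:
        client.zone = "corporate"
        log.append(f"{client.name}: granted full intranet access")
    return failures

def nap_walkthrough(client, policy=POLICY, max_rounds=2):
    """Request -> restrict -> remediate -> re-request; rerun after a policy change."""
    log = []
    for _ in range(max_rounds):
        failures = request_access(client, policy, log)
        if not failures:
            break
        remediate(client, failures, policy)  # reachable from the restricted zone only
    return client.zone, log
```

Calling nap_walkthrough again with a tightened policy shows the ongoing-compliance case: a client that was healthy yesterday lands back in the restricted zone until remediated.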
38
NAP - Enforcement Options
39
NAP Partner Community
40
Getting Started
  • Beta available now
  • Preparing for NAP will take effort and time!
  • Deployment preparation tasks
  • Health Modeling
  • Health Policy Zoning
  • IAS (RADIUS) Deployment
  • Zone Enforcement Selection
  • Exemption Analysis
  • Change Process Control
  • Phased rollout
  • Rollout VPN solution to test health policy
  • Rollout IPSec segmentation to test wired
    enforcement

41
Roadmap
  • Frontbridge hosted services for anti-virus and
    anti-spam filtering(for businesses)
  • Windows Live OneCare(for consumers)
  • Next generation of services

Services
  • Microsoft Client Protection
  • Microsoft Antigen Anti-virus and Anti-spam for
    messaging and collaboration servers
  • ISA Server 2006
  • ISA Server 2004
  • Sybari Antigen anti-spam and anti-virus for
    Email, IM and SharePoint
  • Content filtering services
  • Next generation of security products

Products
  • Windows XPSP2
  • Windows Server 2003 SP1
  • Anti-malware tools
  • Microsoft Update
  • Windows Server Update Services
  • Network Access Protection
  • IPSec Enhancements
  • Audit Collection Services
  • Windows AntiSpyware
  • Windows Vista
  • Firewall
  • Services Hardening

Platform
42
Summary
  • Its all one network. Period.
  • Need to be securing for tomorrows threats, not
    yesterdays
  • Defense in depth is and has always been the only
    effective strategy
  • Enterprise patch management will free us for more
    strategic work
  • Every machine deserves a good defense

43
Contact info: Dean Iacovelli, Chief Security
Advisor - State and Local Government, Microsoft
Corporation, deaniac_at_microsoft.com. Slides
available at www.iacovelli.info/work/secgtc.ppt
44
Appendix
45
Tools / Products
  • Application Compatibility Toolkit 5.0 beta sign
    up
  • http://connect.microsoft.com/
  • Network Access Protection
  • http://www.microsoft.com/nap
  • Microsoft Baseline Security Analyzer (MBSA)
  • http://www.microsoft.com/mbsa
  • Windows Server Update Services (WSUS)
  • http://www.microsoft.com/wsus
  • IE 7
  • http://www.microsoft.com/windows/ie/default.mspx
  • Client Protection
  • http://www.microsoft.com/windowsserversystem/solutions/security/clientprotection/default.mspx
  • Vista security
  • http://www.microsoft.com/technet/windowsvista/security/default.mspx
  • Security Configuration Wizard
  • http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx

46
Guidance and Training
  • MICROSOFT
  • Security Development Lifecycle
    http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
  • Security Guidance Centers
    http://www.microsoft.com/security/guidance
  • Security Online Training
    https://www.microsoftelearning.com/security/
  • XP SP2 deployment training
    https://www.microsoftelearning.com/xpsp2
  • Microsoft IT Security Showcase
    http://www.microsoft.com/technet/itsolutions/msit/default.mspxEDBAAA
  • Security Newsletter
    http://www.microsoft.com/technet/security/secnews/default.mspx
  • Security Events and Webcasts
    http://www.microsoft.com/seminar/events/security.mspx
  • Security Notifications via e-mail
    http://www.microsoft.com/technet/security/bulletin/notify.mspx
  • MS Security blogs
    http://www.microsoft.com/technet/security/community/articles/art_malwarefaq.mspx
  • Security Bulletin Search Page
    http://www.microsoft.com/technet/security/current.aspx
  • Security Bulletin Webcast
    http://www.microsoft.com/technet/security/bulletin/summary.mspx
  • Writing Secure Code, 2nd edition
    http://www.microsoft.com/mspress/books/5957.asp
  • Building and Configuring More Secure Web Sites
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp
  • Windows XP Security Guide, includes SP2
    http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx
  • Security Risk Management Guide
    http://go.microsoft.com/fwlink/?LinkId=30794
  • Windows NT 4.0 and Windows 98 Threat Mitigation
    Guide http://go.microsoft.com/fwlink/?linkid=32048
  • Microsoft Identity and Access Management Series
    http://go.microsoft.com/fwlink/?LinkId=14841
  • OTHER

47
As of 6 March 2006: Tracking 13053 bot-nets, of
which 8524 are active. Average size is 85,000
computers.
48
(No Transcript)
49
Windows Service Hardening: Defense In Depth
Factoring/Profiling
  • Reduce size of high risk layers
  • Segment the services
  • Increase number of layers

(Diagram: services factored into Service 1, 2, 3
and Service A, B, layered above User-mode Drivers
and Kernel Drivers)
50
Vista Service Changes: Services common to both
platforms
51
Windows Vista Firewall
  • Combined firewall and IPsec management
  • New management tools: Windows Firewall with
    Advanced Security MMC snap-in
  • Reduces conflicts and coordination overhead
    between technologies
  • Firewall rules become more intelligent
  • Specify security requirements such as
    authentication and encryption
  • Specify Active Directory computer or user groups
  • Outbound filtering
  • Enterprise management feature, not for
    consumers
  • Simplified protection policy reduces management
    overhead

52
User Account Control (UAC)
  • Previously known as LUA
  • Users will log on as non-administrator by default
  • Protects the system from the user
  • Enables the system to protect the user
  • Consent UI allows elevation to administrator
  • Applications and administrator tools should be
    UAP aware
  • Differentiate capabilities based on UAP
  • Apply correct security checks to product features
  • Start testing your software against Vista now!

53
Standard UAC Prompt
54
Application Installation as a Standard User
55
Group Policy Device Restriction
56
BitLocker Drive Encryption
  • Designed specifically to prevent malicious users
    from breaking Windows file and system protections
  • Provides data protection on Windows systems, even
    when the system is in unauthorized hands or is
    running a different or exploiting Operating
    System
  • A Trusted Platform Module (TPM) or USB flash
    drive is used for key storage

BitLocker
57
Trusted Platform Module: Smartcard-like module on
system motherboard
  • Helps protect secrets
  • Performs cryptographic functions
  • Can create, store and manage keys
  • Performs digital signature operations
  • Holds Platform Measurements (hashes)
  • Anchors chain of trust for keys and credentials
  • Protects itself against attacks
  • TPM 1.2 spec: www.trustedcomputinggroup.org
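
The BitLocker/TPM relationship on slides 56 and 57 (platform measurements held in PCRs anchoring a chain of trust, so the drive key is released only to an unmodified system), simulated in Python as an added example that is not Microsoft or TCG code; the extend step follows the TPM 1.2 formula, but the sealing is a stand-in (wrap key derived from a constructed storage root key and the PCR) rather than the real TPM seal blob format, and SRK, VMK and the boot chain are constructed values:

```python
"""Simulated measured boot and key sealing (constructed example, not Microsoft
or TCG code): boot components are extended into a PCR, and the BitLocker volume
master key is released only when the PCR matches the value it was sealed to."""
import hashlib
import hmac

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components) -> bytes:
    """Start from the 20-byte reset value and extend each boot stage in order."""
    pcr = b"\x00" * 20
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr

def seal(secret: bytes, pcr: bytes, srk: bytes):
    """Stand-in for TPM sealing: wrap the secret under a key derived from the
    storage root key and the current PCR, so only that PCR can rederive it."""
    assert len(secret) == 32
    wrap = hashlib.sha256(srk + pcr).digest()
    blob = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(wrap, blob, hashlib.sha256).digest()
    return blob, tag

def unseal(blob: bytes, tag: bytes, pcr: bytes, srk: bytes):
    """Release the secret only if the current PCR reproduces the wrap key."""
    wrap = hashlib.sha256(srk + pcr).digest()
    if not hmac.compare_digest(tag, hmac.new(wrap, blob, hashlib.sha256).digest()):
        return None  # platform state differs: the key stays inside the TPM
    return bytes(a ^ b for a, b in zip(blob, wrap))

# Constructed sample values: a storage root key, a 256-bit volume master key
# and a three-stage boot chain (not real firmware or Windows binaries).
SRK = b"constructed-storage-root-key"
VMK = bytes(range(32))
GOOD_CHAIN = [b"firmware-v1", b"bootmgr-v1", b"winload-v1"]

def bitlocker_boot(chain, blob: bytes, tag: bytes, srk: bytes = SRK):
    """Measure the chain that actually booted, then try to unseal the VMK."""
    return unseal(blob, tag, measure_boot(chain), srk)

if __name__ == "__main__":
    blob, tag = seal(VMK, measure_boot(GOOD_CHAIN), SRK)
    print("trusted chain ->", bitlocker_boot(GOOD_CHAIN, blob, tag) == VMK)
    tampered = [b"firmware-v1", b"other-os-loader", b"winload-v1"]
    print("tampered chain ->", bitlocker_boot(tampered, blob, tag))
```

Any change to a boot component, to the order of the chain, or to the TPM holding the secret yields a different wrap key, so the unseal fails and the volume key is never released.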

58
(No Transcript)