Bluehat 2014 Looking back and driving forward Chris Betz Senior Director Microsoft Security Response Center

Upload: barrie-ronald-cole

Post on 23-Dec-2015


Page 1

Bluehat 2014

Looking back and driving forward

Chris Betz, Senior Director, Microsoft Security Response Center

Page 2

Microsoft Security Response Center

Investigate Vulnerability Reports

Address vulnerabilities before they affect [email protected]

Lead Security & Privacy Response

Company-wide response process

Cross-community Engagement

Partner with security industry and CERTs

Create community with vulnerability finders

Security Technology

Capabilities that improve security, detections and response for our customers

Page 3

Snapshots of the past year

Page 4

A recap

Page 5

A recap

Page 6

A recap

Page 7

A recap

Page 8

A recap - Ransomware

Page 9

Exploited Microsoft remote code execution CVEs

Zero-day exploits have accounted for the bulk of Microsoft remote code execution vulnerabilities.

[Chart: Microsoft RCE CVEs, by timing of first known exploit. Series: After 30 days, Within 30 days, Zero day. X-axis: 2006 to 2013. Y-axis: 0 to 80.]

Page 10

CCM by OS and service pack

[Chart: computers cleaned per 1,000 scanned (CCM) in 3Q13 and 4Q13, by Windows version and service pack. Versions: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012; service-pack columns as labelled on the chart: SP3, SP2, SP1, RTM, RTM, SP2, SP2, RTM, SP1, RTM. Y-axis: 0.0 to 35.0 CCM.]

• This data is normalized; that is, the infection rate for each version of Windows is calculated by comparing an equal number of computers per version.

• Infection rates in 4Q13 were many times higher on all supported Windows client platforms than they were in 3Q13, because of the influence of Win32/Rotbrow.

Page 11

What have we been thinking and talking about

Page 12

Security technology and vulnerabilities

• Use-after-free

• UEFI and device security

• Post-exploitation & persistence

• Sandboxes

• Botnets

Page 13

The Defense Dialog

• Threat Intelligence

• Privacy and Security

• Credential Theft

• Vulnerability-free exploitation

• Big data for security

• Defending the cloud

Page 14

Beyond Protection

Protect

Detect

Respond

Page 15

Attacker’s asymmetry

• Defender must defend entire attack surface

• Attacker must find (or make) one gap

• Defenses, defense-in-depth, resilience, detections, and response all reduce attack surface or limit damage

Page 16

Hanging together

• Attacker’s advantage is a simplification – perhaps an oversimplification

• Mostly true at the engagement level

• We are focusing at the wrong level of conflict

• Think campaign, not engagement

“We must, indeed, all hang together or, most assuredly, we shall all hang separately.” – Benjamin Franklin

Page 17

Defenders’ advantage

• A campaign isn’t a single target – attackers reuse resources and rely on secrecy

• An attacker’s success depends on their ability to keep defenders from detecting and defeating their campaign.

• Defenders need only one gap in an attacker’s secrecy to detect, illuminate, and defeat an adversary.

• When defenders share and act on intelligence it can take only one slip in secrecy to defeat an attacker’s campaign.

Page 18

An attacker’s campaign

[Chart: campaign types (Opportunistic, Regional target set, Specific target set, Single target) against campaign elements (Capabilities, Infrastructure, Operations, Opportunity). Axes: Cost per target; Amount of Reuse.]

Page 19

Traditional defense – effect on campaign

[Chart: campaign types (Opportunistic, Regional target set, Specific target set, Single target) against campaign elements (Capabilities, Infrastructure, Operations, Opportunity). Axis: Cost per target.]

* Defense affects all adversaries

Page 20

Acting on Threat Intel – campaign impact

[Chart: campaign types (Opportunistic, Regional target set, Specific target set, Single target) against campaign elements (Capabilities, Infrastructure, Operations, Opportunity). Axis: Cost per target.]

* Defense affects targeted adversary

Page 21

A few thoughts on what’s next for us

Page 22

Secure Development and Operations

If we needed a reminder – there’s no replacement for consistent secure development and operations

• Requirements

• Design

• Development

• Verification

Response to vulnerabilities is critical

Page 23

Beyond Exploitation

• Protect, Detect, Respond

• Threat intelligence

• Cooperative defense

• Automated machine speed sharing

• Privacy and credentials

• Services and defense networks

• High security enclaves

• Not just devices, software, or services

Protect

Detect

Respond

Page 24

© 2013 Microsoft. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.