Baking in security, the Microsoft way
By Benjamin Cher March 18, 2016
- Software released only after security development lifecycle complete
- Security need not be expensive, list of top 35 strategies companies can use
SECURITY vendors always tout the amount of threat intelligence they collect or the number of incidents they detect, but almost none has an overview into an entire ecosystem quite like Microsoft Corp, says one senior executive.
With the Windows operating system still the market leader in the personal computing space, the view that Microsoft has into the threat landscape is immense, according to Pierre Noel, chief security officer, Asia, Microsoft.
And it has learned some lessons along the way, which have shaped its stance on security today, he admits in a recent conversation with Digital News Asia (DNA) in Singapore.
“Bolting on security on top of a system not designed for security is a recipe for failure, it doesn’t work.
“We learned it the hard way – I usually have this moment when I tell people that Microsoft has not always been a company focused much on security, we have got to be blunt about that,” he adds.
The Microsoft of yore had serious security problems: its software would routinely be compromised within days of release. Microsoft was, in essence, a security punching bag.
“14 years ago, Microsoft would release a piece of software and four days later, the software would be hacked to death,” says Noel.
“The big difference between Microsoft 14 years ago and Microsoft today is that we have taken stock of the problem.
“We can no longer afford any piece of software within Microsoft to be released unless the software is under the security development lifecycle programme,” he adds.
The Microsoft security development lifecycle mandates that the developer understand the threats and what could go wrong even before coding begins.
“You ensure that your piece of code is made increasingly more secure as you put it through the lifecycle,” says Noel. “When someone identifies a weakness in your code, you can fix it through the cycle.”
Trustworthy Computing
The key turning point for Microsoft was the ‘Trustworthy Computing’ memo sent by cofounder and then chief executive officer Bill Gates on Jan 15, 2002, which acknowledged that the company was being battered by the user and security communities over the vulnerability of its ubiquitous software.
It called for a new way of developing software at the company, where security isn’t just patched on.
“So now, when we face a choice between adding features and resolving security issues, we need to choose security,” wrote Gates. “Our products should emphasise security right out of the box, and we must constantly refine and improve that security as threats evolve.”
The idea of developing software with security in mind should be an essential practice today, but few organisations do it, laments Noel.
“The reality however, and it is especially true in Asia, is that few organisations including software houses build a system or application with security in mind.
“There is an ISO (International Standards Organisation) standard that defines the security development lifecycle, but few organisations mandate that applications be written according to that standard,” he says.
This is worrying when application security is now more important than ever, since cybercriminals are targeting apps as the easiest point of entry.
“In the past, the bad guys would attack your environment through your OS (operating system), but OSes have got way better from a security point of view,” says Noel.
“They then started attacking things like Java and Acrobat, but even those got better, so the bad guys today are attacking applications because they know applications don’t have that level of security that infrastructure has,” he adds.
Defending Windows
The Windows OS includes easy-to-use antivirus software called Windows Defender, but even Noel warns that catching 100% of malware is not the mark of good antivirus software.
“People think that a good antivirus can catch all the viruses you send at it – if it can catch 90% of all viruses, it’s a good antivirus software; if it can catch only 40%, it’s a bad antivirus software.
“Windows Defender was designed as a simple, easy-to-use antivirus; it was not designed to be something that can catch every single virus that has been generated over the last 20 years – because some of these are totally irrelevant,” he says.
“Having the best antivirus in the world does not mean you are 100% protected from any form of attack,” he adds.
Which is why Microsoft, like many security vendors, is advocating a ‘defence in depth’ strategy that relies on different types of protection at different layers.
And this is where Microsoft’s reach comes into play, with its ability to gather data in real time to see trends and react accordingly, Noel declares.
“The difference between Microsoft and anyone else on the planet is that we’ve got data, we’ve got billions of computers running our stuff, we know where the viruses are, we know which viruses are prevalent.
“I know exactly what viruses are in Singapore and I can show you the trend and evolution of attacks in Singapore for the last 10 years,” he adds.
Microsoft is taking the data collected from the billions of computers running Windows to make Windows Defender more effective, but Noel stresses that “our Windows Defender is just another layer in this defence.”
The company is also tapping the cloud for defence.
“With the cloud, we can build machine intelligence,” says Noel. “We have a huge amount of information we can extract from in order to be more reactive and intelligent about the reality of attacks.
“What we are doing now is beefing up Windows Defender with cloud machine intelligence.
“Windows Defender is becoming exponentially more clever, and our overall security approach is becoming more clever as it has all the power of the cloud sifting through the information in real-time,” he adds.
And this is a revolution for cybersecurity: Collecting information to better understand what is going on, according to Noel.
“Building intelligence and knowing where to look, this is the path we have chosen – collecting as much information from as many sources as possible, and making the intelligence actionable,” he says.
“Not only are we using it inside Microsoft, increasingly we are creating solutions that have this intelligence embedded, and that’s what you see with Windows Defender,” he adds.
Threat intelligence shared is security effectiveness doubled: Microsoft is not averse to sharing the information it collects because it does not have the same business model as a cybersecurity company.
“We are not in the business of selling intelligence, we have no interest in selling our intelligence – we don’t think this is what Microsoft should be doing, and we don’t think it is the right thing to do either,” says Noel.
Microsoft also collaborates with various governments’ Computer Emergency Response Teams (CERTs), and offers the intelligence it gathers for free.
“We give them that information for free, because we believe doing this will increase the security of the community,” says Noel.
The Windows vs Windows issue
Windows has been around for about 30 years now, but really only started its mainstream market dominance with the release of Windows 95 in – when else? – 1995.
Since then, the various iterations have created a disparate ecosystem of Windows versions, from the hugely popular Windows XP to the hiccup that was Windows Vista. It’s hard to keep track of them all.
In terms of security, it doesn’t help that Windows XP – first released in 2001 – was so popular that when Microsoft ended support for the OS in 2014, some users refused to budge. Security company Trend Micro Inc found that even one month after support had ended, 32% of the world’s PCs were still running Windows XP.
No surprise that Noel recommends users upgrade to Windows 10, its latest release. Beyond the obvious commercial dimension, there is the security aspect, especially given that the company is approaching Windows development very differently now.
“At Microsoft, we have taken a decision that Windows 10 is going to be the last release of Windows,” he says.
“We are changing the scheme – instead of coming up with a new version every three years that affect the compatibility of applications, we will do subtle changes almost on a daily basis, and those changes are so minor they would not affect applications,” he adds.
Microsoft has long faced a user base running outdated versions of Windows, and the company can no longer protect those systems adequately, Noel argues.
Microsoft has decided to draw a line in the sand and make Windows 10 the last upgrade a user ever has to make.
“If you move to Windows 10 it will be a smooth ride, especially from a security angle – we have significantly and exponentially changed the security infrastructure,” he declares.
The cost issue, and the Top 35
Beefing up cybersecurity usually means spending money on new technologies. This need not be the case, as companies can start with initiatives that do not suck up half the entire IT budget, Noel argues.
“To be more secure does not necessarily mean you need to invest more money,” he says, citing the example of an Australian Government initiative.
The country’s administration was facing the same problem many organisations face, with the various agencies at the federal and state level having different levels of cybersecurity readiness.
There was a need to achieve a baseline and come up with a set of rules to impose across agencies for a ‘good enough’ security posture, according to Noel.
Working with Microsoft, the Australian Government came up with a document detailing the Top 35 Strategies to Mitigate Targeted Cyber Intrusions.
“The Top 35 lists, in priority order, the 35 things you have to do to ensure your environment is truly effective against cybersecurity incidents,” says Noel.
These include simple strategies such as application whitelisting, and patching applications and operating systems, nothing that is “rocket science,” he argues.
“None of them will require the customer to buy expensive licences or consulting, most of it is just common sense.
“For example, one of the top four is that every employee needs to have a standard user account.
“If you are a system administrator, you can use your privileged account to do sysadmin activities, but day-to-day activities like sending an email or browsing the Internet should be from your standard account,” he adds.
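The account separation Noel describes is easy to state and easy to lose track of on real machines. The PowerShell script below is an added example, not code from the article or from Microsoft: it audits the local Administrators group and reports every member that is not on an approved list of privileged accounts, so that day-to-day users who have quietly accumulated admin rights can be moved back to standard accounts. It assumes Windows 10 or Server 2016+ (for the built-in LocalAccounts cmdlets) and an elevated session; the approved-account names are hypothetical sample values.

```powershell
# Added example (not from the article): report who holds local admin rights on this machine.
# Assumes Windows 10 / Server 2016+ with the LocalAccounts module; run from an elevated session.

function Get-LocalAdminReport {
    [CmdletBinding()]
    param(
        # Accounts that are *meant* to be privileged. Hypothetical sample values;
        # replace with the names your organisation has approved for admin use.
        [string[]]$ApprovedAdmins = @('Administrator', 'svc-backup-admin')
    )

    # Get-LocalGroupMember returns local users, domain users and groups that sit in Administrators.
    $members = Get-LocalGroupMember -Group 'Administrators'

    foreach ($m in $members) {
        # Member names arrive as COMPUTER\name or DOMAIN\name; compare on the short name.
        $shortName = ($m.Name -split '\\')[-1]

        # For local user accounts we can also see whether the account is enabled and when it last logged on,
        # which helps spot personal accounts that are used daily with admin rights.
        $enabled   = $null
        $lastLogon = $null
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            $u = Get-LocalUser -Name $shortName -ErrorAction SilentlyContinue
            if ($u) {
                $enabled   = $u.Enabled
                $lastLogon = $u.LastLogon
            }
        }

        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass      # 'User' or 'Group'
            PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD or MicrosoftAccount
            Enabled         = $enabled
            LastLogon       = $lastLogon
            Approved        = ($ApprovedAdmins -contains $shortName)
        }
    }
}

# Anything listed here is an admin-group member that the approved list does not account for.
# Review each entry; an interactive user account showing up here is exactly the case Noel warns about.
Get-LocalAdminReport |
    Where-Object { -not $_.Approved } |
    Format-Table Name, ObjectClass, PrincipalSource, Enabled, LastLogon -AutoSize

# Remediation is deliberately not automated: once a personal account has been confirmed,
# give the user a standard account for daily work and then run, for example,
#   Remove-LocalGroupMember -Group 'Administrators' -Member 'COMPUTER\username'
# (Remove-LocalGroupMember supports -WhatIf if you want to preview the change first.)
```

Run it on a handful of workstations and the output is usually enough to show whether the “standard account for daily work” rule is actually being followed; on a domain, the same idea is applied through Group Policy Restricted Groups or an equivalent configuration-management check rather than by hand.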
For companies unsure how to begin their cybersecurity efforts, Noel suggests Australia’s Top 35 list, which can be downloaded, as a good start.