10 Years of Trustworthy Computing at Microsoft

TwC Next

Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewaterhouseCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I would leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along two lines:

  • Oh, you are joining a desktop company? Why?
  • A security guy? Joining Microsoft? hmm…

So, these reactions came from the time immediately before we launched Windows XP (you are not on XP today, are you? If you are, read this article). Microsoft was not perceived as an enterprise player and was not seen as secure – they were wrong back then in the first case but right in the second one, I guess. I joined as part of the consulting organization but soon met the country manager and had a chat with him about the perception of Microsoft’s security in the market. We (say: he :-)) then decided that we needed to work on that and that I should draw up a job description – the job was then called Chief Security Officer and Chief Security Advisor later on. And then Nimda hit! And then Blaster hit! And then Slammer hit! I had the “privilege” back then to run the incident response team in Switzerland and had the privilege of having customers screaming at me, telling me that we fucked up (that was a quote).

Interestingly, in the meantime the famous Bill Gates memo hit the streets, saying:

There are many changes Microsoft needs to make as a company to ensure and keep our customers’ trust at every level – from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers’ view of us as a company.

and even more important:

In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.

This memo led to the creation of Trustworthy Computing, with Scott Charney running the organization since its beginning. Scott then created the Chief Security Advisor community, the community I have been in since the beginning and have the honor to run today globally.

Coming back to the beginning: I remember the first keynote I did for Microsoft was on Trustworthy Computing immediately after this announcement. People approached me in the breaks and asked me whether I really believed what I had just said: that Microsoft is going to change. And I confirmed that. I have never seen (not before nor after) a company stopping development for almost four months to address issues and then change the way the company operates – that radically. I would never ever have put my name and my credibility at risk if I had not believed it back then, and I am still convinced that we did and still do an outstanding job and that we are leading the industry today. Interestingly, I do not get these questions anymore…

So, what happened over these 10 years of Trustworthy Computing? What were significant achievements? Well, there are numerous and I have to apologize to the teams I am not mentioning here upfront…

  • Immediately after SQL Slammer in 2003 we spun up a process called Software Security Incident Response Process (SSIRP), a process which is still in place today and which we constantly adapt to new threats and especially new challenges. This was a huge effort as we needed to be able to ramp up an incident organization all across the globe 24x7 – and we still are today.
  • Probably the biggest and most fundamental change was the way we develop software. We introduced the Security Development Lifecycle (SDL) and constantly keep it updated. Not only did we change the development process internally, we make this information available to the industry for free. Others should be able to learn from what we learned in the past. What concerns me is the slow adoption of such methodologies on the vendor side as well as on the customer side. Who really asks for a process? Typically customers ask for product certification but not for a sound process – something we as an industry need to continue to change.
  • Different teams were spun up to address security reactively, like the Microsoft Security Response Center and the Malware Protection Center.
  • Since 2006 we have published our Security Intelligence Report – the most comprehensive report in the market.
  • Our Digital Crimes Unit is fighting cybercrime from a legal as well as from a technology perspective. We are working closely with the Council of Europe and other organizations to improve the legal situation. We are taking down botnets like Waledac, Rustock and Kelihos in close collaboration with the authorities. We are providing technology to fight sexual exploitation of children, like PhotoDNA.

A lot of things happened over the course of the years and there is still a lot to do. These are just some highlights (besides the creation of the Chief Security Advisor community).

If you want to see a condensed version of the “life” of Trustworthy Computing, here you go:

And the official story on the news center: At 10-Year Milestone, Microsoft’s Trustworthy Computing Initiative More Important than Ever

Sometimes I am asked how many people work at Microsoft on security. And the answer is “everybody” (well, almost :-)). It is not something we separate and put into a team labeled security. It is part of all our lives to one extent or another, and this is the way it should be.

If I had one wish for 2012, it would be that the industry would stand together much more closely to address the issues of today and the future. I do not see security as something the industry should compete on – rather collaborate to fight the criminals, together with the governments and the governments together with us. I was already fairly vocal about this at the Octopus Conference and will continue to ask for it. To help with this dialogue, we published a model called Cybersecurity Agenda for Governments and will soon publish a book on it as well.

In parallel, the teams internally will continue their great work to bring Trustworthy Computing to the next level. All of this is needed when we consider that a third billion devices will be added to the Internet in the next five years!

Roger

10 Reasons to migrate off Windows XP

I would like you to sit back, close your eyes and think about the year 2001. Think about how you used technology back then, how you used the Internet. Now, let’s take it a little bit further back in history and think of the year 2000. Just after we realized that the Year-2000-Problem was handled . . . → Read More: 10 Reasons to migrate off Windows XP

Office 365 Becomes First and Only Major Cloud Productivity Service to Comply With Leading EU and U.S. Standards for Data Protection and Security

A long title but this was the title of the official press statement yesterday. Compliance is always a key question in the public cloud space. Therefore it is very important for us that we now achieved three things:

Office 365 is compliant with EU Model Clauses, Data Processing Agreements and ISO 27001 among other standards. . . . → Read More: Office 365 Becomes First and Only Major Cloud Productivity Service to Comply With Leading EU and U.S. Standards for Data Protection and Security

Implementing the Top 4 Defense Strategies

The Australian Defence Signals Directorate maintains a list of the Top 35 Mitigation Strategies against targeted intrusions. This is just a reference to the top strategies:

  • Patch Applications
  • Patch the Operating System
  • Minimize the use of local admin
  • Application whitelisting
  • …

Looking at these 35 strategies, the DSD claims that

While no single strategy can . . . → Read More: Implementing the Top 4 Defense Strategies

Council of Europe Octopus Conference- Some Thoughts

I am still sitting in the parliament room of the Council of Europe at the celebration event for the Budapest Convention. It was another very good event advancing on the challenges of fighting cybercrime. Let me try to summarize a few thoughts:

The Budapest Convention is probably the best convention out there allowing a wide adoption of . . . → Read More: Council of Europe Octopus Conference- Some Thoughts

Cooperation against Cybercrime- Octopus Conference

It is time again! The Council of Europe Octopus Conference on Cooperation against Cybercrime is taking place this week. This year it is even the 10th anniversary of the Budapest Convention. Therefore a broad community of legal, law enforcement and private sector organizations are discussing the current state and the future of the collaboration to . . . → Read More: Cooperation against Cybercrime- Octopus Conference

Cyber War Will Not Take Place

I have to admit – it is not my title but it caught my attention. Over the course of the last few years, the term “Cyberwar” came up all over the place. I was recently reading a book on it, where there was a chapter called “Definition of Cyberwar” and I thought that finally somebody . . . → Read More: Cyber War Will Not Take Place

How to manage “Bring your own device”

A few years back a customer’s CSO left the room when I said that this customer should start thinking about a scenario where selected users bring their own devices – he called me “nuts”. Well, I think the smartphone area proved me right. Basically the smartphones were the first Bring Your Own Device (BYOD) as . . . → Read More: How to manage “Bring your own device”

Finally I have the app: TouchMountain–a “must have” (at least for me)

As I said in one of my recent posts Comparing Windows Phone 7 and iPhone, there are very few apps I am (and now was) missing on my Windows Phone 7 compared to what I know of the iPhone Apps. Actually the one which I was really missing was something like Peaks on the iPhone . . . → Read More: Finally I have the app: TouchMountain–a “must have” (at least for me)

Connecting with your Windows Phone 7

I tried to convince my wife that using the Windows Phone 7 to keep track of the shopping to do is a cool idea. Well, she is not there (yet). And now I saw the latest commercial…

Probably I should convince my kids, not my wife

Roger

. . . → Read More: Connecting with your Windows Phone 7
