For more than a decade I worked for Microsoft. I saw all the progress Microsoft made with Trustworthy Computing since Blaster and the introduction of Windows XP SP2. I defended Microsoft's moves in the field as Chief Security Advisor in Switzerland, afterwards for EMEA, and finally I was globally responsible for this outstanding community. For the whole decade I was proud of what the company did and of the progress we were making on the security front. And I was – and still am – convinced that Microsoft was setting the bar in a lot of areas:
- Windows XP and all the following Windows versions introduced a lot of technology which improved security tremendously (like DEP, ASLR...)
- The Security Development Lifecycle was really groundbreaking
- The Microsoft Security Response Center did an outstanding job of improving the quality of the security updates. This led some customers to finally stop testing updates, as the testing effort had become bigger than the potential roll-back cost
- One of the most complex processes to manage was the process around Update Tuesday. And it improved step by step until the Advance Notification Service was introduced
- And there were a lot of other areas...
Just for full disclosure: when I left Microsoft about 18 months ago, I did not leave because I wanted to leave Microsoft but because I could (and still can) build the centralized security organization at Swisscom, working as CSO directly for the CEO. An opportunity I could not let go – and I enjoy every moment of it.
Back to Microsoft: there are signs which really worry me. The reorganization at Microsoft, where Trustworthy Computing was broken apart, might make sense. I cannot and do not want to judge that from the outside – that would be fairly arrogant. But I have seen a lot of really good security people leave Microsoft before and after the reorganization. That by itself could be attributed to the reorganization.
But then, if we look at patch quality, this really gets worrisome. It has dropped over the last months, reaching a really challenging level recently. Patches need to be pulled, causing serious problems on production systems, etc. And often these were patches for which we had started an emergency patch process. So less testing and more trust in the vendor – a strategy we will re-think – but this leaves us exposed for a longer period of time.
And now, the decision to "evolve" the Microsoft Advance Notification Service. Sorry, this is not an evolution (unless you call a significant step back an evolution). The official wording is:
ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically. More and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations. Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating.
For Premier customers who would still like to receive this information, Microsoft will continue to provide ANS through their Technical Account Manager support representatives. ANS will also continue to be provided to current organizations that are part of our security programs such as the Microsoft Active Protections Program. For customers without a Premier support contract, we recommend taking advantage of myBulletins, which enables customers to tailor security bulletin information based on only those applications running in their environment.
This is a quote from Evolving Microsoft’s Advance Notification Service in 2015.
Maybe I am biased at the moment but I do not get this:
- If customers are not using the service (based on the assessment), why not drop it altogether? Making it a "for-fee option" is kind of counter-intuitive to me.
- If you prepare ANS anyway (for Premier customers), why not just distribute it? The additional cost cannot be the issue... (is there any additional cost?)
- As the patch quality drops, the requirement for testing increases, which means the value of the ANS gets bigger.
To me, Microsoft set the bar but is now lowering it step by step. This makes me very, very sad, and I would appreciate it if somebody with decision power would re-think the strategy. It took us approximately 10 years to really gain the trust of the customers in this space, and currently you are working hard to lose it again...
Technology (and the public cloud) will not be the only reason to choose a partner in the future.
- Microsoft Will Stop Sharing Advance Notification Service (ANS) On The Web (microsoft-news.com)
- Microsoft Ends Free Patch Tuesday Security Notices (packetstormsecurity.com)
- Pre-Patch Tuesday alerts no longer publicly available (net-security.org)
- Microsoft Ends Free Public Advance Security Notification Service (eweek.com)
- Evolving Microsoft’s Advance Notification Service in 2015 (blogs.technet.com)