Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Design - Center

advertisement 
INDIA │ 22-24 November 2010
virtual techdays
Security @ Microsoft
Anirudh Singh Rautela │ Technology Specialist - Security
INDIA │ 22-24 November 2010
virtual techdays
Agenda
• The Microsoft TWC Initiative
• Security & Privacy Progress
• Windows Platform Security
Predictable,
consistent,
responsive
service
Commitment
Microsoft
to customer-centric
Security
Response
Microsoft
Interoperability
Center
Privacy
(MSRC)
Guidelines
for developing
Software
Maintainable, easy to
configureMalware
and
manage
Microsoft
Automated
Policy
Protection
based
solutions
Center
(MMPC)and Services
Resilient,
works
despite
changes
Microsoft
Data
Governance
Recognized
Microsoft
industry
Security
leader,
Engineering
world-class
Center
partner
(MSEC) Framework
Recoverable, easily restored
Open, transparentManaging and Protecting
Proven, ready to operate
Personal Information
Secure
Build solutions that protect privacy Microsoft Online Crash Analysis
Interop Vendor Alliance
SQL Server 2005
against attacks
Engineering Excellence Training and GuidelinesOpen Source Software Lab
Safe guard your corporateVisual
data
Studio 2005
Protects confidentiality,
Services with high
Protect Personal Privacy
Transparent Practices
WindowsMicrosoft
Server Online Windows
integrity and availability
reliability in multiple
data centers
(SDL,
Codeplex, etc.)
Defender
TWC
Windows
2003 SP1
Windows
Vista
Windows
of data and systems
Vendor
Engagement
and
Windows
Hardware
Quality
Lab
Windows
Windows
Announced
XP SP2
Malicious SW
Office 2007
Server 2008
Business
designed Forefront
Server 2003
Liveexplicitly
OneCare
Removal
ToolContinuity
SDL begins
DSI Launched
SQL Server 2008
in with prescriptive guidance
2002
2003
2004
2005
2006
2007
2008
TwC Security
Protecting Microsoft customers throughout the entire life cycle
(in development, deployment and operations)
Microsoft Security
Response Center
(MSRC)
Conception
EcoStrat
MSRC Ops
SDL
MSRC Engineering
Microsoft Malware
Protection Center
(MMPC)
Microsoft Security
Engineering Center
(MSEC)
Security Assurance
Security Science
Release
Conception
Protect Microsoft customers by
Reducing the
of vulnerabilities
Reducing the
of vulnerabilities
Release
Prescriptive yet
practical approach
Proactive – not just
“looking for bugs”
Eliminate security
problems early
Secure by design
At Microsoft, we believe that delivering secure software requires
Executive commitment  SDL a mandatory policy at Microsoft since 2004
Verification
Response
Release
Training
Core training
Requirements
Analyze
Implementation
Requirements
Training
Design
Design
Threat
security and
modeling
Dynamic/
Response
Response
privacy risk
Attack surface
Define
quality
Fuzz
testing analysis
plan
execution
gates
Verify threat
Final security
models/attack
review
surface
Release
archive
Implementation
Verification
Specify tools
Enforce banned
functions
Static analysis
Dynamic/Fuzz
testing
Verify threat
models/attack
surface
Release
Response plan
Response
Response
Specify
Analyze
Threat
tools execution
Final security
Core
training
review
security
modeling
and
Release banned
Enforce
archive
privacy
risk
functions
Attack surface
Define
analysis
quality
Static
analysis
gates
Ongoing Process Improvements  6 month cycle
Infrastructure
Optimization
Microsoft Security
Assessment Toolkit
Microsoft Windows Vista
Security Whitepapers
Microsoft Security
Intelligence Report
Microsoft IT
Showcase
Security
Tools & Papers
Security
Readiness
Learning Paths for
Security Professionals
Education
and Training
Global Phishing
Enforcement
Initiative
Digital PhishNet
Global
Infrastructure
Alliance for
Internet Safety
Virus Information
Alliance
Threats & Counter measures
Security Risk Management Guide
Fundamental Computer Investigation Guide
for Windows
Microsoft Security Assessment Tool 4.0
MBSA Tool & Scripts
Microsoft Security Compliance Manager
Security Awareness Toolkit
SysInternals Toolkit
Security Literature to read
Misc. Security Tools for Admins
SDL and SD3
Defense in Depth
Threat
Mitigation
Security Development
Lifecycle process
Engineered for security
Design threat modeling
SD3
Secure by Design
Secure by Default
Secure In Deployment
Automated patching and
update services
Malware Example
Consumer Education
Laws
Firewalls
Antivirus Products
Antispyware Products
Malicious Software
Removal Tool
Memory Management
(ASLR)
Law Enforcement
Microsoft Security
Response Center (MSRC)
Microsoft Malware
Protection Center (MMPC)
Windows Live OneCare and
Forefront Client Security,
powered by the Microsoft
Malware Protection Center
SPAM (Sender ID,
Phishing Filters)
Network Access Protection
(NAP/NAC)
Blaster
Sasser
Zotob
MS08-067
August 2003
April 2004
August 2005
October 2008
Alert and prescriptive
guidance
Within
1 day
Within
2 hours
2 days
prior
Before
publicly known
(MAPP)
Online guidance/
Webcast
Within
10 days
Within
2 days
Same day
3 times, 2x
Same day
Free worm
removal tool
Within
38 days
Within
3 days
Within
3 days
Didn’t
need one*
Days after the patch
we knew of 1st exploit
+11 days
+4 days
+2 days
-11 days
Products not affected
by attacks
none
none
XPSP2
Vista, Win7
Server 2008
By half year – industry wide
Vulnerability disclosures in 2H08 down 3% from 1H08
2008 as a whole down 12% from 2H07
Microsoft proportion only 5% of industry total
Industry-wide vulnerability
disclosures by half-year, 2H03-2H08
Vulnerability disclosures for Microsoft products,
by full year, 2004-2008
300
3500
3000
250
2500
200
2000
150
1500
1000
100
500
50
0
0
2004
2005
2006
2007
2008
“Why try to chase a difficult overflow out of Vista
when you have Acrobat Reader installed, some
antivirus software with shoddy file parsing, and the
latest iTunes?”
Halvar Flake
Security Researcher
Microsoft BlueHat Conference
September 2007
Given this situation, Microsoft deserves high praise
for creating, formalizing, and improving SDL as it
has led to better software for the masses.”
Jon Oltsik
Enterprise Strategy Group
September 2008
Core improvements to the Operating Systems
Security by Design, by Default and by Deployment
Freedom from intrusion
Social Engineering & Exploits
Reduce unwanted communications
Protection from harm
Browser & Web Server Exploits
Protection from deceptive websites,
malicious code, online fraud, identity theft
Control of information
Choice and control
Clear notice of information use
Provide only what is needed
International Domain Names
Pop-up Blocker
Increased usability
Secure Development Lifecycle
Extended Validation (EV) SSL certs
SmartScreen® Filter
Domain Highlighting
XSS Filter/ DEP/NX
ActiveX® Controls
User-friendly, discoverable notices
P3P-enabled cookie controls
Delete Browsing History
InPrivate™ Browsing & Filtering
Secure
Platform
Security Development Lifecycle (SDL)
Kernel Patch Protection
Kernel-mode Driver Signing
Secure Startup
Windows Service Hardening
x64 Hardware Integration
Rights Management Services (RMS)
Data
Protection
SharePoint, Exchange, Windows Mobile integration
Encrypting File System (EFS)
Bitlocker & Bitlocker To Go
Secure
Access
User Account Control
Network Access Protection (NAP)
IPv6
IPsec
Windows CardSpace
Malware
Protection
Windows Defender
IE Protected Mode
Address Space Layout Randomization (ASLR)
Data Execution Prevention (DEP)
Native smart card support
GINA Re-architecture
Certificate Services
Credential roaming
AppLockerTM
DirectAccess
Bi-directional Firewall /
multi profile Support
Windows Security Center
Secure
Platform
Security Development Lifecycle (SDL)
Windows Server Virtualization (Hypervisor)
Role Management Tool
OS File Integrity
Data
Protection
Rights Management Services (RMS)
Full volume encryption (Bitlocker)
USB Device-connection
rules with Group Policy
Improved Auditing
Windows Server Backup
EFS
DirectAccess
Network
Protection
Network Access Protection (NAP)
Server and Domain Isolation with IPsec
End-to-end Network Authentication
Windows Firewall With Advanced Security
On By Default
Identity
Access
Read-only Domain Controller (RODC)
Active Directory Federation
Services (ADFS)
Administrative Role Separation
PKI Management Console
Online Certificate
Status Protocol
Minimal installation option
Low surface area more secure
Command line interface
Less patching/Less downtime
DHCP
File/
Print
AD
(for example only)
TS
IAS
Web
Server
Share
Point
Etc…
Server
Server Core Server Roles
DNS
Server, Server Roles
Hyper
-V
Server Core
Security, TCP/IP, File Systems, RPC,
plus other Core Server Sub-Systems
Basic
Web
With WinFx, Shell, Tools, etc.
GUI, CLR,
Shell, IE,
Media, OE,
etc.
A well Managed Secure
Infrastructure is the key!
Services
Edge
Server
Applications
Information
Protection
Client and
Server OS
Active Directory
Federation
Services (ADFS)
Identity &
Access
Management
Certificate
Lifecycle
Management
Mobile Device
Data Manager 2008
Protection
Configuration Manager
Operations Manager 2007
Manager 2007
Systems
Management
TWC
SDL
INDIA │ 22-24 November 2010
virtual techdays
THANK YOU!
Related documents
Application software assignment
Application software assignment
Chapter 1Computer Concept
Chapter 1Computer Concept
Activities 1-5 - Classroom Websites
Activities 1-5 - Classroom Websites
MET 1103 Introduction to Computing
MET 1103 Introduction to Computing
Nichole Klocke de Rodriguez
Nichole Klocke de Rodriguez
Lecture Assignment 5 - Oakton Community College
Lecture Assignment 5 - Oakton Community College
Database Administration Fundamentals
Database Administration Fundamentals
Download
advertisement