Organizing for Resilient Operational Response Click to edit Master text styles – Second level Third level – Fourth level Fifth level Jerry Cochran, CISSP, CISM Director jerry.cochran@microsoft.com Global Security Strategy and Diplomacy Trustworthy Computing Security Ecosystem Trends Horizontal Integration Click to edit Master text styles – Second level Third level – Fourth level Fifth level Global Security Strategy and Diplomacy Trustworthy Computing Security Response Interactions Reverse Engineer Click to edit Master text styles – Second level Actors ¾Understand decision making process Third level ¾Engage all segments – Fourth level ¾Follow the “herds” Fifth level Technology ¾Identify attack & research trends ¾Extinguish classes of issues Bug Miner POC Coder IDS/AV Expert Software Vendor Botnet Herder Economics ¾Promote legitimate business models ¾Change the Equation: 9Increase the cost of malicious activities 9Reduce malicious actor ROI Malware Coder Exploit Writer Payload Coder Global Security Strategy and Diplomacy Trustworthy Computing Diverse Response Ecosystem Security Click to edit Master text Vendors – Second Securitylevel Researchers Third level – Fourth level Fifth level CERTs Microsoft styles Customers Microsoft Partners Microsoft Security Response Government Agencies Law Enforcement Press & Analysts Microsoft Product Groups Microsoft Field Global Security Strategy and Diplomacy Trustworthy Computing Responding to a Security Incident Microsoft Software Security Incident Response Plan Click to edit Master Alerttext styles and Watch – Second level Mobilize Third level – Fourth level Observe Convene and Fifth level environment to detect any potential issues Leverage existing relationships with: Partners Security researchers and finders Monitor customer requests and press inquiries evaluate severity Mobilize security response teams and support groups into two main groups: Emergency Engineering Team Emergency Communications Team Start monitoring WW press interest and customer support lines for this issue Assess and Stabilize Assess the situation and the technical information available Start working on solution Communicate initial guidance and workarounds to customers, partners and press Notify and inform Microsoft sales and support field Resolve Provide information and tools to restore normal operations Appropriate solution is provided to customers, such as a security update, tool or fix Conduct internal process reviews and gather lessons learned Global Security Strategy and Diplomacy Trustworthy Computing Microsoft Response Program Areas Click toCommunity‐based defense – edit Master text stylesMicrosoft Active Protection Program – Second level Third level Rapid response communications – SCPCert – Fourth level Fifth level Defensive security knowledge – Exploitability Index Isolate malicious software – MS Vulnerability Research Support of worldwide law enforcement and legislatures Global Security Strategy and Diplomacy Trustworthy Computing Coordinating Multi-vendor response Click to edit Master text styles International Consortium for Advancement of Security – Second level (ICASI) on the Internet Thirdexcellence level Drive and innovation in security response – Fourth level practices; and Fifth level Enable ICASI collaboration to proactively analyze, mitigate, and resolve multi-vendor, global security challenges Five Industry Members: Cisco, IBM, Intel, Juniper, Microsoft Operational Response Coordination Unified Security Incident Response Plan www.icasi.org Global Security Strategy and Diplomacy Trustworthy Computing A Security and Resiliency Continuum Click to edit Master text styles – Second level Third level – Fourth level Fifth level Global Security Strategy and Diplomacy Trustworthy Computing Resilient Operational Framework Click to edit Master text styles – Second level Third level – Fourth level Fifth level Global Security Strategy and Diplomacy Trustworthy Computing Click to edit Master text styles – Second level Third level – Fourth level Fifth level Global Security Strategy and Diplomacy Trustworthy Computing