Organizing for Resilient
Operational Response
Click to edit Master text styles
– Second level
Third level
– Fourth level
Fifth level
Jerry Cochran, CISSP, CISM
Director
jerry.cochran@microsoft.com
Global Security Strategy and Diplomacy
Trustworthy Computing
Security Ecosystem Trends
Horizontal Integration
Click to edit Master text styles
– Second level
Third level
– Fourth level
Fifth level
Global Security Strategy and Diplomacy
Trustworthy Computing
Security Response Interactions
Reverse
Engineer
Click to edit Master text styles
– Second level
Actors
¾Understand
decision
making process
Third
level
¾Engage all segments
– Fourth level
¾Follow the “herds”
Fifth level
Technology
¾Identify attack & research trends
¾Extinguish classes of issues
Bug
Miner
POC
Coder
IDS/AV
Expert
Software
Vendor
Botnet
Herder
Economics
¾Promote legitimate business models
¾Change the Equation:
9Increase the cost of malicious activities
9Reduce malicious actor ROI
Malware
Coder
Exploit
Writer
Payload
Coder
Global Security Strategy and Diplomacy
Trustworthy Computing
Diverse Response Ecosystem
Security
Click to edit Master
text
Vendors
– Second
Securitylevel
Researchers
Third level
– Fourth level
Fifth level
CERTs
Microsoft
styles Customers
Microsoft
Partners
Microsoft
Security
Response
Government
Agencies
Law
Enforcement
Press &
Analysts
Microsoft
Product
Groups
Microsoft
Field
Global Security Strategy and Diplomacy
Trustworthy Computing
Responding to a Security Incident
Microsoft Software Security Incident Response Plan
Click to edit Master
Alerttext styles
and
Watch
– Second level
Mobilize
Third level
– Fourth level
Observe
Convene
and
Fifth
level
environment to
detect any potential
issues
Leverage existing
relationships with:
Partners
Security
researchers
and finders
Monitor customer
requests and press
inquiries
evaluate severity
Mobilize security
response teams and
support groups into
two main groups:
Emergency
Engineering Team
Emergency
Communications
Team
Start monitoring
WW press interest
and customer support
lines for this issue
Assess
and
Stabilize
Assess the
situation and the
technical
information
available
Start working
on solution
Communicate
initial guidance and
workarounds to
customers, partners
and press
Notify and inform
Microsoft sales and
support field
Resolve
Provide information
and tools to restore
normal operations
Appropriate solution
is provided to
customers, such as a
security update, tool
or fix
Conduct internal
process reviews
and gather
lessons learned
Global Security Strategy and Diplomacy
Trustworthy Computing
Microsoft Response Program
Areas
Click toCommunity‐based defense –
edit Master text stylesMicrosoft Active Protection Program – Second level
Third level
Rapid response communications –
SCPCert
– Fourth
level
Fifth level
Defensive security knowledge – Exploitability Index
Isolate malicious software – MS Vulnerability Research
Support of worldwide law enforcement and legislatures
Global Security Strategy and Diplomacy
Trustworthy Computing
Coordinating Multi-vendor
response
Click
to edit Master
text styles
International
Consortium
for Advancement of Security
– Second
level (ICASI)
on
the Internet
Thirdexcellence
level
Drive
and innovation in security response
– Fourth
level
practices;
and
Fifth level
Enable ICASI collaboration to proactively analyze,
mitigate, and resolve multi-vendor, global security
challenges
Five Industry Members: Cisco, IBM, Intel, Juniper, Microsoft
Operational Response Coordination
Unified Security Incident Response Plan
www.icasi.org
Global Security Strategy and Diplomacy
Trustworthy Computing
A Security and Resiliency
Continuum
Click to edit Master text styles
– Second level
Third level
– Fourth level
Fifth level
Global Security Strategy and Diplomacy
Trustworthy Computing
Resilient Operational Framework
Click to edit Master text styles
– Second level
Third level
– Fourth level
Fifth level
Global Security Strategy and Diplomacy
Trustworthy Computing
Click to edit Master text styles
– Second level
Third level
– Fourth level
Fifth level
Global Security Strategy and Diplomacy
Trustworthy Computing
0
