Vale Security Conference - 2011 - 9 - Andrew Cushman

Vale Security Conference - 2011, Saturday, 9th talk. Speaker: Andrew Cushman. Talk: Strategies for evolving threats. Slides (SlideShare): http://www.slideshare.net/valesecconf/andrew-9665573

Page 1: Vale Security Conference - 2011 - 9 - Andrew Cushman

Andrew Cushman Senior Director Trustworthy Computing Security Microsoft Corporation

Page 2: Vale Security Conference - 2011 - 9 - Andrew Cushman

Who Am I?

Joined Microsoft in 1990

Worked on MSMoney, IIS, & now Security

Also Worked on “Patch Tuesday” & BlueHat

New-ish Job this Year – Seeking Non-Technical Security Solutions

Why Am I Here?

Discuss Changes and Suggest Responses

Adaptive Challenge Facing Us

Microsoft & Andrew are committed to Brasil

Brasil is Special & Unique

Page 3: Vale Security Conference - 2011 - 9 - Andrew Cushman

Product Life Cycle

Conception

Release

Policy and Ecosystem

Creation

Alignment

Page 4: Vale Security Conference - 2011 - 9 - Andrew Cushman

Diagram labels recovered from this slide (national cybersecurity framework):

Trusted Stack: Identity Management; Security/Priv. Fundamentals; Secure Development Standards

Law Enforcement Training and Collaboration

Intelligence Training and Collaboration

Defense Training and Collaboration

Partnerships with Private Sector

Incident Preparedness

National Risk Management

Cybersecurity Legislation

Supply Chain Security

Infrastructure: Critical National Infrastructure (CoreIO); Trusted Government Infrastructure (CoreIO)

Solutions: For Government Employees; For Citizens; For the Supply Chain

Public Safety

National Security

Health

Information/Data Protection

People Awareness and Know-How (Citizen, Children, Government Employees…)

Security Community Engagement

Intelligence (incl. CERT)

Collaboration with Critical Infrastructure

Incident Response

eGovernment

Privacy Legislation

Enable Secure Innovation

Cyberwarfare Doctrine

Education

Page 5: Vale Security Conference - 2011 - 9 - Andrew Cushman

7th largest IT market WW

6th country in PC Shipments WW

3rd in online time per user – 22h50min/month

5th largest cell phone market - 147M units

60% of all 3G Cell Phones in Latin America

2nd largest WW in number of Companies (620k new Companies only in 2010)

In the last 5 years, active internet users as a share of the total population grew from 24% to 43% (2009)

10th in broadband (256 kb) users - 9.1M users (4.8% of total 190M population)

Page 6: Vale Security Conference - 2011 - 9 - Andrew Cushman

People: Friendly, Smart, Hard-working, Creative, Stylish!, Proud & Humble at the same time

Culture: Diverse Society and a Rich History – Di Cavalcanti, Vinicius, Jorge Amado

Land of Opportunity: Geography – Huge country that is rich in resources (and people)

Government – Foundational Principles: Rule of Law

It Works: There is a Brazilian Way

Page 7: Vale Security Conference - 2011 - 9 - Andrew Cushman

Rapid Evolution and Adoption of Technology

Page 8: Vale Security Conference - 2011 - 9 - Andrew Cushman

People: Internet users estimated to reach 3 Billion by 2015 w/ bulk of users coming from Brazil, Russia, India, China and Indonesia

Devices: The number of internet connected devices is predicted to exceed 15 billion - twice the world's population - by 2015 and will likely reach 50 Billion by 2020.

Data: It’s estimated that 1 billion new Web pages are created daily and about 32 million domain names are added to the Web every year, with this number expected to rise dramatically in 2010.

Page 9: Vale Security Conference - 2011 - 9 - Andrew Cushman

25 million Facebook users in the country of 1.16 billion people, an increase of 1.78 million from the start of last month.

Indian Internet to grow from 81 M to 237 M Internet users by 2015

Page 10: Vale Security Conference - 2011 - 9 - Andrew Cushman

Cybercrime

Economic Espionage

Cyber Warfare

Military Espionage

Page 11: Vale Security Conference - 2011 - 9 - Andrew Cushman

Usage

Every aspect of our lives is now dependent on computers

Food, Energy, Finances, Entertainment, Clothing, Government

Future

Connectivity is like Oxygen

Data, Data, Data

Page 12: Vale Security Conference - 2011 - 9 - Andrew Cushman

Within a decade, more than 50 billion everyday objects could be collecting data and making it available online A growing amount of Internet traffic is originating with non-PC devices. In 2010, only 3 percent of Internet traffic originated with non-PC devices, but by 2015 the non-PC share of Internet traffic will grow to 15 percent. PC-originated traffic will grow at a CAGR of 33 percent, while TVs, tablets, smartphones, and machine-to-machine (M2M) modules will have growth rates of 101 percent, 216 percent, 144 percent, and 258 percent, respectively.

Page 13: Vale Security Conference - 2011 - 9 - Andrew Cushman

Non-traditional data sources: Sensors; GPS tracks; Web click streams

Non-traditional processing: Massive processing over semi-structured data; Less formal structural schemata; Machine learning grows up (Probabilistic, Ranking, Correlation)

Novel use cases: Historical mining to create real-time models; Saving and processing “all-data”

Page 14: Vale Security Conference - 2011 - 9 - Andrew Cushman

1 billion new Web pages are created daily and about 32 million domain names are added to the Web yearly, with sharp increases expected in 2011.

The “terabyte club” will reach 6 million by 2015. In 2015, there will be 6 million Internet households worldwide generating over a terabyte per month in Internet traffic, up from just a few hundred thousand in 2010. There will be over 20 million households generating half a terabyte per month in 2015.

The amount of data created, captured, and replicated in the world is growing at a compounded rate of 60% a year. By 2011, the digital universe will be 10 times the size it was in 2006. (IDC)

Page 15: Vale Security Conference - 2011 - 9 - Andrew Cushman

Threats

No longer just attacks on infrastructure

Attacks against Intellectual Property

And Attacks against the foundations

Attacks against business models

Recent Attacks & News

Anonymous & Lulz

Comodo, DigiNotar

Location issues w/ smart phones

Facial Recognition Talk from Black Hat http://www.face-to-facebook.net/hacking-monopolism-trilogy.php

Hacking Microcontrollers - Don Bailey’s BH Europe

Page 16: Vale Security Conference - 2011 - 9 - Andrew Cushman

Borrowing Concept from Harvard Business Review Article 1997

Key Concept – We need Technical Solutions && we need to Adapt (change) our thinking

Get On the Balcony

Identify the Adaptive Challenge

Adaptive Solutions – often from bottom up

Ronald Heifetz & Donald Laurie – HBR article: http://hbr.org/2001/12/the-work-of-leadership/ar/1

Page 17: Vale Security Conference - 2011 - 9 - Andrew Cushman
Page 18: Vale Security Conference - 2011 - 9 - Andrew Cushman

Security maturity levels (Basic, Standardized, Rationalized, Dynamic):

Basic – Tactical: Undefined Risk; Threat Ignorance; Unpredictable; Ad-Hoc and Manual; Unaware

Standardized – Proactive: Understood Risk; Threat Aware; Structured; Consistency; Awareness and Training

Rationalized – Holistic and Operational: Controlled Risk; Threat Intelligence; Integrated Security; Quantitatively Managed; Service-Oriented

Dynamic – Strategic and Optimal: Continuous Risk Management; Threat Management; Robust Governance; Automated; Culture of Security

Page 19: Vale Security Conference - 2011 - 9 - Andrew Cushman

Defend: Protect, Detect, Respond, Recover

Protect:

- Asset Classification

- Identity Mgmt (Users, Devices)

- Access Control (Network, Machine & Data)

- Training

Detect:

- Monitor (Baseline, Intrusions)

- Assessment (Vulnerabilities, Configurations)

- Reporting

Respond:

- Incident Response

- Emergency response

- Communicate

- Remediate (Quarantine, Clean, Patch)

Recover:

- Update (Software, Hardware, Procedures, Training, Defenses)

- Restore (Data & Facilities)

Page 20: Vale Security Conference - 2011 - 9 - Andrew Cushman

Maturity levels as on Page 18 (Basic, Standardized, Rationalized, Dynamic), with Microsoft services mapped across them:

- Desktop Image Engineering

- Active Directory Design & Deployment

- BitLocker Full-Volume Encryption

- Desktop Optimization and Configuration Management

- Security for Wireless Services

- Secure Public Key Infrastructure Solutions

- Strong Authentication using Smartcards

- Application Lifecycle Management Services 2010

- Network Access Protection with 802.1x Enforcement

- Desktop Virtualization Solutions

- Server Virtualization with Advanced Management - Virtual Desktop Infrastructure

- Network Access Protection with IPSec Enforcement

- Network Isolation Services

- Secure Web & Remote Access using Forefront TMG

- Enterprise Identity Lifecycle Management

- Data Protection using Active Directory Rights Management

- Server Virtualization with Advanced Management - High Availability Solution

- Seamless Access using DirectAccess and TMG

- Enterprise Federated Identity using ADFS

- Application Backup using System Center Data Protection Manager

- Client Anti-Malware Solutions

- Enterprise Configuration Management

- IT Enterprise Management: End-to-End Cross-Platform Monitoring

- Enterprise Mobile Device Management

- Client and Server Anti-Malware Solutions

- Windows Error Reporting Deployment Services

- IT Compliance and Reporting: End-to-End Monitoring

- Audit Collection Services

- System Error Reporting & Analysis Services

- Server Virtualization with Advanced Management - Centralized, Policy-driven Management

- Premier IR Support and Training

- Secure Development Lifecycle Training and Assessment Services

- Internet Crime and Forensics Investigations Education and Training Services

- Enterprise Recovery Services

Page 21: Vale Security Conference - 2011 - 9 - Andrew Cushman
Page 22: Vale Security Conference - 2011 - 9 - Andrew Cushman

Convergence – SSL Trust Agility

Moxie Marlinspike – BH USA

https://www.blackhat.com/html/bh-us-11/bh-us-11-archives.html#Marlinspike

DARPA RA-11-52 - The Defense Advanced Research Projects Agency's Cyber Fast Track program

https://www.blackhat.com/html/bh-us-11/bh-us-11-archives.html#Zatko

Dan Kaminsky’s NetNoob

Page 23: Vale Security Conference - 2011 - 9 - Andrew Cushman

First BlueHat Prize Challenge: Design a novel runtime mitigation technology that is capable of preventing the exploitation of memory safety vulnerabilities

Entry Period: Aug 3, 2011 – Apr 1, 2012

Winners announced: BlackHat USA August 2012

IP remains the property of the inventor, with a license for Microsoft to use the technology

• Grand Prize: $200,000 in cash

• Second Prize: $50,000 in cash

• Third Prize: MSDN subscription ($10,000 value)

Page 24: Vale Security Conference - 2011 - 9 - Andrew Cushman

Microsoft Confidential

Page 25: Vale Security Conference - 2011 - 9 - Andrew Cushman
Page 26: Vale Security Conference - 2011 - 9 - Andrew Cushman

Things that give me pause…

Page 27: Vale Security Conference - 2011 - 9 - Andrew Cushman

Technical Solutions On the Fast Track: Army CDCiber; Big Events – 2014 & 2016; RIC; Broadband

Urgent Need for Adaptive Solutions Too

But few Adaptive Solution Ideas & Environment continues to favor Technical Solutions

Cloud Transformation: Move to the Cloud is permanent – like concrete over farmland

Page 28: Vale Security Conference - 2011 - 9 - Andrew Cushman

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.