This article can also be found in the Premium Editorial Download "Information Security magazine: IDSes takes aim: Emerging "target-based" systems improve intrusion defense."
Download it now to read this article plus other related content.
I think we have made a good start over the last two years, and I believe we will have made enormous progress 10 years from now.
CEO of Microsoft
Security practitioners may one day sit around extolling the virtues of Windows 2014. Microsoft will have decreased the number of OS vulnerabilities, made rare patch applications trivial, and improved functionality and performance. Worms like Blaster and Slammer will have been consigned to the history blogs.
It's a nice picture, but not one that's visible today -- at least to enterprise security practitioners and the people who sign their paychecks.
Trustworthy Computing, Microsoft's two-year-old security initiative, aims to reverse the company's abysmal security record through a combination of gradual, steady improvements and better security features and functionality.
"I think we have made a good start over the last two years, and I believe we will have made enormous progress 10 years from now," says Microsoft CEO Steve Ballmer, in an e-mail interview with Information Security. "But, as we've said many times, it really is a journey, not a destination."
Ten years isn't an unrealistic timeframe for Microsoft Trustworthy Computing. But Microsoft's customers say they don't have 10 years. They need security improvements now. Each worm and vulnerability erodes confidence in what Trustworthy Computing is trying to accomplish.
"They got way behind this issue, and now what I'm hearing is they're coming out with new secure products in 2005 or 2006 that have code names for saving the world," says Dan Lohrmann, CISO of the state of Michigan, "but we're still left circling the wagons and have to live with the existing problems for the next couple of years."
That's the paradox Microsoft lives with. It's trying hard to improve security, but it's always measured by its last mistake. And while people acknowledge that it will take time for Microsoft to clean up its security mess, they also decry the slow pace of Trustworthy Computing's progress.
Although it's not always apparent, Trustworthy Computing has made significant progress. Windows Server 2003 is significantly more secure out of the box than any of its predecessors. Service packs have retrofitted security improvements to Win2K. The patch and security advisory program has been refined. And other applications, such as SQL Server and Visual Basic, have benefited from the security lessons learned to date.
"We understand that Microsoft has a key role to play in improving computer security, and that we need to continue to invest and deliver against security at the highest level possible," Ballmer says.
Unfortunately for Microsoft, each Blaster-like worm erases much, if not all, of its perceivable gains.
That point isn't lost on Microsoft, which must reaffirm itself with each malware event. And, despite its effort, Microsoft's audience -- its customer base--loses more confidence with each passing event, adding to Microsoft's already monumental challenge.
They're coming out with new secure products in 2005 or 2006 that have code names for saving the world, but we're still left circling the wagons for the next couple of years.
Dan Lohrmann, CISO of the state of Michigan,
Security events in 2003 -- particularly the Blaster and Slammer worms -- took their toll on Microsoft's fragile security reputation.
According to a survey of Information Security/SearchSecurity.com readers, 34 percent of 465 practitioners polled believe Trustworthy Computing will eventually result in more secure software. That's down from a similar survey last year, which found 42 percent expressed confidence in Trustworthy Computing.
The survey also found a whopping 70 percent don't believe Microsoft is doing enough to improve software security.
"Microsoft has done vastly more than what they've done historically, but is the state of security any better?" says Lloyd Hession, CSO of Radianz, which operates extranets for 5,000 financial institutions. "What Microsoft has done hasn't had much of an impact. Because of the complexity of the code, you find more vulnerabilities once you start to tinker with the code."
Blaster robbed Microsoft of the credit it should have received for the litany of security initiatives unveiled in 2003: the release of the Security Management Server; the improving quality of security patches; the refined security guidance and information programs; and the reorganization of the security site, to name a few.
"They've put a lot of effort into security, but I'm looking at the effectiveness," says Barry Miracle, VP of Internet security at Automatic Data Processing. "I'm still looking at the number of attacks that I have to put fixes for."
Frustrations with Microsoft's chronic security problems have enterprises looking for alternatives to Windows systems. Miracle is pulling the bulk of the Windows machines -- somewhere in the neighborhood of 3,000 boxes -- from ADP's 35 data centers. The replacements: Linux and Solaris.
"My boss doesn't take the whole outage thing very lightly," Miracle says. "If we have viable alternatives that don't have the severity of problems, you make your choices."
Microsoft isn't oblivious to its critics or its shortcomings. But it insists that improvements being developed today will pay dividends in a distant tomorrow.
A hardened Windows 2014 isn't far-fetched. The basic mode of Trustworthy Computing is each generation of Windows -- or any Microsoft application -- will be markedly more secure than the previous version. Lessons learned from previous mistakes will translate into fixes and improvements in the next revision.
"Security and innovation walk hand in hand," Ballmer says. "We have to innovate to address security concerns, even as we move the ball forward in technology with new product releases. What's different is that we're much more deliberate about building security into products and releases."
For instance, the forthcoming service pack for XP (SP2) will come with many security improvements and fixes, including the addition of malware mitigation technology. Microsoft is pushing for uniformity for its automated patch services across all Microsoft applications. And each of the company's units is working to improve the quality and security of its code, which is often only seen with each new generation.
Microsoft postponed the release of Longhorn, the much anticipated desktop replacement for Windows XP, in part to incorporate more security improvements.
The slow progression of underlying code improvements has Microsoft adopting a interim strategy: defense-in-depth.
Last year, Microsoft bought antivirus technology from Romania-based GeCAD Software and purchased malware behavior-blocking vendor Pelican Software. It's already expended a lot of effort beefing up its Internet Security & Acceleration Server (ISA) to be comparable with enterprise firewalls. It released the Rights Management Server, giving enterprises control over content security and distribution. And it formed an alliance with the major antivirus vendors to provide early warnings of malware threats to users.
To some enterprise customers, a defense-in-depth strategy is Microsoft's way of grabbing more money out of their pockets. They also see it as a recipe for decreasing the overall state of security.
"The whole strategy isn't moving us forward," says Radianz's Hession. "We could have bought these solutions. What Microsoft is doing is dumbing down the solutions, giving us less-capable solutions. All it does is kill competition when we need innovation."
Until it can clean up its code, Microsoft believes it must provide layers of protection that either complement or replace existing commercial solutions.
"There's no one thing that's going to solve this," says Mike Nash, corporate VP of Microsoft's Security Business Unit, which is driving Trustworthy Computing. "Mitigation technology is part of it. In some sense, as the threats increase, we need to make sure our technology responds to that threat."
There's no one thing that's going to solve this. Mitigation technology is part of it.
Corporate VP of Microsoft's Security Business Unit
Following the Blaster outbreak last summer, Microsoft went on a publicity blitz to correct what it calls shortcomings in informing users on the security features and protections in Windows.
"One of the most important things we learned in the past year is that creating better security tools and resources is not enough," says Ballmer. "We need to do a better job raising awareness of our existing security resources and working more closely with customers to develop new solutions."
Microsoft's intention was to guide its customers on how to better secure their systems. The message was received as "Microsoft says it's the customer's fault for being insecure."
"We don't need advertising and marketing. What we need is results," says Patrick Heim, VP of enterprise security at health care IT services provider McKesson Corp. "I'm more interested in results than statements made by the company."
It's the paradox in which Microsoft is trapped. Microsoft responds to customers' requests for information, services and functionality. But customers revolt when outbreaks occur and Microsoft tries to reinforce its message.
Another example. Microsoft created a $5 million fund for information that leads to the arrest and prosecution of virus writers, of which $500,000 was earmarked for information on the creators of the Blaster worm and the Sobig.F virus. Microsoft says it was trying to help curb the growth in global cybercrime, but the community saw it as a way to distract attention from its software's security problems.
And, when Microsoft bought GeCAD, it talked about incorporating better antivirus protection in the Windows platform. Yet, enterprise users immediately braced for the resumption of the AV wars, this time with Microsoft undercutting the leading antivirus vendors to capture untold millions of dollars in support subscription contracts.
"They're making two types of moves: They're definitely throwing a lot of resources at trying to change the message that 'Microsoft means vulnerabilities and Linux means less vulnerabilities,' and Microsoft is trying to grow software revenue," says Gartner analyst John Pescatore.
Do the critics have a point? Should Microsoft devote more time, energy and resources toward improving its security and worry less about its reputation? And, does it matter if Microsoft makes money from its security effort?
"Let's not ignore the fact that it's a publicly traded company, which has to make money for the shareholders," says Howard Schmidt, Microsoft's former chief security officer. "It's not the only thing that they care about, but it's something that they should care about."
In the end, Microsoft could have the best of both -- security and revenue. A more secure Windows platform will benefit customers and provide Microsoft with more sales and market share. But that's only if Microsoft gets security right and survives frequent barbs.
"Microsoft will only continue to be successful if our customers are satisfied, so it's clearly in our interests, as well as our customers' interest, to wrestle the security challenges to the ground," Ballmer says.
Lawrence M. Walsh is executive editor of Information Security.
This was first published in January 2004