Microsoft will focus on its security resources at the 2009 Black Hat conference this week, issuing a report card on its latest security programs, a new tool for IT security professionals and a guide to help administrators understand where to get vulnerability and patching information.
The software giant is releasing a new Microsoft Office Visualization Tool, OffVis, which gives a graphic visualization of the Office binary file format. The software is aimed at security researchers to help them understand attacks targeting Office files and develop protections for newly discovered vulnerabilities. The tool is attractive to security vendors, who have currently been testing it via the Microsoft Active Protections Program (MAPP). The free tool opens up a view of the file format enabling them to deconstruct .doc, .xls and .ppt-based targeted attacks by identifying malicious code that has been inserted by an attacker.
"It helps reduce the complexity of security," said Andrew Cushman, senior director of Microsoft Security Response Center strategy. "It has the knowledge of the Office file format built-in so that it's able to not only display the different pieces, but to validate the integrity of them and to identify pieces that shouldn't be there."
Microsoft adds security programs in 2008:
While Microsoft is trying to demonstrate that it is making continued progress locking down its software products, it is also trying to be more open about its security processes by providing multiple resources to consume vulnerability information. Most IT security professionals are not interested in the number of vulnerabilities, but rather, they're interested in ways to prioritize updates and assess the risk of a vulnerability, said Andrew Jaquith, a senior analyst at Forrester Research Inc.
"Microsoft has traditionally been a little over-focused on counting vulnerabilities and flaws and they were ignoring the broader impact that security changes had on their end users," Jaquith said. "Ultimately we shouldn't be asking whether the number of Microsoft vulnerabilities is up or down. It's about whether enterprises who face issues in every part of their infrastructure, have enough to information to make the right risk assessment."
To address the volume of data provided by Microsoft, the software giant is also releasing a Microsoft Security Update Guide, a document that outlines the Microsoft security update process and gives IT administrators an overview of where to get information about the latest updates to help assess risk and deploy updates based on priority. The guide gives an overview of the content, tools and best practices available from Microsoft and also introduces a risk management framework so an IT security pro can evaluate their own organization's policies and procedures, Cushman said.
"One of things we realized is that less mature organizations don't know where to begin," Cushman said. "This is a good starting point to help them tap into all the resources that Microsoft makes available."
Microsoft is also releasing a report card on three security programs it launched at Black Hat 2008.
The Microsoft Exploitability Index, which was introduced into Microsoft security bulletins to help IT admins develop a priority around patching. Microsoft ranks vulnerabilities based on the likelihood of someone developing working exploit code for the Microsoft flaws within 30 days immediately following the patch release. So far the program has a 99% success rate, with only one rank being changed since inception, Cushman said.
Microsoft said about 45 security vendors have been taking part in the MAPP program, which enables them to receive vulnerability information ahead of patches to develop signatures and exploit detection capabilities for their customers. In order to be in the program the vendor must provide defensive technology to a customer base of more than 10,000, such as antivirus (AV), intrusion detection system (IDS) and intrusion prevention system (IPS) technologies.
- Microsoft Vulnerability Research, a program is used to address blended threats against third party applications running on Microsoft Windows. From July 2008 to June 2009, the MSVR program identified software vulnerabilities affecting 32 software and hardware vendors; and in all cases, Microsoft said it offered assistance. Microsoft said 68% of third-party vulnerabilities found through the program were rated critical or important. So far 13% have been repaired.
Microsoft is also announcing the early stages of Project Quant, a new framework that sets out to quantify the cost of patch management processes. Project Quant is being conducted by former Gartner analyst and security consultant Rich Mogul of Securosis and Jeff Jones, strategy director in the Microsoft Security Technology Unit. The two experts are attempting to develop metrics around patching processes that could be used by IT security professionals and vendors.
Jon Oltsik, a senior analyst at the Enterprise Strategy Group said the programs have so far proven to be effective. Microsoft appears to be dedicating a lot of resources to security by reaching out to customers and competitors alike, he said. Security is a cost center for Microsoft, but despite shrinking budgets, it is important for Microsoft to continue to educate the market so people understand that it is no longer the company of 1996. They are proactively doing a tremendous amount for security, Oltsik said.
"There's proven advantages to working in collaboration and it's beneficial to Microsoft to help overcome some of these Windows-based threats," Oltsik said. "The only thing that they could do better is continue to make more people aware of these programs on a more regular basis."