Microsoft's Scott Charney on fighting botnets, rogue antimalware
Date: Feb 25, 2011
In the final segment of SearchSecurity.com's exclusive RSA Conference 2011 video interview with Scott Charney, Microsoft's Corporate Vice President of Trustworthy Computing, he discusses a variety of concerns on the enterprise threat landscape, including fighting botnets and rogue antimalware.
Read the full transcript from this video below:
Eric Parizo: Hi, I'm Eric Parizo. Great to have you with us. Joining us today is Scott Charney, Corporate Vice President for Trustworthy Computing at Microsoft. Scott, thanks so much for joining us today.
Scott Charney: Thanks for having me.
Eric Parizo: A vexing security problem that has only gotten worse in the last couple of years is rogue antimalware. These programs avoid detection, disable legitimate antimalware, and, often with astounding success, trick both enterprise and consumer users into thinking they're legitimate programs. What is Microsoft doing to fight against rogue antimalware?
Scott Charney: This is one of the reasons I come back to this notion of a trusted stack. One of the challenges, of course, is where does antivirus load, and how easy is it to manipulate it. You might have even seen on February 11th, NIST issued some draft guidance around the security of BIOS, for example. So, we have to be cognizant that criminals are adaptive. They'll go up the stack, as they've done with social engineering, and potentially down the stack as well. What we really have to do is make sure that from the hardware up, the boot process is trusted, that the security elements, whether it's turning on the firewall or running the antivirus, are in the right place in that trusted stack, so it's really hard to tamper with it.
We're going to have to do the same thing with these health certificates. So, if consumers could produce health certificates to any website that requested one, the bad guys will say, "OK, how do I fake a health certificate on an infected machine?" We have to be prepared for that, and the answer again comes back, how is that health certificate generated? How is it signed and created through a root of trust? It makes it very hard for the bad guys to do that.
Eric Parizo: Just briefly, Scott Charney, talk about the recent NIST BIOS documentation and what that means for enterprises.
Scott Charney: I think for a long time, people were focused on operating system security, and then as Windows got more secure, attacks started moving up the stack. We had it with Office, and Adobe had issues. We went up to the application layer, of course. Then, as those got better, while the attacks still continue, of course, you see this rise in social engineering, where the bad guys go, "OK. If it's harder to find a vulnerability, can I just trick the user into clicking on an attachment?"
We've kind of been focused on the operating system up, but the question is: what about the operating system down? There's firmware, there's a lot of software actually running on chips, and so you have to think about the security of the entire stack. I think the NIST document starts to point people in that direction.
Eric Parizo: There's an increasing debate in the industry about whether traditional antimalware is worth the time, trouble, and investment it takes. Do you believe enterprises should decrease their emphasis on traditional antimalware and instead focus on other technologies, like intrusion detection, log analysis and code review?
Scott Charney: No, I think they have to exist together. The reason I say that is there's been a lot of study of intrusion detection over the years. There's always this difference between intrusion detection, which is signature based, and anomaly detection that looks for anomalies. Of course, the more you move to anomaly detection, the more likely you'll find something new, but there's also a higher risk of false positives, because the anomaly could just be some new business application or user doing something completely appropriate but in a new way. Those things won't make antivirus or malware go away. I think you still have to think about risk management in a holistic sense.
Eric Parizo: Scott, a year ago when you and I talked, we talked about Operation B49, the Microsoft-led takedown of the Waledac botnet. It was a significant blow at the time, but 12 months later, botnet activity is still as virulent as ever. Why should enterprises be concerned about that, and what specifically is Microsoft doing to combat botnets today?
Scott Charney: When we did the B49 Waledac botnet, we said, "This is another tool in the arsenal," but it doesn't solve the problem. The Waledac botnet was amenable to that kind of response in part because a lot of it was centralized within countries where you could get legal assistance. We did get some international assistance as well, but part of this public health model that we just discussed is very much about addressing the botnet problem.
As you know, the botnets are successful because the bot-herders take over consumer machines and then use those consumer machines and give them instructions. So, we need to look at this from multiple angles. One is we do try to cut off the head of the botnet where we can, and that's what Waledac was, in part, about, but we also have to make the consumer machine less prone to takeover. That's where the public health model comes in.
Eric Parizo: Now, despite industry efforts to take down all or part of at least seven different botnets in 2010, botnet activity is still a major problem. Is an industry-wide offensive against botnets still a priority, or should the emphasis shift to defenses?
Scott Charney: I think it's worth the effort. We're capable of doing more than one thing at a time. There's no silver bullet to these problems. What you really have to do is match the response to the problem. In the Waledac case, because of the way that botnet was configured, a legal response was actually fairly effective in disabling it. In other botnets that might be more global in reach where law enforcement cannot quickly work across borders to help disable the botnet, you're going to need other approaches like a more comprehensive defensive approach.
Eric Parizo: Scott Charney, Corporate Vice President for Trustworthy Computing at Microsoft. Thanks so much for joining us today.
Scott Charney: Thank you.