Microsoft Security Incident Response. Roberto Arbeláez Security Program Manager for LATAM Microsoft Corporation




Microsoft Security Incident Response Roberto Arbeláez Security Program Manager for LATAM Microsoft Corporation roberto.arbelaez@microsoft.com

Agenda
- Microsoft Security Stakeholders
- Threat Landscape
- Security Response
- Security Intelligence Report
- Partnerships
- CSS Security Services
- Resources & Blogs

Microsoft Security Stakeholders
- Security Advisors & Security Leads: lead security and privacy initiatives focused on customers and partners
- MSRC (Microsoft Security Response Center): end-to-end ownership of protection of Microsoft products from vulnerabilities
- MMPC (Malware Protection Center): antimalware research and response capabilities
- CSS Security (Customer Service & Support Security): customer support, education & awareness, voice of customer

Evolving Threat
Era                 | Year  | Platform       | Threats                                                                                      | Motivation / Impact
Local Area Networks | 1986  | 16-bit DOS     | First PC virus, boot sector viruses                                                          | Create notoriety or cause havoc; slow propagation
Internet Era        | 1995  | 32-bit Windows | Macro viruses, script viruses, key loggers                                                   | Create notoriety or cause havoc; faster propagation
Broadband prevalent | 2000  | 32-bit Windows | Spyware, spam, phishing, botnets & rootkits, war driving                                     | Financial motivation; Internet-wide impact
-                   | 2007+ | 64-bit Windows | Hyperjacking, peer to peer, social engineering, application attacks, network device attacks | Financial motivation; targeted attacks

Microsoft Malware Protection
- Global Response: focus on customers, local visibility, industry experts, Microsoft partnership programs (MAPP, MSRA, VIA, MVI), additional industry partnerships
- Broad Insight: Microsoft Malicious Software Removal Tool, Windows Defender, anti-malware technology, customer submissions, daily telemetry, semi-annual Security Intelligence Report
- Customer Guidance (MMPC portal, www.microsoft.com/security/portal): search/browse the malware encyclopedia, top threat telemetry, submission tool, alternative signature download location

World-Class Security
- Experience and dedication: monitoring and managing vulnerabilities for 10 years and counting; providing guidance and education
- Expertise: vulnerability reporting; responding to security incidents
- Industry-leading: free malware support

Vulnerability Reporting Process
- Nearly 150,000 emails a year (411/day)
- Vulnerability sources: secure@microsoft.com, direct contact with MSRC, industry security events, honey-pots, the security community, partners
- Every report is reviewed: 24-hour Service Level Agreement, 7-day support, all reports triaged by a security specialist

Security Incident Response: SSIRP (Software Security Incident Response Plan)
- Company-wide process to manage critical security threats; mobilizes Microsoft resources worldwide
- Goals: gain a quick and thorough understanding of the problem; provide customers with timely, relevant, consistent information; deliver tools, security updates and other assistance to restore normal operation
- SSIRP participants: MSRC, MMPC, Customer Service & Support, Product Teams, Corporate Protection Teams

Phases of an Incident
- Watch: default stage, ongoing; teams watching for possible incidents
- Alert & Mobilize: crisis leads alerted; incident triaged; global security response and support teams mobilized (Emergency Engineering Team, Emergency Comms Team)
- Assess: assess the situation and available technical information; conduct investigation; watch partners monitor signs of activity; plan of record established
- Stabilize & Recover: product teams execute the plan of record; internal & external comms prepared; insurance package may be released
- Resolve: appropriate solution is provided to customers, such as a security update, tool or fix; conduct internal process reviews and gather lessons learned

Releasing a Security Update
1. Vulnerability Reporting: MSRC receives incoming vulnerability reports through Secure@Microsoft.com, direct contact with MSRC, and the Microsoft TechNet Security Site (anonymous reporting).
2. Triaging: assess the report and the possible impact on customers; understand the severity of the vulnerability; rate the vulnerability according to severity and likelihood of exploit, and assign it a priority. MSRC responds to all reports: 24-hour response Service Level Agreement to the finder; internal response can be immediate when required.
3. Investigation (MSRC Engineering): reproduce the vulnerability, locate variants, investigate surrounding code and design.
4. Managing the Finder Relationship: establish a communications channel, quick response, regular updates, build the community, encourage responsible reporting.
5. Fix Validation (MSRC Engineering and Product Team): test against the reported issue; test against variants.
6. Content Creation: security bulletin covering affected software/components, technical description, FAQs, acknowledgments.
7. Technical Guidance (MSRC Engineering): workarounds and mitigations, SVRD Blog, MAPP detection guidance.
8. Release: security bulletins on the second Tuesday of every month; coordinate all content and resources; information and guidance to customers; monitor customer issues and press.
9. Update Dev Tools and Practices: update best practices, update testing tools, update the development and design process.

Microsoft Security Intelligence Report (www.microsoft.com/sir)
Major sections cover:
- Software Vulnerability Disclosures
- Software Vulnerability Exploits
- Privacy and Security Breach Notifications
- Malicious Software and Potentially Unwanted Software
- Email, Spam and Phishing Threats

Malicious and Potentially Unwanted Software: Global Infection
The 25 locations with the most computers cleaned by Microsoft anti-malware desktop products in 2H08

Country/Region   | Computers Cleaned in 2H08
United States    | 13,245,712
China            | 3,558,033
United Kingdom   | 2,225,016
France           | 1,815,639
Brazil           | 1,654,298
Spain            | 1,544,623
Korea            | 1,368,857
Germany          | 1,209,461
Italy            | 978,870
Canada           | 916,263
Mexico           | 915,605
Turkey           | 768,939
Netherlands      | 641,053
Russia           | 604,598
Taiwan           | 466,929
Australia        | 464,707
Japan            | 417,269
Poland           | 409,532
Portugal         | 337,313
Sweden           | 287,528
Belgium          | 267,401
Denmark          | 224,021
Norway           | 203,952
Colombia         | 164,986
Switzerland      | 163,156

Malicious and Potentially Unwanted Software: Geographic trends by location
Significant differences in threat patterns worldwide.
[Chart: Threat categories worldwide and in the eight locations with the most infected computers, by incidence, among all computers cleaned by Microsoft desktop antimalware products, 2H08]

Malicious and Potentially Unwanted Software: Infection rates by country/region in 2H08

Microsoft Malicious Software Removal Tool (MSRT)
- Helps remove specific, prevalent malicious software from computers
- Runs on Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008, Windows XP, or Windows 2000 (W2K will be out of support in July, 2010 and will no longer receive MSRT updates)
- Updated monthly on the 2nd Tuesday
- Currently targeting rogue anti-virus software families
- 450 million installs per month

Country/Region | Threat Count | Machine Count
US             | 8,750,628    | 2,183,166
China          | 1,085,140    | 383,378
Brazil         | 737,322      | 282,152
UK             | 1,078,540    | 278,207
Korea          | 601,646      | 262,539
France         | 412,115      | 156,566
Taiwan         | 236,047      | 140,283
Spain          | 328,829      | 133,264
Canada         | 433,770      | 119,885
Mexico         | 447,841      | 117,845

Enterprise and Home Computer Users: Differing Patterns of Infection
Patterns of infection follow patterns of usage: enterprise users encounter more worms, home users more trojans.
[Chart: threat categories by incidence, enterprise versus home users]

Security Vulnerability Disclosures
Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale.
[Chart: Vulnerability disclosures for Microsoft and non-Microsoft products, 2H03-2H08]

Strategic Partnerships: Microsoft Security Response Alliance (MSRA)
Build strong alliances with partners in the security response ecosystem:
- Internet Service Providers
- Governments
- Security Researchers
- Law Enforcement (LE Partnerships)
- Educational Institutions
- Security Experts & Advocates
- Financial Institutions
- Security Vendors
Program labels shown on the alliance diagram: SCP, GIAIS, SAFI, MVI, VIA, MVP

Strategic Partnerships: Microsoft Security Response Alliance (MSRA)
Partners: Governments, Law Enforcement, Internet Service Providers, Financial Institutions, Educational Institutions, Security Vendors & Researchers, Most Valuable Partners
- Share Information
- Protect Customers
- Alert on Critical Issues
Build strong alliances with partners in the security response ecosystem.

MSRA Partnerships Goals
- Respond more efficiently and effectively to computer security incidents and minimize the impact of attacks on users and critical IT infrastructure through cooperative communications and user education.
- Enable global partners to share information to improve computer incident response processes and user outreach.
- Combine resources to help improve safety by providing consistent and accurate security-critical information and actions.
- Improve computer security incident response, better the sharing of computer threat and attack information, and strengthen outreach to critical segments.
- Ensure a secure and healthy computing ecosystem.
- Provide security partners with information that helps them best detect and remove malicious software from customer computers.

CSS Security
Regions: Americas, EMEA, India, Japan, Korea, APGC, Australia
- Ensure Microsoft Field Support and key partners, internally and externally, are prepared to respond to any security event, update, or emergency
- Represent customers during security crises, driving rapid and accurate information flow
- Assist MSRC with bulletin readiness; handle escalations; deliver post-release reports on key issues and support volumes
- Manage partner programs; provide support; provide education and awareness

Microsoft Security Customer Support (www.microsoft.com/contactus)
- Help customers deploy security updates
- Help stop the spread of malware
- Respond to Denial of Service (DoS) attacks and intrusions (hacking)
- Troubleshoot deployment issues on security updates
- Share information concerning exploits and Proof of Concept (PoC) code

Understanding the Severity
Bulletin severity ratings (Critical, Important, Moderate, Low) assume a determined and skilled attacker.
The Exploitability Index provides context:
- 1 - Consistent Exploit Code Likely
- 2 - Inconsistent Exploit Code Likely
- 3 - Functioning Exploit Code Unlikely

Exploitability Index and Bulletin Severity Ratings
- Provides customers with guidance on the likelihood of functional exploit code being developed
- Developed in response to customer requests for additional information to further evaluate risk
- Published as part of the monthly Microsoft security bulletin summary

Stay Connected / Stay Informed
- Microsoft Security Slate: provides a weekly review of key security articles and concerns from around the world
- Online Threat Information Sharing (OTIS): a free, Microsoft-managed information sharing forum uniting security professionals around the world to share security threat information. Share information about new and existing security threats and vulnerabilities, along with best practices for securing environments. Participate in an early warning system for new and spreading threats, malware, vulnerabilities, and exploits. Requires a standard NDA with Microsoft.

Microsoft Free Security Support Policy
Free support for security incidents, malware, and security-bulletin related issues. If you have a support contract with Microsoft, the support will still be free, but with the same SLAs your support contract provides!
Obtain support here: http://support.microsoft.com/gp/contactenos/es-la

We Can HELP
- Determine if an attack or compromise occurred
- Determine the extent of the damage
- Help the customer recover from an attack
- Determine how the attack occurred (best effort)
- Determine how to prevent future attacks
- Determine how the customer's machines can be made more secure

Microsoft Blogs
- MSRC: http://blogs.technet.com/msrc
- Security Research & Defense (SRD) Team: http://blogs.technet.com/srd
- MMPC Team: http://blogs.technet.com/mmpc
- MSRC Ecosystem Strategy: http://blogs.technet.com/ecostrat
- Microsoft Update: http://blogs.technet.com/mu/default.aspx
- Microsoft Privacy Team: http://blogs.technet.com/privacyimperative/default.aspx
- Windows Team: http://windowsteamblog.com/blogs/windowsvista/default.aspx
- Consolidated, with built-in language translator and RSS feed: www.microsoft.com/twc/blogs
- LATAM Security Blog: http://blogs.technet.com/seguridad

Resources
- Microsoft Security Web sites: www.microsoft.com/security and www.microsoft.com/technet/security
- Sign up to receive notifications on security updates: www.microsoft.com/security/bulletins/alerts.mspx
- Sign up for the Security Bulletin Web cast: www.microsoft.com/technet/security/bulletin/summary.mspx
- RSS feeds for Security Bulletins: www.microsoft.com/technet/security/bulletin/secrssinfo.mspx
- Security Bulletins search: www.microsoft.com/technet/security/current.aspx
- Security Advisories: www.microsoft.com/technet/security/advisory
- Security Guidance Center for Enterprises: www.microsoft.com/security/guidance
- Protect Your PC: www.microsoft.com/protect
- Microsoft Security Response Center: www.microsoft.com/msrc
- Microsoft Malware Protection Portal: http://www.microsoft.com/security/portal/

2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.