What Microsoft knows about cybersecurity might surprise you

2001 was a turning point for the company that brought the world Windows and, arguably, the most popular office suite of productivity applications in history. Microsoft Corp. was under attack from cyber-criminals, and it was losing. In fact, internally there were questions about the company’s ability to survive.

“Microsoft was in the press every day. We were getting killed by the adversary,” recalled David Aucsmith, senior director at the Microsoft Institute for Advanced Technology in Governments. “In fact, we thought we might very well lose the company over this issue.”

That was, after all, a time when headlines were filled with warnings about global outbreaks of malicious worms and viruses that went by the names of I Love You, Sircam, CodeRed and Nimda, which hit the Internet just weeks after the Sept. 11, 2001 terrorist attacks. These and other attacks all targeted Microsoft software.

Microsoft’s response to the onslaught was to completely rethink how it developed its products. On Jan. 15, 2002, Microsoft employees received an email from the company’s founder and then-CEO Bill Gates in which he characterized the company’s new Trustworthy Computing Initiative as “more important than any other part of our work” and directed developers to focus on security.

However, more than a decade later, that effort has not led — as many hoped it would — to developing a 100 percent secure computer. On the contrary, it taught Microsoft that designing completely secure systems is impossible. Security, the company quickly realized, would take a lot more than simply writing better code.

“I do not believe you can create secure computer systems,” said Aucsmith, who spoke March 4 at the Microsoft Federal Forum in Washington, D.C. “Most systems don’t do much of anything, quite frankly. Most systems don’t even have basic protections.”

The two megatrends Aucsmith blames for the current state of cybersecurity are the increasing complexity of the systems being developed and deployed, and what he described as “disintermediation” — the removal of the middlemen from online transactions.

“We are building systems that are far more complex than our ability to understand their behaviors,” Aucsmith said. In addition, the Internet has directly connected “criminal organizations to your bank account,” he said. “We’ve completely removed all the people in the middle.”

To overcome these challenges, Microsoft has focused its efforts on designing software and systems capable of defending themselves in near-real-time. Aucsmith likens the effort to maneuver warfare, in which commanders are able to take actions and move their forces based on what the enemy is doing. Maneuver warfare is about keeping your adversaries off balance and disrupting their decision cycle through rapid changes to your own security posture.

One of the easiest ways to do that is to keep up to date on software patches, Aucsmith said. Another is to use signature-based defenses such as anti-virus and intrusion detection systems. You can also leverage adaptive networking, which frequently changes the addresses assigned through the Dynamic Host Configuration Protocol (DHCP) and avoids reusing the same address, which “keeps your adversary guessing as to what your network looks like,” Aucsmith said.

But to really change the economics of cyber-attacks in your favor by recognizing an attack at the earliest possible moment in the process requires intelligence. You have to know what your enemy is doing. And you don’t have a lot of time. According to Aucsmith, it takes only five days from the time Microsoft issues a patch to the time malicious code starts to appear, designed to attack organizations that have not yet deployed the patch.

In 2002, when Microsoft was first launching the Trustworthy Computing Initiative, it had an idea about how it could learn what hackers were doing before the attacks became a problem. The company simply turned all of its products and the components of its own massive corporate IT infrastructure into sensors.

“To us, every product is a sensor,” Aucsmith said. “Essentially, we embedded sensors in our products.” Over time, “we instrumented all of our products. Not about the who or the where, but the what. What we do is look for malicious software.”

Today, that sensor network is huge. More than a billion computers around the world report to Microsoft every month through Windows Error Reporting. Bing conducts billions of Web page scans per month. More than 100 million users around the world send information to Microsoft security professionals through the Windows Defender program. And this is in addition to the company’s own 25,000 data center servers and more than 600,000 networked devices.

But the company recently came up with yet another idea to stay ahead of cyber-criminals. It established the Microsoft Cybercrime Center to work directly with government and law enforcement agencies to track down cyber-criminals and take them off the cyber-streets.

“We are helping law enforcement track down malicious software — bots — and we’re hammering them,” Aucsmith said, showing a slide depicting a laundry list of major criminal botnets the company helped law enforcement dismantle.

But what is most interesting about how the company works directly with law enforcement is the “rather curious” legal justification Microsoft relies upon to do the work.

Known as “exploitation of chattel,” the legal mechanism allows Microsoft to work closely with law enforcement in the same way the law gives a building owner the right to enter a renter’s apartment to help law enforcement solve a crime that occurred there.

“It turns out you don’t own the software you get from us; you are leasing it and therefore have a contractual relationship with us,” Aucsmith said. “And that is like renting an apartment in an apartment block.”

Aucsmith ended his keynote presentation at the Microsoft Federal Forum with an important insight into the true meaning of defense-in-depth. Everybody says they have a defense-in-depth strategy. But what most organizations actually have is a collection of different products running at different logical levels of the network, he said.

“It’s defense in depth when those systems tip and queue each other,” he said.
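To make the "tip and queue" distinction concrete, here is an added illustration that is not from Aucsmith's talk or any Microsoft product: two sensor layers (network and endpoint) whose individual observations each fall below the action threshold, compared with a correlator in which one layer's observation tips the other layer's queued observations for the same host. The event tuples, hosts, scores and the scoring rule are all constructed for this example.

```python
"""Independent products vs. tip-and-queue across sensor layers (constructed example)."""
from collections import defaultdict

# Constructed sample events: (layer, host, signal, confidence score 0-100).
# Hosts and signals are invented; they are not real indicators.
EVENTS = [
    ("network",  "ws-17", "outbound connection to sinkholed domain", 40),
    ("endpoint", "ws-17", "unsigned binary launched from %TEMP%",   35),
    ("endpoint", "ws-42", "unsigned binary launched from %TEMP%",   35),
    ("network",  "ws-42", "short DNS query burst",                  20),
]

ACT_THRESHOLD = 60   # score at which a layer would act (block, isolate, page an analyst)
TIP_FLOOR = 30       # minimum score for an observation to tip the other layers


def independent_products(events, threshold=ACT_THRESHOLD):
    """Products at different levels that never talk: each event is judged alone.

    Returns the sorted hosts on which any single event reached the threshold.
    """
    return sorted({host for _, host, _, score in events if score >= threshold})


def tip_and_queue(events, threshold=ACT_THRESHOLD, tip_floor=TIP_FLOOR):
    """Layers that tip and queue each other.

    An observation at or above tip_floor 'tips' every *other* layer about that
    host. A layer's queued observation is rescored by adding the strongest tip it
    received from another layer; if the combined score reaches the threshold, the
    host is acted on. Returns the sorted hosts acted on.
    """
    by_host = defaultdict(list)
    for layer, host, signal, score in events:
        by_host[host].append((layer, signal, score))

    acted = set()
    for host, observations in by_host.items():
        tips = [(layer, score) for layer, _, score in observations if score >= tip_floor]
        for layer, _, score in observations:
            tips_from_other_layers = [s for l, s in tips if l != layer]
            if tips_from_other_layers and score + max(tips_from_other_layers) >= threshold:
                acted.add(host)
                break
    return sorted(acted)


if __name__ == "__main__":
    print("independent:", independent_products(EVENTS))   # nothing fires
    print("tip and queue:", tip_and_queue(EVENTS))        # ws-17 is acted on
```

Host ws-42 is not acted on in either mode: its endpoint observation tips the network layer, but the network layer's weak signal still does not reach the threshold, so a single tip is not enough on its own.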
Follow @DanielVerton