A Long History of Building Trust and Engagement

By Jerry Bryant, Principal Security Program Manager, Microsoft Security Response Center

Wednesday, March 28th, 2018

When most people think about the Microsoft Security Response Center (MSRC), they think about “Patch Tuesday”, the monthly security update process we implemented back in 2003. What you may not know, is the depth and breadth of engagement across the industry that it takes to protect more than a billion systems worldwide and how every customer, partner, and security researcher is part of that effort. To extend our engagements even further, the MSRC partners with organizations such as FIRST where a global community of defenders works together to educate, create standards, and generally strive to improve the overall state of the ecosystem.

Microsoft joined the FIRST community around the same year our monthly update process started, 2003. For those working in security back then, you are all too familiar with the age of the self-propagating worm. Code Red, Nimda, SQL Slammer, Blaster, were some of the big ones that drove a major refocus on security. A refocus that centered around the famous Bill Gates Trustworthy Computing memo and for the work that went into Windows XP Service Pack 2 and the creation of our Security Development Lifecycle. As one can imagine, entering into a global community as a representative of Microsoft at that time, would have been somewhat of a challenge.

The Microsoft employee stepping up to that challenge was Robert Hensing who started posting incident response and vulnerability related information to the FIRST mailing lists. Despite getting flamed here and there, he kept at it and slowly built up trust in the community. Providing consistent and reliable information is critical to building trust as is the opportunity to meet face to face at the various FIRST events every year.

Many others from Microsoft have participated in the FIRST community over the years but probably none more notable than Cap’n Steve (Steve Adegbite) and Maarten Van Horenbeeck. Both have long since moved on to other adventures but left behind a legacy of collaboration with FIRST that I get the privilege to carry on today.

Our engagement with the FIRST community has enabled some high impact collaboration over the years. For example, when our Digital Crimes Unit (DCU) conducted the take down of the Rustock botnet in 2011, it was the connections made through FIRST that paved the way for information sharing on a global scale.

For the last decade, we have supported the annual FIRST conference through Platinum sponsorship. I personally took over as the Microsoft representative in 2013 and have been attending the annual conference every year since. Last year in San Juan (our thoughts are still with those in beautiful Puerto Rico) Maarten and I discussed the needs of the FIRST community and how Microsoft could help. He suggested that providing education is always a huge need.

As a result of that conversation, I determined that we needed to beef up our overall contribution and in addition to being the Diamond sponsor this year, we are investing in the following educational activities either leading up to or at the annual conference in Kuala Lumpur:

1. We have been a core participant in the creation of the PSIRT framework and are funding and producing training that will be available on FIRST.org before the annual conference
2. We are bringing some of the worlds top computer forensics experts to deliver training labs in Kuala Lumpur
3. Our Windows Defender team will be sending one of our top malware reverse engineering experts to deliver training at the annual conference as well

Expect to see more about these training opportunities on www.first.org.

You can also find us working along side the community in various Special Interest Groups (SIGs) such as CVSS, the Vendor SIG, and Coordinated Vulnerability Disclosure. One thing I think that all participants in SIGs likely notice is how FIRST provides a seamless way to collaborate across the industry, even with organizations who may be direct competitors. For example, one of the videos in the above mentioned PSIRT training course consists of myself and CRob from Red Hat product security. Today’s threats tend to blur the lines of competition and through FIRST, we work towards a common good for all of our customers.

Outside of FIRST, one of the engagement areas we focus on heavily is government defender teams. Over the years we have done this through various programs and initiatives but now, the primary way we do this across the company is through our Government Security Program (GSP). GSP is a master agreement framework that has several sub areas, or authorizations, that a participant may decide to include. Access to source code through our global trust centers, and technical data are among the types of authorizations available. For the MSRC, we focus on the Information Sharing and Exchange authorization which when signed, enables a great deal of automated information flow to the participant including product vulnerability information, a feed of malicious URL data, a feed of file hashes for all Microsoft signed binaries, and customized access to the botnet sinkhole data from our Digital Crimes Unit.

Providing access to this data is just one part of the overall engagement. In a world of ever increasing threats, it is imperative to develop trust relationships with governments across the globe in order to collaborate on effective response. To do this, we look for opportunities to meet with these organizations face to face in the most efficient way possible. This again, is why organizations like FIRST are extremely important to us because it maximizes our ability to connect with many different types of incident response teams who all have a common goal of protecting the ecosystem.

At the FIRST conference in Kuala Lumpur this year, there will be several of us from the MSRC in attendance and we look forward to the opportunity to connect with as many defender teams as possible while there. Until then, you can find me on Twitter @jnabryant and be sure to follow the MSRC @msftsecresponse.