News

RSA: Microsoft Urges Greater Internet Security Collaboration

As cyber security problems become more widespread, Microsoft urged the IT community to take a more active role, and described its security approach.

• By Jabulani Leffall
• 04/21/2009

That approach includes an "End to End Trust" concept, which Microsoft announced on Tuesday at the RSA Conference in San Francisco. It's an idea that combines identity verification with hardware and software security assurances. Microsoft considers End to End Trust to be a subset of its Security Development Lifecycle (SDL) initiative, which is an overall plan to build security into the software development process.

Scott Charney, corporate vice president of of Microsoft's Trustworthy Computing group, said in a video that the Internet, while here to stay, is still not trustworthy -- mostly because it "can be anonymous and untraceable" for criminals to use. Microsoft takes measures to eliminate possible exploits, such as via its SDL approach, but vulnerabilities "will never be down to zero," Charney admitted.

The biggest message RSA attendees are getting from Microsoft is that the company is reaching out to individuals, channel partners, government officials and even competitors to make computing on and off the Internet a safer place for doing business, as well as socializing.

Microsoft has been working with a number of groups toward that end. It's part of the Internet Safety Technical Task Force, the Internet Consortium for Advancement of Security on the Internet, and the Center for Strategic and International Studies' Cybersecurity Commission. Microsoft is also part of an enterprise collaboration group called the Conficker Working Group, addressing a worm that targets Windows-based machines.

Microsoft has seen software security threats abounding in 2008. The threats included rogue security software, malware, spam and sophisticated worm strains, Microsoft asserted in the sixth edition of its "Security Intelligence Report."

IT product vulnerabilities generally decreased five percent in the second half of 2008 compared with the same period in 2007, according to the report. However, vulnerabilities classified as being "high severity" were found to have increased 13 percent year over year. And this was found just at the product level. When it comes to trends in threats in the enterprise space, every report since the start of the year has revealed the same thing: an unprecedented amount of incidents of hacking and theft.

A "2009 Data Breach Investigations Report" (PDF), published by Verizon Business, was no exception. It found that more electronic records were breached in 2008 than in the previous four years combined, fueled by cyber criminals' growing focus on the financial services industry and the involvement of organized crime.

One of the key findings in Verizon's report was that 74 percent of breaches came from "external sources," while 32 percent were linked to "business partners." Only 20 percent were due to "insiders," a finding that may be contrary to what many would expect.

"This is something companies need to look out for because we're at a pretty critical stage in enterprise security," said Wade Baker, research and intelligence principal at Verizon Business, in an interview on the eve of RSA. "Something like this is hard to legislate. Companies need knowledge of the threat and also internal policies and operational procedures around security. But it has to be combination of these things to get the low-hanging fruit and catch the complex technical attacks, as well."

Enterprise security strategies have been at the forefront, but they lack a uniform standard. Arthur Coviello, president of RSA, outlined four fundamental rules for enterprise security. He said that companies should have policy management, policy decisions, policy enforcement and policy monitoring all in place to deal with security issues. Coviello spoke on Tuesday at the RSA event, following Microsoft's presentation.

Aside from those points regarding how companies should act internally, the spirit of collaboration was evident at the end of Coviello's keynote address. He asked Microsoft's Charney join him onstage along with Brett Galloway, Cisco's vice president of wireless and security technology. Coviello talked about a common "language of policy and risk."

"Although [it's] almost a cliché, we must collaborate on standards," Coviello said. "Second, we need to share technology. We're not good at sharing always. Making core technologies in key areas more accessible can accelerate the growth and productivity of the ecosystem by reducing the time and expense of developing mature enterprise-class capabilities."