Slashdot Mirror


Microsoft Invests $1 Billion In 'Holistic' Security Strategy (darkreading.com)

ancientribe writes: Microsoft has invested $1 billion over the past year in security and doubled its number of security executives, according to the company's CISO Bret Arsenault. In an address today (webcast), CEO Satya Nadella officially announced the launch of a new managed security services group and a new cyber defense operations center — all part of its new strategy of holistic and integrated security across its products and services. Microsoft execs rarely detail the company's strategy so publicly, so that in itself underlines how security is a major element in its strategy.

80 comments

  1. One set to create the problem, one set to solve it by xxxJonBoyxxx · · Score: 0

    >> doubled its number of security executives

    This makes perfect sense: the original Microsoft group will write vulnerable applications while the new services group chases the problem around. Brilliant!

  2. Conflict of Interest? by Tablizer · · Score: 2, Informative

    Paying MS to fix security problems is like paying chemical companies to clean up their own pollution.

    1. Re:Conflict of Interest? by Anonymous Coward · · Score: 1

      Microsoft just helps the economy. There is a whole industry selling anti-virus software for Windows' shitty security. Linux doesn't have anti-malware products, and if it does, they're scanners for servers to check relayed mails for Windows viruses. Linux destroys the economy. Microsoft will help make AMERICA GREAT AGAIN. Linux is the OS of the islamic state. Obama and the democrats install it in the US ARMY so that it BECOMES WEAK. TRUMP will make AMERICA'S ARMY GREAT AGAIN. Trump 2016.

    2. Re:Conflict of Interest? by Tablizer · · Score: 2

      Such is called the "broken window" economic theory. It may generate employment, but not necessarily better living.

    3. Re:Conflict of Interest? by The+Real+Dr+John · · Score: 0

      The first job of the "managed security services group" at MS needs to be Windows. Once they get that figured out, they can then offer their services to others. But they seem to be more interested in turning Windows into a targeted advertising platform, so I am not sure that their own product is even on their managed security services group's radar.

      --
      A brain is a terrible thing to waste... Mind? That's debatable.
    4. Re:Conflict of Interest? by The-Ixian · · Score: 1

      > Linux doesn't have anti-malware products

      I had to laugh at this. I have to say that almost all of the automated attacks I ever see hitting my firewall are Linux server exploits.

      I have managed many servers over the years, almost all of them Windows. I have had maybe 4 separate instances of one of my servers getting owned and they were all Linux servers.

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Conflict of Interest? by The-Ixian · · Score: 1

      ok, yeah, I read your post all wrong.

      This was me being distracted while posting....

      is my face red?

      --
      My eyes reflect the stars and a smile lights up my face.
    6. Re:Conflict of Interest? by Anonymous Coward · · Score: 0

      > Linux doesn't have anti-malware products
      >
      > I had to laugh at this. I have to say that almost all of the automated attacks I ever see hitting my firewall are Linux server exploits.
      >
      > I have managed many servers over the years, almost all of them Windows. I have had maybe 4 separate instances of one of my servers getting owned and they were all Linux servers.

      Learn to manage your Linux servers better.

      Every instance of a Linux server being owned that I've seen has happened due to poor management.

    7. Re:Conflict of Interest? by Anonymous Coward · · Score: 0

      So you're admitting that you don't know how to administer a Linux box. Thanks for playing!

    8. Re:Conflict of Interest? by Anonymous Coward · · Score: 0

      Yeah... I spent 20 years managing UNIX and Linux systems.. only 4 known exploits.
      1 - internal done by the testing group (we didn't have access)
      1 - my stupidity.
      1 - remote connection via stolen credentials (from a university no less)
      1 - attack on a print server (also done by the testing group).

      Did they succeed? Only the first, and the machine penetrated had not been turned over for hardening.

      Windows? died many times (worms, mail virus, office macro viruses...). One situation lasted an entire week - due to the fact that Outlook server+SQL couldn't provide a simple reject message for a mail that overflowed the disk...

      Windows was deemed too insecure for use - so the entire group went UNIX/Linux. Had no problems since.

      Attacks? sure - every day. None were successful. They were so common we ignored them unless something was unusual about a particular one.

    9. Re:Conflict of Interest? by ConceptJunkie · · Score: 1

      Yeah, I was going to make a similar comment. Microsoft seems to have really improved on the security front... too bad no one wants to use their software any more. Usability seems to have gone by the wayside, along with any aesthetic sense. Windows is now uglier than it's been since Windows 2.

      --
      You are in a maze of twisty little passages, all alike.
    10. Re:Conflict of Interest? by The+Real+Dr+John · · Score: 1

      I would love to know what made them go for the flat monochrome look. It is hideous. What I was hoping they would do is make themes much more robust (rather than eliminating them). I would love it if they had standard themes for XP, W7 and W8/8.1, all of which could be infinitely customized further. It would be fun to be able to switch to Windows XP theme, and then click on the Windows 7 theme, and have everything just the way it was. Or you could choose the standard W10 theme. So themes would be more than a look, it would also change the way the OS worked to make it like the original in both look and feel. So for XP through 7 you would have the control panel, but for 8 and 10 you would have PC settings. This way everyone is happy.

      --
      A brain is a terrible thing to waste... Mind? That's debatable.
    11. Re:Conflict of Interest? by ConceptJunkie · · Score: 1

      I hear you. Up until Windows 7, I enjoyed the "Windows Classic" theme, because I think the Windows 2000 look, while dated, was also the cleanest and most functional UI skin Microsoft ever made. Everything since then has been some degree or other of ugly, with Windows 8 and 10 being the worst-looking versions of Windows since Windows 2, which mostly suffered from the lack of hardware capabilities (low resolution, low color depth).

      It seems that everything that was meticulously studied and developed back in the 80s by people like IBM and Microsoft themselves (like CUA) has been thrown out of the window, with no guiding principles replacing them other than what a bunch of pajama boys with art degrees and no real-world experience think looks good. This has been going on for almost 20 years (the quality of UI started to decline in the late 90s when everyone went way overboard with skeuomorphic design and you could no longer tell what was a control and what was background ornamentation). Windows 8 went for some kind of minimalist look where large swaths of blank space on the screen seemed to be the guiding principle, not unlike 90s grunge music, which cast off all the excesses of 80s pop, with its over-reliance on synthesizers and excessive production; but along with the grunge movement, MS also threw out the baby with the bathwater, and forgot to make what was left good.

      So now we have the Gnome mentality where choice is bad for you because apparently all users are stupid, as opposed to the truth, which is that a lot of users are inexperienced and unsophisticated, but plenty of users can and want to control as much as they can. For instance, I tried the OneDrive app for Android and like Windows, it doesn't show file extensions by default, which I think is the stupidest usability mistake MS ever made, except in the case of the Android app, there's no way to turn it on, so I'm reduced to deciphering icons to figure out what the hell kind of file I'm looking at. The application intentionally cripples the user by removing important information.

      And don't get me started on Amazon, who are much, much worse than MS. MS may have forgotten how to make a good UI, but Amazon never knew in the first place, and it shows in their software UI. (I'm referring to their software... their website isn't bad, IMO).

      --
      You are in a maze of twisty little passages, all alike.
    12. Re:Conflict of Interest? by The+Real+Dr+John · · Score: 1

      Agree completely. I have been over at the MS Windows 10 forums where lots of the "Insiders" debate Windows issues. The attitude from many of the Insiders is incomprehensible. It seems to be that they know best, and they have to repeatedly remind everyone that they "are not stupid" and MS is not stupid, so they obviously have gotten lots of negative feedback to be that defensive.

      So MS is going for a free OS, app-store-on-the-start-menu revenue stream, and I just don't think that is going to pull in the kind of money that selling the OS to most businesses and government agencies had done for them. It's a big gamble, and risks losing even more of their vast user base. I just don't see them breaking into the mobile market to any great extent, so the entire push to make a one-size-fits-all-devices OS doesn't seem like a good business decision.

      I guess we will find out if they are or are not stupid over the next few years.

      PS, I hate the default setting of not showing extensions, and it is the first thing I change when I install Windows on a machine for someone.

      --
      A brain is a terrible thing to waste... Mind? That's debatable.
    13. Re:Conflict of Interest? by niftymitch · · Score: 1

      > Linux doesn't have anti-malware products
      >
      > I had to laugh at this. I have to say that almost all of the automated attacks I ever see hitting my firewall are Linux server exploits.
      >
      > I have managed many servers over the years, almost all of them Windows. I have had maybe 4 separate instances of one of my servers getting owned and they were all Linux servers.

      Your view is illuminating, yet the millions of laptops and home computers are not behind a well managed firewall.

      This lack of quality firewalls in ISP provided hardware is a real problem. +1 for OpenWrt and friends.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  3. Conflating security with marketing by Anonymous Coward · · Score: 1

    It seems like this is mostly a marketing effort to sell others on their "security" managed services...

  4. Phone calls from MS by fhage · · Score: 5, Funny

    Hi! I'm an Executive at the Microsoft Cyber Defense Operations Center, and we've detected a problem with your internet....

  5. Holy Security, Batman! by turkeydance · · Score: 1

    it's Integrated!

  6. Re:One set to create the problem, one set to solve by parkinglot777 · · Score: 3, Interesting

    Hmm... I thought "executives" means more people pointing fingers at others instead of doing the coding???

  7. what's with the BF quote by turkeydance · · Score: 1

    about safety

  8. Re:One set to create the problem, one set to solve by bondsbw · · Score: 2

    Isn't that precisely what companies are doing with security bug bounty programs?

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  9. I feel old (because I am - sigh) by frnic · · Score: 4, Interesting

    But, I find it hard to imagine the amount of polished code that could be created for $1,000,000,000.

    I guess because the code executes so much faster today, it costs more to create and debug it?

    1. Re:I feel old (because I am - sigh) by phantomfive · · Score: 1

      It just goes to show - if you want secure code, you should write it carefully in the first place. Because trying to fix it later is an order of magnitude more expensive, and probably won't work anyway.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:I feel old (because I am - sigh) by frnic · · Score: 1

      yeah, OLD cliches are often true, since the reason they are cliches is they work...

      "If you don't have time to do it right the first time, will you have time to fix it or do it again?"

    3. Re:I feel old (because I am - sigh) by gweihir · · Score: 3, Insightful

      No, no, they have not spent that money on _code_. They have spent it on _executives_! You know, clueless people with big egos that earn a lot of money and prevent engineers from doing a good job.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  10. Doubling the number of executives 1/x^2 by exabrial · · Score: 5, Funny

    Applying the inverse square law... means 1/4 of the productivity.

  11. Lipstick on a pig! by rstanley · · Score: 0

    They have done so much with securing their systems in the past, how can they possibly fail? ;^)

    What more can I say?

  12. Translation: by Anonymous Coward · · Score: 0

    "We've noticed you've been using standalone firewall appliances to keep our software from calling home. Allow us to correct that oversight."

  13. Re:One set to create the problem, one set to solve by xxxJonBoyxxx · · Score: 4, Interesting

    >> Isn't that precisely what companies are doing with security bug bounty programs?

    No, that's called "outsourcing QA"

  14. We're at "holistic" by Opportunist · · Score: 3, Funny

    Wake me when we get to crystal healing.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:We're at "holistic" by Calydor · · Score: 1

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:We're at "holistic" by l0n3s0m3phr34k · · Score: 1

      well, we've got Prism, which IRL is a triangular crystal...

  15. Security through Stupidity by Required+Snark · · Score: 1

    So I guess their Security through stupidity model isn't working for them in the long run.

    --
    Why is Snark Required?
    1. Re:Security through Stupidity by gweihir · · Score: 1

      So far it has worked splendidly. Just look at all the stupid people still flocking to them and defending their decades out-of-date crap like it was the second coming.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. The first thing they should do... by Anonymous Coward · · Score: 0

    Y'know, I think the first thing any Microsoft security effort should do is NOT announce themselves.

  17. Dear Microsoft by Applehu+Akbar · · Score: 1

    A 'holistic' security strategy does not mean an operating system that's full of holes.

  18. Holistic terminology by nawcom · · Score: 2

    I'm guessing he used the term "holistic" in a sense that the plan covers multiple aspects of security. The classical term of "holistic" refers to not alternative treatments, but rather it covering the entirety of something or treating everything as interconnected. In medical terms, it usually refers to the mind and body as a whole.

    Might I add that most "holistic" medicine is grade A horseshit.

    1. Re:Holistic terminology by phantomfive · · Score: 1

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Holistic terminology by Anonymous Coward · · Score: 0

      > Might I add that most "holistic" medicine is grade A horseshit.

      Aha! That's why Microsoft selected that word then.

    3. Re:Holistic terminology by DeanCubed · · Score: 1

      Yeah maybe the extra security are detectives.

      --
      Born to Play
  19. Re:Doubling the number of executives 1/x^2 by Anonymous Coward · · Score: 0

    The General Dynamics Law of Engineering:
    "There is no problem so big, that it cannot be fixed by another layer of management."

    I guess some GD manager moved to MS...

  20. Anything's better than the prior approach ... by tlambert · · Score: 3, Funny

    Anything's better than the prior approach, which was homeopathic.

  21. Re:One set to create the problem, one set to solve by Anonymous Coward · · Score: 0

    The main effect of more managers is to slow a project down. So they will also reduce the rate at which new problems are created, but it won't really change anything.

  22. big company fiddle-faddle by Anonymous Coward · · Score: 1

    Before most of you were born, IBM attempted to solve all the world's communications problems with a product called SNA (Systems Network Architecture). Basically, SNA was an enormous protocol stack roughly equivalent to many modern-day RFC standards. Now, the best way to solve a big problem is to divide it up, like eating an elephant, something big companies are organizationally incapable of doing: too many meetings, reviews and inconsistent requirements, not to mention political career conflicts. I'm not optimistic.

  23. It's Microsoft. That's all you need to know by macs4all · · Score: 1

    This will follow the usual path of all MS "Initiatives".

    IOW, it will be a "Big Thing" for about 3 years, and then be replaced with the next Big Thing.

  24. Tax paying for more PRI$M by AHuxley · · Score: 1

    So "Government Cloud Forum" mixes in "industry, government, law enforcement, customers and consumers" to sell or rent more "tools and services" back to governments.
    So 'intelligence, platform and partnering broadly" is the monetized trap door and back doors sold on "another vendors" systems too?
    Only then can govs can get the keys for "personal devices"?

    How about just encryption for gov data so when all the fancy world facing networking and clouds fail the data copied out is a worthless honeypot. No more network facing plain text just waiting for anyone with a fast pipe and skills, just traps and tracking.
    How did the USA gov do really good security?
    Move the trusted staff to a secure gov site to work on the air gapped data. Data been networked all over the USA, in the private sector hands and other random low security sites will get unencrypted at so many stages just to help it move, be stored, get added to, updated or be sorted.
    Why would the private sector need a full copy of a secure US gov database in plaintext on an open network? Profit and ideology vs the most basic security considerations?
    Stop giving secret gov data in bulk to the private sector to unencrypt and work on.

    --
    Domestic spying is now "Benign Information Gathering"
  25. Re:Phone calls from MS by tnk1 · · Score: 1

    We can fix this for you remotely, we just need you to give us the Administrator passwords to your Windows hosts and your social security number so we can verify your identity. Don't worry, I'll hold the line while you get this information.

  26. Unlikely by Anonymous Coward · · Score: 0

    Because the answer the group should provide is avoid Microsoft
    (My sheep in wolves clothing detector is going off.)

    [dream mode on]
    It would seem that if Microsoft were actually serious about security, they would make a simple OS which just works.
    Folks could choose to use the new API or what they offer in the Winfoo stuff.
    Perhaps the Winfoo stuff would eventually become a not well behaved, but contained guest of the secure OS.
    This seems unlikely because it violates the economic necessity of making things that need continual replacement.
    [end dream mode]

  27. And "Security Executives" help how? by gweihir · · Score: 2

    Most of them will be incompetent (as most executives are) with regards to security anyways. What about hiring some actual experts (i.e. engineers) and giving them the power they need to change things?

    Of course, that would result in these experts telling MS to scrap everything and start over (based on xBSD or Linux) because Security is not something you can successfully bolt-on after the fact. And that is the reason why this is pure show. MS has never cared about their customers or about having a good product. They have always ignored other things that work whenever they could and made their own thing instead, badly. As long as their bottom-line is unaffected, that will never change. Of course, with all the mobile devices these days, a "pure MS" ecosystem does not exist and the average person has found out that you can do cool things with non-MS systems too.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  28. Re:Phone calls from MS by gweihir · · Score: 1

    I got two of these this week. First I just hung up, second I cursed the person on the other side. Seems to have worked as security measure.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  29. Re:One set to create the problem, one set to solve by holostarr · · Score: 1

    Who gives a shit how they do it as long as the end result is a more secure product? And FYI, in-house teams are not always capable of finding all the bugs no matter how much money and resources you throw at it; that's when bug bounty comes in, to get an outside perspective.

  30. Holistic! by Anonymous Coward · · Score: 0

    Now a technology that uses a relatively obscure word like that, that many use but whose meaning few understand, is a sure sign of company who knows what it is doHA, HA, HA, HA, HA!

  31. Re:One set to create the problem, one set to solve by Anonymous Coward · · Score: 0

    > Who gives a shit how they do it as long as the end result is a more secure product? And FYI, in-house teams are not always capable of finding all the bugs no matter how much money and resources you throw at it; that's when bug bounty comes in, to get an outside perspective.

    What "in-house teams"? The Windows division laid off all of its QA in 2014?

  32. Actual security content - 0% by ka9dgx · · Score: 1

    So...nothing about a version of windows that doesn't give ambient authority to every line of code that runs... this has a zero percent chance of success.

  33. Re:One set to create the problem, one set to solve by turbidostato · · Score: 2

    "This makes perfect sense"

    This makes perfect sense... TWICE!

    "CEO Satya Nadella officially announced the launch of a new managed security services group and a new cyber defense operations center â" all part of its new strategy of holistic and integrated security"

    In order to attain an holistic approach, Microsoft's CEO creates new separated groups and facilities. Brilliant!

  34. Re:One set to create the problem, one set to solve by holostarr · · Score: 1

    If you think Microsoft has no in-house testing team, you are delusional! Microsoft does not use conventional QA testers, they use whats called SDET (Software Design Engineer in Test), and they have a very large team of that: https://www.microsoft.com/en-i...

  35. Re: One set to create the problem, one set to solv by Anonymous Coward · · Score: 0

    And they've done a stellar job so far.

  36. Re: One set to create the problem, one set to solv by holostarr · · Score: 1, Funny

    Yes they have! Microsoft produces very polished and secure products with incredibly fast and consistent response to bugs and security issues for such a complex array of software as they offer. People on Slashdot with limited technical background simply like to rag on Microsoft with the mentality that Linux rocks/Microsoft sucks.

  37. Re: One set to create the problem, one set to sol by Anonymous Coward · · Score: 0

    Unless and until ms can find a way to make bank doing security on their products, they just won't care. Billions, literally billions, of dollars in profit from windows and they still can't secure it? They are not trying or they don't care. I don't know the answer to that but then I don't care either way.

  38. Re: One set to create the problem, one set to so by bondsbw · · Score: 1

    Well, they DO secure it. They made many tough decisions like including a breaking driver security model and UAC in Vista that ultimately gave them a very bad rap from users, but that be damned, it was much more secure. They have recently included (or will soon) a new kernel virtualization mode that makes it nearly impossible for even kernel-mode exploits and driver malware to cause damage to user-mode applications and data... because even the kernel doesn't have direct access to user mode processes.

    You hate Microsoft, I get it. But get out of the 1990s; Microsoft security has been very serious for quite a while now.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  39. Re:One set to create the problem, one set to solve by davester666 · · Score: 2

    Didn't they do this dance 10-15 years ago? Bill put a big stop to everything and for 6-12 months MS was just focused on "security".

    Someone should tell them it's not a 'every once in a while' thing.

    --
    Sleep your way to a whiter smile...date a dentist!
  40. Oh a Microsoft Security story again eh by Anonymous Coward · · Score: 0

    http://science.slashdot.org/comments.pl?sid=8335785&cid=50943875

    Over and over, same shit. Spyware company that back-stabbed the global public wants to tout how the words Microsoft and "security" go hand in hand.

    GTFO spyware. Microsoft was the foremost global botnet/spyware host.. until it became the actual global botnet/spyware itself.

    Microsoft Inc. Putting spyware companies out out of business with superior spyware. Fire yourselves.

  41. Re: One set to create the problem, one set to s by Anonymous Coward · · Score: 0

    Let's see. In this corner a company that makes billions (pinky in corner of mouth) selling a commercial os. And in the other corner a bunch of unwashed hippies and communists giving (giving - the horrors!) away an os. How can the open sourcers create a system that is just as secure (some things better, some not) as the commercial product? Magic, I assume. Unless...maybe profit *is* put before end user security.

    "Security pretty soon, we promise"â. Ima saying this in jest but it's hard to spin it any way but what it is.

  42. Dirk Gently?? by l0n3s0m3phr34k · · Score: 1

    For several years now I've jokingly referred to myself as a "holistic IT troubleshooter", partially as a shout-out to Dirk Gently. Now I'll probably get a cease-and-desist letter from M$...

  43. Re: One set to create the problem, one set to s by holostarr · · Score: 1

    First of all, Linux is far from secure, and this is after a very large community of developers which includes commercial organizations such as Intel, Red Hat, Suse, etc. Secondly, Microsoft develops and maintains their entire tool chain, which includes compiler, file system, kernel, desktop manager, etc. On top of that, due to the popularity of Microsoft products they are the target of a much greater audience, including black/white hats and government agencies. Despite all this, Microsoft still manages to create very secure software with cutting-edge security. Obviously they cannot 100% secure their software since software is constantly evolving and as a result new bugs and security issues are introduced, but Microsoft DOES care about the security of their product and that's why they are spending $1 billion on security according to this article.

  44. One Billion Dollars! by Anonymous Coward · · Score: 0

    Spending $1 Billion on a couple more executives does not increase security, at all.

  45. Re: One set to create the problem, one set to s by Anonymous Coward · · Score: 0

    Gee, wonder who you work for...?

  46. Re:One set to create the problem, one set to solve by LaurenCates · · Score: 1

    To play devil's advocate here: suppose you have a new incentive to grow a new group in your company. Would you want dedicated employees to help it grow, or would you prefer people working on established projects maybe, possibly working on your pet project when they have a few minutes when they're not distracted with something they know has traction?

    --
    Some people don't believe in fairies. I don't believe in The Patriarchy.
  47. Data transfer by Anonymous Coward · · Score: 0

    Note the data transfer law enabling Microsoft to send data to the spooks for "cyber security" related purposes.

    And suddenly Microsoft is setting up a vague Cyber Security division? Sounds like data is being sold, and presumably that links up with all the spyware Windows 10 now has.

    As a side note, IBM just bought that weather widget that is on most Android devices. It has masses of tracking data in it, and I doubt they suddenly got interested in weather prediction! More likely they saw an opportunity in the new law and took it. Watch the widget get updated and wanting more and more rights to the data on the device..... betcha.

  48. Re:One set to create the problem, one set to solve by DrXym · · Score: 1

    Not really. It's challenging people to find weaknesses in their products that they clearly haven't discovered themselves and be rewarded for doing so. It's not a new concept. Locksmiths have been challenging people to pick locks, open safes for centuries.

  49. Re: One set to create the problem, one set to s by Anonymous Coward · · Score: 0

    And despite all the work on security....

    IT STILL FAILS - REPEATEDLY.

    the problem is the original designs are not secure.

  50. World Upside Down by Anonymous Coward · · Score: 0

    Holistic Security?? What is this? Like cures like? Malware fixes malware? Microsoft is going to make me more secure by taking all our data from Windows 10 computers as well as update Win7 and 8 computers?

    "information it gathers worldwide from its sensors and customers."

    This is nuts!

  51. FUD. Plain and simple. by Anonymous Coward · · Score: 0

    FUD. Plain and simple.

    Why don't they spend that money on end-user privacy?

    Or fixing Win7 Media Center Schedule data updates? Mine stopped working in July on 1 machine. Another machine has the schedule data working great! Don't know why 1 works and the other will not.

  52. Surely This is a Spoof? by segedunum · · Score: 2

    Bret Arsenault, CISO, Microsoft

    "My internal operations team can swivel with the DCU [Digital Crimes Unit]" there, for example, Arsenault says.

    WTF is this?

  53. In Microsoft's defense.... by erp_consultant · · Score: 1

    and I'm not their biggest fan, but I would submit that most of the modern exploits are due to vulnerabilities in browsers and the internet itself. In the past MS has done a piss poor job of security but it's much better now.

    OSX, Linux, UNIX, Android, iOS - they all have vulnerabilities. It's just that Windows has a much bigger install base than the others and that makes it a logical target. If you want a 100% secure system then don't connect it to the internet and don't let anyone have physical access to the keyboard. As soon as you connect it to the internet you open a port, and therefore an attack vector.

  54. Re:One set to create the problem, one set to solve by turbidostato · · Score: 1

    "To play devil's advocate here"

    Play devil's advocate all you want: if you look for an holistic approach the last thing you want is a new different silo.

    "Would you want dedicated employees to help it grow"

    Maybe yes. Maybe I understand that in order for change to come I need people above and beyond the current "business as usual" level. But if I look for an "holistic approach" I'll integrate them in the structures already in place, that's what "holistic" means to start with.

    It's not me but Satya the one that came with the "holistic" concept. Maybe it's a clever approach, maybe it's stupid (if the current way is too entrenched, maybe it's better to start anew with new people and groups and facilities: in the end, you don't change the way people interact by just putting a different name in their presentation cards) but if you say it's going to be holistic, you being the CEO, it's going to be damn holistic or the stupid one is you!

  55. Holistic? by ebvwfbw · · Score: 1

    I've found that means they have absolutely no clue what they're doing. They'll spend a bunch of money, nothing will get done and somehow it'll be a success.

  56. Exactly: It's why I created this... apk by Anonymous Coward · · Score: 0

    "modern exploits are due to vulnerabilities in browsers and the internet itself" - by erp_consultant (2614861) on Wednesday November 18, 2015

    See subject & APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    It protects vs. malware serving sites, maliciously scripted sites, botnets (freezing their communications even IF you have one inside the perimeter already (bonus)), trackers, DNS Security issues (kaminsky redirect poisoning, Open DNS Servers (not OpenDNS) being abused, rogue dns servers, routers + OS ip stack dns settings poisoned (ala DNSChanger)), & increases speed 2 ways (hardcoded favorite sites you spend MOST of your online time @, placed @ the top of hosts for the utmost in speed of resolution as hosts is cached into RAM which also increases reliability (double-bonus) + adblocking), & also reliability of connectivity (If dns is hijacked as noted earlier) + anonymity (vs. DNS request logs).

    APK

    P.S.=> MS should fix hosts (they removed the ability to use 0 vs. 0.0.0.0 as a valid blocking address circa 10/2009's "patch tuesday" in Win7 onward (yet it STILL WORKS JUST FINE in 2000/XP/Server 2003 that way)!

    &

    Even their then "VP of the Client Performance Division" who discussed this w/ me AGREED I WAS CORRECT ON IT -> http://slashdot.org/comments.p... in that it creates a SMALLER & FASTER hosts file to initially load!

    (In fact, literally 30% smaller in my case with 3,813,455++ entries & growing (mostly known bad sites &/or botnets + trackers blocked, & 24 favorites sites @ the top of hosts as noted above earlier))... apk

  57. Oxymoron by NewYork · · Score: 1

    Holistic security and closed source is an oxymoron

  58. Re:One set to create the problem, one set to solve by niftymitch · · Score: 1

    >> Isn't that precisely what companies are doing with security bug bounty programs?

    No, that's called "outsourcing QA"

    I think we can also thank Snowden and many others that have noted how common it is that a Microsoft machine gets used in a farm of attack bots....

    I know that I have written before that known flaws and exploits are a risk to national security. Some falsely believe knowing how to exploit systems is power, but as script kiddies demonstrate, these flaws are not only known by honest law enforcement.

    The problem is finding a global definition of honest law enforcement for global companies to interact with.

    --
    Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.