Slashdot Mirror
Microsoft Invests $1 Billion In 'Holistic' Security Strategy (darkreading.com)
ancientribe writes: Microsoft has invested $1 billion over the past year in security and doubled its number of security executives, according to company's CISO Bret Arsenault. In an address today (webcast), CEO Satya Nadella officially announced the launch of a new managed security services group and a new cyber defense operations center — all part of its new strategy of holistic and integrated security across its products and services. Microsoft execs rarely detail the company's strategy so publicly, so that in itself underlines how security is a major element in its strategy.
Paying MS to fix security problems is like paying chemical companies to clean up their own pollution.
Table-ized A.I.
It seems like this is mostly a marketing effort to sell others on their "security" managed services...
Hi! I'm an Executive at the Microsoft Cyber Defense Operations Center, and we've detected a problem with your internet....
it's Integrated!
Hmm... I thought "executives" mean more people pointing fingers to others instead of do the coding???
about saftey
Isn't that precisely what companies are doing with security bug bounty programs?
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
But, I find it hard to imagine the amount of polished code that could be created for $1,000,000,000.
I guess because the code executes so much faster today, it costs more to create and debug it?
Applying the inverse square law... means 1/4 of the productivity.
>> Isn't that precisely what companies are doing with security bug bounty programs?
No, that's called "outsourcing QA"
Wake me when we get to crystal healing.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So I guess their Security through stupidity model isn't working for them in the long run.
Why is Snark Required?
A 'holistic' security strategy does not mean an operating system that's full of holes.
I'm guessing he used the term "holistic" in a sense that the plan covers multiple aspects of security. The classical term of "holistic" refers to not alternative treatments, but rather it covering the entirety of something or treating everything as interconnected. In medical terms, it usually refers to the mind and body as a whole.
Might I add that most "holistic" medicine is grade A horseshit.
Anything's better than the prior approach, which was homeopathic.
Before most of you were born IBM attempted to solve all the world's communications problems with a product called SNA (Systems Network Architecture). Basically SNA was an enormous protocol stack roughly equivalent to many modern day RFC standards. Now the best way to solve a big problem is to divide it up like eating an elephant something big companies are organizationally incapable of doing - too many meetings, reviews and inconsistent requirements not to mention political career conflicts. I'm not optimistic
This will follow the usual path of all MS "Initiatives".
IOW, it will be a "Big Thing" for about 3 years, and then be replaced with the next Big Thing.
So "Government Cloud Forum" mixes in "industry, government, law enforcement, customers and consumers" to sell or rent more "tools and services" back to governments.
So 'intelligence, platform and partnering broadly" is the monetized trap door and back doors sold on "another vendors" systems too?
Only then can govs can get the keys for "personal devices"?
How about just encryption for gov data so when all the fancy world facing networking and clouds fail the data copied out is a worthless honeypot. No more network facing plain text just waiting for anyone with a fast pipe and skills, just traps and tracking.
How did the USA gov do really good security?
Move the trusted staff to a secure gov site to work on the air gapped data. Data been networked all over the USA, in the private sector hands and other random low security sites will get unencrypted at so many stages just to help it move, be stored, get added to, updated or be sorted.
Why would the private sector need a full copy of a secure US gov database in plaintext on an open network? Profit and ideology vs the most basic security considerations?
Stop giving secret gov data in bulk to the private sector to unencrypt and work on.
Domestic spying is now "Benign Information Gathering"
We can fix this for you remotely, we just need you to give us the Administrator passwords to your Windows hosts and your social security number so we can verify your identity. Don't worry, I'll hold the line while you get this information.
Most of them will be incompetent (as most executives are) with regards to security anyways. What about hiring some actual experts (i.e. engineers) and giving them the power they need to change things?
Of course, that would result in these experts telling MS to scrap everything and start over (based on xBSD or Linux) because Security is not something you can successfully bolt-on after the fact. And that is the reason why this is pure show. MS has never cared about their customers or about having a good product. They have always ignored other things that work whenever they could and made their own thing instead, badly. As long as their bottom-line is unaffected, that will never change. Of course, with all the mobile devices these days, a "pure MS" ecosystem does not exist and the average person has found out that you can do cool things with non-MS systems too.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I got two of these this week. First I just hung up, second I cursed the person on the other side. Seems to have worked as security measure.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Who gives a shit how they do it as long as the end result is a more secure product? And FYI, in house teams are not always capable of finding all the bugs no matter how much money and resources you through at it, that's when bug bounty comes in, to get an outside perspective.
So...nothing about a version of windows that doesn't give ambient authority to every line of code that runs... this has a zero percent chance of success.
"This makes perfect sense"
This makes perfect sense... TWICE!
"CEO Satya Nadella officially announced the launch of a new managed security services group and a new cyber defense operations center â" all part of its new strategy of holistic and integrated security"
In order to attain an holistic approach, Microsoft's CEO creates new separated groups and facilities. Brilliant!
If you think Microsoft has no in-house testing team, you are delusional! Microsoft does not use conventional QA testers, they use whats called SDET (Software Design Engineer in Test), and they have a very large team of that: https://www.microsoft.com/en-i...
Yes they have! Microsoft produces very polished and secure products with incredibly fast and consistent response to bugs and security issues for such complex array of software they offer. People on Slashdot with limited technical background simply like to rag on Microsoft with the mentality that Linux rocks/Microsoft sucks.
Well, they DO secure it. They made many tough decisions like including a breaking driver security model and UAC in Vista that ultimately gave them a very bad rap from users, but that be damned, it was much more secure. They have recently included (or will soon) a new kernel virtualization mode that makes it nearly impossible for even kernel-mode exploits and driver malware to cause damage to user-mode applications and data... because even the kernel doesn't have direct access to user mode processes.
You hate Microsoft, I get it. But get out of the 1990s; Microsoft security has been very serious for quite a while now.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
Didn't they do this dance 10-15 years ago? Bill put a big stop to everything and for 6-12 months MS was just focused on "security".
Someone should tell them it's not a 'every once in a while' thing.
Sleep your way to a whiter smile...date a dentist!
For several years now I've jokingly referred to myself as a "holistic IT troubleshooter", partially as a shout-out to Dirk Gently. Now I'll probably get a cease-and-desist letter from M$...
First of all Linux is far from secure, and this is after a very large community of developers which includes commercial organizations such as Intel, Red Hat, Suse, etc. Secondly, Microsoft develops and maintains their entire tool chain which includes compiler, file system, kernel, desktop manager, etc. On top of that, due to popularity of Microsoft products they are the target of much greater audience, including black/white hat and government agencies. Despite all this, Microsoft still manages to create very secure software with cutting edge security. Obviously they cannot 100% secure their software since software is constantly evolving and as a result new bugs and security issues are introduced, but Microsoft DOES care about the security of their product and that's why they are spending $1 billion on security according to this article.
To play devil's advocate here: suppose you have a new incentive to grow a new group in your company. Would you want dedicated employees to help it grow, or would you prefer people working on established projects maybe, possibly working on your pet project when they have a few minutes when they're not distracted with something they know has traction?
Some people don't believe in fairies. I don't believe in The Patriarchy.
Not really. It's challenging people to find weaknesses in their products that they clearly haven't discovered themselves and be rewarded for doing so. It's not a new concept. Locksmiths have been challenging people to pick locks, open safes for centuries.
Bret Arsenault, CISO, Microsoft
"My internal operations team can swivel with the DCU [Digital Crimes Unit]" there, for example, Arsenault says.
WTF is this?
and I'm not their biggest fan, but I would submit that most of the modern exploits are due to vulnerabilities in browsers and the internet itself. In the past MS has done a piss poor job of security but it's much better now.
OSX, Linux, UNIX, Android, iOS - they all have vulnerabilities. It's just that Windows has a much bigger install base than the others and that makes it a logical target. If you want a 100% secure system then don't connect it to the internet and don't let anyone have physical access to the keyboard. As soon as you connect it to the internet you open a port, and therefore an attack vector.
"To play devil's advocate here"
Play devil's advocate all you want: if you look for an holistic approach the last thing you want is a new different silo.
"Would you want dedicated employees to help it grow"
Maybe yes. Maybe I understand that in order for change to come I need people above and beyond the current "business as usual" level. But if I look for an "holistic approach" I'll integrate them in the structures already in place, that's what "holistic" means to start with.
It's not me but Satya the one that came with the "holistic" concept. Maybe it's a clever approach, maybe it's stupid (if the current way is too entrenched, maybe it's better to start anew with new people and groups and facilities: in the end, you don't change the way people interact by just putting a different name in their presentation cards) but if you say it's going to be holistic, you being the CEO, it's going to be damn holistic or the stupid one is you!
I've found that means they have absolutely no clue what they're doing. They'll spend a bunch of money, nothing with get done and somehow it'll be a success.
Holistic security and closed source is oxymoron
Casteism
>> Isn't that precisely what companies are doing with security bug bounty programs?
No, that's called "outsourcing QA"
I think we can also thank Snowden and many others that have noted how
common it is that a Microsoft machine gets used in a farm of attack
bots....
I know that I have written before that known flaws and exploits
are a risk to national security. Some falsely believe knowing how
to exploit systems is power but as script kiddies demonstrate these flaws
are not only known by honest law enforcement.
The problem is finding a global definition of honest law enforcement
for global companies to interact with.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.