MSRC - Funcionamiento

Talk given by Fermín J. Serna, of Microsoft's MSRC, at the Asegúr@IT 6 event, held on 18 June 2009 in Getafe, Madrid.

  1. Inside The Microsoft Security Response Process
     - Fermín J. Serna
     - MSRC Engineering
  2. We’re Microsoft and we’re here to help!
     - MSRC teams responsible for security updates:
       - MSRC Operations PM
       - MSRC Engineering
     - Why we are here:
       - Expose the internal MSRC process for security updates
       - Case studies on two cases:
         - In-band comprehensive fix
         - Out-of-band fix
  3. Releasing a Security Update (process overview; each stage with its activities)
     - Vulnerability Reporting
       - MSRC receives incoming vulnerability reports through:
         - Secure@Microsoft.com – direct contact with MSRC
         - Microsoft TechNet Security Site – anonymous reporting
       - MSRC responds to all reports:
         - 24 hour response Service Level Agreement to finder
         - Internal response can be immediate when required
     - Triaging
       - Assess the report and the possible impact on customers
       - Understand the severity of the vulnerability
       - Rate the vulnerability according to severity and likelihood of exploit, and assign it a priority
     - Managing Finder Relationship
       - Establish communications channel
       - Quick response
       - Regular updates
       - Build the community
       - Encourage responsible reporting
     - Investigation (MSRC Engineering)
       - Reproduce the vulnerability
       - Locate variants
       - Investigate surrounding code and design
     - Fix Validation (MSRC Engineering and Product Team)
       - Test against reported issue
       - Test against variants
     - Technical guidance (MSRC Engineering)
       - Workarounds and mitigations
       - SVRD blog
       - MAPP detection guidance
     - Update Dev Tools and Practices
       - Update best practices
       - Update testing tools
       - Update development and design process
     - Content Creation
       - Security bulletin:
         - Affected software/components
         - Technical description
         - FAQs
         - Acknowledgments
     - Release
       - Security bulletins – second Tuesday of every month
       - Coordinate all content and resources
       - Information and guidance to customers
       - Monitor customer issues and press
  4. MSRC Operations (stages: Vulnerability Reporting, Managing Finder Relationship, Content Creation, Release)
     - Work with finders and security researchers that report vulnerabilities
     - Coordinate internal product teams to work towards an update
     - Develop and release messaging around vulnerabilities
       - Advisories, bulletins, KB articles, blogs
     - Coordinate severity ratings with MSRC Engineering and product teams
  5. Vulnerability Reporting
     - MSRC receives incoming vulnerability reports through:
       - Secure@Microsoft.com – direct contact with MSRC
       - Microsoft TechNet Security Site – anonymous reporting
       - Industry security events
       - Honey-pots
       - Security community partners
     - MSRC responds to all reports:
       - 24 hour response Service Level Agreement to finder
       - 7 day support
       - Every report is triaged by a security specialist
  6. Exploitability Index and Bulletin Severity ratings
     - Provides customers with guidance on the likelihood of functional exploit code being developed
     - Developed in response to customer requests for additional information to further evaluate risk
     - Published as part of the monthly Microsoft security bulletin summary
  7. Second Tuesday (outreach and communications)
     - Pre-release
       - Security Bulletin Advance Notification – three business days prior to release
       - MAPP notifications prior to release
     - Release day
       - Updates posted on Download Center, Windows Update and/or Office Update
       - Bulletins posted
       - RSS feeds
       - Customer email and instant message notifications
       - Community outreach
       - MS Field alerts and call downs
       - SVRD blog
     - Post-release
       - Security Bulletins webcast (Wednesday following release, 11AM PT)
       - Supplementary webcasts if needed
       - Monitor bulletin uptake and customer issues through PSS and Windows Update
       - Bulletin maintenance
  8. Releasing a Security Update (repeat of the overview slide 3)
  9. Initial Technical Investigation (stages: Triaging, Investigation)
     - Reproduce the issue internally
     - Determine root cause
     - Gather network captures, crash dumps, etc.
     - See if it is a valid security issue. If so:
       - Determine exploitability and severity
  10. Hacking for Variations (stage: Investigation)
     - Update threat model (if needed)
     - Review code for variants of the reported issue
     - Review code for other issues in the same module/area
     - Check for similar defects in other products
     - See if related bugs were found by internal testers
     - Fuzzing:
       - Develop custom tools / improve existing fuzzing tools as needed
       - Run fuzzing tools and investigate any issues found
     - Static analysis:
       - Sometimes the issue could be flagged by static analysis of source or binaries
       - If so, update tools as needed and run analysis
  11. Validation & Sign-off (stages: Fix Validation, Update Dev Tools and Practices, Technical guidance)
     - Fix validation:
       - Review the proposed fix, review the fixed code, test the fixed binary
     - Bulletin review:
       - Review the technical content of the Security Bulletin and provide feedback
     - Communication strategy:
       - Additional information provided to customers via our SRD blog http://blogs.technet.com/srd/
     - Improvements rolled into the standard fuzzing and static analysis tools prescribed by the SDL
  12. Mitigations & Workarounds (stages: Technical guidance, Content Creation)
     - Opportunities to disrupt the vulnerable code path
     - Methods:
       - Analyze call stack and process flow looking for an ACL opportunity
       - Inspect source code
       - Ask product team for ideas
       - Knowledge about protocol or product
       - Process Monitor / dynamic analysis
       - Brainstorm with teams
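The "ACL opportunity" on this slide is the kind of workaround the deck later shows for MS08-078 (restricting access to OLEDB32.dll): deny read/execute on the component's file so the vulnerable code path cannot be loaded until the update ships. The script below is an added example, not code from the deck or from Microsoft, showing how such a workaround is applied, verified and reverted with Get-Acl/Set-Acl. The target path is a placeholder assumption; substitute the component named in the advisory you are acting on.

```powershell
# Added example (not from the deck): apply, verify and revert a "deny Everyone
# read/execute" ACE on a component DLL, the ACL-style workaround the slide calls
# an "ACL opportunity". The default path is an assumption, not from any advisory.
param(
    [string]$Target = 'C:\Placeholder\vulnerable-component.dll',
    [ValidateSet('Apply', 'Verify', 'Revert')]
    [string]$Action = 'Verify'
)

# Well-known SID S-1-1-0 ("Everyone"); matching on the SID keeps checks locale-independent.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
# Deny ACEs are evaluated before allow ACEs, so this also blocks administrators
# (members of Everyone) until the ACE is removed again.
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, $rights, 'Deny')

function Test-DenyAce {
    # Structural check: is our explicit deny ACE present on the file?
    param([string]$Path)
    $acl   = Get-Acl -Path $Path
    $match = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $everyone.Value -and
            $_.AccessControlType -eq 'Deny' -and
            (($_.FileSystemRights -band $rights) -eq $rights)
        }
    return [bool]$match
}

function Test-ReadBlocked {
    # Behavioural check: the workaround only helps if the file really cannot be opened.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        $fs.Dispose()
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

function Set-DenyAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($denyRule)
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-DenyAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    [void]$acl.RemoveAccessRule($denyRule)
    Set-Acl -Path $Path -AclObject $acl
}

if (-not (Test-Path -LiteralPath $Target)) {
    throw "Target '$Target' not found; set -Target to the component named in the advisory."
}

switch ($Action) {
    'Apply'  { Set-DenyAce -Path $Target }
    'Revert' { Remove-DenyAce -Path $Target }
}

# Always report both checks so the operator sees the actual state after the action.
[pscustomobject]@{
    Target      = $Target
    DenyAce     = Test-DenyAce -Path $Target
    ReadBlocked = Test-ReadBlocked -Path $Target
}
```

Run it from an elevated prompt; Set-Acl needs WRITE_DAC on the file, so on a Windows-protected binary owned by TrustedInstaller you must take ownership first and restore it afterwards. Keep the Revert step in the same change record as Apply: a deny ACE that outlives the security update leaves the patched component unusable.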
  13. Detection Guidance (stages: Technical guidance, Content Creation)
     - Opportunities for partners to detect the vulnerability
     - We share:
       - Internally generated safe-to-investigate repro
       - Explicit detection guidance (boundary conditions, etc.)
       - Problem description / technical notes
       - Exploit indicators (event log entries, for example)
       - Stack trace with public symbols
       - Disassembly with public symbols
       - Affected module version
  14. Case Studies
     - MS08-025
       - Cumulative update
       - Variant investigation
       - Understanding new attack vectors and research techniques
       - Testing cycles
     - MS08-078
       - Quick response time (8 days)
       - Timelines
       - Advisory + communications
  15. Internal Process for MS08-025 (timeline diagram)
     - Milestones, in slide order: MSRC Case Opened; Internal Repro; Root Cause; Severity and Attack Vectors; Hacking for Variations; Mitigations and Workarounds; Agree on Fix; Review Source Code; Functional Tests on Binaries; Bulletin Review; Bulletin Ships
     - Parallel phases: Fuzz Testing / Developing Fixes; Broad Test Pass; Depth Test Pass
     - Day markers on the timeline (not attributable to individual milestones in this transcript): 31st, 31st, 11th, 26th, 8th, 4th, 28th, 15th, 25th, 31st, 24th, 3rd, 26th, 26th
  16. Internal Process for MS08-078 (timeline diagram)
     - Milestones, in slide order: Bulletin Ships; Vuln posted to Chinese message board; Root Cause; Begin M&W Investigation; Advisory published; Out-of-Band Planning Begins; Agree on Fix; Advisory rev’d (OLEDB32.dll workaround); Advisory rev’d (Disable Row Position workaround); Advisory rev’d (Disable XML Island workaround); CN-MSRC discovers public posting; MSRC Engineering initial repro; SRD blog posted
     - Parallel phases: Hacking for Variations; Focused Package testing
     - Day markers on the timeline (not attributable to individual milestones in this transcript): 10th, 8th, 10th, 13th, 10th, 12th, 7th, 8th, 16th, 12th, 11th, 9th, 9th
  17. Blogs and resources
     - MSRC Operations: http://blogs.technet.com/msrc/
     - MSRC Engineering: http://blogs.technet.com/srd/
     - Microsoft Security web sites: www.microsoft.com/security and www.microsoft.com/technet/security
     - Sign up to receive notifications on security updates: www.microsoft.com/security/bulletins/alerts.mspx
     - Sign up for the Security Bulletin webcast: www.microsoft.com/technet/security/bulletin/summary.mspx
     - RSS feeds for Security Bulletins: www.microsoft.com/technet/security/bulletin/secrssinfo.mspx
     - Security Advisories: www.microsoft.com/technet/security/advisory
     - Security Guidance Center for Enterprises: www.microsoft.com/security/guidance
     - Protect Your PC: www.microsoft.com/protect
     - MAPP: http://www.microsoft.com/security/msrc/mapp/overview.mspx
  18. © 2003 Microsoft Corporation. All rights reserved.
     - This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
  19. Microsoft Active Protections Program (MAPP)
     - New program for security software providers
     - Members of MAPP receive security vulnerability information from MSRC in advance of the monthly security update
     - Members can provide updated protections to customers via their security software or devices:
       - Antivirus
       - Network-based intrusion detection systems
       - Host-based intrusion prevention systems
