MSRC - Funcionamiento (MSRC: how it works)
Talk given by Fermín J. Serna, of Microsoft's MSRC, at the Asegúr@IT 6 event, held on 18 June 2009 in Getafe, Madrid.

Presentation Transcript

    • Inside the Microsoft Security Response Process
      Fermín J. Serna
      MSRC Engineering
    • We’re Microsoft and we’re here to help!
      MSRC teams responsible for security updates:
      - MSRC Operations PM
      - MSRC Engineering
      Why we are here:
      - Expose the internal MSRC process for security updates
      - Two case studies: an in-band comprehensive fix and an out-of-band fix
    • Releasing a Security Update
      Vulnerability Reporting:
      - MSRC receives incoming vulnerability reports through Secure@Microsoft.com (direct contact with MSRC) and the Microsoft TechNet Security Site (anonymous reporting)
      - MSRC responds to all reports: 24-hour response Service Level Agreement to the finder; internal response can be immediate when required
      Triaging:
      - Assess the report and the possible impact on customers
      - Understand the severity of the vulnerability
      - Rate the vulnerability according to severity and likelihood of exploit, and assign it a priority
      Managing Finder Relationship:
      - Establish a communications channel
      - Quick response and regular updates
      - Build the community; encourage responsible reporting
      Investigation (MSRC Engineering):
      - Reproduce the vulnerability
      - Locate variants
      - Investigate surrounding code and design
      Fix Validation (MSRC Engineering and product team):
      - Test against the reported issue
      - Test against variants
      Technical guidance (MSRC Engineering):
      - Workarounds and mitigations
      - SVRD blog
      - MAPP detection guidance
      Content Creation:
      - Security bulletin: affected software/components, technical description, FAQs, acknowledgments
      Release:
      - Security bulletins on the second Tuesday of every month
      - Coordinate all content and resources
      - Information and guidance to customers
      - Monitor customer issues and press
      Update Dev Tools and Practices:
      - Update best practices
      - Update testing tools
      - Update development and design process
    • MSRC Operations
      Stages: Vulnerability Reporting, Managing Finder Relationship, Content Creation, Release
      - Work with finders and security researchers who report vulnerabilities
      - Coordinate internal product teams to work towards an update
      - Develop and release messaging around vulnerabilities: advisories, bulletins, KB articles, blogs
      - Coordinate severity ratings with MSRC Engineering and product teams
    • Vulnerability Reporting
      MSRC receives incoming vulnerability reports through:
      - Secure@Microsoft.com – direct contact with MSRC
      - Microsoft TechNet Security Site – anonymous reporting
      - Industry security events
      - Honey-pots
      - Security community partners
      MSRC responds to all reports:
      - 24-hour response Service Level Agreement to the finder
      - 7-day support
      - Every report is triaged by a security specialist
    • Exploitability Index and Bulletin Severity Ratings
      - Provide customers with guidance on the likelihood of functional exploit code being developed
      - Developed in response to customer requests for additional information to further evaluate risk
      - Published as part of the monthly Microsoft security bulletin summary
    • Second Tuesday
      Outreach and communications around release day:
      Pre-release:
      - Security Bulletin Advance Notification three business days prior to release
      - MAPP notifications prior to release
      Release day:
      - Updates posted on Download Center, Windows Update and/or Office Update
      - Bulletins posted
      - RSS feeds
      - Customer email and instant message notifications
      - Community outreach
      - MS field alerts and call-downs
      - SVRD blog
      Post-release:
      - Security Bulletins webcast (Wednesday following release, 11 AM PT)
      - Supplementary webcasts if needed
      - Monitor bulletin uptake and customer issues through PSS and Windows Update
      - Bulletin maintenance
    • Initial Technical Investigation
      Stages: Triaging, Investigation
      - Reproduce the issue internally
      - Determine root cause
      - Gather network captures, crash dumps, etc.
      - See if it is a valid security issue; if so, determine exploitability and severity
    • Hacking for Variations
      Stage: Investigation
      - Update the threat model (if needed)
      - Review code for variants of the reported issue
      - Review code for other issues in the same module/area
      - Check for similar defects in other products
      - See if related bugs were found by internal testers
      - Fuzzing: develop custom tools or improve existing fuzzing tools as needed; run them and investigate any issues found
      - Static analysis: sometimes the issue could be flagged by static analysis of source or binaries; if so, update the tools as needed and run the analysis
    • Validation & Sign-off
      Stages: Fix Validation, Update Dev Tools and Practices, Technical guidance
      Fix validation:
      - Review the proposed fix, review the fixed code, test the fixed binary
      Bulletin review:
      - Review the technical content of the security bulletin and provide feedback
      Communication strategy:
      - Additional information provided to customers via the SRD blog: http://blogs.technet.com/srd/
      Dev tools and practices:
      - Improvements rolled into the standard fuzzing and static analysis tools prescribed by the SDL
    • Mitigations & Workarounds
      Stages: Technical guidance, Content Creation
      Goal: find opportunities to disrupt the vulnerable code path while the update is still being built
      Methods:
      - Analyze the call stack and process flow looking for an ACL opportunity: a file, registry key or other securable object on the path whose access can be denied so the vulnerable code is never reached
      - Inspect source code
      - Ask the product team for ideas
      - Use knowledge of the protocol or product
      - Process Monitor / dynamic analysis
      - Brainstorm with teams
    • Detection Guidance
      Stages: Technical guidance, Content Creation
      Opportunities for partners to detect the vulnerability. We share:
      - An internally generated safe-to-investigate repro
      - Explicit detection guidance (boundary conditions, etc.)
      - Problem description / technical notes
      - Exploit indicators (event log entries, for example)
      - Stack trace with public symbols
      - Disassembly with public symbols
      - Affected module version
    • Case Studies
      MS08-025 (in-band comprehensive fix):
      - Cumulative update
      - Variant investigation
      - Understanding new attack vectors and research techniques
      - Testing cycles
      MS08-078 (out-of-band fix):
      - Quick response time (8 days)
      - Timelines
      - Advisory + communications
    • Internal Process for MS08-025
      [Timeline figure: each milestone carried a day-of-month marker on the slide; the markers cannot be matched to milestones in the transcript and are omitted.]
      - MSRC case opened
      - Internal repro
      - Root cause
      - Severity and attack vectors
      - Hacking for variations
      - Mitigations and workarounds
      - Agree on fix
      - Review source code
      - Functional tests on binaries
      - Bulletin review
      - Bulletin ships
      Parallel tracks shown on the timeline:
      - Fuzz testing / developing fixes
      - Broad test pass
      - Depth test pass
    • Internal Process for MS08-078
      [Timeline figure: the day-of-month markers attached to each milestone cannot be matched to milestones in the transcript and are omitted.]
      - Vuln posted to Chinese message board
      - CN-MSRC discovers public posting
      - MSRC Engineering initial repro
      - Root cause
      - Advisory published
      - Begin M&W investigation
      - SRD blog posted
      - Advisory rev’d (OLEDB32.dll workaround)
      - Advisory rev’d (Disable Row Position workaround)
      - Advisory rev’d (Disable XML Island workaround)
      - Out-of-band planning begins
      - Agree on fix
      - Hacking for variations
      - Focused package testing
      - Bulletin ships
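What an "OLEDB32.dll workaround" of the kind named in this case study amounts to in practice, as an added example that is neither the talk's nor Microsoft's code: a script that applies, verifies and later reverts a deny ACL on a DLL, which is the "ACL opportunity" technique from the Mitigations & Workarounds slide. The DLL location under %CommonProgramFiles%, the state-file path and the function names are assumptions made for illustration; the script has to run from an elevated PowerShell session on the affected host.

```powershell
# Added example, not from the talk or from Microsoft: apply, verify and
# revert a deny-ACL workaround that takes a vulnerable DLL out of the code
# path, the "ACL opportunity" the Mitigations & Workarounds slide describes
# and the kind of step the MS08-078 case study lists as the OLEDB32.dll
# workaround.
# Assumptions: run from an elevated PowerShell session on the affected host;
# the DLL location and the state-file path below are illustrative choices.

$DllPath     = Join-Path $env:CommonProgramFiles 'System\Ole DB\oledb32.dll'
$StateFile   = Join-Path $env:ProgramData 'workaround-oledb32.sddl'
$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function Enable-DenyDllWorkaround {
    param([string]$Path, [string]$State)
    if (Test-Path $State) { throw "State file $State exists; workaround already applied?" }

    # Record the complete security descriptor (owner, group, DACL) as SDDL
    # before touching anything, so the revert is exact rather than a guess.
    (Get-Acl -Path $Path).Sddl | Set-Content -Path $State -Encoding ASCII

    # On Vista and later the file is owned by TrustedInstaller and Administrators
    # only hold read/execute, so take ownership before the DACL can be rewritten.
    & takeown.exe /f $Path | Out-Null

    # Deny Everyone all access. A process that cannot open the image cannot map
    # it, so the vulnerable code path is unreachable until the ACE is removed.
    # The well-known SID is used instead of the name so this works on localized systems.
    $acl  = Get-Acl -Path $Path
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($EveryoneSid, 'FullControl', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DenyDllWorkaround {
    param([string]$Path)
    # True when a full-control deny ACE for Everyone (S-1-1-0) is present on the DLL.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and
            $r.IdentityReference.Value -eq 'S-1-1-0' -and
            $r.FileSystemRights -eq 'FullControl') { return $true }
    }
    return $false
}

function Disable-DenyDllWorkaround {
    param([string]$Path, [string]$State)
    # Once the bulletin's update is installed, put the recorded descriptor back,
    # including the original TrustedInstaller owner (this needs SeRestorePrivilege,
    # which an elevated administrator holds), and discard the state file.
    $sddl = (Get-Content -Path $State -Raw).Trim()
    $acl  = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm($sddl)
    Set-Acl -Path $Path -AclObject $acl
    Remove-Item -Path $State
}

# Usage while the update is pending, then again after it has been installed:
#   Enable-DenyDllWorkaround -Path $DllPath -State $StateFile
#   if (-not (Test-DenyDllWorkaround -Path $DllPath)) { throw 'workaround not in effect' }
#   Disable-DenyDllWorkaround -Path $DllPath -State $StateFile
```

Denying Everyone on the image breaks every legitimate consumer of that DLL as well, which is why a blanket ACL is a stopgap and why the timeline shows the advisory being revised with the narrower Row Position and XML Island workarounds. Test the impact on a representative system first, and keep the recorded SDDL so the descriptor can be restored exactly once the bulletin's update is installed.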
    • Blogs and resources:
      - MSRC Operations: http://blogs.technet.com/msrc/
      - MSRC Engineering: http://blogs.technet.com/srd/
      - Microsoft Security web sites: www.microsoft.com/security and www.microsoft.com/technet/security
      - Sign up to receive notifications on security updates: www.microsoft.com/security/bulletins/alerts.mspx
      - Sign up for the Security Bulletin webcast: www.microsoft.com/technet/security/bulletin/summary.mspx
      - RSS feeds for security bulletins: www.microsoft.com/technet/security/bulletin/secrssinfo.mspx
      - Security Advisories: www.microsoft.com/technet/security/advisory
      - Security Guidance Center for Enterprises: www.microsoft.com/security/guidance
      - Protect Your PC: www.microsoft.com/protect
      - MAPP: http://www.microsoft.com/security/msrc/mapp/overview.mspx
    • © 2003 Microsoft Corporation. All rights reserved.
      This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
    • Microsoft Active Protections Program (MAPP)
      - New program for security software providers
      - Members of MAPP receive security vulnerability information from MSRC in advance of the monthly security update
      - Members can provide updated protections to customers via their security software or devices: antivirus, network-based intrusion detection systems, host-based intrusion prevention systems