Microsoft shifts security strategy
Published: 02 Oct 2003 09:00 BST
Conceding that its strategy of patching Windows holes as they emerge has not worked, Microsoft plans next week to outline a new security effort focused on what the company calls "securing the perimeter," a company executive told CNET News.com.
Although Microsoft will continue to devise ways to improve the means by which Windows users apply upgrades, or patches, to their software, the company had realised that too many customers don't upgrade quickly enough to thwart hackers.
"From our side, (it) has been a little naive to think that all of those customers are going to do patches," said Orlando Ayala, Microsoft's former sales chief, who now heads its sales push to small and mid-sized businesses. "It's just hard."
However, recent worm and virus attacks have repeatedly shown that many customers remain vulnerable long after patches have been released, he said.
Ayala declined to detail Microsoft's new approach, or say whether the plans include getting further into the market of providing antivirus software. He did say that part of the effort will be a deeper relationship with firewall providers.
"We are going to start putting more emphasis on what we call securing the perimeter," he said. "That speaks of a deep partnership with the firewall world."
Ayala said that although the company has made some gains with its Trustworthy Computing effort, it is now trying to take a new approach.
"The first question is how can you secure stuff so you don't (let attacks) get in," he said. "It's kind of a shift in the strategy. It's very important; that's all I can say."
The patch treadmill
The Slammer worm that hit companies in January and the recent MSBlast worm highlighted the failure of companies to patch their systems quickly. It's extremely hard for any company to keep up, said Bruce Schneier, chief technology officer for network monitoring service Counterpane Internet Security.
"The patch treadmill is endless -- you have to keep going faster and faster to keep up," he said.
Microsoft executives have recently hinted that a change of course might be needed.
Speaking to a crowd of Silicon Valley executives last month, Microsoft chief executive Steve Ballmer said that the recent security issues represented a threat to innovation. At the time, he said that Microsoft was developing what he called "shield technology."
"The most important technology area we are focused on is shield technology," Ballmer said in the 15 September speech. "We know bad guys keep writing viruses. The goal is to block them before they get on PCs."
At that time, Microsoft declined to comment further on what Ballmer meant.
Finding a way to deal with the avalanche of patches that come in, not just from Microsoft but from other software makers, has become a key focus of information-technology managers, said Ryan McGee, director of product marketing for McAfee System Protection Solutions at security and antivirus company Network Associates.
"This is a topic of conversation in every customer conversation that we have," he said. "We talk about how to mitigate the vulnerabilities that are in the environments because they haven't been able to patch."
The recent MSBlast worm that hit companies in August and September probably infected more than a million computers. From the time information about the vulnerability was released to the start of the attack, companies had 26 days to patch their systems. And the times are decreasing, according to a recent study. For companies with tens of thousands of systems, keeping up with the race is hard, McGee said.
"We hear customers telling us there is a problem," he said, adding that several companies offer patch management automation as a solution. "I wish I were announcing a (patch management) product or acquisition because it's a market where we could make money."
Many companies are already in the market of detecting and cataloging vulnerable computer and network devices and then automating patching. A recent study by one such company, Qualys, found that a significant portion of security vulnerabilities remain on computers connected to the Internet.
Those vulnerabilities are making selling patch management systems to large companies an easy prospect, said Mark Shavlik, chief executive of patch automation firm Shavlik Technologies, especially when the companies are faced with a serious widespread flaw such as the vulnerability that allowed MSBlast to spread.
"Our sales went up eight times between July and September -- that's a pretty big spike," he said. "None of those people were doing patch management before. MS03-026 (the advisory highlighting the MSBlast flaw) comes out; that changed the market for us."
Shavlik wasn't sure that Microsoft is headed in the right direction, especially if the focus is too heavily on the intersection of a company's network and the Internet. "If you go to a perimeter defence, and a worm slips by your perimeter, it will compromise your entire network," he said.
Coming in the middle of the second year of Microsoft's Trustworthy Computing Initiative, the move may indicate that more shifts are ahead for the software giant. Ayala did acknowledge that Microsoft needs to do better than it has done with its Trustworthy Computing effort.
Perhaps the biggest incentive, said Counterpane's Schneier, is diverting the bad publicity that major attacks heap on Microsoft. As long as the company continues to be attacked by online vandals and scofflaws, Microsoft will have to continue pushing security, he said.
"To Microsoft, the threat is bad publicity, and they are going to produce a security system that deals with the threat," he said.
Did you find this article useful?
68 out of 153 people found this useful
- Share this article:
Full Talkback thread
1 comment
