Despite the changing threat landscape and all the security challenges we face today, there are many reasons for the security industry to be optimistic, a Microsoft executive said at the RSA Conference.
Yes, major organizations are being breached, cyber-criminals are becoming much more organized, and attackers are crafting more elaborate and sophisticated attacks. None of these challenges change the fact that there have been big successes in the security industry in recent years, Scott Charney, corporate vice-president of Trustworthy Computing at Microsoft, said during his keynote speech on Tuesday. Improvements in identity systems, new delivery models, and operational security, are signs that innovation is alive and well, Charney said.
Being optimistic about the state of security may be a sign of delusion, but Charney was adamant that recent industry and government advances have improved security and also created “the foundation for a more secure tomorrow.”
Building security protection right into hardware is something the industry has been discussing for a while, and thanks to some great strides in hardware, it is now reality, Charney said. Advancements such as Trusted Boot, UEFI, and early load anti-malware features help protect systems against rootkits and other malware. All these are elements in Windows 8.The industry has worked to “fundamentally reshape” security so that organizations can see things before they happen and solve them in advance, Charney said.
The Secure Software Development Lifecycle has helped bake security into all levels of Microsoft, and many other companies have also made investments in software security. There have been other secure coding programs, but Microsoft successfully scaled SDL across 36,000 engineers. And vendors and other types of organizations are beginning to demand in contracts that companies adopt secure development practices.
“When you see markets starting to demand secure development, you’ve reached an inflection point, and the future will look different,” he said.
The fact that the industry is looking at whitelisting, addressing ways to improve update rates, and moving towards “least privilege” are more examples of successes, Adrienne Hall, General Manager, Trustworthy Computing Group at Microsoft told SecurityWeek. Updating was a basic problem—not enough people were doing it. It was still a hard problem, though, and the company tried several methods and worked hard to refine the process, to the point where a significant majority of users are now updating their software regularly, Hall said.
On the social and political level, security now has a more prominent space than in previous years. The president recently signed a cyber-security executive order that addresses information sharing and how to protect critical infrastructure. There are voluntary code of conduct and national identity projects. There is interest in privacy issues on the government level. The move towards public-private partnership is critical, because security is a problem that requires input from all sides. If the industry is not part of the conversation, there can’t be progress, Hall said.
The industry has also matured in how they share information, Hall said, adding there is a “pull in the common direction.”
Governments are increasingly collaborating on security issues and defining strategies to tackle security challenges. While some countries may disagree about the definition of cybercrime and cyberwarfare, at least the discussion is happening, Charney said.
There is still a lot to do. Microsoft is not suggesting there are no challenges left in security, Hall said. Some of the issues we are looking at are “conundrums” but that just means it’s time to break them down to smaller pieces, look at what needs to be done, and tackle them one at a time, Hall said. If the industry has successfully met, to some degree, the previous challenges, then the prospects are bright that the current problems can be fixed, Hall said. That’s where the case of optimism comes in.
There is crime in the physical world, but “we aren’t going around being terrified,” Hall said. The cyber-realm isn’t that different. Or shouldn’t be
“There’s a lot of serious stuff happening on the Internet. I’m not delusional,” but the industry and governments have made it possible to “fundamentally move into a more secure world,” Charney said.