We all know that there have been a number of issues with Microsoft’s security. We have all been bothered by the daily ‘Windows Update Available’ alert. Steve Ballmer has stated that making their products more secure is their highest priority. In fact, MSFT’s CFO mentioned that security-related issues had a negative impact on its most recent quarter delaying some very large licensing deals. So what is Microsoft doing to fix this? In MSFT’s recently announced ‘Securing the Perimeter’ initiative, the company will place greater emphasis on firewalls and other network security technologies to prevent hackers from reaching vulnerable PCs. What does this mean? Well, first of all MSFT is emphasizing the importance of Defense in Depth. Defense in depth implies that enterprises must have security in every layer of a company’s infrastructure from the edge to the center where all of the data resides. MSFT is also acknowledging that patching systems and installing windows updates as a sole method of security does not work because these methods are all reactive. In fact, most people do not even install updates and patches right away still leaving many computers and servers highly vulnerable. Selling antivirus technology (via their acquisition of Romania’s GeCAD Software) will not make their OS less vulnerable. All of these technologies are all getting better but for the most part will still not catch the newest blended threat, worm, or virus. Antivirus software relies on signature updates of attacks that have already happened and with patch management most of the patches are never installed. So Microsoft is telling us that they need an early warning signal technology to allow its customers to stop an attack at the edge before it hits vulnerable PCs and Servers.
I applaud Microsoft for getting it. Windows is an old, bulky piece of software rife with holes. While security on Windows is a high priority, MSFT has finally acknowledged that a customer needs a defense in depth strategy to enhance security and that they need to push this into enterprises. By the time a worm, virus, DOS attack, etc. reaches the desktop it is too late. If we want real security we have to put proactive defense on the edge and not just in the center. The edge means that MSFT needs to take security out to the network and yes, this is where companies like Cisco dominate. We all know that routers are dumb, and that it is time to put more intelligence in them. Yes, this has not happened yet. Right now, MSFT seems to be looking at firewalls as their perimeter defense. Even if they add Intrusion Detection (lots of false positives, data overload, most technology relies on signatures) via partnership or acquisition, it will still not be enough. In order to fully round out their strategy, MSFT should look at security management software companies like netForensics (full disclosure-i am on currently on the Board of Directors) to provide real time analysis of a company’s total infrastructure from the routers and edge firewalls to the NT and IIS servers residing in the internal data center.
How does security management software help? Most corporations spend millions of dollars buying security products yet they still do not feel secure. It is the equivalent of having a building equipped with numerous cameras (security hardware) without anyone monitoring (security management software) the activity in real time. Therefore, how will anyone really know if they were attacked, by whom, when, and where? Take this concept to an enterprise and you get the same picture-lots, and I mean lots of dollars spent on security (firewalls, intrusion detection systems, antivirus, etc.) to protect a company, but if there is no software to proactively filter all of the reams of data (gigabits upon gigabits of it) from a myriad of heterogenous devices to correlate what happened and when in real time, then a company will never really know it was under attack. Well done security management software does not rely on past events to issue warnings. For example, netForensics was able to catch SQL Slammer while it was happening. It was able to view anomalous network activity gathered from various devices like firewalls and intrusion detection systems and in real time correlate and send an alert to the user who could then shut off the port for Slammer. Of course, if one could shut that data stream off automatically as soon as it detected an issue (prevention), that would be even better. While netForensics can do this to a certain extent, many customers are afraid of having machines completely take over security control without a human filter. There is lots of buzz around prevention these days but most Chief Security Officers I speak with are not yet ready to let machines do all of the work. What happens if an automated security system causes a trader to miss a $100 million trade?
My recommendation is that MSFT should look at partnering with security management software companies so its customers can take control of their security. Adding more firewalls, intrusion detection systems, and antivirus technology alone does not make an enterprise more secure. Without a highly intelligent software layer sitting on top of and providing real-time monitoring of all of these devices and the systems and servers in an infrastructure, a company will be as secure as a building with lots of cameras and no one there to monitor it. One other reason for partnering with companies like netForensics is that MSFT has already taken a step into the management software arena with the Microsoft Operations Manager (MOM), an area they were traditionally happy to let vendors like NetIQ handle on its own.