Microsoft Invests $1 Billion In 'Holistic' Security Strategy (darkreading.com) 80
ancientribe writes: Microsoft has invested $1 billion over the past year in security and doubled its number of security executives, according to the company's CISO Bret Arsenault. In an address today (webcast), CEO Satya Nadella officially announced the launch of a new managed security services group and a new cyber defense operations center — all part of its new strategy of holistic and integrated security across its products and services. Microsoft execs rarely detail the company's strategy so publicly, so that in itself underlines how security is a major element in its strategy.
One set to create the problem, one set to solve it (Score:1)
>> doubled its number of security executives
This makes perfect sense: the original Microsoft group will write vulnerable applications while the new services group chases the problem around. Brilliant!
Re:One set to create the problem, one set to solve (Score:4, Interesting)
Hmm... I thought "executives" means more people pointing fingers at others instead of doing the coding???
Re: (Score:2)
Didn't they do this dance 10-15 years ago? Bill put a big stop to everything and for 6-12 months MS was just focused on "security".
Someone should tell them it's not an 'every once in a while' thing.
Re: (Score:3)
Isn't that precisely what companies are doing with security bug bounty programs?
Re:One set to create the problem, one set to solve (Score:5, Interesting)
>> Isn't that precisely what companies are doing with security bug bounty programs?
No, that's called "outsourcing QA"
Re: One set to create the problem, one set to so (Score:2)
Well, they DO secure it. They made many tough decisions like including a breaking driver security model and UAC in Vista that ultimately gave them a very bad rap from users, but that be damned, it was much more secure. They have recently included (or will soon) a new kernel virtualization mode that makes it nearly impossible for even kernel-mode exploits and driver malware to cause damage to user-mode applications and data... because even the kernel doesn't have direct access to user mode processes.
You ha
Re: (Score:2)
>> Isn't that precisely what companies are doing with security bug bounty programs?
No, that's called "outsourcing QA"
I think we can also thank Snowden and many others that have noted how
common it is that a Microsoft machine gets used in a farm of attack
bots....
I know that I have written before that known flaws and exploits
are a risk to national security. Some falsely believe knowing how
to exploit systems is power but as script kiddies demonstrate these flaws
are not only known by honest law enforcement.
The problem is finding a global definition of honest law enforcement
for global companies to interact with.
Re: (Score:3)
"This makes perfect sense"
This makes perfect sense... TWICE!
"CEO Satya Nadella officially announced the launch of a new managed security services group and a new cyber defense operations center — all part of its new strategy of holistic and integrated security"
In order to attain a holistic approach, Microsoft's CEO creates new separated groups and facilities. Brilliant!
Re: (Score:2)
To play devil's advocate here: suppose you have a new incentive to grow a new group in your company. Would you want dedicated employees to help it grow, or would you prefer people working on established projects maybe, possibly working on your pet project when they have a few minutes when they're not distracted with something they know has traction?
Re: (Score:2)
"To play devil's advocate here"
Play devil's advocate all you want: if you look for a holistic approach, the last thing you want is a new, different silo.
"Would you want dedicated employees to help it grow"
Maybe yes. Maybe I understand that in order for change to come I need people above and beyond the current "business as usual" level. But if I look for a "holistic approach" I'll integrate them into the structures already in place; that's what "holistic" means to start with.
It's not me but Satya the one tha
Conflict of Interest? (Score:2, Informative)
Paying MS to fix security problems is like paying chemical companies to clean up their own pollution.
Re: (Score:1)
Microsoft just helps the economy. There is a whole industry selling anti-virus software for Windows' shitty security. Linux doesn't have anti-malware products, and if it does, they're scanners for servers to check relayed mail for Windows viruses. Linux destroys the economy. Microsoft will help make AMERICA GREAT AGAIN. Linux is the OS of the Islamic State. Obama and the Democrats install it in the US ARMY so that it BECOMES WEAK. TRUMP will make AMERICA'S ARMY GREAT AGAIN. Trump 2016.
Re: (Score:2)
Such is called the "broken window" economic theory. It may generate employment, but not necessarily better living.
Re: (Score:1)
The first job of the "managed security services group" at MS needs to be Windows. Once they get that figured out, they can then offer their services to others. But they seem to be more interested in turning Windows into a targeted advertising platform, so I am not sure that their own product is even on their managed security services group's radar.
Re: (Score:2)
Yeah, I was going to make a similar comment. Microsoft seems to have really improved on the security front... too bad no one wants to use their software any more. Usability seems to have gone by the wayside, along with any aesthetic sense. Windows is now uglier than it's been since Windows 2.
Re: (Score:2)
I would love to know what made them go for the flat monochrome look. It is hideous. What I was hoping they would do is make themes much more robust (rather than eliminating them). I would love it if they had standard themes for XP, W7 and W8/8.1, all of which could be infinitely customized further. It would be fun to be able to switch to Windows XP theme, and then click on the Windows 7 theme, and have everything just the way it was. Or you could choose the standard W10 theme. So themes would be more than a
Re: (Score:2)
I hear you. Up until Windows 7, I enjoyed the "Windows Classic" theme, because I think the Windows 2000, while dated-looking, was also the cleanest and most functional UI skin Microsoft ever made. Everything since then has been some degree or other of ugly, with Windows 8 and 10 being the worst-looking versions of Windows since Windows 2, which mostly suffered from the lack of hardware capabilities (low resolution, low color depth).
It seems that everything that was meticulously studied and developed back in
Re: (Score:2)
Agree completely. I have been over at the MS Windows 10 forums where lots of the "Insiders" debate Windows issues. The attitude from many of the Insiders is incomprehensible. It seems to be that they know best, and they have to repeatedly remind everyone that they "are not stupid" and MS is not stupid, so they obviously have gotten lots of negative feedback to be that defensive.
So MS is going for a free OS, app-store-on-the-start-menu revenue stream, and I just don't think that is going to pull in the kind
Re: (Score:2)
Linux doesn't have anti-malware products
I had to laugh at this. I have to say that almost all of the automated attacks I ever see hitting my firewall are Linux server exploits.
I have managed many servers over the years, almost all of them Windows. I have had maybe 4 separate instances of one of my servers getting owned and they were all Linux servers.
Re: (Score:2)
ok, yeah, I read your post all wrong.
This was me being distracted while posting....
is my face red?
Re: (Score:2)
Linux doesn't have anti-malware products
I had to laugh at this. I have to say that almost all of the automated attacks I ever see hitting my firewall are Linux server exploits.
I have managed many servers over the years, almost all of them Windows. I have had maybe 4 separate instances of one of my servers getting owned and they were all Linux servers.
Your view is illuminating yet the millions of laptops and home computers
are not behind a well managed firewall.
This lack of quality firewalls in ISP provided hardware is a real problem.
+1 for OpenWrt and friends.
Conflating security with marketing (Score:1)
It seems like this is mostly a marketing effort to sell others on their "security" managed services...
Phone calls from MS (Score:5, Funny)
Re: (Score:2)
We can fix this for you remotely, we just need you to give us the Administrator passwords to your Windows hosts and your social security number so we can verify your identity. Don't worry, I'll hold the line while you get this information.
Re: (Score:2)
I got two of these this week. First I just hung up, second I cursed the person on the other side. Seems to have worked as a security measure.
Holy Security, Batman! (Score:2)
what's with the BF quote (Score:2)
I feel old (because I am - sigh) (Score:5, Interesting)
But, I find it hard to imagine the amount of polished code that could be created for $1,000,000,000.
I guess because the code executes so much faster today, it costs more to create and debug it?
Re: (Score:2)
yeah, OLD cliches are often true, since the reason they are cliches is they work...
"If you don't have time to do it right the first time, will you have time to fix it or do it again?"
Re:I feel old (because I am - sigh) (Score:4, Insightful)
No, no, they have not spent that money on _code_. They have spent it on _executives_! You know, clueless people with big egos that earn a lot of money and prevent engineers from doing a good job.
Doubling the number of executives 1/x^2 (Score:5, Funny)
We're at "holistic" (Score:4, Funny)
Wake me when we get to crystal healing.
Re: (Score:2)
http://tvtropes.org/pmwiki/pmw... [tvtropes.org]
Re: (Score:2)
Security through Stupidity (Score:2)
Re: (Score:2)
So far it has worked splendidly. Just look at all the stupid people still flocking to them and defending their decades out-of-date crap like it was the second coming.
Dear Microsoft (Score:2)
A 'holistic' security strategy does not mean an operating system that's full of holes.
Holistic terminology (Score:2)
Might I add that most "holistic" medicine is grade A horseshit.
Re: (Score:2)
Yeah maybe the extra security are detectives.
Anything's better than the prior approach ... (Score:4, Funny)
Anything's better than the prior approach, which was homeopathic.
big company fiddle-faddle (Score:1)
Before most of you were born, IBM attempted to solve all the world's communications problems with a product called SNA (Systems Network Architecture). Basically SNA was an enormous protocol stack roughly equivalent to many modern-day RFC standards. Now the best way to solve a big problem is to divide it up, like eating an elephant, something big companies are organizationally incapable of doing - too many meetings, reviews and inconsistent requirements, not to mention political career conflicts. I'm not optimis
It's Microsoft. That's all you need to know (Score:1)
IOW, it will be a "Big Thing" for about 3 years, and then be replaced with the next Big Thing.
Tax paying for more PRI$M (Score:2)
So 'intelligence, platform and partnering broadly' is the monetized trap door and back doors sold on "other vendors'" systems too?
Only then can govs get the keys for "personal devices"?
How about just encryption for gov data so when all the fancy world facing networking and clouds fail the data copied out is a worthless honeypot. No more
And "Security Executives" help how? (Score:3)
Most of them will be incompetent (as most executives are) with regards to security anyways. What about hiring some actual experts (i.e. engineers) and giving them the power they need to change things?
Of course, that would result in these experts telling MS to scrap everything and start over (based on xBSD or Linux) because Security is not something you can successfully bolt-on after the fact. And that is the reason why this is pure show. MS has never cared about their customers or about having a good product. They have always ignored other things that work whenever they could and made their own thing instead, badly. As long as their bottom-line is unaffected, that will never change. Of course, with all the mobile devices these days, a "pure MS" ecosystem does not exist and the average person has found out that you can do cool things with non-MS systems too.
Actual security content - 0% (Score:2)
So...nothing about a version of windows that doesn't give ambient authority to every line of code that runs... this has a zero percent chance of success.
Dirk Gently?? (Score:2)
Surely This is a Spoof? (Score:3)
Bret Arsenault, CISO, Microsoft
"My internal operations team can swivel with the DCU [Digital Crimes Unit]" there, for example, Arsenault says.
WTF is this?
In Microsoft's defense.... (Score:2)
and I'm not their biggest fan, but I would submit that most of the modern exploits are due to vulnerabilities in browsers and the internet itself. In the past MS has done a piss poor job of security but it's much better now.
OSX, Linux, UNIX, Android, iOS - they all have vulnerabilities. It's just that Windows has a much bigger install base than the others and that makes it a logical target. If you want a 100% secure system then don't connect it to the internet and don't let anyone have physical access to th
Holistic? (Score:1)
I've found that means they have absolutely no clue what they're doing. They'll spend a bunch of money, nothing will get done and somehow it'll be a success.
Oxymoron (Score:1)
Holistic security and closed source is an oxymoron.