
Microsoft Invests $1 Billion In 'Holistic' Security Strategy (darkreading.com)

ancientribe writes: Microsoft has invested $1 billion over the past year in security and doubled its number of security executives, according to the company's CISO Bret Arsenault. In an address today (webcast), CEO Satya Nadella officially announced the launch of a new managed security services group and a new cyber defense operations center — all part of its new strategy of holistic and integrated security across its products and services. Microsoft execs rarely detail the company's strategy so publicly, so that in itself underlines how security is a major element in its strategy.
  • >> doubled its number of security executives

    This makes perfect sense: the original Microsoft group will write vulnerable applications while the new services group chases the problem around. Brilliant!

    • by parkinglot777 ( 2563877 ) on Tuesday November 17, 2015 @05:36PM (#50951047)

      Hmm... I thought "executives" means more people pointing fingers at others instead of doing the coding???

      • Didn't they do this dance 10-15 years ago? Bill put a big stop to everything and for 6-12 months MS was just focused on "security".

        Someone should tell them it's not an 'every once in a while' thing.

    • by bondsbw ( 888959 )

      Isn't that precisely what companies are doing with security bug bounty programs?

      • by xxxJonBoyxxx ( 565205 ) on Tuesday November 17, 2015 @05:54PM (#50951185)

        >> Isn't that precisely what companies are doing with security bug bounty programs?

        No, that's called "outsourcing QA"

        • Who gives a shit how they do it as long as the end result is a more secure product? And FYI, in-house teams are not always capable of finding all the bugs no matter how much money and resources you throw at it; that's when bug bounty comes in, to get an outside perspective.
        • by DrXym ( 126579 )
          Not really. It's challenging people to find weaknesses in their products that they clearly haven't discovered themselves and be rewarded for doing so. It's not a new concept. Locksmiths have been challenging people to pick locks and open safes for centuries.
        • >> Isn't that precisely what companies are doing with security bug bounty programs?

          No, that's called "outsourcing QA"

          I think we can also thank Snowden and many others that have noted how
          common it is that a Microsoft machine gets used in a farm of attack
          bots....

          I know that I have written before that known flaws and exploits
          are a risk to national security. Some falsely believe knowing how
          to exploit systems is power but as script kiddies demonstrate these flaws
          are not only known by honest law enforcement.

          The problem is finding a global definition of honest law enforcement
          for global companies to interact with.

    • "This makes perfect sense"

      This makes perfect sense... TWICE!

      "CEO Satya Nadella officially announced the launch of a new managed security services group and a new cyber defense operations center — all part of its new strategy of holistic and integrated security"

      In order to attain a holistic approach, Microsoft's CEO creates new separated groups and facilities. Brilliant!

      • To play devil's advocate here: suppose you have a new incentive to grow a new group in your company. Would you want dedicated employees to help it grow, or would you prefer people working on established projects maybe, possibly working on your pet project when they have a few minutes when they're not distracted with something they know has traction?

        • "To play devil's advocate here"

          Play devil's advocate all you want: if you look for a holistic approach, the last thing you want is a new, different silo.

          "Would you want dedicated employees to help it grow"

          Maybe yes. Maybe I understand that in order for change to come I need people above and beyond the current "business as usual" level. But if I look for a "holistic approach" I'll integrate them into the structures already in place; that's what "holistic" means to start with.

          It's not me but Satya the one tha

  • by Tablizer ( 95088 )

    Paying MS to fix security problems is like paying chemical companies to clean up their own pollution.

    • by Anonymous Coward

      Microsoft just helps the economy. There is a whole industry selling anti-virus software for Windows' shitty security. Linux doesn't have anti-malware products, and if it does, they're scanners for servers to check relayed mails for Windows viruses. Linux destroys the economy. Microsoft will help make AMERICA GREAT AGAIN. Linux is the OS of the Islamic State. Obama and the Democrats install it in the US ARMY so that it BECOMES WEAK. TRUMP will make AMERICA'S ARMY GREAT AGAIN. Trump 2016.

      • by Tablizer ( 95088 )

        Such is called the "broken window" economic theory. It may generate employment, but not necessarily better living.

        • The first job of the "managed security services group" at MS needs to be Windows. Once they get that figured out, they can then offer their services to others. But they seem to be more interested in turning Windows into a targeted advertising platform, so I am not sure that their own product is even on their managed security services group's radar.

          • Yeah, I was going to make a similar comment. Microsoft seems to have really improved on the security front... too bad no one wants to use their software any more. Usability seems to have gone by the wayside, along with any aesthetic sense. Windows is now uglier than it's been since Windows 2.

            • I would love to know what made them go for the flat monochrome look. It is hideous. What I was hoping they would do is make themes much more robust (rather than eliminating them). I would love it if they had standard themes for XP, W7 and W8/8.1, all of which could be infinitely customized further. It would be fun to be able to switch to Windows XP theme, and then click on the Windows 7 theme, and have everything just the way it was. Or you could choose the standard W10 theme. So themes would be more than a

              • I hear you. Up until Windows 7, I enjoyed the "Windows Classic" theme, because I think the Windows 2000 one, while dated-looking, was also the cleanest and most functional UI skin Microsoft ever made. Everything since then has been some degree or other of ugly, with Windows 8 and 10 being the worst-looking versions of Windows since Windows 2, which mostly suffered from the lack of hardware capabilities (low resolution, low color depth).

                It seems that everything that was meticulously studied and developed back in

                • Agree completely. I have been over at the MS Windows 10 forums where lots of the "Insiders" debate Windows issues. The attitude from many of the Insiders is incomprehensible. It seems to be that they know best, and they have to repeatedly remind everyone that they "are not stupid" and MS is not stupid, so they obviously have gotten lots of negative feedback to be that defensive.

                  So MS is going for a free OS, app-store-on-the-start-menu revenue stream, and I just don't think that is going to pull in the kind

      • Linux doesn't have anti-malware products

        I had to laugh at this. I have to say that almost all of the automated attacks I ever see hitting my firewall are Linux server exploits.

        I have managed many servers over the years, almost all of them Windows. I have had maybe 4 separate instances of one of my servers getting owned and they were all Linux servers.

        • ok, yeah, I read your post all wrong.

          This was me being distracted while posting....

          is my face red?

        • Linux doesn't have anti-malware products

          I had to laugh at this. I have to say that almost all of the automated attacks I ever see hitting my firewall are Linux server exploits.

          I have managed many servers over the years, almost all of them Windows. I have had maybe 4 separate instances of one of my servers getting owned and they were all Linux servers.

          Your view is illuminating yet the millions of laptops and home computers
          are not behind a well managed firewall.

          This lack of quality firewalls in ISP provided hardware is a real problem.
          +1 for OpenWrt and friends.

  • by Anonymous Coward

    It seems like this is mostly a marketing effort to sell others on their "security" managed services...

  • by fhage ( 596871 ) on Tuesday November 17, 2015 @05:34PM (#50951027)
    Hi! I'm an Executive at the Microsoft Cyber Defense Operations Center, and we've detected a problem with your internet....
    • by tnk1 ( 899206 )

      We can fix this for you remotely, we just need you to give us the Administrator passwords to your Windows hosts and your social security number so we can verify your identity. Don't worry, I'll hold the line while you get this information.

    • by gweihir ( 88907 )

      I got two of these this week. First I just hung up; second I cursed the person on the other side. Seems to have worked as a security measure.

  • it's Integrated!
  • by frnic ( 98517 ) on Tuesday November 17, 2015 @05:49PM (#50951139)

    But, I find it hard to imagine the amount of polished code that could be created for $1,000,000,000.

    I guess because the code executes so much faster today, it costs more to create and debug it?

    • It just goes to show - if you want secure code, you should write it carefully in the first place. Because trying to fix it later is an order of magnitude more expensive, and probably won't work anyway.
      • by frnic ( 98517 )

        yeah, OLD clichés are often true, since the reason they are clichés is they work...

        "If you don't have time to do it right the first time, will you have time to fix it or do it again?"

    • by gweihir ( 88907 ) on Tuesday November 17, 2015 @08:22PM (#50952111)

      No, no, they have not spent that money on _code_. They have spent it on _executives_! You know, clueless people with big egos that earn a lot of money and prevent engineers from doing a good job.

  • by exabrial ( 818005 ) on Tuesday November 17, 2015 @05:49PM (#50951149)
    Applying the inverse square law... means 1/4 of the productivity.
  • by Opportunist ( 166417 ) on Tuesday November 17, 2015 @05:54PM (#50951193)

    Wake me when we get to crystal healing.

  • So I guess their Security through stupidity model isn't working for them in the long run.
    • by gweihir ( 88907 )

      So far it has worked splendidly. Just look at all the stupid people still flocking to them and defending their decades out-of-date crap like it was the second coming.

  • A 'holistic' security strategy does not mean an operating system that's full of holes.

  • I'm guessing he used the term "holistic" in a sense that the plan covers multiple aspects of security. The classical term of "holistic" refers to not alternative treatments, but rather it covering the entirety of something or treating everything as interconnected. In medical terms, it usually refers to the mind and body as a whole.

    Might I add that most "holistic" medicine is grade A horseshit.
  • by tlambert ( 566799 ) on Tuesday November 17, 2015 @06:26PM (#50951411)

    Anything's better than the prior approach, which was homeopathic.

  • by Anonymous Coward

    Before most of you were born, IBM attempted to solve all the world's communications problems with a product called SNA (Systems Network Architecture). Basically SNA was an enormous protocol stack roughly equivalent to many modern-day RFC standards. Now the best way to solve a big problem is to divide it up, like eating an elephant, something big companies are organizationally incapable of doing - too many meetings, reviews and inconsistent requirements, not to mention political career conflicts. I'm not optimis

  • This will follow the usual path of all MS "Initiatives".

    IOW, it will be a "Big Thing" for about 3 years, and then be replaced with the next Big Thing.
  • So "Government Cloud Forum" mixes in "industry, government, law enforcement, customers and consumers" to sell or rent more "tools and services" back to governments.
    So "intelligence, platform and partnering broadly" is the monetized trap door and back doors sold on "another vendor's" systems too?
    Only then can govs get the keys for "personal devices"?

    How about just encryption for gov data so when all the fancy world facing networking and clouds fail the data copied out is a worthless honeypot. No more
  • by gweihir ( 88907 ) on Tuesday November 17, 2015 @08:18PM (#50952089)

    Most of them will be incompetent (as most executives are) with regards to security anyways. What about hiring some actual experts (i.e. engineers) and giving them the power they need to change things?

    Of course, that would result in these experts telling MS to scrap everything and start over (based on xBSD or Linux) because Security is not something you can successfully bolt-on after the fact. And that is the reason why this is pure show. MS has never cared about their customers or about having a good product. They have always ignored other things that work whenever they could and made their own thing instead, badly. As long as their bottom-line is unaffected, that will never change. Of course, with all the mobile devices these days, a "pure MS" ecosystem does not exist and the average person has found out that you can do cool things with non-MS systems too.

  • So...nothing about a version of windows that doesn't give ambient authority to every line of code that runs... this has a zero percent chance of success.

  • For several years now I've jokingly referred to myself as a "holistic IT troubleshooter", partially as a shout-out to Dirk Gently. Now I'll probably get a cease-and-desist letter from M$...
  • by segedunum ( 883035 ) on Wednesday November 18, 2015 @11:39AM (#50955123)

    Bret Arsenault, CISO, Microsoft

    "My internal operations team can swivel with the DCU [Digital Crimes Unit]" there, for example, Arsenault says.

    WTF is this?

  • and I'm not their biggest fan, but I would submit that most of the modern exploits are due to vulnerabilities in browsers and the internet itself. In the past MS has done a piss poor job of security but it's much better now.

    OSX, Linux, UNIX, Android, iOS - they all have vulnerabilities. It's just that Windows has a much bigger install base than the others and that makes it a logical target. If you want a 100% secure system then don't connect it to the internet and don't let anyone have physical access to th

  • I've found that means they have absolutely no clue what they're doing. They'll spend a bunch of money, nothing will get done, and somehow it'll be a success.

  • Holistic security and closed source is an oxymoron
