Community-based defence is key to IT security, says head of Microsoft's Security Response Center

No software supplier can solve the problem of security alone, according to Mike Reavey, director at the Microsoft Security Response Center (MSRC).

"Microsoft is committed to community-based defence within its Trustworthy Computing initiative," he said.

The ecosystem strategy team is just as key as the operations and engineering teams that make up the MSRC, said Damian Hasse, principal security development manager at Microsoft.

"This team is one of many outreach teams that engage with people across the security community, including researchers, national CERTs, partners and customers," he said.

The ecosystem strategy team engages with all segments in the security community to understand what they are doing and why, said Hasse

Computer Weekly spoke to Reavey at Microsoft's Redmond headquarters and asked him to describe Microsoft's community-based security strategy and how he sees this process evolving in future.

Reavey said community-based protection includes various programs aimed at enabling defenders over attackers and giving security researchers a positive outlet for their work.

He predicted that the communities involved would become increasingly complex and Microsoft would have to find innovative ways of keeping them engaged with Microsoft and other software developers.


See also:

Productivity that works: Videos, web seminar and case studies

In this special programme of content from Computer Weekly, in association with Microsoft, we examine the tools, technologies and best practices to create a productive, collaborative modern workforce.

Read the full transcript from this video below:  

Community-based defence is key to IT security, says head of Microsoft's Security Response Center

Warwick Ashford: After a week at Microsoft's Redmond Campus speaking to various
members of its security teams, it is clear that an important part of
their work is interacting with other software producers, partners,
customers, and the wider security community. I asked Mike Reavey,
director of Microsoft Security Response Center, to describe this
community-based strategy.

Mike Reavey: One of the things we realized is the security problems is something
Microsoft cannot solve alone, so we really embrace the idea of the
community-based defense. There are a couple of things there. One is
making sure that when we put our protections that the defenders are
enabled over the attackers and getting protections out worldwide. We
have programs like the Microsoft Active Protections Program and the
Defensive Information Sharing Program where we share vulnerability
details in the short window of time. That way, protections can get out
before even the updates are deployed across for customer base. The
other part of that is there is a thriving security researcher
community. They have done a great job of finding unique issues in
software across the industry, including Microsoft products, so we
really want to make sure that we are listening to that community, are
able to find positive outlook for their research, and acting to try to
provide protections, because the groups within that community are
actually focused on the same things we are, which is customer safety.

Warwick Ashford: Where do you see this outreach program going? In general, where do
you see the Microsoft Security Response Center going in the future?
What are the things you are looking to improve/extend?

Mike Reavey: I got to the Microsoft Security Response Center in 2003. Back then,
we were releasing security updates basically whenever they were
ready, and we did not have this repeatable predictable process, so in
some ways, some things will not change, even in the future. A
predictable, repeatable process is actually one thing that enables
defenders over attackers; it lets the defenders know when to say 'go,'
because they probably have harder job than an attacker who just needs
to find one vulnerable systems. They have to defend everything. I
think those principles will stay the same, along with timely relevant
guidance. I think over the years you will see the communities getting
more complex that we deal with, the information sharing that we do
with them growing. I think you will see us looking for more innovative
ways to be enable defenders over attackers and to keep the security
researcher community engage with us, as a vendor, and the vendors as a

Warwick Ashford: Thank you very much.

View All Videos