Microsoft: Know your network to stop fraud

Anti-spyware Outreach exec says knowing what's normal can help spot data leaks

For the past six months, anti-virus companies Symantec and McAfee have engaged in a full-on proxy war with Microsoft, appealing to the media and the European Commission about the threats to competition and innovation as the world’s largest software maker steps into the security software space.

You would think that all that background noise would make Jeff Williams’ job at Microsoft that much harder. After all, as director of technical outreach for Microsoft’s Antimalware Response group, Williams coordinates with Symantec, McAfee, and other companies to stop malicious code outbreaks, even as those companies squabble about getting their products to work together. Despite heated rhetoric on the business side of things, Williams said that relationships between security researchers at the companies are rosy.

InfoWorld Senior Editor Paul F. Roberts met with Williams at the recent Virus Bulletin Conference in Montreal to talk about spyware, user monitoring, and privacy.

InfoWorld: We’ve heard a lot of security experts talking about data and identity theft. What’s your advice to enterprise IT folks who are concerned about these problems?

Jeff Williams: Knowing your environment is the most important. Having good control on what is and isn’t on your systems. That means staying up to date on software patches and having up-to-date definitions for anti-virus and anti-spyware [products] and those kinds of things.

Also, knowing what’s normal in your environment. If you’re looking at network flows and see some aberration, it can be a tip-off that there’s an investigation that needs to be conducted. Ultimately it boils down to knowing what your environment should be doing at any given time: What kind of traffic is normal? What kinds of applications are appropriate on an individual system? Educating your user base on what some of the social engineering threats are. In some cases, you’ll want to support that with technology-based solutions to enforce policy. But ultimately the end-user is someone you’re putting in a position of trust. And if you can’t trust the end-user to make a good decision because you haven’t given them the tools, then you have some work to do.

IW: What technologies can enterprise IT folks look at to do this?

JW: If the focus is on what’s happening today, one of the best things to do is to keep up on patches. Make sure your firewall is working as expected. Keep out traffic you don’t want and allow traffic that you do want, and only to the systems you want. If you have a strong IT department, start investigating event logs. What is going on with your systems? Think about event log consolidation.

IW: Yesterday we heard a gentleman from CERT saying corporate data theft, or “exfiltration,” is a big issue, and that most companies are not watching closely enough for it. Is Microsoft aware of this problem?

JW: The whole industry is aware of data exfiltration as a problem, but I’d ask you what is the bigger threat: [data exfiltration] or leaving your notebook with unencrypted data in a cab? 

IW: Well, but you can’t keep people from losing their laptops.

JW: No, but you can encrypt your data.

IW: I’ve had anti-virus researchers say to me that the volume of data is too massive to make sharing data useful. Instead, it’s about being able to sift through the massive quantities of data to give you an edge over attackers. Is that something Microsoft is struggling with too?

JW: Ultimately it comes down to a question of how (to) best protect our customers. Some of that is cooperation. Some of that is improving technology. And some is just raw scut work of identifying all inbound threats. Categorizing and classifying them, and so on.

IW: You work a lot with other anti-virus vendors. What’s the state of those relationships, with Microsoft becoming an important security player?

JW: From the response organization perspective, we have excellent relationships with all the vendors out there. We are new to the game, but think we have been accepted openly because we do bring something to the table. We have expertise on the platform. We bring our expanded reach and the ability to help more users. At the same time, we help each other.