Senior Editor, Network World

Microsoft to make its software ‘behave’

Mar 01, 2004 (5 mins)
Microsoft, Networking, RSA Conference

SAN FRANCISCO – Microsoft’s revelation last week that it is adopting a new approach to computer security dubbed “behavior blocking” represents a radical shift in the company’s software design strategy that could pay off for attack-weary Windows users, industry watchers say.

Microsoft’s embrace of behavior blocking – a technique for protecting applications and operating systems from worms and other attacks by recognizing when computers aren’t acting like themselves – was one of several security initiatives outlined by the company and others at last week’s RSA Conference. Behavior blocking, already available from Cisco, Network Associates and others, is seen as complementing signature-based anti-virus tools.

Bill Gates, Microsoft’s chairman and chief software architect, outlined the “active protection technology” effort during a keynote address.

“You can really think of this as taking the notion of secure-by-default to the next level,” said Gates, who along with other Microsoft executives has been talking tough about security for the past two years under an initiative called Trustworthy Computing. “The system will truly know what actions are allowed for operating-system components and the applications that are running.”

He described how it could help prevent the spread of worms that take advantage of unpatched vulnerabilities in Microsoft applications. “For example, the Blaster worm caused the RPC service to open a back door and download some malicious code on the machine. In this case, behavior blocking would recognize that this behavior is out of the ordinary for the RPC service and block it,” he said.

Gates offered little detail about how or when the new technology would show up in products. But analysts say they expect the technology, obtained in part through Microsoft’s acquisition last year of start-up Pelican Security, will be in Windows client and server software by year-end. Microsoft sources confirmed that is the goal.

Gartner analyst John Pescatore says Microsoft’s effort to safeguard Windows networks via behavior blocking runs counter to the company’s traditional way of designing software, which “was always about making things easier for the user.” That approach has led to more than its fair share of holes.

“To Microsoft, it’s been foreign culture to try and stop anything,” he says.

The biggest challenge in behavior-blocking software is making sure it doesn’t “keep good things from happening too,” Pescatore says.

Vendors that already have behavior-blocking technology seemed unfazed by Gates’ pronouncement.

Avert Research Security, a worm-watching group within Network Associates’ McAfee division, last week announced it will begin issuing alerts about new software vulnerabilities and will add filtering safeguards or updates to McAfee’s Entercept behavior-blocking product if necessary.

Microsoft’s heightened interest in behavior blocking “validates these new methods are being required to solve the problems of today’s world,” says Jeff Platon, security products manager at Cisco, which sells behavior-blocking software based on technology obtained last year via its Okena acquisition.

RSA and Microsoft

Microsoft also has been working with RSA Security, which introduced SecurID for Windows at the show. This is authentication and audit software for Windows 2000 and XP that allows direct logon to Windows desktops by means of the SecurID handheld token. The token generates a new password every minute.

RSA, which is making SecurID for Windows available in May, designed the software so a laptop can use dynamic one-time passwords offline without having to be connected to RSA ACE/Server 6.0 to authenticate the user. The software, which costs about $20 per user, marks the first time RSA has designed a SecurID product intended for internal enterprise use rather than remote access.

ChevronTexaco already has 25,000 users with SecurID for remote access to the San Ramon, Calif., company’s network. The company plans to upgrade from an earlier edition of ACE/Server to Version 6.0 to give SecurID dynamic-password tokens to 70,000 users for internal use as well, says Edmund Yee, ChevronTexaco’s manager for security.

“We want to get rid of simple passwords completely,” Yee says, noting that reusable passwords not only present higher risk because they might be shared or stolen, but add management cost. “We have 3,000 to 4,000 password resets every month,” says Yee, who calculates this can reach $20 per help desk call. The SecurID dynamic passwords can eliminate the need for password changes.

Separately, RSA says it is working on an RFID Blocker Tag, a technology that would prevent radio frequency identification readers from performing unwanted scans on goods with RFID tags in them. The technology is being developed with Massachusetts Institute of Technology professor Ron Rivest, who contributed to the development of the RSA public-key technology.

Also at the show:

• IT security executives from Macromedia, McKesson and Motorola joined with security firm Foundstone to launch the Security Metrics Consortium. William Boni, Motorola’s chief information security officer and the new consortium’s chair, says he envisions coming up with a kind of “dash board” to define security practices and implementation approaches that would help give IT departments and executive boardrooms a better understanding of how security is applied to regulatory requirements, such as the Sarbanes-Oxley Act or the Health Insurance Portability and Accountability Act, across various industries.

• Eleven security vendors banded together to form the Cyber Security Industry Alliance (CSIA), a nonprofit advocacy group to represent their policy views to federal agencies, such as the Department of Homeland Security, and international governments. CSIA is headed by executive director Paul Kurtz, who recently served as special assistant to the president and senior director for critical infrastructure protection on the White House’s Homeland Security Council. The founding members – which pay anywhere from $60,000 to $150,000 in annual dues to have a say in policy views – include BindView, Check Point, Computer Associates, Entrust, Internet Security Systems, NetScreen Technologies, Network Associates, PGP, RSA, Secure Computing and Symantec.