Microsoft’s OSA: think like a hacker to secure your online services


Flame was a bad time for Microsoft and for Mike Reavey, General Manager, Trustworthy Computing at Microsoft — he still gets Nam-like flashbacks thinking about it.

Flame is modular computer malware, discovered in 2012, that attacked computers running Windows. The malware was mostly used for targeted cyber espionage in Middle Eastern countries. It was a very “intense” time for Microsoft, says Reavey, but the company managed to respond within days of its discovery.

Malware like Flame has taught the company some valuable lessons around security, especially for online services. Say hello to Operational Security Assurance (OSA).

“The design of a secure operations methodology is part of our ongoing commitment to enable trustworthy computing in all aspects of our online services, and OSA represents the next evolution of these efforts,” says Reavey.

He argues that when it comes to defending cloud services against network attacks, such as Flame, two things are required: strong development practices, such as its Security Development Lifecycle (SDL), and a strong operational security regime. Reavey argues that developers who write code need to understand and connect with the operations teams who run the services. He reckons that hackers do not distinguish between these two arms, and neither should defenders.

In short, when it comes to securing your cloud services or business against hackers, the best thing is to think like the hacker. That is what threat modelling helps you do, Reavey says. He warns that a dedicated hacker will always find a way, but using a methodology like OSA helps you limit that hacker’s chances of success.

Reavey believes that OSA adds considerable value to the focus on infrastructure issues and operational security such as:

  • Use of a proven methodology for verification and continuous improvement that was first established with the SDL and is closely tied to Microsoft Security Response Center (MSRC) incident response processes.
  • Support of Microsoft internal security policies that align with standards such as NIST 800-53, ISO 27001, and other related industry guidance that applies to a broad range of cloud services. It also reflects Microsoft experience in the secure operation of online services.
  • Helps to protect against internet-based external threats.
  • OSA is designed to better discover attacks as a way to inform future security improvements.
  • OSA prescribes key security controls that Microsoft has seen to be effective in mitigating known attacks and previously unknown vulnerabilities.
  • Decades of Microsoft experience operating cloud services at scale.
  • Integration with the SDL, so that changes in operations can result in changes to the development of software used in operations and vice-versa. More importantly, OSA creates a feedback cycle that Microsoft can use to update its operational processes more rapidly than a typical policy cadence can support.
  • Repeatable practices and methodology that are used to actively and continuously update services to improve security and resolve incidents as quickly as possible.
