Some of you may recall the launch of the Microsoft Active Protections Program (MAPP) back in 2008, when we began giving antivirus vendors security bulletin information early, so that they could develop and test signatures for vulnerabilities and be ready to release them when our bulletins were published. MAPP was our answer to a common phrase used back then: “Update Tuesday, exploit Wednesday.” This was a time when exploit writers had developed full automation for reverse engineering our security updates and building exploits. Security vendors received information at the same time as everyone else and had to then develop and test signatures before applying the updates. MAPP gave the security vendors, the “good guys,” a head start against the “bad guys.” In the years since its inception, MAPP has been successful in allowing these vendors to release protections when we release the updates so that our customers have the time they need to test and deploy them.
Along the way, MAPP has also become a key part of our incident response process when we find new exploits in the wild. During these incidents, we are able to help MAPP partners quickly build protections for our common customers by providing them with detailed detection guidance. In most cases, this allows for a significant level of protection for customers while we are working to address the issue with a permanent fix.
Since the program launched, there has been little external change to how it operates. Internally, we have made slight adjustments to how the program is managed but by and large, it is the same program it was in 2008 and the same program our partners still say is essential to their operations. For example:
“The MAPP program helps Trend Micro in strengthening further, its defenses against cyber criminals. This timely information sharing works great in providing our customers the best and accurate protection with least false positives,” said Raimund Genes, CTO, Trend Micro.
“The data from MAPP has proven to be a valuable source of information ahead of the curve allowing us to better deliver faster protection against 0-day vulnerabilities to our customers.” — Peter Szabo, Senior Threat Researcher, SophosLabs Canada
“MAPP provides us with advanced notification of vulnerabilities, as well as actionable information that allows us to even more quickly build protection for our customers. This saves us significant cycles, and MAPP’s valuable information sharing fully supports our threat-centric approach to cybersecurity.” – Matt Watchinsksi, Vice President of Vulnerability Research, Sourcefire
Even with this level of success, we are always evaluating our programs. Today, we are introducing a few changes based on the changing threat landscape and feedback from our partners.
MAPP for Security Vendors
First, in order to have a clear definition of the existing MAPP program and be able to convey how the new programs differ, we are now calling what the world today knows as MAPP, “MAPP for Security Vendors.” Here is an outline of how the traditional MAPP program will look going forward:
The MSRC has a history of gathering and acting on feedback from our customers and partners. For example, the Software Update Validation Program (SUVP) allows qualified enterprises to test our security updates in a non-production environment and give us feedback on those updates before we release them. This partnership with our customers extends our internal testing to include many of the custom applications enterprises run in their networks.
In much the same way, we are implementing MAPP Validate as part of MAPP for Security Vendors, which will allow qualified security vendors to give feedback on our detection guidance before distributing it to the broader MAPP community. This is a community-based initiative that will help to streamline the development and use of detection guidance in order to facilitate faster and higher quality protections for customers.
Next, our partners say they are getting clear business value from the one-day head start we give them to develop protections. But sometimes, building, testing, and deploying quality signatures takes additional time. So, on top of streamlining and improving the quality of detection guidance, we are expanding the signature development window from one to three business days for MAPP partners who meet certain stringent criteria. For example, partners must have at least a two-year track record of completing the reporting requirements of the program and a demonstrated willingness to partner back with us as they find new issues in the wild that we need to respond to quickly. Entry-level MAPP partners will still only receive information one day early. As always, we take customer security very seriously. Any partner found to have leaked information, either inadvertently or knowingly, is subject to removal from all parts of the program or, depending on the outcome of an investigation, subject to entry-level status only.
MAPP for Responders
Across the industry, it is recognized that targeted attacks are one of the primary threats to enterprises, governments and other entities. Incident responders, including response companies, CSIRTs, ISACs, and security vendors, represent the front lines in the fight to detect, respond, and remediate these attacks. Through this new program, MAPP for Responders, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange. Microsoft intends to contribute to this effort by sharing threat indicators such as malicious URLs, file hashes, incident data and relevant detection guidance. Employing a “give to get” model, the community will benefit when data they provide is enriched by aggregating it with data from others.
How is MAPP for Responders different from MAPP for Security Vendors? At a high level, the former targets detection and remediation while the latter is all about developing protections. The information we plan to share with response partners is focused more on threat intelligence than specifically on vulnerabilities. Where these two programs come together is around incident response. Arming more defenders against targeted attacks is a key part of our overall strategy.
Effective knowledge exchange requires automation and a common format. To accomplish this, we plan to support Mitre’s STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information) specifications. As open specifications for the formatting and transport of information, STIX and TAXII are starting to see broad adoption. Regardless of format, we want to serve customers by facilitating the flow of threat intelligence to organizations who can capitalize on it. As such, we will also seek to build transforms for other commonly used formats. This effort is currently in development and we intend to launch a pilot in the near future.
The MSRC employs some of the brightest engineers in the industry, the sort who build tools such as !exploitable, OffVis, and EMET. MAPP Scanner, currently in a closed pilot program, is a content-based vulnerability scanner developed by our security engineers to aid in investigating incidents. We are introducing MAPP Scanner as a cloud-based service that can be used to scan Office documents, PDF files, Flash movies, and suspect URLs, to determine if they are attempting to exploit a vulnerability.
MAPP Scanner performs both static and active analysis to determine if files are attempting to exploit a vulnerability. It spins up virtual machines for every supported version of Windows and opens content in supported versions of the appropriate application. MAPP Scanner can help find a known vulnerability and return the CVEs and affected platforms for that issue, while also flagging suspicious activity not associated with a known vulnerability for deeper analysis. As a result, MAPP Scanner is extremely effective in identifying previously unknown vulnerabilities while at the same time dramatically improving the ability and efficiency of responders investigating an incident.
Making this technology available to partners who are likely to be subjected to targeted attacks and those who work with them to investigate and remediate security incidents increases the likelihood of new attacks and attack vectors being discovered. It also aids in the efficiency of investigations which speeds up the process of identifying and deploying the appropriate protections.
As with Microsoft’s other security initiatives, such as the BlueHat Prize and our new bounty programs, the mission for MAPP is simple: mitigate entire classes of attack and protect customers. We have a long history of working across many different communities to drive this mission and will continue to do so. We also have a lot of other initiatives we are working on so going forward, you can expect to hear more announcements from us impacting this space.
Senior Security Strategist
Microsoft Trustworthy Computing