[ISN] Inside Microsoft's security war room

From: InfoSec News (alerts@private)
Date: Tue Dec 04 2007 - 00:19:04 PST


http://www.news.com/8301-13860_3-9827124-56.html

Posted by Ina Fried 
December 3, 2007

REDMOND, Wash. -- Tired of having to fight for a free conference room, 
Microsoft's security chief, Mike Nash, decided in early 2005 that the 
company needed a dedicated "war room" where his team could handle 
emergency responses.

And while he was at it, why not have two? That way, the folks working on 
fixing a security crisis could have a little breathing room from those 
drafting the public and customer communications around the issue.

"They were tired of the communications people hearing of things that 
were half-baked," Nash said.

The Microsoft Security Response Center (MSRC) was completed in June 
2005. The engineering conference room includes four flat-panel screens 
that can display live TV or a computer screen as well as a couple dozen 
chairs, though the place is often standing-room-only in a real crisis.

The war room is just one of a number of changes Microsoft has made over 
the years, usually the result of a lesson learned the hard way through 
some worm or other outbreak. In part one of a three-part series starting 
Monday, I take a look back at those painful lessons and how they have 
shaped Microsoft's current practices. On Tuesday, I'll look at the role 
of the human element in trying to keep software secure. And on 
Wednesday, I'll look at some of the people Microsoft counts on to keep 
its products safe. Each day there will be a blog too, going into more 
depth on one issue raised by that day's story.

While most of the room's accoutrements are practical--food, a world map, 
and clocks showing the time around the world--there is also a photo of 
actor Harvey Keitel. That's courtesy of Christopher Budd, who used to 
work as part of the security response effort.

"Back in 2001, I joked about how working to protect customers in the 
MSRC was a lot like being Harvey Keitel's character, 'The Wolf,' in Pulp 
Fiction," said Budd, who now works on Microsoft's privacy team. "Just 
like his character, I said, you're doing a hard job, and doing it right 
means you have to remain calm in a crisis and help others stay calm. 
When you do that, you help everyone stay focused on solving the 
problem."

To me, "The Wolf" seems like an odd choice for a company that is looking 
to be more transparent. Wasn't his role in the movie to help clean up 
after a murder so that the rest of the world would not know what had 
transpired?

