Windows 8 is coming! In line with its tendency to introduce high-profile security features in each new version of its operating system, Microsoft is unleashing some pretty interesting new protection technologies with its next OS release. In fact, some of them may dramatically change the cyber threat landscape and bring the security industry a set of very handy tools for protecting users against sophisticated threats like rootkits.
Today my “in the Spotlight” guest is Alexey Polyakov, the Head of KL’s Global Emergency Response Team, our consulting service that assists enterprises in investigating security incidents, and auditing and improving corporate security policy.
Ever since graduating from Moscow State University with an M.Sc. in Physics, Alexey’s been working in the IT security industry – now for 15 years – with a résumé featuring positions at McAfee, IBM, Symantec and Microsoft.
Prior to joining us at KL, Alexey worked as a senior security program manager at Microsoft, where he became the proud founder of the Microsoft Security Response Team and was one of the key members of the company’s security development. He’s authored and co-authored security technologies protected by 12 patents, and one such technology was Secure Boot – perhaps the most ambitious advance in Windows 8 in terms of security.
So, let’s see what our man can tell us about what to expect from Windows 8 from the security standpoint, and how this might change the security market.
Microsoft’s recent ‘Build’ conference made rather a splash in the industry by announcing many useful features in its upcoming Windows 8. While mostly addressing the new user interface, performance issues and multi-platform support, the company also presented a number of security innovations.
What do you think about Microsoft’s products’ security in general?
Microsoft is of course best known for being the vendor of the most popular operating system in the world plus a range of business applications. Sadly, its very successful business has always aroused the interest of cyber criminals, who try to abuse Microsoft products for their illegal goals.
C’est la vie. But it’s not about Microsoft being an evil company that develops bad software; it’s more about the popularity of its products that attracts so many cyber criminals.
However, at the same time Microsoft is doing a great deal to strengthen its security. And I should know – I had the honor of working at the hugely successful company and also with its partners. Kaspersky Lab is an illustrative example here. We rely on Microsoft’s reasonableness – i.e., openness and transparency – to allow us to better integrate our products with those of Microsoft and deliver customers better protection. And I have to say that Microsoft does plenty to make us (and our customers) happy.
It never stops improving built-in security features, and it does this efficiently and responsively. And of course it actively improves – as opposed to Apple saying it doesn’t care about malware because it cannot exist on Mac OS. Microsoft is very good at patching security breaches quickly as they become apparent – first and foremost due to improvements in the automatic Windows update system and the growing proportion of Windows 7 OS installed on PCs.
As one of the members who was involved in the development of some of the Windows 8 core security technologies, what are the major advances here?
Microsoft has a long track record of constantly improving its security features. As for the Windows 8 pack – this is certainly not a breakthrough (don’t expect it to solve all malware-related issues), but it does have some interesting features that will allow us to fight cyber criminals more effectively. Some of them are being introduced for the first time, while others have gone through major overhauls since the previous version.
The first line of defense remains the same. Here we see improvements in both the Malicious Software Removal Tool (MSRT) and Windows Defender, the latter now able to provide real-time protection, and not as obtrusive with alerts and notifications as before. Coupled with SmartScreen (similar to our URL Advisor and File Advisor reputation services available in our products) and the improved BitLocker (a drive encryption tool available in the top-end editions of Windows 8), they provide excellent basic protection.
But if malware still makes its way into a computer, users can restore the operating system with a combination of Secure Boot (Windows’ native boot sequence check) and Standalone System Sweeper (similar to our Rescue Disk – a clean OS boot disk for system restoration).
Doesn’t look like an avalanche of market-killing features!
Why do you think Microsoft still keeps on developing its built-in security?
In my opinion what we have here is Microsoft not trying to take over the security market. The company understands quite well that the IT security industry – especially anti-malware – is an industry of focused and agile experts. Starting with its MSAV in 1993, Microsoft had several attempts at getting into this market as a solution provider – with no luck. I don’t think it plans to make the same mistake yet again.
Customers prefer solutions offered by focused security companies because they possess the necessary specific expertise, which can be bred sometimes for decades, and are able to respond rapidly to today’s attacks. Typically, these companies offer better detection and removal capabilities, a wide range of products, plus combinations for all the possible operating systems and platforms, mobile devices, servers and desktops, not to mention multi-layer protection and dedicated support services. Agility is key in this business.
In my opinion there are two main reasons behind Microsoft’s security improvements.
First, customers, governments, the press, industry… everybody has been pushing Microsoft for security improvements, and the Windows 8 security features are an answer to these market and societal demands.
Second, Microsoft isn’t claiming to provide ultimate, rock-solid – Fort Knox – protection. Instead it delivers sound, basic defense for users, and a well-designed integration framework for security vendors.
Can you shortlist the three most important security features in Windows 8?
- The freshly beefed-up Windows Defender, tightly integrated with the MSRT;
- The Standalone System Sweeper; and
- What I reckon is the most interesting and technologically advanced feature – Secure Boot. This is very important for third-party protection as it delivers useful data from the early boot stages and allows the detection and prevention of even the most sophisticated malware like rootkits and bootkits.
You are on the list of Secure Boot inventors, and the patent filing date goes back to 2006. Is there anything else you can tell me about why you think Secure Boot is so important, and why it took Microsoft so long to implement it?
I’m sure Secure Boot is something that makes cyber criminals’ life much harder. I can’t say this feature is a panacea, but what it will do is force the bad guys to reformulate their infection procedures and find new ways to take control over computers. Sooner or later they’ll find ways – it’s just a question of when, and how efficient these ways will be.
And yes, you’re right, it took Microsoft quite a long time to get Secure Boot from the proof-of-concept stage to the ready-to-use-feature stage. But you have to take into account the fact that it was a very complex project, involving a dozen teams from the core development stage. However, I’m happy they gave the green light for it and it’s finally ending up in Windows 8.
A little more about Secure Boot, please!
Secure Boot is part of the standard operating system boot process: it scans the boot sequence. It examines every software driver at an early boot stage – preventing malicious drivers from loading right from the outset.
In fact Secure Boot is part of the Platform Integrity Architecture (PIA), which also includes two additional components: the Early Launch Anti-Malware (ELAM) driver and Measured Boot Attestation (MBA). PIA works in combination with another useful feature – the Standalone System Sweeper, which permits deep analysis: it can analyze infected system files and registry content while the operating system is inactive. In general this is a great solution for eliminating complex malware attacks and excluding possible stealth malware from the boot sequence.
What is Microsoft’s position as regards transparency and cooperation with ISVs, specifically security vendors? And how can ISVs employ the new Windows 8 security features?
What I particularly like here is that Microsoft is very open when it comes to ISVs. For example, we at KL work very closely with Microsoft so as to integrate support for all the major Windows 8 security features into our upcoming products. And this is not just some one-off cooperation – we’ve been working together productively for quite a long time now, cooperating on every Windows release since the early 2000s.
As to your second question – how can ISVs employ the new Windows 8 security features? – our task is to have PIA supported as soon as it is out there – to make sure users can fully benefit from this feature.
We started working with Microsoft on Windows 8 security in 2010. Our developers took part in the company’s dedicated training and brainstorming sessions to get in-depth insight, understand platform specifics and architecture changes, and talk to the Microsoft guys directly and in person.
To summarize, I have to say that Microsoft is doing a lot to ensure its products are more secure, and is very open and cooperative with ISVs. I take my hat off to them.
What can users expect in the upcoming versions of our products in terms of integration with the newly announced Windows 8 security features? What are the benefits of integration?
We will fully support PIA and also integrate both our personal and corporate products with other Windows 8 security features where possible.
For example, at the moment we’re working closely with Microsoft to have the above-mentioned Early Launch Anti-Malware (ELAM) supported to strengthen our protection against rootkits – perhaps the most notorious and sophisticated technology used by malware. ELAM will allow us to reliably block rootkits at OS boot-up and significantly increase our capacity to disinfect already infected PCs.
As already touched upon, another useful Windows 8 feature we are going to integrate is Measured Boot Attestation (MBA). This acts like a safety seal on the Windows kernel to make sure that only trusted and certified applications figure in the OS boot-up sequence. However, in KIS/KAV 2013, we will enhance the attestation process and plug it into the cloud-based Kaspersky Security Network. Ultimately this feature will also take advantage of our whitelisting technology and achieve maximum integrity for both Windows and our products, protecting them from compromise.
Great! Alexey, many thanks for this chat and the insight about the upcoming Windows 8 security features and our plans to support it!