Mark Curphey here. Nearly two years ago I came to Microsoft to explore an idea. As Big Weld in the film Robots said “see a need, fill a need” and I had seen a need! For several years I had been looking at the security management tools space and talking with security professionals about their custom and commercial off the shelf (COTS) software that made up their diverse portfolio of technology to drive their information security programs. I had been trying to figure out what was common among all the tools and how you could tie them all together to allow companies to answer questions and make informed decisions about information security risk management.

Questions like “Which applications have SQL Injection bugs where the hosts are also un-patched and the boxes sit in a data center with no disaster recovery plan?” or “Which applications process credit cards that use library ‘x’ which is known to contain a specific flaw?” or “What is the net effect of user awareness in specific geographies or business units on our overall risk posture?” or “Which firewalls rules have a registered owner that is no longer a full time employee?”. These are very small subset of examples of questions that I think should be readily answerable and proactively managed by an information security program but sadly rarely are.

As I delved into reasoning why companies couldn’t provide these answers I started to confirm that almost all enterprises relied heavily on a significant portfolio of custom built security tools (of varying maturity (that’s me being polite)) and COTS tools. Rarely did these things work well together if at all. Some tools like security incident and event management tools were aggregating security events (hence solving a small portion of the problem) and other tools were attempting to be a “CSO in a box”. These tools all had significant drawbacks; especially in the large enterprise customers with diverse environments. I had been reading the Long Tail by Chris Anderson when one day I woke up and had a Eureka moment; the thing they all of these companies had in common was that they were all different and almost definitely always would be. It was the Long Tail of Security and what everyone needed was a “glue framework” to bind the “reality” of custom and COTS apps together with business infrastructure so they can work together and help security professionals make informed decisions. What was needed was a development platform or framework on which custom security applications could be built faster, cheaper and better and crucially with a higher degree of architectural consistency and what was needed was a set of reusable common components providing common services like security controls or business intelligence (BI) or workflow (BPM).

Marc Andreesen (of Netscape fame) says “By definition a “platform” (framework) is a system that can be reprogrammed and therefore customized by outside developers and users and so it can be adapted to countless needs and niches that the platform’s original developers could not have possibly contemplated, much less had time to accommodate.”

This definition and its implications are key. [NOTE: Platforms and frameworks are becoming very overused terms.]

image Now to be clear at the time I was initially thinking about this I had been planning to build another start-up in the security management space and so this wasn’t a good thing to have concluded for me personally. The economics of ‘selling’ frameworks for money are tough but the more I spoke to people the more my conclusion was validated. Luckily for me I stumbled across some folks in the Microsoft Information Security team who were in need of such a framework for themselves and I landed a job running the information security tools team. We build a wide variety of software from static code analysis tools to a sizeable portfolio of custom security management applications. We are no different from most information teams I have come across in the sense we have a range of custom and COTS tools and guess what? We have the same issues others have. The custom tools are all unique (and for the most part need to be to support unique ways we run the program) and none work together well. We spend a lot of money building unique tools and it always takes us longer than we have. More than anything there is a LOT of things we would want to do but until they run on a platform we simply can’t. I could spend a LOT of time writing about why I personally think a security tools development framework will feature heavily in the future of information management tools and indeed I recently wrote a chapter in an O’Reilly book called Beautiful Security on just that topic.  You can download a free PDF copy of that here. We are clearly a long ways of but eventually I hope this framework will allow people to build the type of tools I describe in the book.

SO now for the good news. In a few weeks we plan to release a Community Technology Preview or CTP of the Connected Information Security Framework or CISF. This is our internal development framework that we have built to create our own custom information security applications so that we can engineer them cheaper faster and better with a higher degree of architectural consistency. Our framework also which is an SDK and a set of reusable components to create custom security management applications.  We also plan to release a sample application that we have built using CISF to track information security risk called “Risk Tracker”.  Both CISF and Risk Tracker will be released open source on CodePlex using an MS-PL license essentially meaning our customers and ISV’s can take the code and use it as they see fit. Companies can use and extend the framework to create new applications, port their current custom applications to use it, update existing applications to consume framework services like controls and either use or extend our sample applications. ISV’s can even use the reporting portal as an example in their commercial applications for no charge. We hope users will port and share their custom applications via a CISF Apps site on CodePlex; apps that can all work together on the framework and together we can start a movement to improve the state of custom security applications and work together to create and share interesting new ones. we know that there are loads of mini-apps out there that if mashed up with others apps could provide real incremental value.

I want to be up front and say this is a big project and what will be released initially is very much a CTP. We expect our team to be working on this for several years to get to where we really want it to be; and are planning quarterly code drops as we add more functionality and refactor the existing framework while we learn and get feedback from ourselves and others using it. We are building it for ourselves so have a major real customer from day one but want other Microsoft customers to share in our work and partner with us. We want to hear from people that are interested in the framework idea, using it, people who would use it if it had ‘X’ or ‘Y’ and from people who are using it so we can support your development. Well be setting up some user groups in due course and sharing more technical details.

So what is actually in the framework;

  • Portal – Built using ASP.NET and AJAX to present custom applications
  • Workflow – Built using WWF to create a  business process management layer
  • Integration – Built using WCF to provide a services integration bus to integrate custom apps with themselves and with core business infrastructure including defect tracking systems, document management and HR systems and a services layer to expose core framework functionality. Using integration services we can connect client tools and data sources.
  • Controls – Security controls service that can be consumed by humans and tools (think threat modeling, Risk Tracker or code review tools)
  • Risks – manipulate core risk objects
  • Assets – From applications to hosts (and potentially data).
  • BI – Analytics and reporting. Create a data cube and a large chunk of custom reporting will be taken care of (coming in next CTP release in October)
  • Data warehouse – Built using SQL Server 2008 providing staging, data hosting and archiving
  • Notifications – Ability to send notifications and reports etc.
  • Tasks – Ability to track human activity assigned to “stuff”
  • Authorization – Application and data level authorization using Active Directory as the authoritative store

While we are in the very early stages of this project we have been able to build a fully functioning Risk Tracer application using the initial CTP that is connected to our corporate HR system (so we can track which business groups risk owners report to) and connected to an internal web service to map risks to business units and geographies. The Risk Tracker app is also connected to the application portfolio management system.

Over the coming weeks and months we will be blogging about components and showing some more of the Risk Tracker application and plans for the framework components to evolve and applications we are building using it. Those include a lot of custom reporting, a business continuity planning application and a user access reporting tool that supports SOX audits.

Got custom security apps? Interested in using CISF?

- Mark (typing this from my house which is 90 degrees at 11pm!)