
Microsoft Cyber Security: blending engineering with policy-making for cyberspace confidence

Matt Thomlinson (Microsoft Security)

Microsoft has a unique reach and responsibility for the online experience of many of the cyberspace citizens of the world. A dozen years ago Bill Gates demonstrated the leadership of Microsoft software security across the industry by establishing Trustworthy Computing, then an initiative and now an organisation responsible for Security, Privacy, Reliability and Business Practices across the whole of Microsoft. Back then, security was a matter of rapid response, and Matt Thomlinson was an established software engineer building security features into Windows, so he was well placed to conceive Service Pack 2 for XP, a major threshold in Microsoft security. Today Matt is the Vice President for Trustworthy Computing Security, and XP SP2 has gone out of support, superseded by many more security step-changes and by the diversification of the cyber threat and defence into Microsoft’s portfolio of products and online services.

In his lecture, Matt will discuss the evolution of the cyber security threat: from the origins of hacktivism through web defacement 15 years ago; through the emergence of Worms and their impact on business networks; and the establishment of the BotNet as a new means of organised crime; to the embedding of the targeted attack as an advanced persistent threat. Through all of these threats Matt has led research and development of technical and organisational responses based upon his concept of security exploit economics, reframing engineering problems into business solutions.

The adaptation, growth and proactivity of Matt’s organisation in the face of these technical threats could have remained in the domain of engineering. However, engagement in the language of risk, regulation and opportunity was the next key security step for Microsoft. For many years Matt has encouraged engagement on cyber security with Governments and international Institutions to translate software and service issues into the language of policy-makers. Microsoft is in the vanguard on engagement in security standards, information sharing, critical infrastructure protection, capacity building and norms of behaviour in cyberspace. A future perspective is key to Microsoft’s security strategy and Matt will be announcing the latest in a series of cyber security policy papers, addressing scenarios for the 5 billion citizens of cyberspace in 2025.

Speaker bio

Matt Thomlinson is Vice President of Microsoft Security and leads the Microsoft Security Engineering Center (MSEC), the Microsoft Security Response Center (MSRC), Global Security Strategy & Diplomacy (GSSD) and internal Network Security (NetSec). His teams are responsible for proactively implementing training, tools and processes to improve the security of Microsoft products and services. As such, Matt is responsible for assessing the threat to, and assuring the security of, Microsoft products and services from their inception, development, and through their supported life.

Matt built Microsoft’s security research group to further security science, improve the security of products and develop fundamentally new methods to mitigate security vulnerabilities. Once a founding member of the MSRC, he now owns all aspects of Microsoft’s security response, from the triage of new vulnerabilities, through the management of Product Group solutions, to responding to vulnerability exploitation emergencies and driving incident postmortems. This technical team investigates vulnerability reports and associated malware, and works closely with the many communities involved in software security, ranging from researchers to law enforcement and governments. His GSSD team is responsible for tracking and responding to legislation and government information assurance relationships; the NetSec team is responsible for monitoring and investigating issues on Microsoft’s own network.

In his 19 years at Microsoft, Matt has led many security engineering efforts with global customer impact. Early in his career, Matt led various development teams building operating system infrastructure during the development of Windows Server 2003, Windows XP and Windows 2000. In 2003, he was the inspiration for, and directed the creation of, Windows XP Service Pack 2, the first significant security improvement of the Windows client platform.

Matt is involved across the software industry as a security specialist, and is the chairman of NIST’s Information Security & Privacy Advisory Board (ISPAB). Matt is named as inventor or co-inventor on over 20 patents on technologies ranging from secure secret storage and random number generators to various vulnerability mitigation techniques. He is a Seattle native and holds both Master’s and Bachelor’s degrees in Electrical Engineering from the University of Washington.

 

 
