Traditionally, Ness explained, the job of the attacker is easier than that of the defender. This is what Microsoft is looking to change. “We need to reduce the attackers ROI”.
There are three ways that Microsoft can do this:
- Increasing attacking investment required to find usable vulnerabilities
- Increasing attacker investment requires write reliable exploits
- Decreasing the attacker’s opportunity to recover their investment (shrinking the window of vulnerability)
Microsoft’s goal, Ness explained, is to triple investment costs facing cybercriminals trying to exploit software vulnerabilities. “We want working exploits to be expensive and scarce – as rare as crypto [encryption] breaks”, he concluded.
| Security Science |
| The Security Science department of Microsft Trustworthy Computing sits within the Microsoft Security Engineering Center (MSEC). It is concerned with future projects, with a proactive rather than reactive focus. |