Layoffs and reorg have changed security at the company, say outsiders, and
not for the better
For the first time in a decade, Microsoft today did not give all customers
advance warning of next week's upcoming Patch Tuesday slate. Instead, the
company suddenly announced it is dropping the public service and limiting the
alerts and information to customers who pay for premium support.
"Moving forward, we will provide ANS information directly to Premier customers
and current organizations involved in our security programs, and will no longer
make this information broadly available through a blog post and Web page," wrote
Chris Betz, senior director at the Microsoft Security Response Center (MSRC),
the group responsible for the warnings.
The change also applies to the occasional alerts that Microsoft issued when it
gave customers a heads-up about an impending emergency patch. ANS will no longer
provide public alerts for those "out-of-band" updates.
Security professionals torched Microsoft over the change.
"They've gone from free to fee, and for really no particular reason," said
Andrew Storms, vice president of security services at New Context, a San
Francisco-based security consultancy, in an interview. "It doesn't make sense."
And Ross Barrett, senior manager of security engineering, at Rapid7, let loose
with both barrels. "This is an assault on IT and IT security teams everywhere,"
Barrett said in an email reply to questions. "Making this change without any
lead time is simply oblivious to the impact this will have in the real world.
Honestly, it's shocking."
The no-longer-available alerts from the "Advanced Notification Service," or ANS,
have been a part of Microsoft's monthly security apparatus for the last 10
years, Storms estimated. Those alerts appeared on Microsoft's website on the
Thursday before the next Patch Tuesday, the tag for its monthly security update
schedule.
Microsoft will still issue those updates next week -- on Jan. 13, at
approximately 10 a.m. PT -- but only some customers will receive the pre-Patch
Tuesday warnings, including today's. The warnings listed the number of updates
and what products they would affect, and described the severity of the
underlying vulnerabilities.
Betz explained the sudden disappearance of a public ANS by saying that customers
weren't using it.
"Customer feedback indicates that many of our large customers no longer use ANS
in the same way they did in the past due to optimized testing and deployment
methodologies," said Betz. "While some customers still rely on ANS, the vast
majority wait for Update Tuesday, or take no action, allowing updates to occur
automatically."
Microsoft prefers to call its monthly security release "Update Tuesday,"
apparently believing "Patch Tuesday" carries negative connotations.
Storms wasn't buying Betz's explanation. "I don't get it. It's the wrong
economic model," said Storms. "They say no one was using it, so now they're
going to charge for it?"
"Privatizing ANS to Premier and paid support protection programs only reiterates
that Microsoft wants all of the pie, and will force organizations to pay," added
Tim Byrne, product manager at Core Security, in an email.
Storms said that pulling the ANS plug was probably part of the reorganization
that Microsoft has been implementing since 2013, but particularly since the
large layoffs of mid-2014. For example, the Trustworthy Computing security group
was shut down last September, with some staff let go and others beating a path
to the door for new jobs. Others were parceled out to the company's cloud
computing and legal teams.
"We know that there are a lot fewer folks at Microsoft," said Storms, referring
to the layoffs and the shuttering of the Trustworthy Computing Group. "With
X-percent fewer employees, I think they're just trying to make ends meet."
One result: ANS going from free to paid.
In hindsight, ANS's vanishing act shouldn't have been a shock. In November, for
instance, Microsoft discontinued its long-running post-Patch Tuesday webcast,
where senior security engineers and managers walked through the month's updates
in detail.
Jonathan Ness, senior development manager at MSRC, and Dustin Childs, group
manager of response communications -- who did the final webcast in November --
have both left Microsoft, illustrating Storms' point about staff reductions.
In a tweet today, Childs simply said, "Wow. #ANS now for premier customers
only," about the change.
ANS was valuable, Storms maintained, and not only to the large corporations that
will continue to receive the alerts as part of their Premier Support contracts.
"ANS was very useful for preparation before Patch Tuesday," said Storms. "It
gave you time to make a VM [virtual machine] with the correct version of
something so you could test the patches when they came out. There are definitely
organizations that have relied on it."
The ramifications of the new ANS policy are hard to gauge, said Storms, but he
worries about the trend in Redmond.
"I'm really surprised," said Storms. "It's very uncharacteristic of the
Microsoft we've come to know and appreciate. They spent years gaining a foothold
in the security community, changing how they were viewed in the industry, and
they continued to add information and make ANS more valuable over time."
Others were more blunt. "Microsoft is basically going back to a message of 'just
blindly trust' that we will patch everything for you," said Barrett of Rapid7.
"Microsoft takes some control away from the users [with] this transition,"
argued Jon Rudolph, principal software engineer at Core Security, in an email.
"By making this switch, Microsoft is ... hiding their security report card from
the general public."
Microsoft left the door ajar in one aspect: While ANS won't issue warnings of
out-of-band patches, the company said it could use other unspecified ways to
communicate with customers.
"The changes announced today apply to all Advance Notification Service (ANS)
communications," a Microsoft spokesman said in an email response to questions
about ANS's former role in distributing emergency alerts. "If we determine broad
communication is needed for a specific situation, we'll take the appropriate
actions to reach customers."