In mid-November, Microsoft unveiled a facility on its Redmond, Wash., campus that had become the new home for its Digital Crimes Unit. It took the opportunity to offer up new details about the multi-agency initiative that disrupted the huge Citadel botnet earlier this year.
What Microsoft hasn’t yet talked much about is the role the cloud played in the Citadel project and how the cloud enables the company to tackle cyber crime. I had a chance to hear more about it from Richard Boscovich, assistant general counsel for Microsoft’s Digital Crimes Unit, this week.
The Digital Crimes Unit has some dedicated hardware on-premises, although Boscovich revealed only a few specifics. “We do in fact use quite a lot of storage power, a lot of compute power,” he said. “We have a Hadoop cluster on SQL server and a parallel data warehouse right here on-premises. We’re talking terabytes of storage.”
Still, that’s not always enough. “Even with that, we have to go to the cloud to get some more capacity when we do some of these takedowns,” he said.
“One interesting aspect of being able to scale in the cloud is you’re able to provision computers or virtual servers quickly, without the need of having hardware here in the DCU. We leveraged that ability of scalability in the recent takedown of Citadel,” he said.
That kind of scalability also helps with the increased traffic that Microsoft sees after a takedown, when cyber criminals attack Microsoft for disrupting their activity.
Without the cloud, it would have taken much longer to disrupt Citadel, a botnet that Microsoft said siphoned $500 million from people around the world whose computers it infected.
“In the past, we would have been between a rock and a hard place,” said Boscovich, who went on to describe the typical, drawn-out process that most businesses go through to procure new hardware. “That would of course slow us down,” he said. “The cloud saves us a lot of time and makes us much more nimble and able to move much faster.”
The DCU uses Azure in other ways too. Microsoft works with authorities around the world to inform them when computers in their regions are being infected. When Microsoft works on a takedown, its goal is to quickly stop the harm done by the malware and work to correct the problem, Boscovich said.
Microsoft collects the IP addresses of infected computers and geolocates them. If it has a partnership with authorities in that region, it will notify them so that they can reach out to the impacted individuals.
As the IP address data is being collected, it’s sent in real time to Azure, which Microsoft’s partners use to access the data. “They’re getting up to the minute – in actuality a 30-second delay – information about infected IPs that we see located within their countries,” he said.
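The pipeline the two paragraphs above describe (collect infected IPs, geolocate them, route each to the partner responsible for that region, with a freshness window on the order of 30 seconds) can be sketched as a small batching routine. The block below is an added illustration, not Microsoft's or the DCU's code: the prefix-to-country table, the partner set, the log line format and the sample feed are all constructed for the example (the table uses RFC 5737 documentation ranges rather than any real network), and a production system would replace the table with a real GeoIP lookup.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
import ipaddress

# Constructed prefix-to-country table standing in for a GeoIP database.
# Only RFC 5737 documentation ranges are used, so no real network is named.
GEO_TABLE: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("192.0.2.0/24"), "NL"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/24"), "BR"),
]

# Regions whose authorities have a notification partnership (constructed set).
PARTNERS = {"NL", "DE"}

# Sightings older than this are flagged rather than dropped, so a partner can
# tell a live observation from a stale one.
FRESHNESS = timedelta(seconds=30)


def geolocate(ip: str) -> Optional[str]:
    """First-match lookup against the constructed table (prefixes do not overlap)."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return None


def parse_observation(line: str) -> Tuple[datetime, str, str]:
    """Constructed sinkhole line format: '<ISO-8601 timestamp> <ip> <family>'."""
    ts, ip, family = line.split()
    return datetime.fromisoformat(ts), ip, family


def build_batches(lines, now: datetime):
    """Return (batches, skipped).

    batches maps partner country -> list of de-duplicated records (latest
    sighting of an IP wins); skipped lists IPs that map to no partner region.
    """
    latest: Dict[Tuple[str, str], dict] = {}
    skipped: List[str] = []
    for line in lines:
        ts, ip, family = parse_observation(line)
        country = geolocate(ip)
        if country is None or country not in PARTNERS:
            skipped.append(ip)
            continue
        key = (country, ip)
        if key not in latest or ts > datetime.fromisoformat(latest[key]["seen"]):
            latest[key] = {
                "ip": ip,
                "family": family,
                "seen": ts.isoformat(),
                "stale": (now - ts) > FRESHNESS,
            }
    batches: Dict[str, List[dict]] = defaultdict(list)
    for (country, _), record in latest.items():
        batches[country].append(record)
    return dict(batches), skipped


# Constructed sample feed: a repeat sighting, an old sighting, and one IP in a
# region with no partnership.
SAMPLE_FEED = [
    "2013-11-20T10:00:00+00:00 192.0.2.10 citadel",
    "2013-11-20T09:59:50+00:00 198.51.100.7 citadel",
    "2013-11-20T10:00:20+00:00 192.0.2.10 citadel",
    "2013-11-20T10:00:21+00:00 203.0.113.3 citadel",
]
NOW = datetime.fromisoformat("2013-11-20T10:00:30+00:00")

if __name__ == "__main__":
    batches, skipped = build_batches(SAMPLE_FEED, NOW)
    for country, records in sorted(batches.items()):
        print(country, records)
    print("skipped:", skipped)
```

Two design points matter for a victim-notification feed: de-duplication keyed on the IP, so a partner is not sent the same host every time the sinkhole sees it, and an explicit freshness flag instead of silently dropping older sightings, so the receiving authority can still act on the record while knowing how current it is.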
Given the sensitive nature of the DCU’s activities, its use of Azure shows that the cloud can be used for projects with strict security needs, he said.
“Everyone’s moving to the cloud. The issue everybody has is, is it safe enough and scalable. This demonstrates and underscores that yes, we’re providing this important information around the world via Azure,” he said.
Read more of Nancy Gohring's "To the Cloud" blog at ITworld.