Afternoon Cyber Tea with Ann Johnson 12.28.21
Ep 42 | 12.28.21

Inside Microsoft's Security Response Center


Ann Johnson: Today I am joined by my Microsoft colleague, Aanchal Gupta. Named one of Business Insider's most important female engineers of 2018, Aanchal is currently vice president of Azure Security and leads our Microsoft Security Response Center, which we call the MSRC. This is the front-line defense for millions of customers around the world who use Microsoft platforms and products.

Ann Johnson: Aanchal was previously the chief information security officer for Facebook's cryptocurrency initiative. Aanchal has more than two decades of experience leading geographically distributed teams. She serves on the board of Silvergate Capital Corporation, Internet Security Research Group and is a fellow at the RSA. She also serves on Silicon Valley's CISO Investments board and invests in and guides cybersecurity startups. Aanchal is a staunch advocate for building diverse teams and serves on the review board for the Grace Hopper and Black Hat conferences. 

Ann Johnson: Aanchal, welcome to "Afternoon Cyber Tea." 

Aanchal Gupta: Thanks, Ann, for this incredible introduction. It's great to be here. 

Ann Johnson: So, Aanchal, you have this amazing background, one that I really want to talk about. But first, let's start our conversation talking about your work leading Microsoft's Security Response Center. As I mentioned, we call it the MSRC. It is responsible for bringing together multiple teams across the company, ensuring customers and allies are safe when there is an issue. 

Ann Johnson: Now, not everyone knows what the MSRC is or what it does, so I would love for you to share what this amazing team of security experts does and how they all come together. Give our listeners just a little bit of a look behind the scenes, if you will. 

Aanchal Gupta: As you said, Ann, MSRC is the front-line defense for millions of customers around the world who use Microsoft platforms and products. We partner with security researchers and defenders across the globe, through our Bug Bounty Program and Microsoft Active Protection Program - also known as MAPP - to keep our customers and Microsoft safe. We also have a security research team focused on zero-day hunting and variant analysis. We also have a security incident investigations and response arm that we rely on during incidents like Nobelium to keep our customers safe. We partner closely with global government agencies and industry partners to share threat intelligence to help keep our communities safe. 

Ann Johnson: So we talk a lot about how the MSRC really is the orchestrator of bringing a lot of teams together. Can you talk a bit about how we brought teams together during Nobelium? I know people probably have seen the Brad Smith article in Fast, but I'd love to hear your unique perspective as a leader of the team. 

Aanchal Gupta: Yeah, it all started during the Thanksgiving break when we started to debug it with FireEye. But the gravity of Nobelium became evident to us around mid-December when everyone was gearing up to take holiday break. We pivoted quickly, and given the situation, we were all hands on deck. More than 500 security investigators and analysts canceled their time off and helped investigate the incident. Our focus was not to only secure our customers but to also help the larger security community. We reached out to other cloud and identity providers and CISA to help mitigate the supply chain risk globally across all service providers. 

Aanchal Gupta: We believe in transparency, so we published, like, almost 30 blogs over a period of a month to share indicators of compromise and TTPs for the larger security community of investigators and defenders. We also provided guidance to our customers on how to stay safe. 

Aanchal Gupta: Pulling this many people away from their holidays and family time wasn't easy. It weighed heavily on me. But all these folks are so passionate that they did it in a heartbeat. There were instances when I had to ask many of them to take a break because they were working nonstop. I just feel blessed to be working with this passionate group of people, and they inspire me every day. 

Ann Johnson: They are inspirational. And I've, you know, been working with them on - you know, all the way from WannaCrypt or NotPetya, you know, up through Nobelium and Hafnium and recent events related to Kaseya. The MSRC, even if it's not a Microsoft-direct event, is just this incredibly passionate group of talented resources that want to keep the world safe. And it's thanks to your leadership and the leadership of the team. They just do exceptional work, Aanchal. 

Aanchal Gupta: Thank you, Ann. 

Ann Johnson: So - and for anyone who's been watching the cybersecurity news, we've seen some unprecedented attacks in the past 9 to 12 months. Almost everyone in the security industry has been on their toes. But can you talk about some of the lessons you have learned and how we're applying them based on the recent threats? 

Aanchal Gupta: Yeah. There is definitely an uptick in the attacks we have seen since the pandemic started, and there are many reasons for that. One big reason is that the large post-individual (ph) workforce is now working remotely, and companies were forced to pivot to zero-trust model overnight. Many companies went through this digital transformation quickly and successfully, but on the flipside, many organizations are still struggling with the fundamental hygiene issues like patching and identity management. If we can patch in a timely manner and enable multifactor authentication, we will win 80% of the battle. 

Aanchal Gupta: I'm frequently asked about how much impact I see because of 0-days or zero-days. To be honest, I still see more compromises because of lack of fundamental hygiene than I see because of zero-days. I'll be happy if we can turn this equation around. 

Ann Johnson: Yeah. I know when working with the DART team, they had told me that - and we've blogged on it - that 80- to 90% of breaches actually have to do with security hygiene, whether it's patching or encryption or too much privilege or multi - you know, lack of use of multifactor authentication. As we're talking to our audience, where would you suggest they start? Because it's hard, right? Security isn't easy, or we would all be in this, you know, wonderful state. But where do you think has the most impact and people should really start? 

Aanchal Gupta: I think if they have to do only one thing, I would say patch in a timely fashion. I know it doesn't sound sexy enough and I wish I could say go hunt for zero-days and all, but no, it is still patch your systems. All major service providers and vendors have a CVD program, which is coordinated vulnerability disclosure program, where they work closely with security researchers. And security researchers submit their research to the vendor so the patches could be issued before they broadly blog about it. 

Aanchal Gupta: So as an industry, we have made progress on where you do not see zero-days landing left and right. We see patches come along. But then when we fail to apply the same patches, we end up hurting ourselves because we haven't applied them in timely fashion. 

Aanchal Gupta: Then, the researchers end up publishing their research because they want to help other researchers. They want to further their research in that area. And attackers also read the research. They start to leverage some of these things, which we saw, for example, in the Hafnium attack, correct? We had the patches issued for Exchange Server, and it took a long time for our customers to apply those patches, and that's what made the attack that much deeper than it needed to be. 

Ann Johnson: When you think about patching, that's another thing that's really hard for customers - right? - because they have so much technical debt and legacy systems. So could - can you break it down just a step further? When they're thinking about patching, how should they prioritize? 

Aanchal Gupta: So I think they should put it on a little bit of a regular cadence. Mostly what I have noticed is where customers struggle with patching is when they accumulate too much tech debt. Like, there will be some customers who would say, oh, I haven't patched in three years. Can I now just go and apply the latest patch, and what will it do to my systems? Well, if you haven't patched for three years, then the outcome would be a little bit unknown. So if you even apply patches at quarterly cadence, if not monthly, I would say that will get you a long way there, where you can continue to apply them at quarterly cadence and be on a rhythm so that when an emergency patch comes along or something that is widely or broadly exploited in the world, you can quickly apply that patch even out of band. 

Aanchal Gupta: Doing it in small increments and - I think is going to be very useful versus trying to do it all in one go when the emergency or too late. It's very similar to - I'm in California. We prepare for earthquakes ahead of time. It's not like when you - when the earthquake hits, you go look for that emergency kit, the flashlight, canned food items. You always, like - you're encouraged to keep these in two, three different places in your home so you can lean on those. 

Ann Johnson: Yeah, exactly. And we talk a lot, by the way, about operational resilience and that ability that if you are attacked, a cyberattack, you have to have the same business continuity and recovery plan that you have in the case of an earthquake - right? - same technical plan, communication plan, legal plan, regulatory plan, and it needs to be tested in advance. Anything you want to add to that? 

Aanchal Gupta: The team I lead is MSRC, Microsoft Security Response Center. Response is in our name, so we heavily rely on our response plan. It's a mature, hardened plan. And if we didn't have this, I don't think we could have handled incidents like Nobelium with this much grace and this much less impact, I would say. It could have had a much deeper impact. And I give credit to our response plan for the speedy recovery we had from this incident. 

Ann Johnson: Exactly. And I'm going to reinforce that we encourage customers to save that same response plan for cyberattacks. Make sure it's communicated. Make sure it's tested. Make sure that your entire organization has bought in from executive leadership down and that, you know, everyone knows what their role is, what you don't want. 

Ann Johnson: And we talk about this, Aanchal. During the fog of war, as we say, you don't want people having to make difficult decisions. You want them actually just following the checklist, and then there will become time to debrief and think through things. But when it's really in crisis mode, you want that checklist available for everyone, including your most experienced people. 

Aanchal Gupta: Yes. And you need to have some grounded principles, using which you can make these decisions. So you were on many of these calls, Ann, with me, which were like late-night calls. We were working - we were losing track of days, and this was towards the end of December. So rather than spending that family time, we were bonding with each other so to speak. 

Aanchal Gupta: And you remember how our baseline principle was transparency and let's share with customers transparently what will help them protect. And that made so many of our calls easier. So I would say having those principles, having the response plan - because emotions run high when you're running these incidents. And you are doing long hours, so you probably won't make all the best decisions possible in the nick of moment, unless you have trained yourself and you have the response plan in place. 

Ann Johnson: Yeah. And let's talk about transparency because we do believe that transparency is absolutely critical to building trust, whether it's response to a significant vulnerability or a major cyberattack. What do you think is the most important piece of information that you believe - and you talk to customers, right? What do they want to know from Microsoft? What are they looking for from our leadership? 

Aanchal Gupta: The very first thing that customers want to know is, am I impacted? - a very simple question. And then the next thing, if the answer is yes, is how bad is the impact, and what do I need to do to protect myself? So it's human nature. You are in a crisis mode. The very first thing you want to know is, what is the impact to me? 

Aanchal Gupta: And that's the reason with every Patch Tuesday, when we issue these patches, we issue CVEs for the vulnerabilities we are patching. And each CVE has an associated CVSS score. The CVSS score, which is short for Common Vulnerability Scoring System, is a public framework for rating the severity. Our customers can look at the score, and they can go like, oh, this is a really high-score vulnerability that is getting patched, so maybe I should go in and patch it fairly quickly, as opposed to my regular cadence of 90 days or whatever they have. 

Aanchal Gupta: We also always provide the mitigation steps, like if you cannot apply patches, what else can you do to mitigate in the meantime? 

Aanchal Gupta: Sometimes we are asked by security researchers, hey, since you have issued the patch, can I go and publish my exploit details? - because they are eager to publish the research they did. And we ask our researchers to hold back for 60 to 90 days because we don't want to tip off the attackers, and we want to provide our customers enough time to patch because, as you and I talked about, patching is hard. It's not - customers have large fleets that they need to patch, and they just cannot turn it around overnight. So we definitely ask our research community to not share all the technical details until customers have patched. 

Ann Johnson: I'm going to digress a moment and just talk about - I'm going to opine, and then you can respond. Responsible disclosure is such an important part of what the security industry as a whole does because at the end of the day, not just Microsoft but other vendors are going to have vulnerabilities that need to be patched. And the research community does just a brilliant job for the most part of bringing those to the vendors in advance so we can do responsible disclosure and coordinated disclosure, meaning that we have a patch available for our customers. 

Ann Johnson: It is a disservice to everyone in cybersecurity if the researchers or someone leaks that information about the breach or the potential vulnerability or the attack vector without giving the vendor the opportunity to also release a patch either in advance or at the same time because it makes our customers vulnerable. And, you know, I've seen that it works really well. Responsible disclosure works really well. And I want to thank all of the research community and everyone who, you know, works with Microsoft to make certain that by the time we've released vulnerabilities, our customers have the opportunity to make themselves safe. 

Aanchal Gupta: Yeah. And one thing I would add here is when I think about this Bug Bounty Program or MAPP program where we are getting this research coming into us on our products and services, I see them as part of our team. Like, they are literally our extended team who are helping us protect our products and services. 

Aanchal Gupta: And once in a while, somebody would come to me and say, well, this researcher seems like they don't like us because they are finding this, or they're reporting this. I'm like, no, they are probably our biggest proponent, and that's why they're spending their precious cycles doing research on our product and services as opposed to elsewhere. And I'm totally with you that this is how we are going to make progress on these challenging situations. 

Ann Johnson: Yeah. And that is the best way for the industry to continue to collaborate. Speaking of the industry, you know, you do board review work for Grace Hopper and for Black Hat, which are very different organizations. So I want to pivot and talk a little bit about diversity. And there is a statistic that I always like to share that says that diverse teams make better and faster decisions 87% of the time. This is critical in a time of crisis. So how important do you believe diversity and an open work culture for diverse people is when trying to maintain trust and clarity during these crises? 

Aanchal Gupta: As you said, there are a ton of studies done that prove that diverse teams are better teams at problem-solving and innovation. And I have experienced it multiple times myself, even in my personal life. 

Aanchal Gupta: There's this incident that I'll always remember. We're a family of STEM geeks, and one day my son came home from school super excited about his math olympiad paper. He wanted to solve it together with us and, believe me, test his parents. And there were some curveball questions in that paper, and some of these questions I had no clue as I read them. And my husband and son figured it out relatively easily. And there was this one question that they were struggling with, and I could solve it easily. And it's not because I'm smarter or they are smarter. It's because how I interpreted that question. 

Aanchal Gupta: So it was very evident that it was the diverse team the three of us were making that allowed us to solve the paper collectively, which none of us could have done 100% if we were working in isolation. As our products and services are used by a diverse and global customer base, our teams need to reflect the same diversity. 

Ann Johnson: I love that example because I think it makes it really tangible for our listeners, right? Here's a family coming together to work and solve, you know, a homework situation which is common in a lot of households, as opposed to some complex cybersecurity problem which could be really opaque and esoteric for a lot of people. So thank you for sharing it in that way. 

Ann Johnson: As we do "Afternoon Cyber Tea," we ask a couple of questions as we're wrapping up conversations. So the first thing I want to ask you is, what are you working on now, Aanchal? And what are you most excited about? 

Aanchal Gupta: So we have talked about this Nobelium incident, and it definitely has shone a light on our reliance on the software supply chain. To mitigate some of this risk, the U.S. government issued an executive order earlier this year. We call it the EO within Microsoft, and probably some external folks do, too. The EO is the start of the process of the U.S. government identifying the problems and engaging with the private sector to define solutions. This is a multiyear effort that will profoundly change the requirements to sell software to the U.S. government, which is one of the largest tech buyers on the planet. But this will also shape the overall security of our software. 

Aanchal Gupta: And, so to speak, it will raise the bar for everyone, and not just for what we are selling to the U.S. government. There are things in it like software bill of materials. It will tell you, what are your dependencies in terms of software as you are installing something? 

Aanchal Gupta: Like, you do not go buy any food item unless you see the ingredient list. And our food industry has made so much progress. You can see on the ingredient list right there what is it composed of. Why not then do it for our software? And we have to play a little bit of a whack-a-mole when an incident hits, or when things like Nobelium happen, you have to find out - am I aligned on the software? Like, I'm not directly installing it, but is it getting pulled in through some indirect mechanisms? I don't know. 

Aanchal Gupta: Now, imagine if you were allergic to nuts and none of your ingredient lists told you that this thing has nuts in it, and suddenly you are having some reaction. Like, you can't look at your list and tell, oh, it's because this thing had nuts in it. I'm just oversimplifying it, but it's important that we start to go back to the basics of it and figure out how do we arm our customers with more information and not less - again, going back to the transparency discussion we had, Ann. And how do we arm them with this information? 

Ann Johnson: I like that answer. And I think that, you know, cybersecurity is an iterative game. And you take your learnings from the last incident forward and make things better, and we have to continue doing that. And I think the executive order has a lot of really great parts of it - you know, zero trust, talking about software supply chain, software bill of materials. There is a lot there to unpack, but it will make the U.S. government agencies and ultimately make, you know, public sector and private sector agencies more secure. So thank you for sharing that. 

Ann Johnson: You know, we always try to leave our audience with a couple of key takeaways. So we talked about patching, but what else do you think our customers could be doing today to help them overcome the future of cybersecurity challenges that they are going to face? 

Aanchal Gupta: I think I want to switch it around a bit. We are expecting too much from our customers. And I want to actually have this takeaway for our security community. We are still building products where we expect customers to do too much. We do not focus on secure-by-default options. We want them to be security experts to quite an extent. 

Aanchal Gupta: Now, again, looking back at our life outside of security, one example that comes to my mind is we all have GFCI outlets in bathrooms, as the building code requires it. It is required because it protects people from getting electrocuted while using hair dryers and shavers near water. We don't expect people to be electrical engineers while using their hair dryers or shavers. Then why do we still expect people to be security experts while using a computer? 

Aanchal Gupta: So my call to action is to our industry - security industry - to do a better job. Equip our customers to do what they want to do more efficiently while not focusing so much on, oh, you need to understand the cybersecurity aspect of things. 

Aanchal Gupta: And then the second thing I want to say is let's be more and more collaborative. As I said, Nobelium shone a light on supply chain risk. Colonial Pipeline is another one. Given these incidents, I think we need even a closer partnership between private and public sector. And with EU, with Jen Easterly's focus as CISA director to be more collaborative, I'm very hopeful that next year at the same time, we would be sharing a lot of information with each other all to keep our customers safe and without making or expecting them to be cybersecurity experts. 

Ann Johnson: I love that answer. We talk so much about digital empathy and that ability for technology to be forgiving and to understand the human experience. If you expect your users to know when they can't click on a link that could potentially bring down your enterprise and there's no failsafe behind it, you are putting too much on your users. 

Ann Johnson: Thank you so much, Aanchal, for those great examples. And thank you so much for being here today, making the time. You're one of the busiest people at Microsoft - I can say that - and I appreciate you carving out the time not just to join me for recording but also all the prep that's required to go into it. Thank you so much. 

Aanchal Gupta: Thank you, Ann. I'm so glad to be with you. 

Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." 

Ann Johnson: I chose Aanchal Gupta to join "Afternoon Cyber Tea" because Aanchal is one of our more senior leaders for security here at Microsoft and actually leads the Microsoft Security Response Center and all of our response to the research community. She has such a meaningful and impactful role in the industry, and she is a tremendous leader. And I knew she would have incredible insights to share with the audience.