The Microsoft Threat Intelligence Podcast 3.13.24
Ep 14 | 3.13.24

Data Science for Security


Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence" podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Hello and welcome to the "Microsoft Threat Intelligence" podcast. I'm Sherrod DeGrippo and I am joined today with Anna Bertiger, Principal Applied Scientist, and Emily Yale Senior Data Scientist. And let me tell you, this is going to get a little different than what we normally do because I don't know anything about this stuff. And I'm going to learn from Emily and Anna. Emily, thank you for joining us.

Emily Yale: Thank you for having me.

Sherrod DeGrippo: Anna, how are you doing?

Anna Bertiger: I'm doing well. Thanks for having me.

Sherrod DeGrippo: It's good to have you on here because I feel like here are some buzzwords, data science, machine learning, applied sciences, artificial intelligence, all of these things that we keep hearing in the security industry, but for me, that's new stuff. I'm a hundred years old so I have been in that world that has really come to the forefront over the past probably two years. That's on everybody's lips. It's in every mainstream headlines. So, I guess what I kind of want to understand is what is machine learning, what is data science, what are we missing, what are we needing to like kind of know about that. So, I guess, Emily, I'll kind of start with you because like your title is data scientist. What is that?

Emily Yale: Yeah. So, I think of data science as a pretty broad field that involves a lot of things. So, to start, we have to clean the data, we have to identify features from it, we have to get it into a usable shape for some more advanced technique. And so, within data science, some of those advanced techniques are machine learning or other artificial intelligence types of models. But it also includes, you know, basic statistical testing and other techniques like that as well. It's a really broad area that encompasses a lot of different technical pieces.

Sherrod DeGrippo: And, Anna, you are a principal applied scientist, that is crazy. What does that mean?

Anna Bertiger: The title is supposed to represent that I sit sort of between a data science-type role and directing product and research. So, I do research that I then apply direct to our products to make our customers safer. So, I get to invent cool new things and then use them.

Sherrod DeGrippo: So, you are literally doing research on things like data science and the data that we have. And both of you work in security. That's how I know you guys. Because you're kind of adjacent to the work that I do as well. So, like, Emily, I met you at BlueHat last year. And, Anna, I've been working with you on some of the public speaking that you've been doing. Give us kind of an idea of like a little bit about what your day-to-day looks like from a security perspective. I know there's a lot of security practitioners out there that are like how do I work things like data science into my workflow to make my organization safer? What can like practitioners think about? Emily, I'll ask you first like what can practitioners think about in terms of where machine learning or data science, or things like that make sense for them?

Emily Yale: Yeah, that's a really good question. So, I have a really cool role in that I directly support our internal SOC here at Microsoft. And I think through the time that I've been here and the relationships I've been able to establish with the analysts there, they have a pretty good idea now that when they have a detection idea that needs to be generalized, that needs to move away from some of the static thresholds or static rules that they're using, that's when they should call me and have me come help them build that detection. So, they can offer me insight in the subject matter expertise that they had about why the specific query they were running is identifying this specific type of malicious behavior. And so, right away, that's already pointing me at the data and what I need to look at, which is then an essential first step. And it's showing me how I can try to make that broader, make that more general so that it's not tied to let's say a specific incident or a specific piece of data that they saw a week ago, it's something that we can use to identify similar malicious behavior six months from now as well.

Sherrod DeGrippo: So, like day to day, do you have like SOC analyst reaching out to you? Like, Emily, can you do something to accelerate my work?

Emily Yale: Maybe not day to day, but maybe week to week, or a time or two a month. We are always doing so much internal testing here with Red Teams and things like that too. So, I also am often in contact with those sorts of people as well who will tell me, hey, we just conducted this exercise, I want you to try to go find this and then build something that would, you know, detect in future incidents as well. So, I will say I do get hit up quite frequently but it's not every day.

Sherrod DeGrippo: Anna, what about you? Like are you hands-on practical things? Are you doing research and more theory? How does that work for you in terms of like how you're applying that in security?

Anna Bertiger: I mean, research is only valuable to security if we can use it to actually secure people. So, there's a lot of hands-on practical, right, I want to solve problems that will make Microsoft and our customers safer. And so, it's not actually dissimilar to Emily's job. Every once in a while someone calls me up and says, "Hey, Anna, I think this is a great problem for anomaly detection. Would you, you know, look at it with me?" Oh, yeah. I would like to be your friend. Like, let's go look at that together. So, I've worked a lot on unsupervised things in security because, in post-breach security, labels are often very hard to come by. So, this was a real attack. You're not going to get very many of those. Most things aren't a real attack, thank goodness. And the minute you get this was a real attack and we get good at identifying that pattern, the adversary will change tactics. And so, a lot of data science and a lot of other fields works on building supervised machine learning type models where you, okay, let's learn to mimic what the past has looked like label-wise. And that doesn't work as well in security, especially sort of if you're looking for human hands-on-the-keyboard type of adversaries. And so, I work a lot on anomaly detection. Is this weird? But you have to be careful because people do weird things on computers, all day every day. And the vast majority of them are not malicious, they're just people, you know -- we've never seen this show before ever. Is it malicious? No. It's someone's "hello world". Right? Like except they spelled hello wrong. Like, you know. So, that kind of thing. You have to find anomalies along axes in which those anomalies are likely to be malicious. And that trick is sort of the secret sauce of combining security expertise with data science statistics machine learning expertise.

Sherrod DeGrippo: Wow. Okay. So, I have so many questions now. So, you mentioned labeling. Like you mentioned like kind of understanding data. Emily, you mentioned a little bit about that too. So, I remember in the previous role, we were dealing with a lot of data labeling dramas. And I want to kind of get your point of view on like, first of all, for the audience and for me too, when you say like labeling, what do you mean by that? And like what are some things that you've run into that cause problems there? Emily, like do you want to tell us a little bit about data labeling?

Emily Yale: Yeah. So, I think if you are kind of vaguely familiar with machine learning, the way that it was likely introduced to you was in binary classification, which means that everything had kind of like a zero or one label. So, from our perspective, we could think of that as everything is like, you know, good - zero or bad - one. And like Anna was pointing out, we rarely ever have those labels. And then if we do, we have the fancy term here is called data set imbalance. We're going to have --

Sherrod DeGrippo: What does that mean?

Emily Yale: We're going to have tons of zeros because lots of things are not actually bad. And we're going to have a few ones. And so, in a traditional setting, you often have like an equal mix of those two. And that's how you're able to most effectively identify what separates those classes from each other. But once you don't have that even split, it gets really, really difficult to figure out how would you really identify the handful of ones out of this massive pile of zeros. So, we rarely have those labels. And to Anna's point, we don't necessarily want to rely on what we've seen in the past, we want to be predicting ahead for the future as well. So, if we might see a particular type of vulnerability that was exploited, for example, but we want to think more broadly about what is the behavior that we saw and what could we build that captures that behavior that might take advantage of other vulnerabilities related to what we saw previously but that we haven't necessarily seen yet.

Sherrod DeGrippo: Wow. So, Anna, what are you doing to kind of solve for that in security then? Is it a lot of just by hand?

Anna Bertiger: I mean, it's not -- there's only so much by hand you can do compared to the volume of data we have, what any human can do by hand is pretty small. So, I think part of it is, you can't solve for it, right? We don't have labels for the future behavior of the adversary. It's not going to be exactly like the past. And so, part of what we do is we use methods in machine learning and data science that are not based on having labels. So, I mentioned anomaly detection earlier where we look for things that are unusual. So, except we have to be careful to look for things that are unusual, where unusual and malicious are likely to coincide. So, for example, if a file is created and it is unusual, that may or may not mean malicious. There are a lot of not seen very often in the world files but they're not malicious or a process that's created is unusual but not malicious necessarily. But on the other hand, if that process claims that it is service host and it is unusual, unless that is the person at Microsoft who writes service hosts, that unusual service host is very likely to be malicious. And so, we look for unusual in that way where it's likely to also be malicious in order to find things that are both unusual and malicious. And then we will find perhaps -- we will hopefully find patterns that we have thought of, a long list of fake service hosts maybe, but also some things we haven't thought of, new fake service hosts, something else, some other kind of attack that did something weird here. And so, that lets us sort of rake up more maybe not quite no one ever thought of things to look into.

Sherrod DeGrippo: Wow. Okay. You just also gave me a question. So, Microsoft as I have learned in my time here which is only, not even one year -- oh, it's weird, it's so weird. You might actually be interacting with the person that writes service hosts or PowerShell or Windows sound drivers or like the unique amount of weirdos in the company that would be nowhere else in any other corporate organization, they're here, and I mean that both personality and stuff they work on.

Anna Bertiger: I caught the person who makes service hosts every day for like a month at one point.

Sherrod DeGrippo: That's what I was wondering. So, tell me a little bit what that was like. What happened?

Anna Bertiger: I caught some actually really worthwhile interesting stuff, and then I also caught the person who makes service hosts to Microsoft. And, oh, you know, this is global prevalence 1 version of service hosts. And then you look, you know, like at what's being launched from the D-drive like it's -- oh, yeah, this is the person who makes service hosts. I mean, at some point, I memorized who they were. Like, you know, I was like, oh, yeah, that's that person. Don't worry about them. But, yeah.

Sherrod DeGrippo: So, how often do you feel like that happens? Are you seeing that pretty frequently or you've kind of intuitively learned how to pick those out?

Anna Bertiger: That one only happened to me -- I mean, that particular thing only happened to me that once. But Microsoft is weird. And we see things in Microsoft as an organization that you probably wouldn't see anywhere else. I bet Emily has many more insights than I do into weird things that you see at Microsoft but not anywhere else.

Sherrod DeGrippo: Emily, do you have a specific team or a person who you keep running into?

Emily Yale: Man, I wish I had as good of a story as that. So, my like particular specialty is dealing with like non-person accounts. And so, I deal a lot with service principles which is a fun Azure phenomenon. But you could think of it broadly as an application. And let me tell you, people are not always aware of how their application works. And sometimes they will be told by a SOC analyst that it needs to work differently.

Sherrod DeGrippo: How does that go? How does that go?

Emily Yale: See, the best part is I just get to the surface of stuff and be like so this account is doing this. And someone else has to go reach out to them and say, you need to knock that off. So, I think to the best of my ability, most of the incidents I've heard about have gone well where the owner just isn't aware. I mean, oftentimes, the naivety is kind of like a strong word, but that's more of an issue than actual maliciousness, right? So, it's not like they meant to like over-permission things or they meant to have this application like go, grab all this data, definitely doesn't need, or something like that, they just didn't know any better or they were checking boxes until things worked. So, often it goes well. Once you make it clear the specific changes that need to be made. But fortunately, I don't have to have any of those conversations anyways.

Sherrod DeGrippo: That really reminds me of a skit in a show called Tim & Eric where he can't get to a site, so he calls tech support and he says, "I can't get to my sites, now it's your problem." And so, I feel like you get to kind of tell people, ah, now it's your problem. That's sort of fun. So, like I guess to -- Anna, I'll ask you like I know that you have worked in the security side of the house for a long time. Where is that intersection in terms of like trying to secure things using the technologies that you use or when does it just not make sense? Like are there times when you're like it really has to be done this way or it's not going to work or are you like, you know what, just do it old-school style, that's better? Like how do you know when to apply your stuff that you work on in security?

Anna Bertiger: I think partly you do it for a while, you get better at guessing things, right? So, maybe I'm better at guessing than I was five years ago. But I think that sort of general rule if you know exactly what you're looking for and you want to find exactly this thing, and you know a regex that finds it, just type your regex. Like it will take you under an hour, and it will be deployed, and you will be in business. But on the other hand, that regex will only ever find exactly what that regex is saying it will find. It's never going to find you variations on the regex you have written. So, if what you are looking for is something a little bit broader, you're looking for a little bit of variations, you're looking for unknown unknowns, right, the regex is going to find unknown unknowns. Does it look like this? If yes, put it in a list, have someone deal with it. But if you're looking for, you're not quite sure what it is, but it's something off in this direction, it can change a little bit, it's slippery. That would be a great moment to talk to someone in data applied sciences that is going to be able to sort of figure out how to put those two things together. And I think that it's an important -- you have to build a sort of -- it's got to be a combination of security expertise and some kind of math to make this really work well. Like that's when it's magical and you find great things and you build durable detections and it's fabulous.

Sherrod DeGrippo: Okay. You add math, oh, jeez. You have to know something that I really love very much so I'm glad that you're there to do that.

Emily Yale: I mean, I think that data science and math is very, very, very intricately related, right, because you can use math on data. That's what we do.

Sherrod DeGrippo: And, Emily, yeah, like speaking of math, when I first met Emily she horrified me because you have what in math?

Emily Yale: I have a Ph.D. Yeah.

Sherrod DeGrippo: She has a Ph.D. in math, which kind of makes me feel sick in my stomach a little bit when she said that, I was like, oh, no. I hope she's okay.

Emily Yale: Yep. We both have Ph.D.s in math.

Sherrod DeGrippo: Oh, my God.

Emily Yale: I was going to say Anna is one of me. So --

Sherrod DeGrippo: I'm so uncomfortable right now.

Emily Yale: You're surrounded.

Sherrod DeGrippo: Are you all right? Are you guys here -- you guys seem to love it. Like every time I talk to both of you, you're both very enthusiastic and happy with the work you do as I am too. But I imagine like switching places, we would probably -- I would go heavy on the security part and you would probably go heavier on the math part. And we would have to figure that out. But -- Yeah, like I think that the math magic part is something that we're going to see more and more like as things like, you know, ChatGPT, the Copilot, all that stuff becomes much more democratized, as an example talking about regex, so far, I've used ChatGPT, and I know security Copilot can do it too, to write YARA, to write KQL, and to write regex. And I've been very impressed with the ability to do that there. So, Emily, I'll start with you like are you using AI like as a tool in your work, not necessarily building it yourself but like are you using it day to day?

Emily Yale: Yeah, absolutely. My first place to go to when the code I run breaks and I have some error I don't understand is Bing Chat. And I just ask like what does this error mean? Because it's already searching through the stack overflow for me, it's going to have the references if I need to go look at something. And the follow-on of like, okay, well, correct this piece of code for me, then is just -- it's awesome. Like sometimes I forget syntax and things like that too and it's just the easiest way for me to go look that up and get that information to you. So, I absolutely am using that in my day to day.

Sherrod DeGrippo: Give me -- and I'm asking Anna too so, Anna, get ready. Emily, give me the wildest thing that you've used ChatGPT or Bing chat for.

Emily Yale: Well, it never did this correctly. It couldn't get me the answer, but I had a very complicated question around goal scoring in the Premier League.

Sherrod DeGrippo: What is that? What is that? Sports?

Emily Yale: Yes. Sports.

Sherrod DeGrippo: What sport is that? Soccer. Okay. Soccer, one of my faves. Love that. Love that Messi guy, the Beckham guy. Love them. Great. So, you were asking it for soccer scores.

Emily Yale: Yeah, I was asking it a specific question about like an incidence of like goal scoring and MVP and it never figured it out. I asked it a lot of different ways and I couldn't get the answer. And, you know, generic searches were absolutely useless. So, but that is the most unusual use case I have so far.

Sherrod DeGrippo: Were you needing that data for gambling?

Emily Yale: No. Just to satisfy my own curiosity because when we think we have the ability to get the answer, then we have to know the answer. That's how I am. So --

Sherrod DeGrippo: Yeah. I use it in like all kinds of daily personal life things. Like I have it make a lot of grocery lists for me. And I have it like split up like if I'm having a party, I'll be like give me the liquor store grocery list, give me the like Costco big bulk grocery list, give me -- like and it will split it all up for me. And then I'm like give me the cocktail recipes and the food. And so I use it very like a personal assistanty and I also let it plan a vacation for me. Or not a vacation, it was a work trip. But I let it plan the work trip for me. And I was very impressed. I just was like what hotel should I stay at? And it said this one. And I said great. That's the one I booked. I was like what flight should I take. It was like take that one. That's what I picked. Worked out fine.

Anna Bertiger: I have a colleague who let Bing ChatGPT plan his trip to Hawaii.

Sherrod DeGrippo: And how did it go?

Anna Bertiger: Like with his kid and his family. And I think it was lovely. He was like it was great.

Sherrod DeGrippo: Well, it is really good --

Anna Bertiger: I mean, he, you know, I'm going to Hawaii, what should I do? And it answered the question. He was like great, you know, which one should I book and it was like here, do this. He booked the things.

Sherrod DeGrippo: That's awesome. I love that. Because you can also tell it like I don't like that, that sounds stupid. And it will redo it. If you're like -- like that's literally I told it like that sounds dumb, I don't like that. And it'll change it. But I'm very polite to it, you know, just to keep that artificial intelligence Skynet karma. I want it to like know that I'm cool and not hurt me. Anna, what are you using it in your day-to-day work first, and then I'll hear -- I want to hear like something that you've used like the artificial intelligence LLMs for that are kind of crazy.

Anna Bertiger: I mean, I use the Bing GPT integration to ask questions all the time at work. That's not crazy, I guess, that's sort of fairly normal. And I've used GitHub copilots. It is much faster if you have it like I need the method for doing this and I don't know it off the top of my head, it is much faster to get GitHub Copilot to tell you about it than this, to look it up on Stack Overflow. Like if you don't know the right method off the top of your head. So, it's definitely an accelerant, not a direction.

Sherrod DeGrippo: And you're using that with natural language, you're like I need to do the following.

Anna Bertiger: You can tell GitHub Copilot what you need to do and it will produce code for you. And it's not perfect every time, and it sometimes misunderstands you but sometimes it's awesome, sometimes you're like that's great. That's much more efficient than what I would have written.


Sherrod DeGrippo: Any like work or outside work uses that you've -- use cases that you've been really impressed by or thought were really cool?

Anna Bertiger: I mean, I've had a couple where I needed code to do something and it would have been, you know, two hours of down the Stack Overflow rabbit hole for me to do it. And it produced the answer in 10 seconds. And so, that was pretty impressive. I don't remember what it was. It was some, you know, complicated thing that I was going to need to use some package I didn't know well enough and it just wrote it down for me.

Sherrod DeGrippo: Would you let it plan your vacation?

Anna Bertiger: I would check its work. But I would love to try.

Sherrod DeGrippo: It's hard with those things that have a personal taste.

Anna Bertiger: I do security for a living. I'm very suspicious.

Sherrod DeGrippo: Yeah. Yeah. No, I know. I feel that too. And I feel like there's -- you know, there's the elements where like I need it to write a query for me or I need it to like with you guys, you want it to write code for you or like I've put packet captures in it and said like walk me through what's happening here. It's really good at that very objective stuff. But when you start talking like where should I stay in the -- what neighborhood should I stay on a New York trip? It's like very -- it's almost too neutral. Like it doesn't want to be opinionated. It wants to just fact you, fact, fact, fact. And it's like I'm interested to see what happens because I know eventually it's going to be like talking to your friend, it's going to be like you're an old-school New Yorker that's lived there for, you know, 30 years and you know all the cool spots. Tell me what's up. And it'll kind of change its attitude around that. So, let's talk about the industry. Machine learning, tech in general, data science, stuff like that. What kinds of things are you seeing? Like are there cool papers being published? Are there cool talks you've seen? Is there cool technology that you're sort of experimenting with or you've heard about? Emily, like I'll start with you, is there anything out there that's like up and coming that might be of interest?

Emily Yale: It's tough right now I think because everyone is so on the LLM hype train. And I'm just like that's great, I'm really happy that you love that hammer but I'm not dealing with nails so I don't care. Like it's just not relevant to me. So, that's a little bit how I feel with a lot of like what's really hyped right now is it's just not as relevant as I would like it to be. But I think in general, more of what I am interested in is like an application of something that I haven't thought of or like a use of data that I haven't thought of because I'm very much a proponent of use the simplest method that gets the job done. So, you know, Anna talking about if your regex works, use your regex, you know. If your statistical test works, use your statistical test. If your logistic regression works, don't use a neural network. You know, all the way up the scale. So, what I like to try to look for more in conferences is the use of data that I haven't seen before or just the type of problem that I haven't thought about solving yet. So, if someone's doing something really cool with say using permissions data and a graph-based approach that's going to help you identify at-risk, over-permissioned applications, or something like that, that's kind of the sort of thing I'd be on the lookout for.

Sherrod DeGrippo: Okay. Anna, what about you? Anything cool that you've heard of lately that's kind of coming out in the industry?

Anna Bertiger: Well, I'm always on the lookout for cool graph approaches. Graphs are very near and dear to my heart. So, definitely those things. But I think I have seen a lot more awareness of the kinds of models that we're starting to see everywhere and that they are part of our life and therefore are part of our technical realm to protect. And thinking about I've started to see -- I went to a conference this fall where I saw a number of attacks on large language models displayed. Everything from old-school attacks that work on large language models to fancy new things. I'm starting to see a bunch more about AI security in general out there. So, that's definitely a trend that's going on. And I think it's something we're going to have to think hard and wrestle with, especially because a model is not going to be quite so repeatable and testable as old-school code, and we all know how hard that is. So, this is going to be really hard. And I'm excited to see what we all do.

Sherrod DeGrippo: I am too. I'm excited. And I think it will be like really interesting. I mean, I think it will be a turning point for humanity. Like I think that there's, you know, really big implications for the way that we secure ourselves, secure our data, secure these kind of interactive capabilities where I'm natural language talking to a machine. Like that's not something that I think a lot of us have our brains wrapped around in a lot of ways yet. And so, I think that's what's so interesting about the work that you do is that you're already in that mindset of like how do I automate this? How do I make this scalable? How do I do this in a way that like a human necessarily couldn't? And stuff like that.

Emily Yale: I think I just want to add something to that too which you and Anna kind of both raised to my mind which is I think, you know, a couple of years ago when we talked about wanting to apply machine learning models to solve a problem in security, the SOC analysts were just so inherently distrustful of anything that a model was going to put out. And I think what you both are highlighting is that this increasing acceptance and adoption of these models and methods for all sorts of other use cases means that we're not running into that same wall of distrust that we used to have previously I think. People understand more now that these are useful tools that we can take advantage of. And so, instead of requiring that they have some in-depth understanding of every piece of how it works, what I get asked for instead is just some additional context for them to understand like why it produced the answer that it produced. And that's not nearly the same thing as saying I need to look under the hood and know exactly how this is working, otherwise, I will never, you know, respond to a case it generates or something like that. And so, that's been a huge step forward that we've seen lately too.

Anna Bertiger: I would say that there's a lot more recognition that we need machine learning to do security right. And so, we're seeing more of that. We're seeing a lot more willingness to say I'm getting more phone calls, "Hey, Anna, is this a thing you could help with?" than I used to. And maybe it's just that I've been around here long enough, more people know me. But I think there is also some change in how people feel. But it is still true. I think it is still important. The more valuable results involve like why do we think this precisely because now it's easier to -- right. Something is wrong. You sound like Chicken Little. But something is wrong, this is the way in which it's wrong. Like now that's actionable. So, yeah, I think we're definitely getting more willingness to depend on ML but with sort of clear -- I still need a good reason. I still need a good reason about what's going on. Not necessarily because they don't trust you anymore but because that's how I start investigating.

Sherrod DeGrippo: Got it. And I think that that point about analysts and security people kind of being resistant. I definitely was part of that camp for a long time where I kind of said like, oh, ML said this was malicious. Okay. Why? And then you have that trace back gap I think in a lot of ways where somebody looking at like -- I feel like network is probably my most comfortable -- networking email my most comfortable detection schemes platforms. Looking at something and just it says, well, this is malicious email, this is cred phish. Why does it say that? Like what did it do? And so, let me ask you both, for somebody who is in the SOC or somebody who is in a detection creation role, the ML is saying this is bad. How can they respond to that in a way that will walk them through getting comfortable with those verdicts? Emily, go ahead, I'll start with you.

Emily Yale: Yeah, that's a good question. I think -- so from kind of the detection creator sort of piece like it's necessary that you bring in some other context that helps you fill out like why the answer is the answer that it is. And what that is can depend upon the model or the method that you used. So, this is also in part why I like sort of simpler things like if I have a linear model like I understand directly the impact that all of the features that I used in that model had on the resulting output. So, I can say to you like what in this, you know, larger piece of data that I analyzed contributed to that decision. And if I'm using like a statistical test, well, I can make it super clear like they've been active for this many days so I established an upper limit of here based on no assumptions about the underlying data distribution and they exceeded that. And they exceeded it by this much. Like that's really easy for someone to understand. When you get to more advanced models, sometimes you have to apply totally different technique in order to understand why a given output or a prediction is the way that it is. And I think more and more we will see those sorts of things incorporated because, as Anna pointed out, it's not actionable for the analyst unless they know where to start investigating. And so, I'm using like a tree-based method for some of my work. And I do this whole secondary analysis on top of that to highlight why if I say this person's behavior was unusual, what specific operations contributed to that so an analyst knows I'm going to look at this operation. I'm going to look at this operation. If those do look weird, okay, then I am starting to trust that the initial output of this behavior looks weird.

Sherrod DeGrippo: Anna, do you have anything you want to add to that?

Anna Bertiger: I think the interpretability drives the trust, right? If you can -- and then that's true with people too, right? If you came to me and said, "Anna, this is, you know, a problematic piece of telemetry. I just know." And you refuse to explain why. Eventually, I would be like, okay. That's fine. But like I have work to do. But if you said this is a problem and here is why. Then I can look at it and be like, "Oh I totally follow what you have to say. You are completely correct. The sky is falling like let's ring all the alarm bells." And so, we need our models to be trustworthy in the same way that we need people to be trustworthy.

Sherrod DeGrippo: That's a good thing I think that will probably help, especially you've both been in security for a long time in terms of like your career. You understand that those personalities are paranoid and they have anxiety, and they worry, and they're stressed out, which can be very much your superpower like going to a security conference, even just kind of if you can people read even just a little bit, after an hour of being in those environments, you can see there's a common sort of underlying thread of people that are dealing with an anxiety, a worry, a kind of paranoia process running in the background at all times with them, and me, and probably both of you. And, you know, there's this -- it's a spectrum, right? There's the healthy side where you're leveraging that in your career and it's going really well. And someone shows you a network diagram or a packet capture, or a web landing page with username and password inputs on it, and you're kind of -- your senses kind of fire up a little bit and you're kind of like I don't like that. I don't know why I don't like it. It's stressing me out. I don't feel good about that. And that kind of leads a lot of times to, oh, I didn't like that because this is part of a malicious campaign distributing some malware. Then there's that other side of the spectrum where people really get into trouble and have like bad experiences and mental health problems because they're so deep into it. So, we kind of I think have to realize that when we bring things like machine learning into the environments where people are rewarded for their anxiety, they're immediately going to have anxiety. Okay. So, you both have Ph.D.s in math, and what I want to move over to now to finish up with is I don't even know why you would do, oh, my gosh. Okay. You've got the math, why security though? Like what attracted you to security? Anna, I'll start with you. Like how that happened?

Anna Bertiger: How did that happen? So, I came from math to data applied sciences and eventually landed at Microsoft. And I worked my first job at Microsoft. One of the things I worked on was our anti-credit card fraud system. There was definitely security-adjacent things there. And towards the end of my time on that team, we got a new PM, who is a security person and now is a good friend, in fact. And I was telling him about the system I worked on and how it all worked. And I said something about like, well, I'm not a security person so I don't know if this thing is right. But I know that these numbers are accurate for whatever reason. And he said, "Well, I am a security person so I know they're the right things to be looking at. But also, you should know you're a security person too. It's not a set of skills, it's a personality type and you have it."

Sherrod DeGrippo: I love that. I completely agree.

Anna Bertiger: And like now, yeah, he was right, right? So, then I left that team and I went off and I did other things. I worked for an internal data science consulting team. I worked on gaming for a while and I worked on Windows quality, and I worked on responsible AI. And I sort of wanted to find my way back to security and I had this fabulous boss who was like, "Well, if you can tell me it's impactful to Microsoft, we're an internal consulting team, go do it." And so, I went and found my way to security. And I went to a great talk given by a past manager, a now past manager of mine, where he talked about using statistics to solve cybersecurity problems, his Ph.D. is in statistics. And I was like this is fabulous. I want to do that. And I came up to him after the talk, I said I want to work on what you're working on. And he said, "What does your management think about that?" And I was like, "They're totally fine with it. I want to work on what you're working on." And he gave me a problem, and eventually, his team had a job and he said, "Do you want to apply?" And I've been doing security ever since. And I am a security person like my friend was right.

Sherrod DeGrippo: Yes. I think that people who are this interested in it, just I mean, everyone who has been on this podcast is the most security person because they get on and they want to just talk, talk, talk about security. And I think that they're so much feeling. Like I feel like there is really this foundation of feelings and intuition. People know I'm like super into astrology. I feel like there is an intuitive draw for security for people that have that kind of background process running in their brain or their heart, that's like, that doesn't look good. I don't like that. And that's how a lot of people end up here. Emily, what about you?

Emily Yale: Yeah. I love that, Anna, the security is a type of person. When I was finishing my Ph.D. and applying for jobs, I felt so burned out on the very specific thing that I had been working on, that I was really interested in something new. And so, I had a couple offers and some of them were going to be kind of fairly similar to what I was I guess, at that point, you're supposed to say you're an expert, isn't it right? But I just thought to myself, "I want to know nothing next." You know? I want to -- I want to have to earn my way up again. So, I took an offer as a cybersecurity engineer. I think that was actually my first title. And, oh, wow, did I have imposter syndrome for quite a while about how I knew literally nothing about security. But could someone please allow me to apply math to it? And so, I've been a couple of places now but I just loved the types of problems that I started getting to work on. I just really loved the detection space. I love working closely with analysts in the SOC, feeling like I have an impact in how they're able to do their jobs and how we're able to improve our posture overall. So, I briefly considered, you know, should I do more general data science and I thought no, absolutely not. I actually -- I could do less data science as long as I don't leave security and I don't leave this detection space. So, here I am now.

Sherrod DeGrippo: I love that. I'm so glad that you both made the right choice.

Anna Bertiger: No, I'm with you. I could do less data science as long as I got to keep doing security. Security is important. And also, I will also add security has the advantage that it feels like you're making the world a better place. Like it feels like this really matters. And that makes me like my job more.

Sherrod DeGrippo: Your day-to-day job is to be a superhero. So, that's pretty cool.

Anna Bertiger: Right. All the benefits of superhero work, none of the risk of bodily harm.

Sherrod DeGrippo: I think that that is a great attitude to take. And I love that -- I love that you both are so integrated into the mindset and the community, and it's like -- it's like you're just leveraging all that math Ph.D. to get security done better. And I love that. That's the goal. Thank you for coming on, Emily. Thank you for coming on, Anna. Thank you for joining us on the "Microsoft Threat Intelligence" podcast. I hope to have you back soon to learn all of the new things that you're working on. And have a great week. Thanks for listening to the "Microsoft Threat Intelligence" podcast. We'd love to hear from you. Email us with your ideas at Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out for more. And subscribe on your favorite podcast app.