The Microsoft Threat Intelligence Podcast 3.27.24
Ep 15 | 3.27.24

Live from New York it’s Microsoft Secure

Transcript

Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. [ Music ] Welcome to the Microsoft Threat Intelligence Podcast, and I have a couple of exciting things. We are actually broadcasting from the podcast studio at the Microsoft flagship store in Times Square, never been here before. They have an entire flight simulator, Dune Copter. It's pretty amazing. And my guest is also a first. We have an external to Microsoft guest, Chris Wysopal, CTO of Veracode, also known as Weld Pond. All of you follow him on Twitter. I know that you do. And we're so glad to have you here, Chris. Thank you for joining us.

Chris Wysopal: It's great to be here at the Microsoft Experience Center. It's fun.

Sherrod DeGrippo: Did you see the Ornithopter Flight Simulator upstairs?

Chris Wysopal: I have not, and I want to check it out. I did come, I think, a year ago because my son wanted to drive in the McLaren.

Sherrod DeGrippo: Oh, yes.

Chris Wysopal: Which is a lot of fun.

Sherrod DeGrippo: One of the things that surprised me when I started at Microsoft a year ago was that the flight simulator thing is huge with people. They -- they love it, and it's used both commercially and as, like, a video game. It's pretty weird.

Chris Wysopal: It's great technology.

Sherrod DeGrippo: Yeah, so stop by -- stop by The Experience Center and you can fly the Dune Ornithopter with Flight Simulator. I'm obsessed with Dune, so I think it's very cool that we have that up there. Chris, so you're super old school, and I was really excited when I saw that we got to talk to you, because you have such a depth in history of security and vulnerability disclosure. And I want -- I said I would ask you one L0pht question.

Chris Wysopal: Okay.

Sherrod DeGrippo: The question is, Wikipedia says L0pht is a think tank, and I just wanted to get your opinion on that.

Chris Wysopal: That is, I think, a little extreme because we didn't -- we didn't, like, really publish reports. We actually did publish one, but that doesn't make a think tank. I feel like we weren't formal enough or organized enough to be a think tank, and nor did we want to be. But that doesn't say we weren't thought leaders, right?

Sherrod DeGrippo: For sure.

Chris Wysopal: So it was just in a more informal way. And I think it was because we were kind of outside of the mainstream, right? We were independent. We weren't part of a big, you know, established research organization or an enterprise. And there's a huge benefit to that, right? Because you don't have all that baggage. Who am I going to upset? So you can kind of tell it like it is. So, you know, the word think tank's kind of loaded, but I'm pretty happy with the messages we got out and the kind of push we gave in the right direction.

Sherrod DeGrippo: Absolutely, and I think that -- that's seminal and influences things even today. I really got stuck on that think tank word, because, you know, it just doesn't do it justice to me. And I -- I would say, like, Hacker Collective or, like, like you said, like, thought leaders or, like, chaos research or something like that.

Chris Wysopal: Right, like Hacker Collective is provocative. It's like, Well, what is that? I need to understand what these guys are doing. Saying think tank kind of just shuts it down.

Sherrod DeGrippo: Yeah.

Chris Wysopal: They're -- they're writing -- they're writing papers.

Sherrod DeGrippo: Right, which is just, doesn't do it justice to me. So, let's talk about your work with vulnerability disclosure. You've been doing that for 25 years?

Chris Wysopal: Yeah, I think the very first coordinated vulnerability disclosure we did at L0pht was with Microsoft back in, like, I think, like, 1998.

Sherrod DeGrippo: Wow.

Chris Wysopal: The very, Scott Culp was running the Microsoft, the FM.

Sherrod DeGrippo: Legend.

Chris Wysopal: Yeah, research center. I guess he was the first director. And he actually reached out to us. He sent an email to us and said, You know, guys, if you tell us about the vulnerability before you release this to the public, we'll fix it and we'll let you know when we fix it, and then we don't care what you release. And so it was actually him reaching out to us. Like, we -- it couldn't go the other way, right? Because if we said, Hey, we're willing to not publish until you fix it, I don't think that would've gone anywhere.

Sherrod DeGrippo: And so where -- where do you think we are today? Because bug bounty programs and bug bounty vendors have really dominated that space now. Is that a good thing, a bad thing? How do you kind of see that in the world?

Chris Wysopal: I think dominated is -- is the right phrase. I mean it's, I don't know if it's upwards of 80, 90%. It always seems that way, and it makes it a lot easier for the researchers. I mean, let's be frank, doing this independently is a pain, right? And also doing it in such a way that you don't know what the outcome's going to be, you don't know what's going to happen to you, and the structure of the bug bounty really makes it easier for the researcher. The flip side is the researcher is not really independent anymore. There's some sort of -- they're kind of a contractor because there's rules of the road, and I think we lose a little bit with that. We lose a little bit of the independence that we had in the past.

Sherrod DeGrippo: So speaking about independence, we were talking a little bit earlier about vulnerabilities in open source. And open source, you know, I think first has really come to play a major part in this push for SBOM, so the Software Bill of Materials. It's huge. And I think, in my opinion, that open source is really the driver behind some of the SBOM fear of almost, I feel like organizations don't want to open the box and know what they have in there. They'd rather not know in some ways.

Chris Wysopal: I mean, we did -- we did a, one of our State of the Software Security reports at Veracode, I think it was, like, four or five years ago, we really focused on open source. And we found that the average open source library stays the same version for over five years. It's basically like someone includes it and then it gets forgotten, and it just sort of fossilizes there and never changes. And that's the way that people, developers, think about open source. It solves a problem. Why would I ever, why would I ever change it? And developers want to solve problems. They want to create the functionality and be done with it. They just don't think about it, especially if it's not their code. They worry about their code. No one ever gets fired for including some open source that has functionality that later gets a vulnerability, right? Like, so there's no incentive.

Sherrod DeGrippo: Or -- or accountability.

Chris Wysopal: Or accountability. There's no incentive or accountability. So it's just thought of differently than first-party code. You know, I think in general, when I talk to developers, they might not know how to write secure code, but they want to, and they don't want their code to have security bugs in it.

Sherrod DeGrippo: For sure.

Chris Wysopal: But with open source, it's sort of like, Hey, that's someone else's code.

Sherrod DeGrippo: So there's, like, open source as opposed to these large enterprise software vendors that have really mature bug bounty programs. It's kind of a different story. It's a little more Wild West in open source. And I know you were doing some research work looking at vulnerabilities in open source. What have you found there?

Chris Wysopal: Yeah, so, you know, I think one of my old maxims is, you know, more software, more vulnerabilities. So the fact that there's just so much open source, like, millions and millions of packages, and the churn. Like, some of these packages are new releases, new updates almost on a weekly basis. So it's constantly changing and changing code, another opportunity for bugs. So it's just, if you think about the sheer volume, you just have a lot of vulnerabilities out there. And so the scale of trying to manage your organization's use of open source becomes something that not only do you have to automate, you have to automate it really well. So what we ended up doing, because we wanted to have a great open source vulnerability database, we ended up crawling all the packages that our customers use on a nightly basis and using ML to look to see if any of the changes in that code were changes that fixed the vulnerability.

Sherrod DeGrippo: Okay. And --

Chris Wysopal: And that's a signal that the developer thinks they fixed the vulnerability. So, like, the version prior to that probably has a vulnerability in it. And -- and then so you can have a human go and look at that and determine, Is it really a vulnerability? What kind is it? Is there a CVE associated with it? And it turns out that, like, 40% of the open source vulnerabilities that we find don't have CVEs. So 40% of, I don't know if it's 40% of developers, but a lot of developers don't bother getting a CVE, which is the way the industry thinks about vulnerabilities, right? If there's no CVE, there's sort of no vulnerability. Like, in the back of our heads, we're like --

Sherrod DeGrippo: Schrodinger's vulnerability.

Chris Wysopal: Like, oh yeah, of course there's vulnerabilities that don't have a CVE, but we really don't think about it. We have no process.

Sherrod DeGrippo: To how to handle those.

Chris Wysopal: To how, to how, yes, exactly. So I feel like we're missing a lot when it comes to open source. And I always put on the attacker hat, right? Like, that was one of the things the L0pht brought to, back then it was InfoSec.

Sherrod DeGrippo: It's still InfoSec to me.

Chris Wysopal: Was the adversarial thinking, right? And the ad -- what would an adversary do with this information? So I, you know, I look at that and I say, Well, why aren't the adversaries doing this, right? Why aren't they crawling open source repos, looking for vulnerabilities that have been fixed that don't have a CVE? So it's less likely they've been patched anywhere. And so I think of that, you know, I always like to flip it around, saying, like, this is a good security solution, but it's also a good attack solution.

Sherrod DeGrippo: Did you ever read The Cathedral and the Bazaar?

Chris Wysopal: Yeah, I skimmed it, actually.

Sherrod DeGrippo: I feel like we're kind of talking about that, open source versus walled garden, versus -- and organizations have to be able to handle both. You don't get to pick, you don't get to choose one beautiful environment to enjoy. You're going to have this interwoven reality of enterprise-grade, very regimented, traditional software practices, and then you're going to have open-source cowboy code that you desperately need, that's, like you said, maybe not developed for five years at a go, and so organizations have to know how to do that.

Chris Wysopal: Yeah, I think you can kind of tame it to some degree, and it's just having the mindset that whenever I use an open-source package, at some point in the future it will have a vulnerability that will be attacked in the wild, and I'm going to have to patch that, right? And set up a process that -- that assumes that's going to happen. When log4j happened, we had two kinds of customers. We had customers that had these really great DevOps pipelines where everything's automated, you just push a button and it can update the code and push it to production. And then we had people, or we had projects, and these are probably the older ones, that it was, Does anyone remember how to build that? Where's the script we run to do that? And where's the recipe that we have to type in? Oh, and we don't have any automated testing for that, so then we have to manually test it. So on one end, you had organizations or applications within organizations that literally within a day were patched. And then you had organizations that were weeks and weeks and weeks to do that. And the scary thing to me was a lot of those, the organizations that were the weeks and weeks and weeks, were, like, the legacy, like, appliance vendors that --

Sherrod DeGrippo: Edge devices.

Chris Wysopal: The Edge device, it's been around for 20 years using this, you know, 11-year-old software package, and it was, like, the more critical stuff, right? It was the stuff that was -- took so long to patch.

Sherrod DeGrippo: Well, if it's been running and it's old, it's probably critical because no one wants to touch it.

Chris Wysopal: Right, right. So, and that's not -- the thing is, that's not going to change. I don't think that 20-year-old appliance tomorrow is going to have a pristine build environment where they push a button and it goes out there, right? So we're kind of stuck with the problem with all the legacy stuff.

Sherrod DeGrippo: Well, so let me ask you a question then. From a kind of, you said, the bug bounty researchers, those people that I kind of see them as, like, these cowboy mercenaries that are just out there, like, looking for a way to make a buck, I mean, there really is that kind of bounty hunter feel to them in a lot of ways. What advice would you give them if they want to be successful? Operationally or, you know, mood or attitude, what's the key for those people to be successful?

Chris Wysopal: Yeah, so I really think a lot of it is having, like, you know, good tooling, right, for your attacks, right? When -- and keep up on the latest, you know, attack tools, fuzzers, things like that, because it makes such a huge difference. Like, if no one has used a tool on a project before, it's probably going to find something, right? And that's why we see, like, some of the software that's just been attacked so much, every single tool has been used on it. You find something like a legacy appliance somewhere and you use a new tool on it, you're going to -- you're going to find something. So I think a lot of it comes down to, you know, knowing what tools you have to find bugs, and then picking -- picking some good targets. Like, I would look for things that, you know, don't have any CVEs.

Sherrod DeGrippo: Okay, because there's always one lurking, is that the --

Chris Wysopal: Yeah, yeah, I think that's an indicator that, you know, no one's really looked there, right?

Sherrod DeGrippo: It's a big rock to turn over.

Chris Wysopal: Again, it's like the Schrodinger's cat, if no one's looking, maybe.

Sherrod DeGrippo: Then there's no BOM.

Chris Wysopal: We don't know if anything's there. So find places where no one's looking and use some -- use some cool new tools on it.

Sherrod DeGrippo: I love that. So you just heard from Weld Pond how to be an amazing bug bounty hunter. That's incredible advice. Just one more question. I want to kind of talk about AI, machine learning. We're at, you know, this new Copilot world. Physically, we are in the Copilot world because we're at this event right now. What do you think the role of AI is going to play in terms of security, vulnerabilities, bounties? Where are we going?

Chris Wysopal: Yeah, so it's -- it's interesting. I, you know, I see this sort of, I don't know if it's a meme or just a way that people are thinking about AI. I've seen it on, you know, on X, Twitter, where people are saying, Well, why is AI helping boring people be creative? I want AI to help creative people do all the boring things so that they can just do more. And of course it's both, right? I mean, that's the thing is a lot of times it helps someone who doesn't know anything about a particular subject area or barely anything, you know, upskill and be pretty proficient at what they're -- at what they're doing. And sometimes it's, you know, someone who is really skilled, and it's their assistant, right? And I think we see -- we see both of those things. So I think that's really interesting. If you started to take the lens of, you know, if I'm an expert in some area, like, I'm the most senior person at the SOC or something like that, how is AI helping me is going to be different than someone who's, like, the junior engineer. So I think it has something for everybody. And people who are designing these products I think have to think that way. Helping -- helping the newbies, but also helping the -- the senior people. One of the things we're doing at Veracode is we've used AI to create Veracode Fix, because we found the biggest problem was developers don't know how to fix vulnerabilities in their code. Like, how long have we talked about SQL injection? They still don't get it, right? Like, you can point them at an OWASP page describing this is how SQL injection works and this is how to do it, and they'll spend, you know, hours and hours and hours trying to figure it out to fix their code, when you could just have the AI saying, Here's the code you need to patch it, right? So I think that's an example of someone who's really proficient in one area just not knowing how to do something, and the AI can take over there. So I'm pretty excited. It's going to make a big impact in cybersecurity.

Sherrod DeGrippo: I think it's going to make a big impact, too. I think what I have learned, and I've been in security for 20 years, which is not as long as you, but a long time. And I feel like we still see such a divergence of developer persona and security persona. Like, if you ask, you know, somebody on the street, they're both dorks, they're both nerds, they're both computer nerds. Like, they're tech people, I don't know. But when you get into the nuance and personality differences between developers and security people, I feel like on the security side, we just have such a different wealth of mental health issues. There's just so much deep anxiety, and I feel like developers, in many ways as a group, live in an unanxious world. They live in this, I'm going to build and create beautiful things world. And it's really different than the sort of, I'm freaked out security mindset.

Chris Wysopal: Yeah, that's definitely a problem that we have. Because the mindsets are so -- are so different. There's even a lack of respect for what the other person's skill set is.

Sherrod DeGrippo: Yeah. Yeah.

Chris Wysopal: Like I took, when Veracode started, I took our VP of engineering to Black Hat.

Sherrod DeGrippo: Oh, is he okay?

Chris Wysopal: And he sat through some talks, and he just said, he didn't have any respect for any of the research -- I'm like, they're doing all these amazing things. And he's like, oh, it's just a bunch of tricks. Like, there's no solid, like, architecture and engineering. I'm like, yeah, but it -- it works. That's the thing. And so sometimes they think, like, the security people just have sort of a bag of tricks we're pulling out and we're kind of just lucky to know how to -- to find a particular vulnerability. Like, we're not engineers. And the flip side is we're like, the security people are like, well, you know, the developers and IT people don't really care. They don't care like I care. Like, I'm protecting --

Sherrod DeGrippo: It's personal for me.

Chris Wysopal: I'm protecting the -- the enterprise's resources and I'm keeping us safe and they're not helping me. And we just have to get over that, right, and have mutual respect. Each individual has a different role to play, and they're there for a reason. Like, the organization needs both.

Sherrod DeGrippo: Let me ask you, and I would love your personal answer here, are you using AI in your daily world, in your personal life? What are you doing?

Chris Wysopal: Absolutely, absolutely. I mean, it makes me a better writer, it makes me a better organizer, writing outlines for things. I'm mostly using it for just the written word, communication. I would say that's the biggest reason I'm using it.

Sherrod DeGrippo: I've found that I'm really receptive to learning things conversationally, and I talk to it and ask it, like, what -- you know, I have Copilot, I have ChatGPT, you know, and I'm always kind of bouncing between Bing AI, whatever I can get my hands on and saying, You know, I was thinking about this, what do you think? And it gives you this sort of respectful intelligence back to you of, Oh, here are some ideas for you. And it's an interesting validator, because you might have an idea and think it might work, and then the AI tells you, Oh yeah, so what you should do, it's exactly what you thought of.

Chris Wysopal: Yeah, it's sort of, it could be a coach, right? Like, you know, I think you could, without that, you'd be sort of like, I don't know if I'm wasting someone's time --

Sherrod DeGrippo: Right, 100%.

Chris Wysopal: -- bouncing the thought of them. Right, and people are a little bit embarrassed to, like, show what they don't know. But the AI doesn't care.

Sherrod DeGrippo: No, it's -- it's fully non-judgmental, I'm sure.

Chris Wysopal: Well, who knows?

Sherrod DeGrippo: For now. Chris, thank you so much for joining us. It was amazing to meet you in person. Thank you so much for coming on the podcast. You have a wealth of knowledge, I know. So I hope we get to talk to you again soon and enjoy the event today.

Chris Wysopal: Thank you. This has been great. Nice to meet you in person.

Sherrod DeGrippo: Thank you. I have another guest here live in the studio from the Microsoft Copilot for Security launch event. Microsoft Secure. It's Chip Calhoun, VP of Cyber Defense at BP. How you doing, Chip?

Chip Calhoun: I'm doing pretty good, and you?

Sherrod DeGrippo: I'm good. This is pretty exciting. I know that you've had access to Copilot.

Chip Calhoun: I have.

Sherrod DeGrippo: What are you doing with it?

Chip Calhoun: We're playing with it a lot.

Sherrod DeGrippo: Yeah?

Chip Calhoun: You know, we're learning a lot from it. Our -- our folks are really starting to get used to the idea of having a virtual assistant in front of them all the time. In the early days, it was a little strange to them, because I've got some very, very seasoned incident responders and intelligence folks and just the frontline SOC analysts, I think, are the people that are trying to -- trying to play with it the most because it's -- it's still new to them, but they're not as seasoned in the -- in the world of incident response. And it -- so they're probably having an easier time with it. Some of my more advanced folks have struggled a little bit more, but they are -- they're starting to embrace it in the last three or four weeks.

Sherrod DeGrippo: Love that. I find it so sort of exciting to just be like, I can ask this thing anything and it's going to tell me stuff. Do you ever play the game where before you ask Copilot, you try to guess what it's going to tell you.

Chip Calhoun: You definitely play that game.

Sherrod DeGrippo: Yeah.

Chip Calhoun: Almost all the time, because when you do that, what you're trying to do is you're trying to reverse engineer the prompt you need to give it to get the answer that you want.

Sherrod DeGrippo: Yeah, and I kind of give myself a little pat on the back sometimes when I'm like, Oh, not only was I right, but I maybe have more personal context with whatever it told me, or I can, you know, work with this information in a way that maybe the Copilot didn't know that I could. And I think that it really does, you know, Copilot's a good name, because it really does act as that seat next to you that's got good guidance. And maybe sometimes it has deeper information more quickly than you could go look up. Threat intelligence is tough, with how many different names does every threat actor have?

Chip Calhoun: Yeah, I tell folks that it augments our analysts' ability to do what they do every day. Doesn't replace them, but it definitely augments what they do.

Sherrod DeGrippo: Yeah, and so you are an old school incident responder.

Chip Calhoun: I am.

Sherrod DeGrippo: And what do you think is kind of the personality that does best in incident response? It's something we talk about a lot with DART, which is Microsoft's incident response team. What's that personality profile?

Chip Calhoun: All right.

Sherrod DeGrippo: All right, tell me.

Chip Calhoun: I know this. The people that love something brand new every day. I tell people I've been at BP 27 years and I've never had a boring day.

Sherrod DeGrippo: Wow.

Chip Calhoun: Because we are always responding to something new, something crazy. You know, we've had some really wacko things that have been compromised before, and we've been able to stop it right away, so that's always been good. I've had an electron microscope compromised.

Sherrod DeGrippo: Wow.

Chip Calhoun: I've had GPS systems that keep tractors driving the right way down -- down the sugar cane fields compromised. Beyond that, go into your regular business stuff that gets compromised and it's -- it's really a fun game to play every day.

Sherrod DeGrippo: Oh no, I can tell you're one of those incident response types. No, I love them, and I love the kind of attitude that a lot of IR folks come with, which is, Just throw me in, throw me in the storm. Just put me in, I'm ready to go. And that's a fun kind of personality to be around. And our incident responders at Microsoft work really close with MSTIC, the Microsoft threat intelligence team. And they talk about how that's such a good combination. So in your world, how are your incident responders interacting with your threat intelligence analysts?

Chip Calhoun: They work side by side every day.

Sherrod DeGrippo: Love it.

Chip Calhoun: So as a matter of fact, you know, we've got several different types of people that do threat intelligence, whether it is our tactical, our operational, or our technical intelligence folks. And the people that are -- that work the most closely with, like, my CERT team, my Cyber Emergency Response Team, are the people that are doing that -- that very operational intelligence. So when they get a piece of information from wherever our source might be, they'll take that. They'll break it down very quickly. And they'll start to create these hunting scripts and hunting queries. Has this occurred in our environment? Because intelligence is very rare to get before something happens. Usually you get it after it's happened to somebody else somewhere else.

Sherrod DeGrippo: Yes.

Chip Calhoun: So then we go search for it through our environment. So we've done a ton of automation around that kind of stuff to be able to look across years of data to find out if we ever saw that before in our environment. So, I don't know. It's, if I can mention it real quick, Copilot is actually one of the places where we've seen some of the benefits of intelligence helping us with threat hunting. So my first-level analysts can now very quickly break down an intelligence document, start to do a search across the environment very easily just through a few requests through Copilot. And the other cool thing is my more advanced intelligence analysts can start to use that natural language processing to not look for IOCs, which my first-level analysts can do all day long. But they're starting to ask questions to where it looks for the characteristics of the threat actor within the environment, rather than just the standard IOCs. That's very powerful.

Sherrod DeGrippo: So you're saying the TTP is, it links it directly to the TTP. That's awesome. I think that's something that Copilot is really revolutionary in; we've never had that ability before as practitioners. I think that's, like, one of the things that's really going to bring people, you know, skills and acceleration they didn't have before. I want to ask you something else. Do you have anybody looking at the script analysis out of Copilot?

Chip Calhoun: Absolutely.

Sherrod DeGrippo: Because that's a mind blower.

Chip Calhoun: That's their favorite thing.

Sherrod DeGrippo: That's their favorite thing?

Chip Calhoun: Absolutely.

Sherrod DeGrippo: One of the things that I, you know, I've been in security for 20 years. And one of the things that I think I've heard the most is I wish I was a better reverse engineer. And they all, you know, have these aspirations of, I've got to get better at reverse engineering. And I feel like Copilot really can help you accelerate and almost act as, like we said, a quiz. Like, you can look at a script, think about what does this script do for me, and then ask Copilot and it can tell you what it does. I think that's one of the coolest things that I've seen with Copilot is the script analysis capability, especially with malicious scripts, VBScript, and obfuscated, too.

Chip Calhoun: Yes, absolutely.

Sherrod DeGrippo: So --

Chip Calhoun: There's a -- it's a big time saver.

Sherrod DeGrippo: And I think that's one of -- one of the things that people don't know about these Copilots until they're really deep into them, is how much faster you can be when you use them.

Chip Calhoun: Yeah. The other thing, I mean, just building off that script analysis, one thing we use, you know, beyond Copilot, we use other local LLMs with generative AI, and we open up APIs in our local systems with high-spec laptops that we use. And we use some of these local models, and we pump in malware to those local models, and it helps us to reverse engineer that malware.

Sherrod DeGrippo: Wow, so you're actually training it with malware that you know to be malicious and know how it works.

Chip Calhoun: Not training it, we're actually just pumping it into the LLM, so the LLM gives us details about how it's built and what to look for. Then this, again, speeds up the process of that reverse engineering of true malware.

Sherrod DeGrippo: That's incredible.

Chip Calhoun: Not just scripts, but you know.

Sherrod DeGrippo: Like a full-fledged piece of, yeah. That's really cool. So you're in this, like, critical infrastructure world. You've mentioned a couple of, like, industrial systems that you've looked at. What do you think is unique in securing those kinds of targets?

Chip Calhoun: Yeah, I think the most unique thing about securing those environments is you understand that what the impact of a compromise in that environment might be first and foremost. And then you have to take steps you wouldn't take normally throughout the rest of your business environment, such as complete full separation of those systems from your business environment. Business environment's got to be, you know, we don't want any of our environments, you know, loosey-goosey, but I promise you, people's business environments are more loosey-goosey than the OT environments are. And we really have to think about them differently. The impact of a compromise in a business environment is much different than the impact of a compromise in an OT environment where you can turn a valve or change a setting or do something like that if a bad guy is motivated enough and has enough information and knowledge about the systems and how they operate.

Sherrod DeGrippo: And when you're observing, since you're doing incident response, when you're observing threat actors, do you feel like they understand the OT environments?

Chip Calhoun: I think there are groups of threat actors that understand OT environments thoroughly, but they don't always understand your OT environment thoroughly. You have to think about how these things are built up over time. And every single one of them, at least in our world, are built differently because they're serving different purposes. They've been built at different timeframes with different hardware from different manufacturers over time. That's one of the challenges with securing those environments, is understanding that well enough, get a great inventory, being able to get that visibility. Another challenge in those environments is being able to have something that you can actually monitor in that environment on the system because those systems can be highly controlled by the vendors that produce those systems, the hardware for those systems and the software for those systems. So you have to find ways to -- to monitor for that that is touchless. It's more passive across the network. So, understand the protocols, understand what might change over time, and how you react to that change.

Sherrod DeGrippo: That's something good that you brought up, great for my next question, which is, let's say somebody says, not only do I want to get into security, but I want to focus on ICS, OT, oil and gas. That's where I'm really interested. What kinds of skills do you think that they need to absolutely have? What's vital?

Chip Calhoun: That's a hard -- that's a hard question.

Sherrod DeGrippo: That's right, hard-hitting questions here.

Chip Calhoun: I don't think it's -- I don't know that it's that much different than all the other people that need to get into security. You need to have a passion for security. You need to have a good base understanding of the product or environment you want to secure, because if you don't understand it, there's no way to secure it. If you don't know about it, how are you going to know to secure it? So you have to have a good, solid understanding. We see some good security folks that come out of the OT operational environments that were, you know, OT engineers, that were work -- working with those systems before. They come into the security team and start to say, Okay, we know the importance of securing these things. Let's come in there. So a lot of them have the background in that environment already, yeah.

Sherrod DeGrippo: And so I guess like switching a little bit over to threat actors, is there any sort of threat actor profile that you're seeing more than others? Are you seeing, you know, concerns around nation state? Are you seeing concerns around crime? Are you seeing fraud, BEC? Like, what are you having to skill up and focus on?

Chip Calhoun: So first of all, we, as everybody else, sees it all. We really do. But the thing that we see more of than anything else is the e-crime stuff.

Sherrod DeGrippo: I love crime.

Chip Calhoun: Constantly trying, every way they possibly can, to get in. And luckily, we've been pretty good at being able to stop them at, you know, stage one, stage two, before any major impact occurs. So that's a positive thing. But I'll tell you what, I don't think anything, as long as there's money involved, you're going to see e-crime is probably number one. The thing that could impact us more than anything else isn't e-crime. It's probably more nation state actors that could, for whatever reason, have the destruction in mind or some sort of disruption.

Sherrod DeGrippo: Absolutely. Thank you so much for joining us, Chip. It was great to talk to you. I really appreciate your time. I'm going to let you go so you can go enjoy more Copilot festivities.

Chip Calhoun: Woo-hoo.

Sherrod DeGrippo: Hello, and we are still here at the Microsoft Copilot for Security Microsoft Secure event. And joining me now in the Live Studio for Podcasting is Torrell Funderburk, Executive Director of Cybersecurity Architecture at Sealed Air. Torrell, welcome. How are you?

Torrell Funderburk: I'm doing well. I'm happy to be here. I'm really excited about where things are going with our overall program and our ability to detect and respond at scale is -- it's becoming a very interesting kind of day-to-day operation.

Sherrod DeGrippo: And how do you feel adoption is going? Does it seem like more junior people are using it, more senior people? Who do you see kind of gravitating toward Copilot the most?

Torrell Funderburk: Well, I think from an initial adoption standpoint, it was the more -- more junior people. But as time goes on, there's a little bit of need for a security Copilot for everyone. Not just the junior people, but also kind of senior people, people that may be generating reports and not kind of reverse engineering the script or something like this. I think it's fascinating, those use cases for more than just the, kind of the trope associated to, like, junior analysts. And that's what's fascinating about it to me. And on top of that, the -- the amount of innovation is spurred within our kind of security operations and security program has been fascinating.

Sherrod DeGrippo: You're in an executive role, and you've been in security quite a long time. How long have you been working in security?

Torrell Funderburk: I've been in security seven or eight years now. Before security, I was in software engineering.

Sherrod DeGrippo: Okay. Oh, a developer came to the dark side.

Torrell Funderburk: Yeah, yeah, it was fascinating.

Sherrod DeGrippo: What do you think the differences are in the personalities? Something we've been talking about a little bit today is that developers kind of have a profile, software engineers kind of have a profile, and then security people kind of have a profile.

Torrell Funderburk: Yeah.

Sherrod DeGrippo: What -- what do you see those differences as?

Torrell Funderburk: My trick is to understand those profiles and act the exact opposite of it, but understand the technical underpinning.

Sherrod DeGrippo: Okay.

Torrell Funderburk: Able to navigate both spaces fairly well. What's also interesting is that an engineer is an engineer, even though they try to have the security and software engineering personas, but we all like requirements and technically-driven tasks. So.

Sherrod DeGrippo: And if somebody is a software engineer, what would you tell them if they said, I'm thinking about going over the security side? What do you think?

Torrell Funderburk: Do it.

Sherrod DeGrippo: Do it.

Torrell Funderburk: Yeah, do it. Because if you just start thinking about first principles and kind of the foundations of security, I mean, it's -- it's networking and software makes up our world, right? It's connectivity and applications that interface with applications and they're more suited than they think to come to security and they will pick it up very fast, I believe.

Sherrod DeGrippo: Awesome, yeah, so I guess we're getting a flood of developers and security and everybody because Torrell said to come on over.

Torrell Funderburk: I sure do hope so.

Sherrod DeGrippo: So tell me a little bit about your, like, background. Were you a nerdy kid?

Torrell Funderburk: I didn't think I was, but when I look back now --

Sherrod DeGrippo: You thought you were cool then.

Torrell Funderburk: Yeah. I mean, I was in sports and stuff, but I was always into the nerdy things as well. I remember kind of going way too deep into, like, the Harry Potter books in, like, sixth or seventh grade. But I was, yeah, I was always interested in technical things and taking things apart, and they wouldn't work when I put them back together. And I eventually found out that -- that maybe I was suited for a more technical track, professional track.

Sherrod DeGrippo: So talking about securing Sealed Air, is there anything in that environment that you feel is pretty unique among, you know, security environments that people look at?

Torrell Funderburk: So I've been in various industries, right? I've been in finance, I've been in healthcare, I've been in manufacturing, where I'm at now. And when I was developing software, I was building automated systems, material handling systems, like, completely, fully-automated warehouses. But what I find interesting is the commonalities across the -- the different industries. Because fundamentally, technology is communications between devices and people and processes. It's all -- it's all similar, but what's different is the context in which those things are being applied. So the challenge normally is just understanding the nature and the culture of the business and then how those kind of standard systems apply to that -- to that business.

Sherrod DeGrippo: You have a favorite protocol?

Torrell Funderburk: Favorite protocol? No, a least favorite one.

Sherrod DeGrippo: What's your least favorite?

Torrell Funderburk: I'm not saying.

Sherrod DeGrippo: You can't say your, wow, this is a level of protocol bias I've not seen before. You won't tell me your least favorite protocol?

Torrell Funderburk: No.

Sherrod DeGrippo: What if I guess it?

Torrell Funderburk: I won't respond.

Sherrod DeGrippo: Oh my gosh. I respect that you're protecting the --

Torrell Funderburk: Yeah.

Sherrod DeGrippo: -- identity of the guilty protocol that you don't like. And you don't have a favorite?

Torrell Funderburk: Nope.

Sherrod DeGrippo: No. I think my favorite's DHCP. I feel like it's underappreciated.

Torrell Funderburk: Which one?

Sherrod DeGrippo: DHCP.

Torrell Funderburk: Oh yeah?

Sherrod DeGrippo: Yeah, you need an IP, man, you've got to get at least --

Torrell Funderburk: That's true.

Sherrod DeGrippo: It's important.

Torrell Funderburk: That's true. It used to.

Sherrod DeGrippo: So, tell me a little bit about, like, we kind of talked before about new people coming into the industry. Like, if you were looking for somebody to come in, what would you tell them? What are you looking for, like, when you're looking to pull people into your team?

Torrell Funderburk: Curiosity. Like, all those people are genuinely curious and which is why I was kind of encouraging the software developers before. Curious and willing to build things and potentially build things that -- that don't really exist right now. A lot of times you will run into a wall and how do you go about kind of getting over that wall? Are you going to build something? Are you going to wait for the market to catch up to offer a solution to solve that problem, or kind of navigate that problem yourself with the toolkits you have? And kind of operating from that first principle standpoint, right, that I need two devices to communicate or I need this interface. When they click this button, this should happen, right? It's stored and read it from a database. It's all -- it's all kind of fundamental things, but just a willingness to kind of commit to overcoming those challenges and then just constantly being curious.

Sherrod DeGrippo: What do you see as kind of the next frontier for InfoSec problems? Like what are we going to be battling coming up, do you think?

Torrell Funderburk: Scaling, I think. Obviously with the kind of boom of GenAI, you can kind of build things faster from the defensive side and the adversarial side. So maybe the agility of kind of the bad things we're seeing out there, the upticks. But also how does our environments respond to that and are we agile enough to scale to support any new things that we're seeing? So I think -- I think scale is going to be critical going forward.

Sherrod DeGrippo: So you're higher up in the organization. Are you personally getting into Copilot yourself?

Torrell Funderburk: Of course. I'm a developer at my core, right? So, I mean, I'm leveraging AI, like, in my personal time as well. So, I'm a fan of this, and I'm a fan of emerging technologies and applying those emerging technologies to our standard traditional use cases. And what does that mean for us, and what problems does that help us solve? So, yes, I'm a fan of Security Copilot. And what I'm interested in is, so not from an analyst standpoint, but how can it also help us with program-level things?

Sherrod DeGrippo: Oh, yeah.

Torrell Funderburk: We have some really talented people at C and one thing I recently challenged them with is surfacing kind of potential program-level issues from the alerts and incidents that we see coming in. So can you summarize over those things and suggest an area of focus that we should kind of solve at a program level? So it's almost like leveraging Security Copilot to create a feedback loop to better the overall program versus just responding to incidents.

Sherrod DeGrippo: So it gives you kind of where you should prioritize focusing people and, like, what processes and procedures and things like that need attention.

Torrell Funderburk: Yeah, yeah. So -- and it reinforces kind of foundational processes and procedures and documentation that you may not have, right? Because you know that if you do develop that, you can ground your Security Copilot in that and then leverage that context of service. It will only get better, right? So quality in, quality out. So.

Sherrod DeGrippo: I love that idea, of using it to help build your security program. That's not something that I've really played with or talked to people about and it's kind of overall program improvements, which, you know, I don't know for your team, but I know, like, overall security practitioners are freaking exhausted. Like, they're so over leveraged and so burnt out. It's really not a work-life balance industry. Like, people kind of accept or sometimes don't notice that they don't have that. And I feel like if you're using Copilot to build some of those programs, hopefully you're giving some of those people a little bit of their life back.

Torrell Funderburk: Yeah, and they also are able to help us build a program. They have insights, right? But in the traditional environment, they may be caught up in the, what we're doing and how they should do it once they get this scenario. But now I think they have a little more leeway to ask the question of, like, Why? Like, Why did this occur to begin with? And, like, how can I help the program alleviate this from happening in the future? So, like, we don't have to continuously deal with it. And that's empowering. It's great, and it's something that I definitely encourage.

Sherrod DeGrippo: That's awesome. I think that that's something that we'll probably see more is that AI starts to, in the security landscape, starts to be that best practices guide, as well as like, you know, tell me about this threat actor, tell me about this login, show me the credentials. It's going to become this kind of, like, guided program builder and program maintenance key, which I think is really cool. So you seem like to me, and you said that you kind of like to tinker around, you like checking out new tech. When it comes to AI, in your personal life, what are you doing with it, anything cool?

Torrell Funderburk: Trying to keep up with OpenAI and all the things that they're releasing, and trying to understand, like, how that could potentially impact the broader population, but also kind of enterprise level and also the security level. There was a project released on GitHub for kind of building out your own infrastructure, RAG model, internally. It was just one of the greatest things ever because I can see how the backend worked and how that kind of retrieval automated generation work from resources that you have access to already. And it was -- it's incredible to understand it from that level, because then you can kind of service those solutions to other problems within the organization that may be outside of security that want to have an integration, an AI integration. But you're able to help them integrate in a secure way because you understand how the underpinning works.

Sherrod DeGrippo: That's really important. And I think that's something that we've seen, especially in security with so many paranoid personalities, which I fully support, kind of saying, like, Well, I don't -- I don't trust the AI because I don't know how it got, how it got this. And --

Torrell Funderburk: Yeah.

Sherrod DeGrippo: -- Copilot has done something really cool where if you ask it a question and then you say, Okay, well, how did you come up with that? It's like, I looked at this. Number one, I, like, it gives you an enumerated list of how it got there.

Torrell Funderburk: Yeah, and that's incredibly valuable. And I wish you can measure it, but that's incredibly valuable because you can show the value of all of those atomic kind of actions that you've taken to secure your environment and establish a trust boundary. And you can show how that aligns to your trust boundary. Like, okay, this was -- this document was surfaced from this store that you have access to. If you don't have access to it, then this document wouldn't have surfaced to begin with. So I think that's incredibly valuable to explain the integration of AI in your environment to people who may not be familiar with it, but are definitely impacted by it. And that's probably most organizations right now.

Sherrod DeGrippo: Right, it's so early that it's, like, What's going to happen? I mean, it could be a really revolutionary thing. And every day I think of something new that I'm like, Ugh, I could have used AI for that. And you have to retrain your daily kind of mindset to, Why am I doing this myself? I should have a Copilot do this. I should go -- you know, I need crazy images for this, like, little internal site I'm working on. I need to get the AI to make these images for me.

Torrell Funderburk: That was actually one of my favorite kind of behavioral observations with an organization, like, for adoption is you made it available and then people would still not use it. But it's not that they were intentionally doing it. It's just they have a habit of not using it.

Sherrod DeGrippo: Right.

Torrell Funderburk: And then they're like, Oh, yeah, I should use that. They use it and it gives them what they want. A lot of my day-to-day interact -- interactions were kind of like, Oh, yeah, just use Copilot for that. Why don't you use Copilot?

Sherrod DeGrippo: Yeah.

Torrell Funderburk: Yeah. I hear what you're saying, but just use Copilot. You know, so it's good stuff.

Sherrod DeGrippo: Well, Torrell, thank you so much for joining us. I really appreciate it. That was Torrell Funderburk, the Executive Director of Cybersecurity Architecture at Sealed Air. And I'll let you get back to enjoying the Copilot event. Thank you so much.

Torrell Funderburk: Perfect. Thank you. [ Music ]

Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcasts at microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcasting app.