
Microsoft’s 50th Anniversary: Security Then and Now
Sherrod DeGrippo: Welcome to The Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry. I'm your guide to the back alleys of the threat landscape. Hello and welcome to The Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft. And we have a special episode for you. It is all about Microsoft's 50th anniversary, 50 years old. That's older than even me, and I've been around a while. I am joined here by EVP of Security at Microsoft, Charlie Bell, who just for the record so everyone is aware, yes. Charlie Bell is my boss's boss's boss. Welcome, Charlie.
Charlie Bell: Thank you, Sherrod. I will say I do remember 50 years ago. So I won't disclose my age, but I am older than 50. So I'm older than Microsoft.
Sherrod DeGrippo: You're like a time-traveling explorer to tell us what those times were like.
Charlie Bell: Absolutely. I remember driving past the original buildings when it was just a client company a long, long time ago.
Sherrod DeGrippo: Well, you have a really storied career in tech overall and at Security at Microsoft for a couple of years now. Tell us kind of -- I mean, 50 years ago, what was happening in technology? What was that like?
Charlie Bell: Oh, my gosh. Yeah. You go back that far, first of all, you had a lot of proprietary, very proprietary systems that were very hard to use. And so technology really -- really was fairly cloistered. You know, you had the glass house, they called it. You know, the -- everything ran on IBM and, you know, it was tightly controlled. I still remember the mini computer era when -- that was my first job, actually, working on a mini computer doing programming. It was in a little outlaw organization who was trying to solve its -- some of its problems quickly. And they were kind of going around IT by using a lab computer to get a bunch of work done. But that whole thing just, you know, exploded. There was the whole open systems thing, which was really proprietary Unix. It was just you could get different flavors of it running on different companies' hardware, and it was kind of the same. So technology explodes a little further. Then the internet happens and, oh, my gosh. You know, by the way, Microsoft's on the scene as a client company in this original game. You know, it's sort of fighting the glass house even in the '80s. And I remember the early '90s. You know, it was -- remember the NT thing. Oh, my gosh. That was when Microsoft started to grow up. And now technology is really expanding and exploding in this whole distributed computing game, which Microsoft really had a huge hand in bringing about. The fact that it could run on commodity hardware, you know, you could buy your hardware from anybody and run NT on it, and that was just hugely liberating. And there was a huge explosion. But then you get to the internet, and that's another step function. And then cloud computing was another big step function. I mean, these are all, you know, exponential changes in the growth, the spread of technology and how it's used. And -- and then along comes AI, and now we're in another one. And this one's probably faster, bigger than anything we ever -- we've ever seen.
So it's really exciting. Fifty years at Microsoft has really spanned pretty much the whole game there.
Sherrod DeGrippo: It has. And speaking of being able to bring your own hardware, essentially, which is kind of what the PC did when I was, let's say, 15 or so, I remember my dad would take me -- I grew up in the Atlanta area. My dad would take me off Buford Highway to these electronics importers, and I would pick -- the one I went to was called Gen Star. I will never forget. For my birthday, I got to pick my case that I wanted. I got to pick my motherboard, which I picked Asus, of course. Back in the '90s, you had to have Asus. They called it the king of motherboards. And you would pick all of your components, your video card and your sound card. You had to have a sound card so you could play your wav files. So I think looking back at that nostalgia and celebrating that at Microsoft is so cool. What's top of mind for you when it comes to AI, security, and how all of that's going to sort of converge very imminently?
Charlie Bell: Yeah. I love the way you describe it as a change in the trajectory of evolution. It really is. I mean, up to now, every tool we've built has been a dumb tool that it had no reasoning ability, had no ability to do anything really on its own. The huge change with this tool is AI can reason. It can do things on its own that we've never seen before. And it's a huge evolution in our -- you know, humans are tool makers. In our tool pantheon, see a huge evolution in it. And it's very rapid. I mean, when we look at how fast it's all come on, go think about, like, how long it took for the internet to grow into a mainstream everybody uses it kind of tool every day. You know that all happened here within a year. Like, it's amazing. So I think, from a security perspective, there's a couple of things. One is it's a surface area thing I mentioned a bit ago, which is, because AI is capable of reasoning, just as humans can be manipulated, it can be manipulated. And, you know, you can't manipulate a program that runs through a set of steps. You can have bugs. You can find the bugs. You can find the behaviors in it that behave certain ways and then leverage them as an attacker to do various things that it wasn't intended to do. But the AI can actually -- you can tell an AI that's embedded in something to go write some code to explore the surface area of what it's embedded in and see if they can find some vulnerabilities. Like, that's never existed before. So the fact that it's a reasoning thing means that it's created a whole new area of security that we have to start managing. And I think, you know, it starts with understanding how to control the intent that we have with the AI and then understanding how to control what it's -- what it's given permission to go do. It's just like a human. If you think about I could be the CFO of a company. 
And, like every other person in the company, I answer email; and I have normal privileges with my email that everyone else has, the same kind of thing. But wait a minute. I can have money transferred in very large sums that nobody else in the company can do. Well, as that human, I have two sets of privileges. One of them is devastating if somebody gets ahold of it. The other is, well, they get to see my email. And now, if I delegate my privilege to an agent, can the agent -- I did it to support my productivity on my email. Can the agent now go do things? So we've spent a lot of time, obviously, at Microsoft with that problem, making sure that we can segment things and make it safe. But that's the huge issue, I think, with AI is that AI can be persuaded to do things that it wasn't intended to do because it can be told to reason on its own and do it. And so that's the work that we do is to control that. And then the other side of it, though, to me, is for security is tantalizing. The biggest problem we've had in security forever is that the world we live in is too complex. The number of ways that you can manipulate technology is almost infinite. And understanding the environments and understanding how to secure them in a way that they just don't have attack surface is just too big a problem for humans to grapple with. It's like you have -- we have so much data and so much configuration and so much stuff to deal with in security. So security historically has been kind of a reactive chase it kind of problem, you know, understand the ways that the vulnerabilities that we see active out there and understand how do we fix and prevent and in that context. But what AI can do, and this is so exciting, is we have the one advantage over attackers. We have this data advantage. We understand our entire environment. You know, if you run a system within a company, you have the whole system. You get to see everything in it. The attacker has to work their way into it. 
They have to come in from the surface and work their way in. And, if we could just understand the entire environment and we could ask ourselves what are the attack paths through the environment and then what do we have to remove in order to make it extremely difficult for somebody to get to a goal, wow. We would be changing the whole equation. And that's what we can do with AI. It's fascinating. You know, AI can understand across different silos. It can understand what the process is that attackers go through and then apply that, help us apply it to defense, to proactive defense, just eliminate, continually eliminate surface area.
Sherrod DeGrippo: I love that you refer to AI as a tool, which I think there's so much conjecture. There's so much commentary around AI, what it is, what it isn't, what it will be, what it can't do. I think just describing it simply as a tool is one of the most succinct and accurate ways because, as we see, threat actors use tools for malicious purposes that we use for efficiency purposes every day. I mean, you can name tons of things that threat actors leverage that we also leverage in security. I also think that AI can really be seen as sort of a next interface. You know, we started with CLI command line interfaces with DOS. Then we got graphical user interfaces with things like Windows. AI is another interface where I can talk to my computer with natural language. And I think that, when we see it as that interface, it helps us kind of wrap our minds around it a little bit better.
Charlie Bell: Oh, boy. You're right, Sherrod. It's changing the whole way that we interact --
Sherrod DeGrippo: It is.
Charlie Bell: -- with the problems that we face.
Sherrod DeGrippo: Yeah. So wrapping up here, we are at the 50th anniversary. So, Charlie, I just -- I want to know one thing because you've been at Microsoft a couple of years now. What is something that you really feel is a memory for you at Microsoft in the past 50 years since you've been here or since you've been in technology at all?
Charlie Bell: That's a lot of memories. I think it was right, right when I came in, I was doing the annual planning kind of thing where we -- looking at all the things people were going to go build and create. I'm used to going through that by the areas and hearing what they're going to do. So I set it up, the process we were going to go here in each, you know. And then one of the Microsoft leaders said, Well, wait a minute. Where are we going to talk about the shared bets? I said, What do you mean, shared bets? He goes, Well, we do things like across these groups where we get together and we say, if you do this and I do this and somebody else does this, we put this stuff together, we get -- we get a new thing that's really cool. And I thought, oh, wait a minute. It hit me. It goes -- I always -- because I wondered what this One Microsoft thing was that, you know, Satya talked about. I really got a growth mindset. Growth mindset is really cool. That's a cultural thing here at Microsoft. But I really didn't understand what was meant by One Microsoft. And suddenly it hit me. I'd have -- oh, wait a minute. I've got to set up a process where people who collaborate get to come in and talk about what they want to go build that isn't related to a particular area. And that was a bit of a wake-up call for me, and it was about the culture. And, by the way, I've experienced it. You know, you know I work a lot with Vasu in Marketing. And I work with, you know, Aaron and Judson over in the Sales side. And, you know, I work with Amy and the Finance. I work across the company. Everybody just pitches in and does the piece that they've got to do together. That's the thing that shocked me about the company. And just I remember vividly that meeting. It was like coming on Teams; and it's like, wait. Where's the shared bets thing? Anyway, that was the one that stuck with me.
Sherrod DeGrippo: I love that because that's actually One Microsoft is at my one year because I've only been with Microsoft two years now. At my one year, I wrote a big LinkedIn post about how my favorite thing about Microsoft is One Microsoft, which --
Charlie Bell: Oh, you did.
Sherrod DeGrippo: I did.
Charlie Bell: You too.
Sherrod DeGrippo: I love it because I've been in tech for 26 years, and Microsoft is very unique in that cultural landscape of me saying I need this data. And someone with nothing to gain and no benefit says, Oh, I can get that for you. One Microsoft. Haha. Sure.
Charlie Bell: Yeah, yeah, yeah.
Sherrod DeGrippo: And you're just -- you'll do what for me? Really?
Charlie Bell: Why? Why? Wait a minute.
Sherrod DeGrippo: You're helping for nothing?
Charlie Bell: Yeah, yeah. Absolutely.
Sherrod DeGrippo: I love that too. Thank you so much, Charlie Bell, EVP of Security at Microsoft. Again, this is my boss's boss's boss, everyone. Thank you for joining us.
Charlie Bell: Oh, look. Every -- you've got to know Sherrod is awesome at what she does. So thank you, Sherrod.
Sherrod DeGrippo: Thanks, Charlie. And here we are back again, celebrating the 50th anniversary of Microsoft. And I am joined by my actual friend and coworker, Stephanie Calabrese, Principal PM manager at Microsoft. Stephanie, I'm so excited to work with you. How are you?
Stephanie Calabrese: I am well. Thank you so much. I'm very excited to be here chatting with you today, Sherrod.
Sherrod DeGrippo: Now, Stephanie, you're kind of a bit of like a mover and shaker underground celebrity that a lot of people know but don't know. So tell me a little bit. I think one of the biggest things you're known for is the Microsoft party at Black Hat. So what's some behind-the-scene things that we can know about that?
Stephanie Calabrese: Absolutely. And that's a perfect way to describe it. I usually am behind the scenes, and sometimes I like it that way. But here we are talking to the community, and I'm really excited about that, as well, because that is what we do. We are here to engage with the community. And one of the favorite things that we do each year is the annual MSRC Black Hat Celebration, where we bring together the best of the brightest researchers which are either our MVRs, who are our most valuable researchers who have participated in our Bounty Program and have earned great bounties, as well as all of the fun rewards that come with being a researcher. We invite key players that are across the industry. We partner with all of the friends across Google, across Meta, really bringing us all together. And then, of course, we bring our amazing Microsoft people from our red teams, MSRC, threat intelligence, all to come to have these conversations and get to know each other and celebrate the work that we do each year. And you've gone the last couple of years, and hopefully anyone who goes knows that we really want to lean into this community. And we try to show everyone a good time, and this year should be no exception.
Sherrod DeGrippo: I think something that's so important about the MSRC Researcher Celebration at Black Hat every year is that I always talk about trust and how we have to really trust each other as a community. We have to know each other. And so taking the opportunity to sit down with someone, even just to have, like, a quick bite or, you know, a glass of wine or whatever it may be and actually meet that person face to face, it really changes the game. And I think it's important that -- that listeners understand that you're part of making those connections for people so that we in the community can trust each other face to face.
Stephanie Calabrese: That's a really good point. So many, especially if you look at the researcher industry, we're all over the world. And they don't always have an opportunity to travel. And so we even find when people come to Black Hat, they know who each other are by their reputation or by their social presence. But they don't know each other. And it's not always easy for everyone to go up and introduce themselves and break into conversations. And so a big part of what we want to do is help you to foster relationships, not only with, of course, people in MSRC or Microsoft but with each other so they can collaborate, so they can work together. As I mentioned, we partner really closely with our partners in Google, and we have them come. We're trying to build these relationships across the board for us all to be able to, at the end of the day, make the world safer from a digital perspective.
Sherrod DeGrippo: I love that. I love that we're so committed at Microsoft to making that community happen. One of the other things that Stephanie is also in charge of is the vaunted storied BlueHat. Stephanie, for those who don't know because we are talking to a group of intelligence nerds, what is BlueHat?
Stephanie Calabrese: BlueHat is actually in I believe its 20th year now. BlueHat was started many years ago by some amazing folks, Window Snyder, Kimberly Price are some of the pioneers who started BlueHat. And it's grown and evolved like security and like technology has. And we hosted annually in Redmond, and now we are doing our second year in India. And the purpose of BlueHat is really just, again, similar, to bring the community together to be able to share either research that they're working on, amazing things that they found, ways that we can uplift the community. And it's done through talks. It's done through various engagements. It's done through the hall con, as you say, when people are out in the hallway getting to know each other and build those relationships. So it's really continuing what we want to do at Black Hat, but we get to bring everyone to campus so we can bring our amazing leaders, our product teams, all of these people. We have researchers, or we have attendees that say, you know, I really have a question on this product or I want to understand something, and we're able to connect them with those product teams to help them do better and faster research. And that's all what we're trying to do is bring us together to know how we can improve from a security perspective.
Sherrod DeGrippo: BlueHat, I've been a few times as an external attendee. I come as a Microsoft employee. And I remember, I guess it was two years ago now, Jason Haddix was the keynote. He did a fantastic keynote, one of the best I've ever seen, walking through an incident that he worked. And later that day, we were in the village, which Stephanie also sets up a villages area with all different kinds of, you know, lock picking and maker spaces and all different things you can do. And one of the activities in the village was soldering a Clippy light-up badge. It was -- I still have mine. I'm so happy that I have it. I'm going to all wear it to the next Vegas event. But I remember I saw Jason Haddix in the villages, and he kind of looked at me. He was like, You want to build a Clippy badge with me? And I was like, Yes, I do! We had such a good time. So I think that's important. And I think, Stephanie, sometimes Clippy comes to BlueHat.
Stephanie Calabrese: Sometimes Clippy does make an appearance at BlueHat, which is quite exciting. And it's funny because I was actually surprised how excited people got about Clippy. And I think it's the nostalgia, and people love it. And we've all leaned into this, right? We look at ways that we can have Clippies show up and surprise and delight us. We sort of joke that Clippy is the original AI, our person that's there to help us. And we love it. And, you know, I love it you're talking about Jason because that's one of the magical things about BlueHat. We had this similar -- you know, the last BlueHat we did, we had Chris Wysopal there. We have folks like John Lambert, Mark Russinovich. All of these amazing leaders at Microsoft come. And they will sit down next to you and lock pick with you, or they'll do the solder. They do these things because they are really invested in this community as well. And it's just incredible to be able to have folks from around the world that maybe don't have the opportunity to engage in either a typical corporate environment with these product leaders or these security leaders and see them build their relationships. It's really rewarding and exciting to see.
Sherrod DeGrippo: I loved it. I had a really good time. I just want to ask you just a little bit of behind the scenes, really quickly, about Clippy. So there is an actual Clippy that I want people to understand. Clippy itself -- not sure of the gender of Clippy. Clippy themself comes out and meets and greets you, will sign an autograph, and will take photos with you. And that one year I was -- I don't know if I want to say I was assigned by you or if I just pushed my way through, but I did get to be a Clippy handler one year. And, as you're walking the Clippy out from behind the scenes into the crowd, people literally pushed me aside to get photos with Clippy.
Stephanie Calabrese: Clippy is a celebrity.
Sherrod DeGrippo: Clippy is a celebrity. I have never had so many people shove their phones in my hand and say, take my picture with Clippy. These are strangers. These are not my coworkers. These are just random people at BlueHat that saw a human body and were like, Get my picture with Clippy now. And I will say, just as a shout-out to one of our other coworkers, we do have a version of Clippy that has real big guns, that has, like, big biceps. And that's -- you know, sometimes Clippy works out.
Stephanie Calabrese: Clippy does sometimes work out. And another little fun behind-the-scenes fact is there's actually arguing of who gets to be in Clippy. So we have to -- everyone wants to go because you're a celebrity when you're in Clippy. So we've had Sarah Young in there, Alex DeDoncker, I mean, most of my team has been in there. But people want to be Clippy because it is so much fun. It does get a little warm in there.
Sherrod DeGrippo: Yes.
Stephanie Calabrese: So that's why it's nice that we have people who want to switch it out. But, yeah. Clippy is just so beloved. And now that we've seen it, we've -- if you ever go to BlueHat or if you go to Black Hat, you'll start to see Clippy making appearances on stickers, on pins, and other little things. And with one of our new events that we have coming up, we're really excited about with Zero Day Quest. We have some other fun things that I'll give you a sneak peek. Sherrod, you're going to love it.
Sherrod DeGrippo: Okay. So let's talk about that. I know at Ignite this year Satya himself talked about the Zero Day Quest, which is coming up soon. There's a lot going on with it, and I want to get some more details. Tell us about Zero Day Quest.
Stephanie Calabrese: We were really excited that Satya announced this at Ignite. What we've done is we are inviting our researchers that are on our leaderboards across Identity, Azure, M365 Dynamics and Power Platforms. We invited them to Zero Day Quest, but then we also opened a qualifying period between November 19 and January 19. And anyone who submitted an important or critical severity across those programs are invited to join us in Redmond. It is kicking off on April 1. We have some amazing engagements where the researchers are going to come in. They're going to work directly with the product teams. They're going to work directly with MSRC. We're going to be helping them find those potential vulnerabilities, and we will be giving awards right on the spot. There's going to be some fun awards at the very end. And then, of course, in the style that we do, we've got amazing activities from baseball games to the Space Needle to an excellent Italian restaurant in Bellevue. Their -- their card is going to be packed with fun, great people, driving amazing discussions and hopefully finding some vulnerabilities out there that will keep our products, services, and ultimately our customers safer.
Sherrod DeGrippo: I love that. So you're really right at the forefront working at MSRC, the Microsoft Security Response Center, making sure that security vulnerabilities are found, remediated, understood by Microsoft. And I think that's just such an incredible thing. We've got to have more people from MSRC come talk on the podcast. But I really appreciate you being here, and I hope to see you soon. Well, you know that you can't get away from Sherrod.
Stephanie Calabrese: I can't. I know. I think in Vegas people see us and are like, Oh, my God. Sherrod and Stephanie together. There they go. They're in trouble. There they go, there they go.
Sherrod DeGrippo: Well, I hope I don't have to wait till August to see you. That's way too long. We're going to have to find time before that. Let's see what we can do. Thanks for joining us.
Stephanie Calabrese: Thanks for having me.
Sherrod DeGrippo: I am here celebrating the 50th anniversary of Microsoft with my friend, coworker, and my former boss. He is the reason that I am at Microsoft, CTO, CVP, and Security Fellow. It's John Lambert, everyone. Hi, John.
John Lambert: It's great to be here, Sherrod.
Sherrod DeGrippo: Thanks for joining me. I wanted to share a quick story before we begin that you are the reason this podcast exists, not just the reason I'm at Microsoft. But John said to me about a year and a half ago, Sherrod, I want you to do a podcast. And I said, Great. Whose podcast is it? I'll go on a podcast. And he said, No. You're going to make a podcast and run it. And I said okay, and we've been doing great ever since. But this is the first time you've been on.
John Lambert: Yeah. How did that work out?
Sherrod DeGrippo: I don't know. There's a lot of people clamoring for spots. I had to get Charlie Bell on first so.
John Lambert: There you go. There you go. Yeah.
Sherrod DeGrippo: So you've been at Microsoft, how many years?
John Lambert: This will be my 25th year. And since this is the 50th anniversary of Microsoft, I think of it as I've been here for half the company's life but 100% of the cyber.
Sherrod DeGrippo: 100% of the cyber. What a designation. Do you remember when you first started, like, what your first early days were like, like your first day of work at Microsoft, what that was like?
John Lambert: I do. I started as a program manager in the Windows team, in the Windows Security team because I was doing -- I fell into security, and that was the biggest team doing security stuff at Microsoft at the time. And during my new employee orientation, there was always an executive speaker. And our executive guest speaker was Bill Gates.
Sherrod DeGrippo: Whoa.
John Lambert: At the end, they're like, All right. We're going to take questions from the audience. And so I thought about what my question would be because how cool would it be in the year 2000 to go ask Bill Gates a question on your first day at work? And so I did.
Sherrod DeGrippo: What was the question?
John Lambert: I asked him -- he had just taken on a new title called Chief Software Architect. And so I said, What is that all about? And then he kind of made a joke. Like, he was at some other talk before that. And it said, Explain CSA. Explain CSA. And he was like, What the heck is CSA? And they said, Bill, it's your new title, Chief Software Architect.
Sherrod DeGrippo: That's so cool. And so do you remember any of the subsequent we're 25 years old, we're 30 years old, we're 35 years old. Do you remember earlier anniversaries and what those were like?
John Lambert: Yeah. I mean, every five years you get a memento at Microsoft, typically a crystalline statue.
Sherrod DeGrippo: Yeah. Your office is full of them. I've seen.
John Lambert: I have a bunch of them. Yeah. And I kind of had three or four major epochs of my career here, my time in Windows and then my time after Windows in the group called Trustworthy Computing and then kind of the time in MSTIC since then. And so each one of them was sort of a big phase of the career working on something quite different but born on the heels of the previous one. And I think most folks that work at technology companies, if you go look at their career, you know, their careers are various titles that they got; but it's all what they worked on. They worked on this product. They work on that product. And I feel like in -- in our world of security, it's which vulnerability did we work on, or which attack did we work on? You know, it's Nimda or Blaster or Stuxnet or NotPetya. Those are the milestones of our career.
Sherrod DeGrippo: So you created MSTIC, essentially, Microsoft Threat Intelligence Center. Why? What caused you to say, Hey. We need some kind of threat intelligence capability?
John Lambert: Yeah. This goes back to like 2014. So November 2014 is when I sent the email announcing the creation of a team called MSTIC. And kind of what was going on then at the time, you know, if you go back a few years before that, we were starting to see pretty spectacular hacks affect the private sector. You know, they've been going on for quite some time but in sort of the defense industrial base, the military, the government. And they were certainly starting to trickle out and go beyond those to many companies in the private sector. There was the hack of RSA and the theft of the seeds for these SecurID tokens. You know, there was a big hack of Yahoo! and Sony Pictures and a bunch of other things that were going on and -- but, at Microsoft, there was -- also goes back to the birth of our cloud. And so these threat actors, which we heard about and knew about, and customers would tell us about how they had to face them, they were dealing with them largely on premises. And as our cloud got built out, both for Office 365 and for Azure and those customers facing those adversaries moved into our cloud, their adversaries followed them into our cloud. And so not only did we have some responsibility because we had the cloud with their data in it to protect them better but also we could really start to see these attacks like never before because they had to come through our cloud to go after those customers. And, basically, if you think about, in every vertical and in every geo, these customers face their own set of threat actors. As all of those geos and verticals basically onboarded to our cloud over time, suddenly we're seeing more and more threat actors than ever before. That's probably a big Part 1 of the story. The other part was Microsoft had many teams that had security teams. We had Azure. Azure has a security team; Office, same thing; Windows, same thing and so on.
So all of these product areas, services, environments had security teams, but there was no security team focused on the adversary. And we learned through being involved in these different incidents that you really needed to study the adversary. They study us. They study our customers. They study our technology. Who's studying them? Because, by the time that threat actor comes and interacts with a Windows, an Office, or an Azure, you know, that's way too late. You don't know everything they're up to. And you may discover that too late unless you're tracking them all the time. And so that sort of led to the notion of we should have a team at Microsoft that acts Microsoft-wide, that is focused on the adversary and that is a central team for all teams at Microsoft, not just focused on one particular environment and protecting that. And that's why I chose the letters Microsoft Threat Intelligence and Center. And that goes back to the origin of it.
Sherrod DeGrippo: Okay. So you send out this email. You formed MSTIC. What were some of the, like, early days? Like, what are some of the first things that actually happened or got done as that was coming together?
John Lambert: Yeah. So, in the early days, I would say, if you're in the threat intelligence world, one of the things you realize very quickly is your world is about data. Data is how you see attacks. And later I came across this quote that, really, I felt like summed up a lot of our world and threat intelligence, which is, Every contact leaves a trace. And that was said in the 1800s by a French criminologist who was, like, the first -- if you ever watched a detective show and you kind of wonder, like, who was the first detective that was piecing together these clues, thinking about evidence and things like that? It was -- this person is the father of it. And his insight was, you know, there's this thing called evidence. There's a bloody footprint, there's a broken window, and there's fingerprints. And, if you look at them, they are stubborn facts. And so every contact by a criminal leaves a trace. And in our world today, every contact by a threat actor leaves a trace in a log. And, if you collect enough of those logs and you understand how threat actors operate in terms of their techniques and TTPs and so on, you know how to look for those that are their attacks in disguise in these logs. And so a huge part at the time was us understanding what datasets did we have at Microsoft that we could study threat actors? What would reveal the fingerprints of their attack across the attack lifecycle, not only in victim space but also in threat actor space? And so that was a huge pursuit of what data do we have? How do we get good at dealing with data at the massive scales that a cloud company like Microsoft has and understanding how we go build a methodology and analytic ability to go get those insights? The other half, I would say, was building out partnerships to get insights into threat intel. You need to find out who else is pursuing these threat actors? Who else is chasing them? 
And that leads to meeting I'd say like-minded people within technology companies, security companies, victim companies, target companies, government, you name it, and building up partnerships of trust with them where you're sharing these scarce ephemeral hard-to-get insights from these attacks. And then you're building these relationships of trust to share them among each other, intersect them through your own data, contribute back to that process so that you can understand more and more collectively about these threat actors and try to discover what they're up to.
Sherrod DeGrippo: And I know you work a lot with different people in the community at different organizations and our partners and things like that to really impact globally the security of the digital world. And I think, from my experience, even before I joined Microsoft, MSTIC has an outsized impact on being able to secure globally just because of the reach that Microsoft has. What do you think the impact of MSTIC has been over these past 10 or so years that it's been in business? Like, what have you seen make good changes that MSTIC has done?
John Lambert: Yeah. I mean, 10 years in cyber feels like 100 years in anything else maybe. But today we hire people into MSTIC or partner teams that we work with, and it's a little bit almost like of course we would have a team at Microsoft that does this. It makes so much sense. And, at the time, that was actually fairly novel to do that because we were not a security company really 10 years ago and the way we are now. We were certainly not in this world of all these geopolitical events and cyberespionage that surrounds them. And this was really before the rise of ransomware and that ecosystem. And we didn't do this. This was not part of a product, building this team. Like, Aha. We're the security team of the product that we're selling, and that's how this thing is funded. And so the team was kind of sponsored by leadership that understood what we were up against and what customers were up against in terms of these kinds of threat actors and so on. And so we basically got sponsored in that way. And we always tried to make a number of kinds of difference, even in the early days. So one was, well, we can see things through our lenses that other people can't see. And so we feel responsible for partnering well, respecting equities, learning insights, and then sharing back those insights in appropriate ways to contribute to a greater whole of understanding what we're all up against. That's one. Two is we're building all this pretty crucial technology as a company. And the Product teams, the Service teams need to know what customers are up against, what threat actors are going to do to it, how will they abuse it and so on so that it can be made safer. So sharing those insights about threats with those teams helped them build safer technology from the get-go because they could learn from that. And then I would say, as we started to have more security product offerings, we wanted those security product offerings to reflect the strength of what MSTIC knows. 
And so we built technical integrations from things we knew about threats in terms of detections and so forth to the very security products so that, if we knew about it and a product could block it or intercept it or whatnot, that that happened.
Sherrod DeGrippo: I think that it's interesting how, you know, closely coupled detection engineering and threat intelligence are at Microsoft in terms of the threat intelligence analysts, they see some new TTP, they see new behavior from a threat actor or sometimes even things that they just kind of say, Oh, this could happen. And there's this really close relationship and collegial relationship between threat intelligence analysts and our software engineers or our bug hunters or our vulnerability hunters to say, you know, I think this is something that we need to make, or this is something that we need to create and that's very threat intelligence driven. And then I think we also see a lot of detections go back into the Intel world that we have. And we say, Oh, you know, that one didn't quite work how we wanted; or this one ended up being absolute gold and caught things that we never could have found. And it was originated from the Threat Intelligence teams, or from MSTIC.
John Lambert: Yeah. Maybe one comment on there is a lot of folks that, you know, if you've ever worked on a security product or know people that do, they're expected to block the majority of the attacks that come through because, if they don't, what's a customer paying for. And so you end up having to build a promise of blocking, you know, 99% or whatever, of phishing or malware or whatnot. And these attacks by these sophisticated threat actors are always small volume. They're always really tiny. And so they're never volumetrically ever going to show up on any radar of any dashboard of any kind unless you study the adversary. And so, as people came to understand, these attacks have a higher risk, even though they're low in volume. And maybe customers are not complaining about them because they're more complaining about the phishing getting into their employees' mailboxes that are driving help desk calls. They understood that these attacks, today we would -- everybody knows these attacks are dangerous. But, if you go back 10 years, they were -- it was less obscure. You know, it was more obscure about how these things led to ransomware, how these things led to phenomenon that are common today. And so there was, I would say, both an educational part of, as we learn more about these attacks and shared them, what people built in security products, that they also gained greater purchase on sort of the consciousness of customers that they had to worry about them. And then these teams are very complementary.
Sherrod DeGrippo: That's really interesting. Something I know almost nothing about, quantum computing. What do you think the security aspects of that are going to be?
John Lambert: Well, I'm not an expert in it myself. But, when I joined Windows, I was the crypto API program manager. And so that was the PM for the part of the security libraries in Windows that dealt with the hash algorithms and public key cryptography and certificates and all of that stuff. And that world was like, hey. This hash algorithm for cipher is outdated. It has weaknesses that have been found and proven in it. Therefore, we have to migrate from, you know, MD5 to SHA-1, from SHA-2 to SHA-256 and so on. And don't use this mode of this cipher. And so deprecating these cipher suites, that was back then, 25 years ago. We knew we had to do these planned migrations of things because people could find these weaknesses. And then those weaknesses could actually not only be theoretical weaknesses demonstrated practically but actually maybe demonstrated practically in a way where you could weaponize it on an attack, you know, kind of thing. And we indeed did see novel cryptographic attacks in some of the incidents that we had to respond to, notably the Flame incident. And so this notion of, like, you have to have crypto agility is what we called it where whatever set of cipher suite that you're using, you have to be prepared to move to the next one. And the code needs to not hard code those things. You need to be able to, like, devolve it over time. You know, those are the same practices today. So as the ability for these algorithms to get better, for quantum to get better and more materialized, there are, at the same time, already quantum-resistant algorithms. And so that's a whole area of research and technology. And, again, it's another migration to quantum-resistant things, that it's the same journey of the past.
Sherrod DeGrippo: So I'm going to wrap up. But, John, just kind of as a final thought, what's kept you in it so long? Any advice for people who are in security and want to have such a long career as you?
John Lambert: Yeah. I think there's a couple of ingredients. One is, you know, if you have a curiosity about things and want to learn, this is certainly a fascinating place that will keep you there. But I also have to say getting a break from it is actually really important. Like, we talk about work-life balance at work. You have to have things outside of work that recharge you and rejuvenate you. And I don't know what it is about cyber. Maybe this is technology where people pick up these hobbies like hiking or blacksmithing or farming or whatever it is they do, you know. But, like, it's like their hands are in the earth, and there's dirt involved in them or something. And, you know -- and I -- I was born in Louisiana. We didn't hike. It was hot, you know. But, you know, here the beauty in the Northwest is alpine lakes wilderness, beauty forest mountains. And so finding ways to connect, for me, that's connecting with nature and going on hikes and things like that. But finding ways where you make sure you build in time to recover. And, you know, if anybody out there manages analysts or SOC people or whatnot, you have to build in that preventative time to recover from the thing where you're getting interrupted all the time. And that downtime is really important. Always thought, like, if you let -- you know, you may love your job or love the area. But, if you let work become your life, when your job sucks, your life sucks.
Sherrod DeGrippo: Yeah.
John Lambert: And, you know, you don't want that. You want to make sure that, to stay in it, you build in time to restore. And you find things that do that, and you prioritize it. And, if you do that well, you'll be happier when your time is taken on things as these cyber things tend to do.
Sherrod DeGrippo: I think that's true. And I know I've seen you post some of your hiking pictures. They look amazing. Too cold for me. I've seen the snow. But I'll let those of you listening know that, just about whenever you see John, he's got on some kind of pseudo hiking gear, ready to go. I feel like you're always ready for someone to just say, Grab a stick. Let's go hike something.
John Lambert: It's like I'm ready for a hike to break out at any time.
Sherrod DeGrippo: I know. You are. Thank you so much for joining me. This has been John Lambert, CTO, CVP, and Security Fellow at Microsoft. Thank you so much. Scott, welcome to The Microsoft Threat Intelligence podcast. You've been at Microsoft for 24 years. Give me a quick rundown of the difference between when you started and what Microsoft is today.
Scott Woodgate: Oh, wow. Well, hey, Sherrod. It's great to be here. And you started with the most uncomfortable topic for me. So thanks for that. Clearly, I'm not as young as I used to be. Actually, I joined the company -- just if you bear with me a second they gave us a book. I think I joined in September 2000 which was, you know, only a few months after the April anniversary of the 25 years. And I was actually looking at last night this inside out book that we created. At the time, you could put all of the names of the people who are at Microsoft in small fonts on the front and the back covers of the book. So, literally, every employee was on that. You couldn't do that now. You know, it's been an incredible evolution for the company over just the time I've been here, which is only half of the company history. I mean, security wasn't a huge, huge topic, although it honestly quickly was with those XP SP2 was perhaps one of the first moments that security played for me. And then, of course, has continued to be a growing and growing theme throughout the company and then also in my career as now I'm focused on threat protection.
Sherrod DeGrippo: So tell me a little bit about XP Service Pack 2. What was that like? Because I was in tech, but I wasn't quite in security I don't think at that point. So what was the sort of general understanding of security and what it meant when all that was going on with XP?
Scott Woodgate: Yeah. So I also wasn't in security at the time, so I was more observing from the outside. But it was very clear that we needed to do a lot of work there. And my understanding from those who were involved in the project was there was just a lot of focus on making SP2 more secure as we move forward. So one of the things that I've learned at the company is we may not always get it right the first time; but, when we pick a problem and decide that's the most important thing, there's a lot of amazing things that happen, you know. Sometimes it takes a crisis to have us respond, unfortunately. We're getting better at learning that. But this was an example, I think, of one of those occasions where it was like we just had to go do a much better job. And everybody bands together, and everybody starts collaborating and innovating; and we end up at a better place. I actually think we're doing the same type of thing with the Secure Future Initiative right now, you know, the biggest cybersecurity effort ever in the industry. Same type of thing. I wish we were always amazing, but there's so many priorities out there that, you know, sometimes we let things slip; and we need to make them better.
Sherrod DeGrippo: I remember when the Secure Future Initiative, or SFI, as you might hear it referred to if you're listening, when that first started I want to say a little over a year ago when it sort of started coming together, my boss at the time, John Lambert, said -- because I had just started with Microsoft. He said to me, Sherrod, I am so glad that you are here for this. And I interpreted that as him meaning, I'm glad Microsoft has you. But I also interpret that as him meaning, like, I'm glad that you get to experience this in your career because he was here for Trustworthy Computing and really connected with that. Like, that really got into his DNA. And, you know, he's a fantastic security professional. But he was very excited about SFI being, like, the next evolution. And I love the fact that we have such a big commitment to security after 50 years because, one, there's not a lot of tech companies that are 50 years old. You don't see that a lot; but, two, the fact that we are continuing to evolve as a security provider I think is really cool.
Scott Woodgate: Yeah. Look. I'd agree. If you go back in time, I think we created a runtime for something Windows or servers or cloud. And then, oh, yeah. You need some security with that. And sometimes it was -- obviously there was some foundational things at the beginning. But sometimes there was, you know, fairly significant gaps measured in years between when the runtime came along and when the security stuff came along. The last one I was involved in, I guess that was cloud security where initially we had the Azure runtime. And, for a moment there, everybody thought that all cloud runtimes were secure. Obviously not any of the people you talk to but broader CISOs or CEOs thought that, which was just not right. And then we had to build a bunch of tools to enable cloud security. And we felt pretty good that we did that maybe three or four years after we built cloud security, maybe 10 years after Amazon started it. And now, if I jump forward to AI, we're building AI runtimes, and we're building the security for those AI runtimes almost hand in hand. One has to follow the other but so, so much closer from a gap perspective. So over that course of time it's been amazing to see how we think about security at the same time as we think about runtimes versus when you were back, you know, 25 years ago, it was always the problem that got solved after you shipped the runtime.
Sherrod DeGrippo: I think, too, we're in this, like, third evolution. I think it used to be that you secured software in a box. Like, you -- I remember waiting in lines outside of office supply stores to go get my box of Windows, right. So you had to secure that physical box. And then the cloud came, and we had to secure the cloud. And I think now we're pushing into that reality where we're looking at the security of AI, which is a new interface, a new type of computing, a new type of resourcing. So I think that the Secure Future Initiative came at a really important evolutionary time in security where, you know, we've got the cloud under our belt. We're really handling security in the cloud now. The boxes days are gone. You don't buy a box on a shelf anymore. And I think that next AI evolution, how we're securing AI and how AI is deployed securely within organizations is going to be the next kind of frontier of what security has to grapple with.
Scott Woodgate: Yeah. I totally agree with that. I have a funny box story. I'm not sure it's appropriate to share it but --
Sherrod DeGrippo: No. Do a box story, do a box story.
Scott Woodgate: Oh, I'll give you a box story. We may have shipped an enterprise product with a time bomb in a box at one point that was supposed to be the production version. But, anyway, as you mentioned, there are -- there are a lot of boxes that were wasted as a result of that, as the time bomb was removed and we subsequently re-boxed it up, but --
Sherrod DeGrippo: Is that like destroying CDs in a shredder or something?
Scott Woodgate: Yes. Yeah. I mean, and all the cases. I don't know that I still have one. I think it was a running joke for a while that a few of us had a piece of expensive software that was in a box, but it was time bombed about 20 years earlier at this point. But, anyway, all good. Those are the early days.
Sherrod DeGrippo: I think that's one of the things that I really actually love about Microsoft is that there really is this attitude and this culture of, Hey. That's not going to work. That's not right. Let's not -- oh, don't like that. Let's fix that and move on. And there's really this kind of like forward momentum all the time of there's security work we've got to get done. Let's keep this machine moving. We tried this, and it wasn't the best practice; or it didn't work out the best. Let's figure out the way forward from here. Microsoft doesn't tend to get paralyzed by sort of mistakes. I feel like we're constantly looking for the next innovative best practice thing to.
Scott Woodgate: No. 100%. And to your point, that's obviously not so much a security story. But the very first item in the backlog for the next -- when you used to ship versions of products, in the next version of the product was remove the time bomb. So it was just like custom in that group ever since to put that in as the very first time.
Sherrod DeGrippo: I'd love to be the engineer that had that assigned.
Scott Woodgate: Learning and moving further forward is good fun.
Sherrod DeGrippo: It's like, Okay. Now this is your problem now. Yeah. Get that taken care of. But I feel like security really is an evolution. It's a process, not a product, as Bruce Schneier says, I completely agree with that. We are on the security process. It's a process, and we work the process every day at Microsoft in every direction that we can. So I just kind of want to ask you one more thing before we wrap up a little bit, which is, you started at Microsoft almost 25 years ago. Do you remember your first day, what it was like?
Scott Woodgate: I do remember my first day. We had this thing called NEO. Actually, we still have this thing called NEO.
Sherrod DeGrippo: I did it. I did it two years ago.
Scott Woodgate: Yeah. New Employee Orientation. So things I remember about NEO, this probably -- obviously, I've been at Microsoft for a long time; and I'm privileged as a result. But I distinctly remember being in a line of kids with NEO who were reflecting that, if they just stayed here for another seven years, they probably wouldn't have to ever work again because, if you went backwards from the year 2000 when I joined, that would have been true. The share price, I think, stayed flat for the following seven years. So that wasn't the case. Anyway, so I remember that. And then I also remember a guy -- I think his name was Steve Sloan, who was our spokesperson, who was showing us a Windows tablet that you could read like a book. And so it was very much, you know, Kindle before Kindle. And so it was a great idea that we didn't necessarily execute well on. And, you know, at Microsoft, we've executed on so many ideas so well at massive scale. But there have also been some that, you know, got away, the mobile phone being one of them, this one maybe being another one. But, like, to see that in 2000 well before any of those things became practical and, you know, at the right price point for people was just interesting.
Sherrod DeGrippo: That's amazing. I love hearing people's first day stories that have been here for a long time and kind of what they remember, what that was like. Well, Scott, thank you so much for joining me. We're celebrating the 50th anniversary of Microsoft here on The Microsoft Threat Intelligence podcast. This has been Scott Woodgate, General Manager of Threat Protection, and my friendly coworker who I'm so happy to see because I haven't seen you in a while. So thanks for joining.
Scott Woodgate: Oh, thanks for having us, Sherrod.
Sherrod DeGrippo: Thanks for listening to The Microsoft Threat Intelligence podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more; and subscribe on your favorite podcast app.
