Security Unlocked 11.24.21
Ep 52 | 11.24.21

Trusting Your Hybrid Workforce

Transcript

Nic Fillingham: Hello, and welcome to "Security Unlocked," a podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft's security, engineering and operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft security, deep dive into the newest threat intel, research and data science. 

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft security. 

Natalia Godyla: And now let's unlock the pod. 

Natalia Godyla: Hello, everyone, and welcome to another episode of "Security Unlocked." Welcome, listeners. Welcome, Nic. Today we have Carmichael Patton on the show with us. Carmichael is a lead architect for Microsoft's internal zero-trust deployment, and he will be joining us to continue the conversation on the Microsoft Digital Defense Report. So a couple of episodes ago, we had Sian John join us to talk about the Microsoft Digital Defense Report as a whole, but today we're going to go through one of the chapters in particular. Carmichael had a heavy hand in the hybrid workforce security chapter and will discuss that chapter and all of the insights that his team has pulled together. 

Nic Fillingham: Absolutely. So this is the 2021 edition of the Microsoft Digital Defense Report. You can download that at aka.ms/mddr. And Carmichael is talking to us about Chapter 5, the hybrid workforce security chapter. This chapter represents sort of a look-back of the previous 12 months, July 2020 to June 2021, roughly sort of around that period. It's the U.S. financial year calendar. We think this was sort of like the first full 12 month period of hybrid work where, you know, Microsoft in particular had made that switch, that full switch to hybrid work. And so now we were living hybrid work 365 days. And so what you find in this chapter is a really unique combination of insights into how Microsoft implemented zero trust and how that sort of played out over that period. 

Nic Fillingham: But then Carmichael sits in a really interesting place in Bret Arsenault's group at Microsoft. Bret is our chief information security officer, where not only is he designing the zero-trust architecture for Microsoft employees - so Natalia and I, we're benefiting from that as sort of end users as part of Microsoft as their customer - Carmichael and his team also get to chat with other customers and see how they're implementing zero trust and sort of bring all that together. And the output there is sort of this sort of ever-evolving best practice of zero trust in a hybrid workforce world. So Carmichael gives us a really good sort of harbor cruise through Chapter 5 of the MDDR. 

Natalia Godyla: And for anyone who is interested in going a little deeper into zero trust after this discussion, there's also a great link, aka.ms/zerotrust, where you can go to access more materials to learn how, you know, Carmichael and team have been implementing zero trust and the best practices that they've been learning along the way. 

Nic Fillingham: And with that, on with the pod? 

Natalia Godyla: On with pod. 

Nic Fillingham: Carmichael Patton, welcome to the "Security Unlocked" podcast. Thanks for joining us. 

Carmichael Patton: Hey. Thanks, Nic. 

Nic Fillingham: Carmichael, this is the first time we're seeing you on the podcast. So would you give us a quick introduction? Who are you? What do you do? What's your day to day look like? What's the Carmichael Patton story? 

Carmichael Patton: The Carmichael Patton story, yeah. So I think (laughter) - there's a lot going on there. So I'm - inside of Microsoft, I'm a senior project manager, a program manager here at Microsoft. But my role is more on the architecture side of things. I've been the lead security architect here inside of Microsoft for our zero-trust internal strategy. Traditionally, I focus a lot around that non-Windows or, I like to call it, the non-Microsoft aspects. So what about iOS, Android, Mac, Linux, not just in client spaces but on, you know, Azure and the, you know, server resources and things like that, as well as containers, open source workflows and things like that, just making sure that we're internally carrying them as a business, as an enterprise, not just, you know, Microsoft selling these to customers, but actually as the internal team that's responsible for protecting Microsoft. 

Carmichael Patton: Day-to-days is insane (laughter). Working with groups like we did here with the MDDR team, putting the latest MDDR together, working with - you know, across Microsoft groups on our zero-trust strategy, not just our internal efforts that we do, but, you know, working with the different product engineering teams to really get an understanding of how we're doing zero trust and how we, you know, can put all the products together to try to make it work and where it doesn't for us working with them to, how do we get it to be better, not just for Microsoft, but for our customers as well. So a lot goes on in the day of the life of (laughter). 

Nic Fillingham: I'd love to know a little bit about your specific journey with zero trust at Microsoft. Microsoft has been talking about zero trust for a while. But not only been talking about it, we've been actively living, breathing, walking the walk, talking the talk. So from your perspective, how long has the zero-trust journey for Microsoft been going on? I mean, it's a number of years at this point, right? 

Carmichael Patton: Yeah. I mean, I think it's a myth to think we just started it overnight and got to where we are today, right? I started - it's hard to believe - six-and-a-half years ago at Microsoft. And I think the non-Windows standard - again, I'll focus on that for a second - was written on a tablet back then. It was thou shalt not have non-Windows. But clearly, Microsoft has been in the non-Windows game for a long time, whether it was Skype that was based on, you know, old Debian platforms or - Xbox sits on Ubuntu servers or whether it was our, you know, different aspects of the company we're developing for Mac, for Office - you know, all those different things that we put out into the communities to support all of the different platforms that we build on. And, you know, I think there was just sort of a behind-the-scenes thing. And so we, you know - even before that, we were starting on our sort of, how do we manage BYOD journey? - and all those things. But I would really like to think that it was at least six, six-and-a-half years ago where we really started focusing in on, what is device management to us? What is identity to us? What are - you know, what are all those things that we had to do as a business to get to the point where we are today? And a lot of what we do is recommendations for zero trust - are the same things we started with six-some-odd years ago on that. So we've been on this journey for a long time. I think we didn't really rally around the banner of zero trust until about 2018, late 2018, when we had a lot of requests from Bret and some of the SLT about how some of our competitors were doing things. And why isn't Microsoft doing what they're doing? And it really became, well, we do actually do a lot of those same things, but we do it here, and we do it here, and we sell it here. We do this here. And it wasn't really as a come-together story that really simplified it. 
And I think that's where the birth of zero trust inside of Microsoft started - was just trying to pull all that together and really make it that sort of common framework, common language that the industry was sharing to really start getting it out there into what we were trying to do. It also allowed us internally to pull all the different work streams in. So as you're looking through the MDR - MDDR with, you know, identity and devices and applications and networks and all of those things that make up zero trust, we had different teams doing different sets of those work. And how do we have to get all of those teams on the same page with, what are we delivering? How are we delivering it? Where are we going with it? So, you know, like you said, we've been doing it for a long time. We rallied around the banner of zero trust, and we're still doing it today. It's a journey, not a destination. So we're deep in the middle of it but doing a great job. So... 

Nic Fillingham: Zero trust is going to feature pretty heavily in today's conversation. So I think before we jump any further, let's just sort of reorient our listeners that maybe aren't super familiar with the concept. Or they have heard it, but they're - you know, they're not really sure what it breaks down to. So, Carmichael, what is zero trust in its - you know, how do we think about that in its sort of most simple sense? 

Carmichael Patton: I like to maybe distill it down to this thought. In order to trust, you must verify. You know, and I think that's really - gives it the aspect - and I think, you know, even internally, people hear zero trust, and they get a negative response when they think about it. But ultimately, we're not trying to block anybody or not give access to anything. We just need to verify that you are who you are, that your device is healthy and manageable and that, you know, we're getting all the signals and things like that, right? It really sort of instills - I think, you know, Bret even in the intro to the MDDR talks about this, where he leans on the, we have to have healthy devices and healthy identities. So that means, you know, you're using MFA for all of your authentication requests. We're - in a lot of cases, we've gone passwordless inside of Microsoft. So I don't even have to enter my password anymore. I just grab my phone, punch in authenticator app, whether it's my fingerprint or grabbing a number up on the screen. And then I'm authenticated in. You know, there's a whole token check that's happening on the back into that. And then I - asking to do that every, you know, periodic check to make sure that my identity is still healthy, that my devices are managed and healthy. So I've got a set of policies that I'm deploying to those devices, and I'm checking those devices every hour or so to make sure that they continue to be healthy. And then I'm getting telemetry from all of those things to make sure that if something were detected in the environment, that I could respond and react to that and then be there - block the devices or ask the users to reset their passwords or pull the application offline till we can go fix those things, right? 
So making sure that we have all of that telemetry that underlines all of this is another big, you know, thing for us and just sort of simplifying - you know, it's, again, identity devices and telemetry that really sort of make up the stack of what - if you focused on those things, you are so much further down the path of zero trust while you work on all the other stuff. 

Natalia Godyla: The endless list of to-dos, right? Well, Carmichael, you teed us up really nicely by mentioning the MDDR. So that is the focus of today's conversation, the Microsoft Digital Defense Report or more specifically, the chapter on the hybrid workforce. So today, we'll talk about zero trust and how it applies to building a more secure hybrid workforce, as well as break down the conversation across multiple components of zero trust - so identities, devices, applications and so on. So to start, I'd love to just hear, what are some of your big takeaways from putting together this section of the Microsoft Digital Defense Report? Maybe the top three. 

Carmichael Patton: Ooh, wow. My top three takeaways. I think we did a session last year. It was a little bit different. There was more focus specifically around zero trust because it was really sort of the introduction of the concept into the MDDR. It was, you know, brand-new. I think this year one of my big things was just seeing how, you know, not just as a company but as an industry and as a global entity, we all had to pivot to hybrid work and how much that really became a factor in a lot of what is out there. And especially when you're talking about cyberdefense, it also became a big factor in attack vectors, you know, people working from home on personal devices that may not be as protected as you want them to be. And, you know, seeing some of the attacks and things like that that have occurred as a result of that - I think that's just - it's been an interesting year (laughter), right? I think that's - you know, like you said, maybe that's one, two and three of my takeaways for doing it - was just seeing how hybrid work just played such a big role in everything this past year. 

Natalia Godyla: And stepping back a moment, for this particular section of the MDDR, how did you pull together the insights? Where does this data come from, and what did that process look like? 

Carmichael Patton: Yeah, great question. So, you know, a lot of the data - I think there's some data where we have around a hybrid workforce where it's actually - we're talking about Microsoft as a company. We talk about, you know, how employees are going into offices. And we see badge scanning and some of the things in there that we see in the data. 

Carmichael Patton: But a lot of the data - as you go down into the report of the hybrid section around identity devices and some of the other areas, it really is an industry focus, you know? So our identity team, the Azure Active Directory team, has, you know, data on the back end that they can go look at across all of our tenants - you know, customer tenants and inside tenants - to just really sort of see what the heuristics of the whole platform are and how we're actually seeing those types of events and triggers and stuff on the platforms. 

Nic Fillingham: Can you talk a little bit more, Carmichael, about the role of that your team runs? So you guys report up to Bret Arsenault, who's Microsoft's chief information security officer. So he - you know, he and your group - the mission is to protect Microsoft. But you have this dual role where you're protecting Microsoft, but then there's also this incredible level of sort of fidelity and perspective that you get on the internet at large, as well as, you know, Microsoft's customer base but also beyond that. Can you talk a little bit about that role and that sort of unique position that you're in and how you leverage both Microsoft as a customer of itself as well as being in that sort of unique, sort of middle position? 

Carmichael Patton: Yeah. I like how you said that, right? We are a customer of Microsoft, which gives us a unique ability inside of Microsoft to really sort of challenge and not always leverage the things that are Microsoft. It's definitely a unique perspective, you know, because we take that customer. And I think, you know, traditionally, we've called ourselves sort of the first and best customer. And we take that identity or that persona pretty religiously in that we really want to be able to use the tools that Microsoft puts out and really sort of bang on them and make sure that they work for us and then, where they don't, push it back into it. 

Carmichael Patton: But to your point, it gives us a unique perspective of really seeing - because we have access to all these platforms and all of this telemetry and all the stuff that we get, any given day, we can pull a report and really just sort of see not just across Microsoft but working with other teams like the MSRC and other groups around Microsoft - really see what's happening in the industry and what's happening in the environment. 

Carmichael Patton: You know, we can dive into data and see, you know, what are we seeing from, like, the attack vectors? What are we seeing from a threat intel perspective? Where do we see these threat actors that we have out there? And what are they doing in the different environments? And then how can we take that, embed it into our environment to really get an understanding for what may be happening inside of Microsoft and then taking that as a reference to what other customers can do? You know, I think that's super-unique. And then it has provided other opportunities where we can actually then build teams not within DSR but outside of DSR, where we could build teams that actually can then take that on to other customers and really reflect it. 

Carmichael Patton: And actually, one of the things I love about my day-to-day role, you know, that you mentioned earlier is I actually do get to talk to a lot of customers about how we do it at Microsoft. And I think it's always been one of my highlights to talk to customers about it because I love hearing their questions. And I love getting feedback from them on things that don't work well that they seem to be maybe a little bit more open to give to me as a customer also that I can then take back to some of the product teams and say, you know, hey. They mentioned this. I didn't think about it. This is super-awesome. Let's do this, too. 

Carmichael Patton: So I think that also is that unique perspective where, you know, any - the product team is stacking up a list of all the customers that - we can take some of that uniqueness and bounce it back and forth with the customer and really sort of say, hey; how can we do this together and make it better? So it's been super-interesting playing that role where I'm not on the product marketing or product engineering side but on the internal customer team side. 

Nic Fillingham: Yeah, it sounds like you can empathize with Microsoft customers in a sort of unique way because you are also Microsoft's customer, both as a user as well as responsible for Microsoft's own security. So that's sort of fascinating perspective. 

Carmichael Patton: It definitely is (laughter). 

Natalia Godyla: Diving a bit more into the report, you know, as we mentioned earlier, there are different sections of this hybrid workforce chapter dedicated to the different components of an environment - identities, devices, endpoints, applications, et cetera. Kicking off with identities, what are some of the emerging trends impacting the hybrid workforce? And how have customers responded to identity-based attacks? 

Carmichael Patton: Great question. You know, I think one of the things that we talk about in the report is that, you know, we observe - you know, kind of back to that how much data we see and not just Microsoft but, of course, all of the Azure Active Directory estates - we see about 50 billion password attacks daily. And yet only 20% of those users and 30% of the global admins are actually using strong authentication such as MFA, right? Like, you know, talking about healthy identities and MFA - that's huge, like, to me. Like, only 20% of you guys are using MFA out there. Like, what - seriously? 

Nic Fillingham: What do we know about that? You know, you've had a chance to talk to some customers. Do you come across a customer that is not using MFA, especially an admin using - not using MFA? And do they have a semi-legitimate reason, or is it just sort of apathy? Or just - what is it? 

Carmichael Patton: I don't know if it's apathy. It's - well, I don't think it is apathy. I think what it is is it's a - I mean, first off, Microsoft is way ahead of the curve. Let's be completely honest here, right? Like, every customer I talk to - they see us as sort of, like, you know, you guys are way ahead of us, but we get it. But they understand that we're all on the same journey together. There's just that love. There's that sort of sharing what we do there. We just may be further down the path. When I talked to customers and I ask them that exact question, it's a lot of - they're still using legacy on-prem identities. You know, a lot of their identities are stuck sort of in their active directory. They're still connecting through VPN to their on-prem environments and, you know, to those legacy applications. And they haven't really modernized anything, which by the way, that's not bad. Like, you are where you are. And we hope you can help - we can help you get to the newer places and get into the, you know, cloud identities and start doing these other things. 

Carmichael Patton: But because they have that, they haven't really thought to move to it because they're just so mired in sort of that legacy mindset. And I think, you know, for us, the big push was really getting on to modern identities and then deploying MFA. And by the way, it - you know, I said we started this thing six years ago. It wasn't until recently that we're 100% MFA everywhere. That includes guest MFA, right? Like, please understand, you know, it's not, like, an overnight flip the switch, turn on MFA. I mean, it actually is that easy. But, you know, (laughter) there's a lot that goes on with that, right? So, you know, again, I don't think it's that they're being willfully ignorant or that they're, you know, dismissing it. I just think it's a challenge that they've put off because they have - they think they have other mitigations in place for it. 

Carmichael Patton: But it is still - you know, when you're looking at phishing attacks, which is another thing we see in the trending for identities, right? And the rise of phishing has just been enormous over the last few years and exponentially. Like, you see password spray going down, and breach replay is going down, but you see phishing just skyrocketing. And every time that account is compromised, if you had had MFA in place, think about how you would have mitigated that versus now you're having to react to that phish and that compromised account, right? And I think that's what we're really trying to say in this, is sort of, again, focusing on that identity health and really getting that out there so that - you know, you don't have to get to the passwordless journey. That's, you know, a step down the road. But just getting MFA implemented, even in - on your on-prem environments is still super important. 

Natalia Godyla: What are we seeing in terms of device and endpoint security in the hybrid workforce? Carmichael, what are the big concerns and some of the considerations for how folks listening in can continue to protect their organization? 

Carmichael Patton: Well, I think the big thing you see in devices here, especially for organizations that weren't necessarily ready for a particular event that occurred last year - right? - is a lot of move to BYOD and bring your own devices and, you know, people now using personal devices to connect to resources that they weren't planning for or allowing for originally that just started connecting to those resources. And maybe you didn't have device management in place. You weren't prepared for it. 

Carmichael Patton: I think one of the biggest issues we saw last year - and Microsoft suffered from this, too, in a big way - was supply chain and supply chain demand, right? I mean, hardware just became nonexistent last year in that, I think, like, super early on in the pandemic last year, we were bringing in a very large class of interns, and none of them could get machines. So how do you immediately get them working and not just have interns sitting around, not learning or being able to participate in the community was a huge thing for us inside of Microsoft, and I'm sure for others as well. And as you hire new people, you know, how do you get them a PC or monitors or any of the other things that they needed to do work? So I think that became a big driver is - because you didn't have the hardware, you were relying on them to use hardware that they already had, which was, you know, in some cases, their own home PC. And you were either issuing out VPN to them or giving them access to some sort of, you know, connection in, and maybe you sort of didn't understand that that was opening up the door for an attacker to come in, right? 

Nic Fillingham: Has the shift away from group policy to modern management, has that in and of itself empowered defenders and empowered security teams to be able to protect devices in ways that they couldn't in the past and sort of have that greater control and sort of greater confidence in what's happening on the endpoint? 

Carmichael Patton: BYOD being a huge issue, I think our move to modern management - and I think this shocks a lot of people when we say this - is we are fully embracing the BYOD strategy here at Microsoft. We had to start pivoting super heavily into virtualization. So we were using the Azure Virtual Desktop platform and building that out as an entry point for folks to come on board to Microsoft. And that was, like, trial by fire for us (laughter) internally because it was something we had never really - we were starting to pilot it. We were going through the processes of learning about it and getting people to use it. But then all of a sudden, you had to turn on that switchboard and have all of that happen. 

Carmichael Patton: We sent all of our devs home. And how do you get a dev to do work when their PC that they left in the office wired to the network because that's where all of their build systems are and they need that internet speed or that network speed to do all of their builds and publish the builds and all the things - how do you get them to remote into a machine? Well, you don't want them to use their home PC to remote into a device and potentially, you know, push things across the wire. So we had to build out remote desktop gateways through Azure Virtual Desktop as well. So, I mean, just all of these things we had to go do to make it happen - so started looking at Intune and how do we get to manage giving them - you know, if you want a wireless certificate to get on to the wireless to use your phone, please enroll your device and, you know, getting them to at least get managed and then, over the years, you know, getting them to then be healthy. And that is, you know, looking at, you know, threat and vulnerability detections on the devices - so, you know, deploying MDE or other vulnerability management tools on your devices, DAC controls, so ensuring that - we don't do this a whole lot, but ensuring that we kind of do allow listing and block listing of applications on devices to make sure that we're not putting an application that's unhealthy on there, that could potentially be a threat vector, that we're patching - I mean, patch, patch, patch, patch, patch - probably could say that a hundred times and still not say it enough. 

Carmichael Patton: So you know, it's super awesome to see that we've come this far. And honestly, when we look at some of the attacks, having that visibility and telemetry because the devices have MDE and all the other things running on them that we get telemetry from, you know, we can really start looking in our environments, you know, kind of back to the whole, what are we showing here, right? We see the customers' things. We understand the correlation of data that we get across all our platforms. But for us internally, it's been a huge - you know, that telemetry aspect - of now having all of this visibility because devices are actually enrolled and managed and healthy. You know, we're seeing just - what? I think the last number I saw was 530-some-odd million events a day coming into the system that we could, you know, start triaging with machine learning and all the other stuff that fits into that. But you know, all of that feeding into Sentinel and then, you know, getting down to the SOC analysts and stuff like that for whatever we need, right? I mean, that's - it's awesome just now having that telemetry in the pipeline. So... 

Natalia Godyla: So Carmichael, we're maybe a fraction of the way through this chapter, and you've already listed so many different initiatives that your team has kicked off in order to ensure that we have a more secure hybrid workforce. You know, MFA enrollment, device management. Neither of these are small tasks. So before we continue through the chapter, I'd like to pause and just understand, how did you prioritize the different initiatives, and how do you continue to prioritize the right things to do in order to secure a hybrid workforce? 

Carmichael Patton: You know, again, kind of back to our earlier conversation about just sort of how did zero trust become a thing? And I mean, to your point - right? - we had so many workstreams doing so many things just even inside of Microsoft. I mean, ignore all the other stuff going on, right? Like, we had network team doing things. We had our identity teams doing things, our devices teams doing things, so on and so forth - right? - like our engineering groups building applications and doing their thing. And there was just never really a common language or a common - I mean, I think we all have a common goal to be secure and to do it the right way. But there wasn't really an overriding program or overriding concept, strategy that was sort of driving us all. 

Carmichael Patton: So I think, you know, one of the biggest things we did early on was just sort of pull all these teams together and really sort of figure out what everybody was working on, come up with our, you know, our own principles of what zero trust is, our own goals of what we wanted to accomplish through zero trust and really start putting that banner and planting that flag of, OK, now that we all have an understanding and a single goal of what we're getting to, you know, bringing in Bret and his peers across our entire Microsoft digital organization, you know, really getting them on board and aligning to that message and so that we were all, like I said, talking the same thing and having the - and sharing the same experiences, that is really what it took us to do. And that was probably the first six months or so of just putting our program together. 

Carmichael Patton: You know, work didn't stop. We didn't stop what they were working on. It was just more pulling the focus together, you know, making sure we were doing the right things in identity, the right things in devices, that we had the right network strategies going, that we were building the services to support all of this. And I think the key thing here, too, that we don't necessarily talk about in the hybrid, but the work from home piece of it can't be understated when you think about zero trust and employee experience. Like, if you make this thing so rigid and you block them from being able to do things or if you didn't have the capability for them to work from home, you know, and be productive, then you really have sort of failed at your strategy (laughter). 

Carmichael Patton: And we have for, I mean, I think three or four years back before zero trust was in place - I mean, Nic, you're here in the Puget Sound area. Snow events, right? I mean, think about all the different snowmageddons we have here in the Seattle area. And then early on having to work from home during one of those and everybody's on a full tunnel VPN crashing into all of the Redmond servers, trying to do things. And all of a sudden, it becomes so unproductive you don't know what you're doing. And now, today, you know, during the pandemic, we've got telemetry that suggests we've got about 93% of our applications in the cloud. And that - you know, they're connecting to resources that are actually in a data center. So VPN becomes - you know, because when you split tunnel VPN, it becomes sort of a negligible thing at this point. 

Nic Fillingham: So networking and I think some of the data that's in here around distributed denial of service attacks is sort of fascinating. And also, given the timing of this chat we're happening here, Carmichael, there's been a recent piece of news around sort of DDoS mitigations on Azure. So I wonder, could you talk a little bit about some of the highlights in that networking session? And maybe we can touch on the DDoS stuff as well. 

Carmichael Patton: Yeah. I mean, you know, networking is - you can't understate it. And I think it definitely is a big part of the whole zero-trust strategy. Internally, we call it access strategy and segmentation and making sure you have all the right things. And I think some of the stuff we talk about in the report is on the Azure Firewall signals - and this - again, this is across all of Azure, not just internally at Microsoft - but 2 trillion flows blocked in the past year for things that have just tried to access the network, you know? 

Nic Fillingham: Can you clarify a flow in this context here? What's the definition of that? 

Carmichael Patton: Yeah. So it would be IP to IP trying to get access into something, right? So it's - a request is made to an IP address on a particular port. That port just happens to be blocked because of Azure Firewalls or NSGs that are deployed within a subscription, right? So seeing that amount of traffic just sort of dropping off - right? - not actually coming into your data center - whereas, you know, in the past, if you're using an on-prem data center, all of that traffic may come in, go through your network, you know, into your environment and then hit a firewall and maybe get blocked depending on how many rules you had in place that potentially blocked it or didn't block it and how good your firewall admins were on that particular day. But just seeing that stuff sort of drop off at the edge is awesome. 

Carmichael Patton: I think, you know, sort of complementary to that are the WAF, the web application firewall rules that triggered. And we've seen about 25 billion rules trigger per week over the past year, which is actually pretty significant when you're thinking of, like, the OWASP Top 10 and just the basics that you're - you know, you see just having a WAF in place and protecting yourself against things like cross-site scripting and other stuff like that - right? - is pretty big, too, if you've got that deployed in front of your applications. 

Carmichael Patton: And like you said, on DDoS, you know, I could quote some of the stats in the document, but let me quote the one stat from last week. You know, around - I think it was October 11, we posted a blog up there where we had a 2.4 terabyte per second DDoS attack that came in that we mitigated, you know, over I think it was a span of 20 minutes give or take if I remember correctly. You know, again, having those things - having your resources sitting in the cloud and being just natively protected by Azure DDoS is phenomenal, right? 

Carmichael Patton: I mean, I think about my last company I worked at, you know, prior to coming to Microsoft, and we were still, you know, heavily on the data center side. I actually was working on DDoS and WAF protections. And just - I can't even fathom an attack of that size trying to hit our, you know, company network and, you know, then you having to worry about, you know, email and all the other things that are supposed to come through that network at the same time, right? So I think that's pretty, pretty awesome to see that the platform itself is protecting you as a customer of Azure, so. 

Nic Fillingham: And some of the takeaways there, I think, from that section - you know, obviously the MDDR is about providing insights, but also sort of some guidance here. Is the takeaway here to utilize cloud-based firewalls and to really sort of think about taking what was traditionally, you know, a device that would be in your physical network and putting it up in the cloud? 

Carmichael Patton: Yeah, absolutely. You know, whether - you know, even if it's using your physical network, but extending it to cloud through, you know, whether it's ExpressRoute-like connections or using Azure Arc to make that enabled, you know, into the - into Azure as an Azure resource, you know, I think it's definitely getting those applications - I think we sort of skipped to the application section. So if we just talk about, you know, how - I mentioned earlier, we're at 93% in the cloud on our applications, right? I think modernizing your apps to - in a way to make them accessible through the internet, and by doing that, it's enabling those network connectivities through Azure Networking, through your subscriptions and your things. 

Carmichael Patton: You don't have to necessarily make your application fully public cloud-facing. You know, that's not what we're suggesting here. You definitely don't want to put your database on any firewall rule, right? You know, it's making sure you're deploying those resources in a smart way, using those things like Azure Firewall and web application firewalls in front of your application gateways in order to protect those assets. And just getting those native security functions that come with Azure is definitely the recommendation that this section is saying. 

Natalia Godyla: So as we wrap up, Carmichael, I'd like to take a couple minutes to talk about people. Overall, users, end users of our security controls and processes have had a hard couple of years. There's been a lot of change. However, their ability to learn and be more aware of security and use new technologies is a key part of the success of our security strategy. So, you know, how can we enable new security protections while ensuring that our workforce remains productive? What kind of guidance can you give to other security practitioners and leaders who are listening to this episode and might be struggling to, let's say, implement MFA with their workforce because their workforce can't accept this new change? 

Carmichael Patton: Yeah. I think, you know, in this section, let's answer that question, but I know we also talk about insider risk here, so I just want to call that out, too. But I think the big part of this section we talk about with people is the empathy. And I mean, I can't understate it. If I liken it to how I started here at Microsoft - and I remember getting the first email telling me that I had to go patch my computer or that something was happening. It was like, hi, we're security, and we're doing something to you again. Immediately, I felt like, why is my organization making me feel like I've done something wrong, right? 

Carmichael Patton: You know, if I think about the past three or four years and how the culture has changed and we - bringing the employees along with us and making them understand the journey and the standards of business conduct video that we get every year that we get to watch - Nelson doing his thing and the rest of the team doing theirs - I mean, think about those videos and the learnings that you get from it. While it's fun and exciting to kind of watch the videos, it's really sort of shaping the view or the perception that security is everybody's business and that it's not just our team trying to go do something to them, but it's them also taking an active role in that. And the cultural change that has to happen is something significant that just doesn't happen overnight. And it's that empathy we have to feel and the desire to want to understand how they do work and how they need to do work. It's sort of fundamental to even Microsoft's mission to empower every person on the planet to do more, right? Like if you say that is the mission, just at a - that's your company mission - we have to say that for us internally, too, right? And I think it's the same empathy we have to share because I am an employee. I want to be protective. I want to do the right things. And I feel like I can do that because I'm empowering you to do it. But I'm also making it easier for you to do your job by enabling you to work from anywhere when we're all at home right now on this call or, you know, having this conversation. So I think that in and of itself is - stories on how we've been so productive in really sort of trying to play that role of understanding and being empathetic to our employees and how they do business. So... 

Nic Fillingham: I think, Carmichael - correct me if I'm wrong - but the definition of insider risk - it's a spectrum, right? There's sort of malicious intent, and then this sort of accidental risk where, you know, an employee sort of does something wrong more out of maybe negligence or just sort of ignorance and, you know, accidentally exposes the company to risk or leaks data with absolutely no malicious intent. Is that correct? 

Carmichael Patton: Yeah, there's absolutely those. I think there's definitely - I think we usually say there's usually three types. There's those that just have no clue and will go do something. There's those that have a clue and just may accidentally do it. And there's those that are just completely malicious about it. They know exactly what they're doing, right? And I think it's helping understand the first two cases of somebody who just doesn't know what they're doing and kind of clueless about it and making sure that they learn and get understanding - those who know better but just make the mistake - like, hey, you did this. Did you mean to do that? OK, it was an accident. Totally get it. And I think we have tools. If I just use an example, the report-it-now feature that Microsoft Office has that you can enable and phishing. You know, we just talked about phishing earlier. Like, giving them a button to go - report a phishing message - and we get so many reports. Not all of them are real phishing. Some of them are actually messages that somebody has sent out that may have looked like phish, but we've done such a good job of training them to look for it. So, sometimes, you can catch those first few people. But it's building that program around those malicious folks that really sort of want to be malicious, you know, whether it's that they're really doing it to really make a negative impact on the company or if they're doing it because they're just trying to get away with something, right? I think it's - regardless, there has to be sort of that visibility and telemetry that you're getting from there and really understanding what those mindsets are to try to catch those types of processes that are happening in your environment. 

Nic Fillingham: Yeah, I wanted to bring it up because I think it's important to understand that there is this sort of spectrum of insider risk and that on one end, you do have people that are - they're actually not trying to do the wrong thing. They just don't realize what they're doing - because the chapter ends, this people chapter - sorry, the Hybrid Workforce Security chapter but the people section - ends with, I think, a fantastic little callout box that just says, assume positive intent. Mistakes happen. And so I really like that the people - sort of section here talks about insider risk, and that's obviously, you know, a very significant threat factor the CISOs and security folks need to be aware of. But part of your role is not just looking out for the bad guys. It's looking out for people who accidentally do the wrong thing. And so having this digital empathy, having empathy for people, especially those of us who have been - haven't been in the office in the best part of two years and haven't seen a co-worker maybe ever, depending on when our job started, I just really liked it - personally, as someone who has read the report, I really like that this idea of empathy and digital empathy sort of flows throughout. Ann Johnson talks about it in her section. Bret covers it. You'll see it a few times in the report. So I just thought - I just wanted to close on that because I thought that was a really - I thought it was really good that we sort of start with, OK, here's a risk. Let's think about that risk. But then let's also sort of remember that these are humans. Humans make mistakes. And let's sort of build systems around that, allowing for it. 

Carmichael Patton: Yeah, absolutely. And I probably couldn't have said it better myself. And I think, you know, even - I think we talk about this at the end of the report, too. People have become just more siloed, like you said, and the digital exhaustion. You know, it's not just even digital empathy, but it's the digital exhaustion that we all have. And I remember starting the pandemic and just focusing a lot on work because that was what I was doing to try to forget all the other things. And you do get burned out really quick. Sometimes, you make mistakes just because you were tired or exhausted and just didn't know what you were doing. So it's great. And I love that quote for sure. The "assume positive intent, mistakes happen." It's very in line with our, you know, always trust, but verify, right? And just it's that we trust that you're going to do the right things. We want you to do the right things. We're going to help coach you and train you and give you the tools to do the right things. Mistakes will happen. Absolutely. Mistakes will happen. 

Natalia Godyla: Thank you so much for joining us today to discuss the Hybrid Workforce Security chapter of the 2021 Microsoft Digital Defense Report. It was a really great conversation. And hopefully, we'll be able to have you back on the show again, Carmichael. 

Carmichael Patton: Yeah, look forward to it. 

Natalia Godyla: Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode. 

Nic Fillingham: And don't forget to tweet us at @msftsecurity or email us at securityunlocked@microsoft.com with topics you'd like to hear on a future episode. Until then, stay safe. 

Natalia Godyla: Stay secure.