I’m joining Microsoft’s Threat Protection division to bring what’s needed to threat intelligence: scale-y porgs.

Kevin Beaumont
DoublePulsar

--

Windows XP (Gossi Edition)

I’m incredibly grateful, and a little scared, to say that soon I will be joining Microsoft Threat Protection as a Senior Threat Intelligence Analyst, working with the team in Redmond.

I just wanted to outline a few of the reasons why I’m making this move, as long-time readers will know I’ve been largely suspicious of the cybersecurity vendor industry and occasionally critical of Microsoft.

I mean, the most obvious reason is I applied for a job and they grilled me for five interviews and offered it to me, and I’m very fortunate, but other than that.

Cybersecurity isn’t happening in isolation

While the very (very) top tier of attackers use custom tools and implants, almost everybody else is using common tools and techniques. This includes the large, organised criminal groups you read about bringing down large companies in the press on a weekly basis nowadays.

The image I see when I close my eyes now. Help, please.

A consistent theme I see is companies overestimating the skills of their attackers. The cybersecurity industry is still pretty new — I think of it as still being in the black and white era of television — and we haven’t yet nailed how to implement and secure technology. The sad truth is that organisations are getting attacked with whatever tools the attackers can gain access to, and quite often it’s not the most sophisticated or Hollywoodesque way in — it is what works.

The good news is there is significant value in being able to spot commonalities between attacks, and provide top down protection through the stack. This is something Microsoft Threat Protection is leading the way on, and this is fundamentally why I started looking at this job.

I made this tweet in the early hours after Christmas Day (because who needs a life? Me, by the way… like, badly — I finished Skyrim in 2011 and haven’t recovered yet).

It is high time I put my career where my mouth is, on that front. I’ve held various great jobs — implementing a security programme from scratch, rolling out Vulnerability Management, running a Security Operations Centre, and starting Security Operations from the ground up. I know the challenges organisations face as I’ve lived them, for decades, in the trenches. Security is hard. I also think CISOs are put in an impossible position, as the tools and systems they need aren’t quite there yet, and they’re too hard and disjointed to implement.

Scale and signals

Microsoft are collecting literally trillions of signals each day across their cloud infrastructure in Azure, services like Office365 and Hotmail, and across endpoint tools such as Microsoft Defender. These signals are fed into the Microsoft Security Graph, and essentially you have a database growing petabytes in volume each day around real time attacker activity and global threats:

This is an old diagram as all I have is Bing Images, and hope.

The endpoint

Back in 2015, on this site I made a post around how endpoints (and by proxy end users) are the new DMZ. The reason at the time was Office macros, which continues to be a huge challenge. My frustration back then was I could see a clear signal that intrusions were going to move to devices inside the enterprise using pretty simple and cheap techniques — layers of traditional security controls were crumbling.

On the endpoint side you have Microsoft Defender — an antivirus tool which a decade ago was the laughing stock of the security industry, but which is now well regarded as a tool across millions of organisations and home PCs. Why? Investment. In software, but mostly in the people to build said software — and in looking at the outputs, i.e. the data it generates.

Yes, I pasted in a Magic Quadrant. I used to be a Security Architect so I’m allowed.

I don’t know how many people have used the threat investigation features of Microsoft Defender, but rather than that trojan alert being closed with no action by your security team, you can dig back into the alert and see, for example, what the executable was, how it got to the endpoint, what it connected to… It’s basically full Batman investigator mode.

As an aside, even if you’re using the free, home version of Defender you are getting the under the hood engine of Microsoft Defender ATP, the enterprise grade tool.

This view, from Azure, to Defender for Windows, to Defender for Linux, allows a real world, global view of emerging attacks. It can also be used to spot supply chain attacks — such as this one, spotted by the team I’ll be joining, where software was used to deliver rogue cryptocurrency miners.

Security monitoring is king. It also sucks.

I’ve run a Security Operations Centre with around 100k endpoints (between PCs, servers and devices). Let me tell you — SIEM monitoring solutions suck.

They’re also absolutely essential to be able to survive as an organisation, as you need them to respond to attacks.

There’s a whole boatload of problems with SIEM solutions, from the price to the complexity of getting basic value out of them.

Organisations spend big on SIEM solutions because they want to know when hackers break into their network. Quite often SIEM integration projects descend into chucking data into a hole, the hole filling, then everybody ignoring the ugly hole as nobody wants to stare into the abyss of Too Much Suck.

You have to deploy agents on every system, then upgrade the agents, then have agents to forward agent traffic… you need firewall rules… it’s a mess before the value arrives. For many organisations, the value never arrives because getting to the value part of the equation is too complex.

Back in 2017 I built an SMB honeypot network using Microsoft OMS (RIP) — this was able to detect DoublePulsar exploitation in the wild, and led to this very domain name. Last year I rebuilt the honeypot network using Azure Sentinel, Microsoft’s new SIEM solution, while my girlfriend was sleeping (we all need hobbies, okay…).

That honeypot, which had almost no customisation and was just real Windows endpoints reporting into Sentinel, detected BlueKeep exploitation in the wild.

Azure Sentinel’s vision is pretty simple — deploy it, send your logs to Azure, and let Sentinel provide both a traditional SIEM, and machine learning and threat hunting.

BluePot, my no budget honeypot.
Threat hunting in BluePot.

Pulling this together

Microsoft are doing something which I believe (and know) can benefit organisations globally — they’re building teams and technology around doing good with data. They’re turning the tides towards cybersecurity being valuable, rather than being an impossible to wrangle sticking plaster.

I’ve spent over 20 years in this industry shouting at the clouds about how much we haven’t got right yet. I would like to spend the final 20 years of my career shouting back from the cloud, helping distribute a rain of real time detection and intelligence.

Yours,

Kevin
Delivering stretched metaphors.
