1
00:00:00,000 --> 00:00:09,600
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy,

2
00:00:09,600 --> 00:00:13,280
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:13,280 --> 00:00:17,720
Hey everybody, welcome to episode 97.

4
00:00:17,720 --> 00:00:20,760
This week it is myself, Michael, with Sarah.

5
00:00:20,760 --> 00:00:22,560
Everyone else is busy.

6
00:00:22,560 --> 00:00:26,200
And our guest this week is Richard Diver, who's here to talk to us about artificial

7
00:00:26,200 --> 00:00:27,600
intelligence security.

8
00:00:27,600 --> 00:00:31,640
Actually, the note that we have here says AI security stuff.

9
00:00:31,640 --> 00:00:35,160
But before we get on to our guest, let's take a little lap around the news.

10
00:00:35,160 --> 00:00:36,160
I'll kick things off.

11
00:00:36,160 --> 00:00:39,200
I actually want to start with a personal news item.

12
00:00:39,200 --> 00:00:42,720
I've actually taken a new position within Microsoft, which I'll start in the new fiscal

13
00:00:42,720 --> 00:00:45,040
year, which is July the 1st.

14
00:00:45,040 --> 00:00:49,280
So right now, as some of you probably know, I work in the Azure Data Platform.

15
00:00:49,280 --> 00:00:54,440
So I work on Azure SQL Database, SQL Server, Cosmos DB, Postgres SQL and MySQL, all from

16
00:00:54,440 --> 00:00:55,440
a security perspective.

17
00:00:55,440 --> 00:01:01,960
I'm now actually moving over to basically that sort of similar work, but for the whole

18
00:01:01,960 --> 00:01:03,200
of Azure.

19
00:01:03,200 --> 00:01:08,280
So I'll be working on engineering stuff and sort of learning from attacks and how we can

20
00:01:08,280 --> 00:01:09,280
change our processes.

21
00:01:09,280 --> 00:01:12,440
So I started that in January the 1st.

22
00:01:12,440 --> 00:01:13,440
Really excited.

23
00:01:13,440 --> 00:01:15,440
I just, you know, I love the security stuff.

24
00:01:15,440 --> 00:01:20,600
And by the way, I couldn't say anything nicer about the Azure Data team.

25
00:01:20,600 --> 00:01:22,920
It's a fantastic team of engineers.

26
00:01:22,920 --> 00:01:23,920
They really know what they're doing.

27
00:01:23,920 --> 00:01:25,600
They've learned so much about database products.

28
00:01:25,600 --> 00:01:28,280
The stuff that I didn't buy, there's still a lot of stuff I don't know.

29
00:01:28,280 --> 00:01:30,640
I don't know about databases.

30
00:01:30,640 --> 00:01:34,000
Just the magnificent database team or engineering team in general.

31
00:01:34,000 --> 00:01:37,000
So it's going to be a bit of a bit of a bittersweet to be honest with you.

32
00:01:37,000 --> 00:01:39,880
But I'm really looking forward to this new endeavor.

33
00:01:39,880 --> 00:01:47,240
So in terms of news, first one is Azure Kailh Studio now has a feature where it can pause

34
00:01:47,240 --> 00:01:49,840
processes inside of virtual machines.

35
00:01:49,840 --> 00:01:55,200
This is really useful when it comes to things like mimicking updating processes rather than

36
00:01:55,200 --> 00:01:56,800
just rebooting the VM.

37
00:01:56,800 --> 00:01:57,800
So it's good to see that.

38
00:01:57,800 --> 00:02:02,480
Just one, you know, again, just one more thing to add a little bit of chaos to your environments.

39
00:02:02,480 --> 00:02:06,600
Azure API management now supports the circuit breaker pattern.

40
00:02:06,600 --> 00:02:10,360
So there's a whole bunch of sort of design patterns that are out there.

41
00:02:10,360 --> 00:02:11,720
And one of them is a circuit breaker.

42
00:02:11,720 --> 00:02:16,560
And the idea of this is that when a front end becomes completely overloaded, rather

43
00:02:16,560 --> 00:02:22,440
than sort of failing in a horrible mess and, you know, impacting all the stuff behind the

44
00:02:22,440 --> 00:02:25,840
API management, it does so in a graceful way.

45
00:02:25,840 --> 00:02:27,840
And that's the circuit breaker pattern.

46
00:02:27,840 --> 00:02:30,960
So you can now actually enable that patterns, a whole bunch of parameters you can have in

47
00:02:30,960 --> 00:02:31,960
there.

48
00:02:31,960 --> 00:02:34,840
I'll provide a link not just to that news item, but also a link to the circuit breaker

49
00:02:34,840 --> 00:02:38,800
pattern, which is on the Azure architecture center.

50
00:02:38,800 --> 00:02:44,960
The other bit of news is Azure Bastion now has a developer skew.

51
00:02:44,960 --> 00:02:49,560
Right now, if you deploy Bastion, you have to pay for it.

52
00:02:49,560 --> 00:02:50,800
There's no sort of free version.

53
00:02:50,800 --> 00:02:56,560
So what Bastion lets you do is, I know the Bastion guys are going to hate me for saying

54
00:02:56,560 --> 00:02:58,840
this, but it's almost like a jump box.

55
00:02:58,840 --> 00:03:02,520
So you're not connecting directly to your environment.

56
00:03:02,520 --> 00:03:06,400
You're going through the Bastion and then you can put all sorts of policies around the

57
00:03:06,400 --> 00:03:08,080
Bastion.

58
00:03:08,080 --> 00:03:12,280
And that way you're connecting just through that, as opposed to potentially compromising

59
00:03:12,280 --> 00:03:13,680
back ends if there's an issue.

60
00:03:13,680 --> 00:03:17,880
So it's a really magnificent product because it's really seamless the way it works in Azure.

61
00:03:17,880 --> 00:03:19,400
But historically you had to pay for it.

62
00:03:19,400 --> 00:03:22,600
Well, now there's a developer skew, which is free of charge.

63
00:03:22,600 --> 00:03:27,020
I'm not sure about all the limitations and what have you, but it is essentially free

64
00:03:27,020 --> 00:03:28,020
of charge for developers.

65
00:03:28,020 --> 00:03:33,600
And I think it only allows you to connect to one VM, I think, but I could be wrong there.

66
00:03:33,600 --> 00:03:39,200
And the last bit of news that I have is Azure Front Door now has log scrubbing of sensitive

67
00:03:39,200 --> 00:03:41,320
data and that's in general availability.

68
00:03:41,320 --> 00:03:42,720
This is really nice.

69
00:03:42,720 --> 00:03:47,000
So if you've got logs, you can put rules in there to scrub out sensitive data.

70
00:03:47,000 --> 00:03:49,320
So I'll put like asterisks where there may be sensitive data.

71
00:03:49,320 --> 00:03:54,200
So for example, if you're logging, you may decide you don't want to log all of an IP

72
00:03:54,200 --> 00:03:58,460
address or you may not want to log parts of a URI, that kind of stuff.

73
00:03:58,460 --> 00:04:04,520
Then you can have as your front door, just essentially scrub that out of the log so it's

74
00:04:04,520 --> 00:04:05,520
not there.

75
00:04:05,520 --> 00:04:11,660
Again, this kind of stuff is just great to see because it's not uncommon for attackers

76
00:04:11,660 --> 00:04:16,680
to go after log files because they might have sensitive information in there.

77
00:04:16,680 --> 00:04:20,080
So anything you can do to get that data out of there in the first place is always a good

78
00:04:20,080 --> 00:04:21,080
thing.

79
00:04:21,080 --> 00:04:22,080
So that's my news.

80
00:04:22,080 --> 00:04:23,080
Sarah, what you got?

81
00:04:23,080 --> 00:04:26,080
So a couple of bits.

82
00:04:26,080 --> 00:04:31,800
I've got some Kubernetes and AKS and then some copilot for security.

83
00:04:31,800 --> 00:04:35,960
So let's go for the AKS type stuff first.

84
00:04:35,960 --> 00:04:43,200
So firstly, the open source project called Draft that Microsoft keeps an eye on and maintains

85
00:04:43,200 --> 00:04:44,520
has been updated.

86
00:04:44,520 --> 00:04:46,720
It's including a new feature called Validate.

87
00:04:46,720 --> 00:04:52,240
So what Validate will do is it allows you to scan your manifest to see if you're following

88
00:04:52,240 --> 00:04:58,280
best practices so you can catch any issues early in the development lifecycle.

89
00:04:58,280 --> 00:05:03,480
And this is all part of our new AKS feature around deployment safeguards.

90
00:05:03,480 --> 00:05:08,260
So if people make silly mistakes, we catch them early, early.

91
00:05:08,260 --> 00:05:16,280
And then also in GA is support for disabling Windows Outbound NAT in AKS because we know

92
00:05:16,280 --> 00:05:20,320
it can cause a bit of problems in AKS pods.

93
00:05:20,320 --> 00:05:26,480
So now if you need to, you can go and turn that off when you're creating new Windows

94
00:05:26,480 --> 00:05:28,560
agent pools.

95
00:05:28,560 --> 00:05:30,800
Next is could it be my new baby?

96
00:05:30,800 --> 00:05:36,720
I don't know because I'm very loyal to Sentinel, but Microsoft Copilot for Security has a couple

97
00:05:36,720 --> 00:05:38,800
of new things in public preview.

98
00:05:38,800 --> 00:05:41,280
It has got Azure Firewall integration.

99
00:05:41,280 --> 00:05:47,240
So that means that you can retrieve IDPS signatures from an Azure Firewall.

100
00:05:47,240 --> 00:05:54,080
You can look at the threat profile of an IDPS signature and do some other things there.

101
00:05:54,080 --> 00:06:00,700
And then also, we also have WAF integration, public preview and copilot for security.

102
00:06:00,700 --> 00:06:05,920
So that means that you can have a look at, you can summarize and get copilot to pull

103
00:06:05,920 --> 00:06:10,360
things from the WAF and you can have a look at it in the prompt.

104
00:06:10,360 --> 00:06:12,160
So definitely exciting.

105
00:06:12,160 --> 00:06:17,680
If you're already on the Copilot for Security bandwagon, you should go and have a look at

106
00:06:17,680 --> 00:06:19,480
that.

107
00:06:19,480 --> 00:06:21,360
And that is my news.

108
00:06:21,360 --> 00:06:24,960
And with that, I get to kind of be Michael this time.

109
00:06:24,960 --> 00:06:29,040
We will turn our attention to our guest this week, who is Richard.

110
00:06:29,040 --> 00:06:34,520
Richard, do you want to tell us who you are and what you do at Microsoft?

111
00:06:34,520 --> 00:06:36,440
Hey, thank you very much.

112
00:06:36,440 --> 00:06:37,440
Yeah, Richard Diver.

113
00:06:37,440 --> 00:06:43,200
I've got 29 years experience now in the tech and security world, starting in the Navy back

114
00:06:43,200 --> 00:06:44,200
in the 90s.

115
00:06:44,200 --> 00:06:49,720
But my current role is the technical story design lead in Microsoft security marketing.

116
00:06:49,720 --> 00:06:52,640
Now, Richard, what does that mean?

117
00:06:52,640 --> 00:06:56,840
For those of us who might not know what technical design marketing is.

118
00:06:56,840 --> 00:07:00,080
I get to work between engineering and marketing.

119
00:07:00,080 --> 00:07:06,040
So I get to work with fun people like yourself and Michael and many other experts, work out

120
00:07:06,040 --> 00:07:10,120
the behind the scenes story and then bring it to the real world.

121
00:07:10,120 --> 00:07:11,800
That's basically what I get to do every day.

122
00:07:11,800 --> 00:07:12,800
I know.

123
00:07:12,800 --> 00:07:16,520
Well, I do know because I actually talk to you a lot, Richard.

124
00:07:16,520 --> 00:07:20,080
So, there's a couple of things.

125
00:07:20,080 --> 00:07:24,960
Now as Michael had said earlier, we're going to talk about AI security stuff, which I have

126
00:07:24,960 --> 00:07:30,200
to apologize was my note that I wrote on the podcast notes that we have.

127
00:07:30,200 --> 00:07:33,080
But let's talk about that.

128
00:07:33,080 --> 00:07:37,980
So we've had some guests on already talking about different aspects of AI security.

129
00:07:37,980 --> 00:07:43,320
So some earlier episodes, we had Ryan who talked about co-pilot for security.

130
00:07:43,320 --> 00:07:47,920
And we also had AI Red Team folks.

131
00:07:47,920 --> 00:07:50,120
We had Amanda and Pete on.

132
00:07:50,120 --> 00:07:59,360
But I know that you tell stories more kind of, how do I put this, straight up AI security.

133
00:07:59,360 --> 00:08:04,080
So if people are trying to get their heads around all of this, and obviously many people

134
00:08:04,080 --> 00:08:09,680
are trying to use AI, security people are worried because they need to understand it.

135
00:08:09,680 --> 00:08:12,880
Where would you say people would start with that?

136
00:08:12,880 --> 00:08:14,800
Good question.

137
00:08:14,800 --> 00:08:20,160
So AI security is not much different to any other security we've done before.

138
00:08:20,160 --> 00:08:24,080
There's a lot of basics in the data and identity layers.

139
00:08:24,080 --> 00:08:27,720
I think those are the two that most people get worried about is who's got access to it

140
00:08:27,720 --> 00:08:29,640
and what are you going to do with my data?

141
00:08:29,640 --> 00:08:34,360
So we have to go back and review some of the things we've maybe not done properly in the

142
00:08:34,360 --> 00:08:35,360
past.

143
00:08:35,360 --> 00:08:40,920
But the AI specific security problems, and this is where the Red Team comes in very handy,

144
00:08:40,920 --> 00:08:45,120
is that it's a little bit like you can social engineer it.

145
00:08:45,120 --> 00:08:46,720
And so that becomes a whole new problem.

146
00:08:46,720 --> 00:08:49,320
You can't social engineer machine learning.

147
00:08:49,320 --> 00:08:50,920
Machine learning has a start and an end.

148
00:08:50,920 --> 00:08:52,560
You put data in, you get data out.

149
00:08:52,560 --> 00:08:54,800
It's pretty solid.

150
00:08:54,800 --> 00:09:00,300
But generative AI, as we have today, that ends up with its own special unique characteristics

151
00:09:00,300 --> 00:09:08,120
that we have to be aware of, put some guardrails in place, and then monitor and watch and not

152
00:09:08,120 --> 00:09:09,120
let it fall down.

153
00:09:09,120 --> 00:09:10,640
That's basically where it goes.

154
00:09:10,640 --> 00:09:16,560
So you mentioned that people are concerned about identity and data.

155
00:09:16,560 --> 00:09:17,760
There's some top concerns.

156
00:09:17,760 --> 00:09:19,480
So let's start there.

157
00:09:19,480 --> 00:09:26,440
Now I know you did a Build session with my boss last week at Build or last week from

158
00:09:26,440 --> 00:09:28,360
the time we're recording this.

159
00:09:28,360 --> 00:09:30,660
That was all about data security.

160
00:09:30,660 --> 00:09:33,120
So why don't we start on that one?

161
00:09:33,120 --> 00:09:39,800
Tell me problem, what we should do about it, why it's different in the AI space.

162
00:09:39,800 --> 00:09:46,800
Yeah, so we luckily came up with the three golden rules that made life a lot easier for

163
00:09:46,800 --> 00:09:48,120
us to present it.

164
00:09:48,120 --> 00:09:50,220
And we had a lot of fun doing that one.

165
00:09:50,220 --> 00:09:56,820
So the rules basically say that data already has a lot of protections in place.

166
00:09:56,820 --> 00:10:00,800
So whether you're accessing a database or you're connecting to file servers, or maybe

167
00:10:00,800 --> 00:10:06,520
your user is uploading an email, looking at a website, every kind of data type you might

168
00:10:06,520 --> 00:10:09,840
use to interact with AI comes from somewhere.

169
00:10:09,840 --> 00:10:15,800
So hopefully it's either a trusted source like SharePoint or Office, or maybe it's coming

170
00:10:15,800 --> 00:10:18,600
from the internet, which means it might be untrusted.

171
00:10:18,600 --> 00:10:23,880
So knowing the kind of data you've got coming in, the idea is you should make sure that

172
00:10:23,880 --> 00:10:29,960
if there are already access controls or maybe API security, or maybe you started doing the

173
00:10:29,960 --> 00:10:36,440
more advanced labeling of content to say exactly what kind of sensitivity label this data has,

174
00:10:36,440 --> 00:10:41,360
you would make sure that when you get to your AI system, you do not want to let that AI

175
00:10:41,360 --> 00:10:45,800
system have unlimited access to the data on its own, because otherwise I will trick that

176
00:10:45,800 --> 00:10:49,040
AI into giving me all the data it has access to.

177
00:10:49,040 --> 00:10:53,560
So the first layer is make sure that your data is protected and that you don't undo

178
00:10:53,560 --> 00:10:58,720
those protections by giving even read-only access through a service account is not a

179
00:10:58,720 --> 00:10:59,720
good idea.

180
00:10:59,720 --> 00:11:05,360
So instead, you should use the user's credentials and get access to the data on behalf of the

181
00:11:05,360 --> 00:11:06,360
user.

182
00:11:06,360 --> 00:11:09,920
There are different ways of doing that, but that's the fundamentals of that first one.

183
00:11:09,920 --> 00:11:12,400
And then the second rule is about identity.

184
00:11:12,400 --> 00:11:17,300
And this one was surprising to a few customers I spoke to about this, but you should think

185
00:11:17,300 --> 00:11:21,360
about multi-factor authentication, what device the user is using.

186
00:11:21,360 --> 00:11:25,880
So when you get to the prompt of an AI system, that should be locked down and controlled

187
00:11:25,880 --> 00:11:27,560
to your trusted users.

188
00:11:27,560 --> 00:11:32,320
Now if you're making a customer-facing or public-facing AI app, you have a different

189
00:11:32,320 --> 00:11:36,880
set of problems, but mostly we're talking to enterprises and businesses that want to

190
00:11:36,880 --> 00:11:42,240
build some kind of chat GPT type functionality, but on their own data.

191
00:11:42,240 --> 00:11:46,080
And for that, they need to limit the scope down to the users that are trying to get to

192
00:11:46,080 --> 00:11:48,400
the data that that AI has access to.

193
00:11:48,400 --> 00:11:53,920
I have spoken to a few customers of building monolithic applications that has all the data

194
00:11:53,920 --> 00:11:57,320
with all the applications and all the users in one place.

195
00:11:57,320 --> 00:12:01,440
And really you're asking for trouble there because you're trying to expect that the LLM

196
00:12:01,440 --> 00:12:06,720
or the large language model is controlling access and I would not use that as a security

197
00:12:06,720 --> 00:12:07,920
layer.

198
00:12:07,920 --> 00:12:12,440
And then the third one is layers of security around the model.

199
00:12:12,440 --> 00:12:15,040
So models today, they're getting better.

200
00:12:15,040 --> 00:12:21,660
There's a, our red team works regularly with our own and other model makers to give feedback

201
00:12:21,660 --> 00:12:25,560
on how to improve model robustness in the first place and they're becoming more secure

202
00:12:25,560 --> 00:12:26,560
by default.

203
00:12:26,560 --> 00:12:32,480
However, I would always recommend that you put layers of controls like content safety,

204
00:12:32,480 --> 00:12:33,800
some kind of filtering.

205
00:12:33,800 --> 00:12:37,120
You don't want the user to work directly with them with an AI.

206
00:12:37,120 --> 00:12:42,200
You want some layers in the middle that look for potential bad things, filter them out.

207
00:12:42,200 --> 00:12:46,560
And then even when you get the answer back from the AI, you double check it and say,

208
00:12:46,560 --> 00:12:51,800
is the sensitivity of the data you're giving me either malicious or higher level than I

209
00:12:51,800 --> 00:12:54,040
trust this user to have access to.

210
00:12:54,040 --> 00:12:57,280
And that's, you get one last chance before you hand it to the user.

211
00:12:57,280 --> 00:13:02,360
So we've got, if you watch the build talk that we did, there's diagrams in there and

212
00:13:02,360 --> 00:13:04,880
it makes it much easier to explain.

213
00:13:04,880 --> 00:13:09,440
So many, many moons ago, I worked on this little thing called the security development

214
00:13:09,440 --> 00:13:10,440
life cycle, SDL.

215
00:13:10,440 --> 00:13:15,280
I heard through the great via that there's been some changes made to the SDL in light

216
00:13:15,280 --> 00:13:17,280
of AI security.

217
00:13:17,280 --> 00:13:20,280
Yes, there is because the build conference is coming up.

218
00:13:20,280 --> 00:13:24,280
We wanted to celebrate the 20 years of SDL.

219
00:13:24,280 --> 00:13:29,320
And so just before the build conference, we made it the new updated site go live.

220
00:13:29,320 --> 00:13:36,800
If you go and look at the SDL site now, we'll put a link in, but aka.ms slash Microsoft

221
00:13:36,800 --> 00:13:43,880
SDL, you'll see that we've created new 10 new practices and these practices cover end

222
00:13:43,880 --> 00:13:50,240
to end security for both developers and through DevSecOps and into live operations.

223
00:13:50,240 --> 00:13:52,880
And the intent is we will continue to update this.

224
00:13:52,880 --> 00:13:59,240
We have an initial set there today and then we'll continue to add detailed practices within

225
00:13:59,240 --> 00:14:02,360
each of these 10 in the future.

226
00:14:02,360 --> 00:14:06,540
Some of the best ones that we've added into the SDL is things like performing security

227
00:14:06,540 --> 00:14:08,800
design reviews and threat modeling.

228
00:14:08,800 --> 00:14:13,240
The number, I asked people to raise their hand in the session, but also other conversations

229
00:14:13,240 --> 00:14:17,120
I've had when I asked people if they do threat modeling, there's a little bit of an awkward

230
00:14:17,120 --> 00:14:18,600
silence of what is that?

231
00:14:18,600 --> 00:14:21,080
And I don't think we do it very well.

232
00:14:21,080 --> 00:14:25,320
So I'm glad that's now being called out something serious you need to go do.

233
00:14:25,320 --> 00:14:28,320
Another one would be the things like performing security testing.

234
00:14:28,320 --> 00:14:31,600
There's a lot of different security testing you have to do apart from pen testing and

235
00:14:31,600 --> 00:14:32,720
red teaming.

236
00:14:32,720 --> 00:14:39,240
And so in the software world and also physical world testing, and then as we get to the end

237
00:14:39,240 --> 00:14:41,280
of that, there's also training.

238
00:14:41,280 --> 00:14:45,760
And so as we all need to do is everybody needs to learn about security, which is why we bought

239
00:14:45,760 --> 00:14:47,880
more security sessions to build this year.

240
00:14:47,880 --> 00:14:52,680
We need everybody to take part in the security conversation going forwards.

241
00:14:52,680 --> 00:14:56,280
From a practical perspective, it's interesting you should bring that up.

242
00:14:56,280 --> 00:15:01,840
I can tell you right now, looking at the threat models that I review in Azure data, over the

243
00:15:01,840 --> 00:15:10,200
last, when I say nine, 12 months, there has been more of a focus on asking machine learning,

244
00:15:10,200 --> 00:15:17,480
large language models, AI protection of data of the models themselves, basically asking

245
00:15:17,480 --> 00:15:19,920
those questions during the threat model reviews.

246
00:15:19,920 --> 00:15:25,400
Whereas prior to the sort of wave of artificial intelligence, those questions honestly were

247
00:15:25,400 --> 00:15:29,600
not really asked, except in environments that were just pure, true AI.

248
00:15:29,600 --> 00:15:33,680
But yeah, so now there's a much bigger focus.

249
00:15:33,680 --> 00:15:38,980
That comment and those topics are brought up during basically every threat model review,

250
00:15:38,980 --> 00:15:39,980
as they should.

251
00:15:39,980 --> 00:15:44,680
Another work I got started in when I started learning AI last year, and I started to think,

252
00:15:44,680 --> 00:15:49,880
what are we going to say when all these different AI people at Microsoft are doing AI and they're

253
00:15:49,880 --> 00:15:51,160
doing security?

254
00:15:51,160 --> 00:15:54,240
And threat modeling became one of the quickest things we had to talk about because we had

255
00:15:54,240 --> 00:16:00,680
50 plus teams all rapidly building co-pilots and only one team having to check them all

256
00:16:00,680 --> 00:16:01,680
before they went production.

257
00:16:01,680 --> 00:16:05,840
And so that team needed some kind of standardization in how do you talk about AI?

258
00:16:05,840 --> 00:16:06,840
What are the components?

259
00:16:06,840 --> 00:16:14,400
And so building a, even building a tech stack, the fundamental tech stack for AI is the platform,

260
00:16:14,400 --> 00:16:16,060
the application, and then the usage.

261
00:16:16,060 --> 00:16:20,780
If you can go those three layers, then it's a good starting point to bucket things into

262
00:16:20,780 --> 00:16:22,640
at least three big areas.

263
00:16:22,640 --> 00:16:26,440
And then you need to make sure that you think of the threat from the user's prompt in the

264
00:16:26,440 --> 00:16:30,760
usage area through the application and then to the model.

265
00:16:30,760 --> 00:16:36,400
And it's always surprising how simple that is, but really effective as well.

266
00:16:36,400 --> 00:16:40,600
Well, I'm realizing I'm going completely off script here.

267
00:16:40,600 --> 00:16:43,600
By the way, for anyone who wants to know, we don't really have a script in this true

268
00:16:43,600 --> 00:16:44,600
sense of the word.

269
00:16:44,600 --> 00:16:47,920
We have just a couple of bullet points to sort of discuss.

270
00:16:47,920 --> 00:16:49,680
This is not in the list.

271
00:16:49,680 --> 00:16:51,480
So if you look at co-pilots, right?

272
00:16:51,480 --> 00:16:59,080
So co-pilots is the big Microsoft brand around using AI to bring it to the masses essentially.

273
00:16:59,080 --> 00:17:00,080
That's my perspective.

274
00:17:00,080 --> 00:17:08,280
I look at, we were designing the AI, the co-pilot for Cosmos DB and where you could basically

275
00:17:08,280 --> 00:17:11,560
give it a database and it could ask you questions like, how do I do this, that, and the other

276
00:17:11,560 --> 00:17:13,720
build up the SQL statement for you.

277
00:17:13,720 --> 00:17:19,320
And it was interesting, the safeguards that we had to put in place on the understanding

278
00:17:19,320 --> 00:17:27,200
that there was always the possibility that what question you asked could end up producing

279
00:17:27,200 --> 00:17:30,120
a query that was wrong.

280
00:17:30,120 --> 00:17:36,080
And we need to make sure that we had defenses in place to mitigate a potentially incorrect

281
00:17:36,080 --> 00:17:39,600
query coming back from the large language model.

282
00:17:39,600 --> 00:17:42,240
There's all these sort of things you have to think about, right?

283
00:17:42,240 --> 00:17:47,840
I mean, could you imagine, you know, you say, how do I query for ABC?

284
00:17:47,840 --> 00:17:53,080
And it gives you the prompt back or SQL statement that drops the table instead.

285
00:17:53,080 --> 00:17:54,080
Right.

286
00:17:54,080 --> 00:17:59,000
So, you know, we do things like warning people like, hey, you know, you're connecting as

287
00:17:59,000 --> 00:18:00,580
an admin.

288
00:18:00,580 --> 00:18:03,240
You really shouldn't be running these queries as an admin.

289
00:18:03,240 --> 00:18:06,040
First of all, it's just a bad idea anyway.

290
00:18:06,040 --> 00:18:11,840
But you know, if something goes wrong, then it can go wrong because you're an admin, you're

291
00:18:11,840 --> 00:18:14,120
violating the principle of least privilege.

292
00:18:14,120 --> 00:18:16,440
So you really probably shouldn't do this.

293
00:18:16,440 --> 00:18:22,480
And there's stuff in there that's like, you know, there's prompts to kind of just educate

294
00:18:22,480 --> 00:18:24,140
people on that.

295
00:18:24,140 --> 00:18:29,080
But there's also some real good stuff that we did under the covers to help mitigate and

296
00:18:29,080 --> 00:18:34,680
detect a potentially, you know, a hallucination of a query.

297
00:18:34,680 --> 00:18:36,840
Do you see that kind of stuff happening as well?

298
00:18:36,840 --> 00:18:39,720
Yeah, that makes a lot of sense.

299
00:18:39,720 --> 00:18:42,960
From a zero trust perspective, you should trust that the users probably put something

300
00:18:42,960 --> 00:18:48,420
in wrong and then trust that the, or don't trust that the LLM interpreted what they wanted

301
00:18:48,420 --> 00:18:50,640
to do correctly.

302
00:18:50,640 --> 00:18:54,560
And LLMs or large language models, even small language models, you know, they're very broad

303
00:18:54,560 --> 00:18:56,860
in all the things they can do.

304
00:18:56,860 --> 00:18:59,160
That doesn't mean they're very good at specific tasks.

305
00:18:59,160 --> 00:19:04,220
And so there was a really good session, a build between Mark Rusinovich and Scott Hanselman,

306
00:19:04,220 --> 00:19:08,600
where they were doing a very basic demo where they were trying to clean up the desktop icons.

307
00:19:08,600 --> 00:19:10,360
It's a really good storyline.

308
00:19:10,360 --> 00:19:14,800
But in doing so, what they got the AI to do or the generative AI to do was actually call

309
00:19:14,800 --> 00:19:17,160
features and functions that knew what they were doing.

310
00:19:17,160 --> 00:19:21,160
So basic tasks like count how many text files are on my desktop.

311
00:19:21,160 --> 00:19:23,680
The LLM, terrible at that.

312
00:19:23,680 --> 00:19:25,920
It didn't, it got the number wrong every time.

313
00:19:25,920 --> 00:19:29,600
But if it called a function and it called the correct function, it would get the correct

314
00:19:29,600 --> 00:19:30,600
answer back.

315
00:19:30,600 --> 00:19:36,400
And so I think what we're seeing is AI using AI is where we're going in the future.

316
00:19:36,400 --> 00:19:41,880
And that's good and bad because it all comes down to the developer putting these Lego pieces

317
00:19:41,880 --> 00:19:43,000
together.

318
00:19:43,000 --> 00:19:47,360
But if one AI gets it wrong and another AI gets it wrong, how many chances you got of

319
00:19:47,360 --> 00:19:48,720
getting it right.

320
00:19:48,720 --> 00:19:55,120
So the final part of that is we're looking at using something called an AI watchdog.

321
00:19:55,120 --> 00:20:02,400
And just purely from a security perspective of jailbreaks and prompt injection, you can't

322
00:20:02,400 --> 00:20:07,340
always tell from the language the user used that what they were trying to do was a jailbreak.

323
00:20:07,340 --> 00:20:13,640
And so you need AI, separate AI that's not influenced by the user's instructions, watching

324
00:20:13,640 --> 00:20:20,280
both the input of the prompt into the LLM and then the output from the LLM and say,

325
00:20:20,280 --> 00:20:21,800
do these two things match?

326
00:20:21,800 --> 00:20:23,920
Does any of this look suspicious in any way?

327
00:20:23,920 --> 00:20:26,800
And it's not just one-on-one, but like the whole conversation.

328
00:20:26,800 --> 00:20:28,960
And you're looking at things like intent and semantics.

329
00:20:28,960 --> 00:20:30,800
And so that's where we're heading with it.

330
00:20:30,800 --> 00:20:35,240
Like we need AI to protect AI or protect users and AI interactions.

331
00:20:35,240 --> 00:20:42,000
So Richard, you mentioned earlier on about the different layers of an AI application.

332
00:20:42,000 --> 00:20:48,600
But for the security folks out there, how does that translate into something that we

333
00:20:48,600 --> 00:20:52,960
can do something with in terms of say defenses or mitigations that we put in place?

334
00:20:52,960 --> 00:20:55,200
Can you run us through that?

335
00:20:55,200 --> 00:20:56,480
Absolutely.

336
00:20:56,480 --> 00:21:00,720
So if we started the usage layer, the first thing to think about is that we still have

337
00:21:00,720 --> 00:21:08,480
all the same cybersecurity risks from things like an insider, which is growing in popularity.

338
00:21:08,480 --> 00:21:12,320
Then there's social engineering and phishing links and phishing documents.

339
00:21:12,320 --> 00:21:15,440
They're all going to be amplified by the use of AI by the attackers.

340
00:21:15,440 --> 00:21:21,240
They're going to find better ways to do that in localized languages or targeting individuals.

341
00:21:21,240 --> 00:21:26,600
And then we have this not a new concept, but we're resurfacing it with poisoned content.

342
00:21:26,600 --> 00:21:30,520
And that idea being that you might trust the content is benign.

343
00:21:30,520 --> 00:21:34,280
Let's say I'm a hiring manager and I'm going to look at a bunch of CVs.

344
00:21:34,280 --> 00:21:39,480
And so I might want to take 10 CVs from my top candidates and have the language model

345
00:21:39,480 --> 00:21:40,840
review them all for me.

346
00:21:40,840 --> 00:21:45,800
What I don't know is that somebody might have hidden some kind of instructions inside of

347
00:21:45,800 --> 00:21:49,960
that Word document or even an image or an audio file, whatever it might be.

348
00:21:49,960 --> 00:21:54,560
So at that usage layer, there's a whole set of things that we can do to protect ourselves,

349
00:21:54,560 --> 00:21:59,400
like identity security, make sure we're not logging in as admin so that if we do trigger

350
00:21:59,400 --> 00:22:03,120
some kind of phishing link, we're not causing more damage later on.

351
00:22:03,120 --> 00:22:08,300
We can do content filtering, some basic things like just know where the content came from.

352
00:22:08,300 --> 00:22:13,200
Looking for white text on white background is such an obvious one.

353
00:22:13,200 --> 00:22:16,440
And also special characters, smiley faces.

354
00:22:16,440 --> 00:22:19,720
There's lots of telltale signs, very basic and simple you could do.

355
00:22:19,720 --> 00:22:23,160
I think those defenses will get more mature in time.

356
00:22:23,160 --> 00:22:28,200
Once we create the prompt and then we create the content and we add it all together, we're

357
00:22:28,200 --> 00:22:29,640
now into the application.

358
00:22:29,640 --> 00:22:32,780
So we've sent that in when we're waiting for a response.

359
00:22:32,780 --> 00:22:34,200
That's when prompt filtering comes in.

360
00:22:34,200 --> 00:22:39,840
This is something that in Microsoft Copilot, we build all this in and we look after all

361
00:22:39,840 --> 00:22:42,880
that, we make sure it's best defenses we can make.

362
00:22:42,880 --> 00:22:46,560
But if you're building your own, you need to make sure that your prompt filtering is

363
00:22:46,560 --> 00:22:49,840
kind of top of the game to prevent some of the obvious harms.

364
00:22:49,840 --> 00:22:52,320
It's like malware filtering today.

365
00:22:52,320 --> 00:22:57,600
Then you have all your applications, security controls, it's the normal things like SQL

366
00:22:57,600 --> 00:23:01,480
commands or API security, et cetera.

367
00:23:01,480 --> 00:23:03,240
Eventually you're going to build a meta prompt.

368
00:23:03,240 --> 00:23:07,400
So a system meta prompt is where you take what the user said they wanted you to do,

369
00:23:07,400 --> 00:23:10,200
you've cleaned it up and then you might add additional guardrails.

370
00:23:10,200 --> 00:23:15,320
Like I want you to act like a professional health and safety representative and I want

371
00:23:15,320 --> 00:23:18,000
you to answer the user's questions in a certain way.

372
00:23:18,000 --> 00:23:21,200
Then you give a whole bunch of instructions that comes along with whatever the user asked

373
00:23:21,200 --> 00:23:22,200
for.

374
00:23:22,200 --> 00:23:24,540
Now we package that up and then we send that to the LLM.

375
00:23:24,540 --> 00:23:30,200
So now we're in the platform and in the platform again we've got layers of security here but

376
00:23:30,200 --> 00:23:34,440
in that deep safety system we're certainly filtering for harmful content and there's

377
00:23:34,440 --> 00:23:35,760
a bunch of categories for that.

378
00:23:35,760 --> 00:23:43,160
We've just updated the Azure AI Content Safety Filter now has customizable filters.

379
00:23:43,160 --> 00:23:47,400
So if you don't want certain words or certain kinds of language being used, you can change

380
00:23:47,400 --> 00:23:48,400
it.

381
00:23:48,400 --> 00:23:54,280
But we've also got political problems and racist problems and harmful content like

382
00:23:54,280 --> 00:23:57,540
bio weapons, all of that can get filtered out.

383
00:23:57,540 --> 00:23:59,680
And then we ask the LLM the question.

384
00:23:59,680 --> 00:24:03,560
So it's taking a long time to get there, it's milliseconds in the real world, but by the

385
00:24:03,560 --> 00:24:06,720
time it now gets the LLM it's going to process whatever information it's given and it's going

386
00:24:06,720 --> 00:24:08,880
to send it back out.

387
00:24:08,880 --> 00:24:11,720
That's your on the way back out, we're back into the application layer.

388
00:24:11,720 --> 00:24:18,640
We can look at what data is if I used content from HR and content from finance and content

389
00:24:18,640 --> 00:24:21,560
from legal, what is my outcome?

390
00:24:21,560 --> 00:24:23,560
Is it a mix of all three?

391
00:24:23,560 --> 00:24:24,560
Is it none?

392
00:24:24,560 --> 00:24:27,640
Because we've cleared all the sensitive data out like what is it?

393
00:24:27,640 --> 00:24:32,400
And so you have to do some kind of sensitive labeling on the data going out.

394
00:24:32,400 --> 00:24:35,800
But you also want to check it again to see if it's appropriate for the user that's using

395
00:24:35,800 --> 00:24:36,800
it.

396
00:24:36,800 --> 00:24:41,480
So are you giving out customer pricing lists when it's the customer you're sending it to?

397
00:24:41,480 --> 00:24:43,280
No, I want to send that to my sales reps.

398
00:24:43,280 --> 00:24:45,100
I don't want to send it to my customer.

399
00:24:45,100 --> 00:24:48,140
And so you can check all these things before you then send it out.

400
00:24:48,140 --> 00:24:51,700
And then we're back into the first layer again, which is the usage layer.

401
00:24:51,700 --> 00:24:55,960
If the user isn't on a corporate managed device or on the right kind of application, if it's

402
00:24:55,960 --> 00:24:59,560
anything that's suspicious, you might not want to send that data to them.

403
00:24:59,560 --> 00:25:05,640
That's some of the normal layers of security we put in place, like don't send it to Dropbox,

404
00:25:05,640 --> 00:25:08,720
just only send it to OneDrive or only send it to an office application.

405
00:25:08,720 --> 00:25:13,320
So there's controls, that's 10 controls I've just told you about in the diagram I'm staring

406
00:25:13,320 --> 00:25:14,800
at.

407
00:25:14,800 --> 00:25:19,880
But there's many different ways that you can try to prevent, expect it's going to go wrong

408
00:25:19,880 --> 00:25:23,440
and then do detection and response on the way back in real time.

409
00:25:23,440 --> 00:25:27,880
Richard, you're talking to loads and loads of customers and I'm sure people who are listening

410
00:25:27,880 --> 00:25:29,920
are thinking about this too.

411
00:25:29,920 --> 00:25:34,400
But I'd like to ask people, where do you think, because there's a lot to do here, where do

412
00:25:34,400 --> 00:25:39,840
you think is the best place people can start and be the most impactful with these controls

413
00:25:39,840 --> 00:25:42,880
and mitigations and things they should be worried about?

414
00:25:42,880 --> 00:25:47,640
Because of course, we'd love to say do everything straight away, but we all know that that's

415
00:25:47,640 --> 00:25:49,600
not really possible, right?

416
00:25:49,600 --> 00:25:50,600
Absolutely.

417
00:25:50,600 --> 00:25:54,280
I can plug my book here, I think, and say go read my book.

418
00:25:54,280 --> 00:25:58,280
So I put all this together just a couple of months ago, I decided to write a book on this

419
00:25:58,280 --> 00:25:59,600
topic.

420
00:25:59,600 --> 00:26:03,040
And through the chapters, I try to structure that of like all the things you need to think

421
00:26:03,040 --> 00:26:04,040
about.

422
00:26:04,040 --> 00:26:09,960
But apart from reading the book, I would say that at a bare minimum, start drawing diagrams

423
00:26:09,960 --> 00:26:15,400
is my personal offering to the world is like without a good diagram, you don't know what

424
00:26:15,400 --> 00:26:16,680
people don't know.

425
00:26:16,680 --> 00:26:18,060
And you don't know what you don't know either.

426
00:26:18,060 --> 00:26:22,060
So by putting the diagram together of what you think the system looks like, then trace

427
00:26:22,060 --> 00:26:27,440
the data through that system and see if everyone else in the room agrees or as what ifs, you

428
00:26:27,440 --> 00:26:32,480
know, and just keep asking what if what happens if I interject a command here or what if I

429
00:26:32,480 --> 00:26:33,480
leak the data there.

430
00:26:33,480 --> 00:26:37,080
And so they're going back to threat modeling and that idea of getting more people involved

431
00:26:37,080 --> 00:26:38,280
in threat modeling.

432
00:26:38,280 --> 00:26:43,280
A diagram for me is why I'm that's why I moved into marketing is I want to make sure that

433
00:26:43,280 --> 00:26:47,640
we we provide people with the tools to go and make a difference.

434
00:26:47,640 --> 00:26:52,920
And that's a very nice segue into our next into what I was going to ask you about next,

435
00:26:52,920 --> 00:26:53,920
Richard.

436
00:26:53,920 --> 00:26:58,800
As you said, you've written a book, both Michael and I have also written books.

437
00:26:58,800 --> 00:27:04,440
And I know there's a lot of people in industry who quite like the idea of doing it.

438
00:27:04,440 --> 00:27:11,140
So although a little bit of a segue, I wanted to ask you what what's your advice for for

439
00:27:11,140 --> 00:27:17,520
people who might want to get their name on a book and be an author to show it to the

440
00:27:17,520 --> 00:27:18,520
nearest and dearest.

441
00:27:18,520 --> 00:27:19,920
I mean, I'm not going to lie.

442
00:27:19,920 --> 00:27:24,840
That's basically my was my motivation originally for doing it, that I just wanted to say I

443
00:27:24,840 --> 00:27:27,920
was an author more than anything.

444
00:27:27,920 --> 00:27:28,920
That's about it.

445
00:27:28,920 --> 00:27:29,920
I'll be honest with you.

446
00:27:29,920 --> 00:27:30,920
You don't do it for the money.

447
00:27:30,920 --> 00:27:34,760
I would say you do it because the best reason I found is to learn.

448
00:27:34,760 --> 00:27:38,520
So I thought I knew a lot about AI as like confident enough to write a book.

449
00:27:38,520 --> 00:27:39,520
Why not?

450
00:27:39,520 --> 00:27:42,520
And so I started to track like, what does it take to write?

451
00:27:42,520 --> 00:27:45,520
I've written books before, but I've written them on Windows and Sentinel.

452
00:27:45,520 --> 00:27:49,040
They're very technical, and I wanted to make sure this book was to a broader audience.

453
00:27:49,040 --> 00:27:50,320
So I just started writing it.

454
00:27:50,320 --> 00:27:52,160
But I don't know how you both approached it.

455
00:27:52,160 --> 00:27:54,640
Maybe you can share your experiences here.

456
00:27:54,640 --> 00:28:00,880
But the easiest way to get started, if anybody wants to do it, is you create your 10 chapters

457
00:28:00,880 --> 00:28:04,280
and inside each of your 10 chapters, you write 10 bullet points.

458
00:28:04,280 --> 00:28:06,480
And that gives you the bones of your book.

459
00:28:06,480 --> 00:28:13,840
Now with that, it will take you, I'd say 140 hours of writing, and then 60 hours of perfecting,

460
00:28:13,840 --> 00:28:20,400
which is research and diagrams and editing and getting reviews from 10 more people.

461
00:28:20,400 --> 00:28:26,160
But eventually, you're aiming to write somewhere between 60 and 70,000 words, and it will take

462
00:28:26,160 --> 00:28:28,200
you about 200 hours of effort.

463
00:28:28,200 --> 00:28:32,040
So depending on how many books you sell and how much you sell the book for and whether

464
00:28:32,040 --> 00:28:36,280
your publisher takes most of the profit or not, you're probably not going to get minimum

465
00:28:36,280 --> 00:28:37,280
wage for writing a book.

466
00:28:37,280 --> 00:28:44,120
But what you do get is all the lessons learned of having to, the two hardest chapters for

467
00:28:44,120 --> 00:28:50,600
me, has to be the ethical framework and then AI governance.

468
00:28:50,600 --> 00:28:55,080
So these are two things that don't normally think about ethics in a security world, some

469
00:28:55,080 --> 00:28:56,440
people do, but not everybody.

470
00:28:56,440 --> 00:29:00,120
When you're from a technical background, ethics weren't the thing I studied.

471
00:29:00,120 --> 00:29:04,120
And then AI governance is so new that took a lot more research to understand where are

472
00:29:04,120 --> 00:29:05,920
we at in the world of governance.

473
00:29:05,920 --> 00:29:09,860
And so you have to dig into the bits that you don't know very well.

474
00:29:09,860 --> 00:29:13,720
But now I can say I'm more confident in being able to have these conversations just because

475
00:29:13,720 --> 00:29:16,360
I spent those 200 hours in writing.

476
00:29:16,360 --> 00:29:19,600
And then it is nice to feel it in your hands and you've got a book and you can put it on

477
00:29:19,600 --> 00:29:20,600
the shelf.

478
00:29:20,600 --> 00:29:23,720
And every now and again, someone says, Hey, I bought your book and I'm reading it.

479
00:29:23,720 --> 00:29:24,720
That's pretty cool.

480
00:29:24,720 --> 00:29:25,720
Yeah.

481
00:29:25,720 --> 00:29:31,240
I don't know how many hours we spent on the last book, which are designing and developing

482
00:29:31,240 --> 00:29:33,640
Secure ASI solutions.

483
00:29:33,640 --> 00:29:36,520
As you don't know, I don't really track it to be absolutely honest with you, but I do

484
00:29:36,520 --> 00:29:44,600
agree with agreeing on basically the chapter outline and then the main points in each chapter

485
00:29:44,600 --> 00:29:47,660
on the understanding that you're probably going to change.

486
00:29:47,660 --> 00:29:49,440
We were pretty lucky.

487
00:29:49,440 --> 00:29:56,080
I think that the outline that we had for the book, I think we deleted one chapter and we

488
00:29:56,080 --> 00:30:00,560
took the content of that chapter and infused it into other chapters.

489
00:30:00,560 --> 00:30:04,560
So for example, that actual chapter was going to be a whole chapter on Defender, Defender

490
00:30:04,560 --> 00:30:06,640
for cloud.

491
00:30:06,640 --> 00:30:11,800
And we realized it was actually better to not make it a separate chapter because it

492
00:30:11,800 --> 00:30:18,960
was changing so much and rather just infused the best practices into the other chapters

493
00:30:18,960 --> 00:30:19,960
instead.

494
00:30:19,960 --> 00:30:22,440
Just things that you should be aware of when it comes to, for example, in the Key Vault

495
00:30:22,440 --> 00:30:25,520
chapter, we talk about Defender for Key Vault, right?

496
00:30:25,520 --> 00:30:30,400
In the storage stuff and the database chapter, for example, is a bit better example.

497
00:30:30,400 --> 00:30:35,480
We talk about Defender for databases and we talk about sort of the overall security score

498
00:30:35,480 --> 00:30:37,920
just conceptually.

499
00:30:37,920 --> 00:30:38,920
But I agree with you.

500
00:30:38,920 --> 00:30:43,000
I think getting that structure in your head helps substantially.

501
00:30:43,000 --> 00:30:45,760
So, but yeah, I agree with that a hundred percent.

502
00:30:45,760 --> 00:30:47,400
As for timing, I don't know.

503
00:30:47,400 --> 00:30:50,020
I'm terrible when it comes to predicting timing.

504
00:30:50,020 --> 00:30:51,520
Some people know this story.

505
00:30:51,520 --> 00:30:58,280
When I wrote the crypto chapter, it was supposed to be 25 pages long and ended up being 88.

506
00:30:58,280 --> 00:31:04,280
So yeah, that'll give you an example of how good I am at working out what we should be

507
00:31:04,280 --> 00:31:07,200
doing in terms of time and length.

508
00:31:07,200 --> 00:31:08,200
Yeah.

509
00:31:08,200 --> 00:31:12,560
That's why I recorded all my times to just work out how long does it take.

510
00:31:12,560 --> 00:31:17,920
It's about 3, 530 words per hour and that's when you'll spend 140 hours.

511
00:31:17,920 --> 00:31:19,680
So if you go to 60,000 words.

512
00:31:19,680 --> 00:31:20,680
But you're right.

513
00:31:20,680 --> 00:31:23,560
And that's actually why a lot of people don't write a book because they don't know how long

514
00:31:23,560 --> 00:31:27,880
it's going to take or what efforts involved or they get two chapters into it and it's

515
00:31:27,880 --> 00:31:28,880
amazing.

516
00:31:28,880 --> 00:31:30,120
And now you've got the grunt work to do.

517
00:31:30,120 --> 00:31:31,600
You've got to finish it.

518
00:31:31,600 --> 00:31:34,240
So well, it's more than just that.

519
00:31:34,240 --> 00:31:35,240
You're absolutely correct.

520
00:31:35,240 --> 00:31:36,520
But it's more than that.

521
00:31:36,520 --> 00:31:38,040
You're under a time constraint.

522
00:31:38,040 --> 00:31:40,080
Like you can't take forever to write a book.

523
00:31:40,080 --> 00:31:44,040
You just can't, you know, I mean, people, you know, they're holding your feet to the

524
00:31:44,040 --> 00:31:45,040
fire.

525
00:31:45,040 --> 00:31:47,480
You can't just lollygag your way through writing a book.

526
00:31:47,480 --> 00:31:49,840
You know, you've we actually hit our schedule.

527
00:31:49,840 --> 00:31:53,880
In fact, we were actually about about a week and a half ahead of schedule when we were

528
00:31:53,880 --> 00:31:54,880
done.

529
00:31:54,880 --> 00:31:57,400
We were very proud of ourselves, but you know, we put in the hours.

530
00:31:57,400 --> 00:32:02,760
My guess is we probably put in more hours than we thought to make that schedule though.

531
00:32:02,760 --> 00:32:04,560
But that's just the nature of the beast.

532
00:32:04,560 --> 00:32:09,360
I mean, you bring up a really interesting point about learning stuff.

533
00:32:09,360 --> 00:32:12,640
You will learn stuff as you write the book.

534
00:32:12,640 --> 00:32:16,360
Even if you're an expert in the topic, you will still learn things.

535
00:32:16,360 --> 00:32:22,280
And in fact, one thing I've found with doing, you know, sort of the stuff that I write about,

536
00:32:22,280 --> 00:32:24,360
you'll find bugs in products too.

537
00:32:24,360 --> 00:32:28,520
So there's a product from the Key Vault team called Managed HSM, Managed Hardware Security

538
00:32:28,520 --> 00:32:29,520
Module.

539
00:32:29,520 --> 00:32:32,480
And there was a bug signing data.

540
00:32:32,480 --> 00:32:33,880
There's a bug in their REST API.

541
00:32:33,880 --> 00:32:35,880
It wasn't a bug in the HSM.

542
00:32:35,880 --> 00:32:39,200
But I, you know, I was doing some experiments and I found this bug calling the REST API.

543
00:32:39,200 --> 00:32:42,600
It was brand, by the way, it wasn't even shipping when I was using it.

544
00:32:42,600 --> 00:32:44,480
So you know, bugs are expected.

545
00:32:44,480 --> 00:32:49,600
But yeah, you'll probably find bugs and discrepancies in products and features as well when you're

546
00:32:49,600 --> 00:32:52,160
writing a book because you're being very disciplined about it when you're writing.

547
00:32:52,160 --> 00:32:55,320
I hope, you know, I hope people are disciplined when they're writing.

548
00:32:55,320 --> 00:32:56,680
And yeah, you'll probably find issues.

549
00:32:56,680 --> 00:32:58,680
Is that something you came across too?

550
00:32:58,680 --> 00:33:02,720
Yeah, I started to come across the what if scenarios.

551
00:33:02,720 --> 00:33:06,600
So I'm not in the red team, but I get to work with them so often that I work, you get to

552
00:33:06,600 --> 00:33:10,280
see how they work or some of the thought patterns they go through.

553
00:33:10,280 --> 00:33:11,880
And it's really just what if.

554
00:33:11,880 --> 00:33:17,920
And so I thought about things like what would a poisoned well or a honey pot look like if

555
00:33:17,920 --> 00:33:21,640
you reverse what we're using for today, the honey pot is to attract the attackers.

556
00:33:21,640 --> 00:33:23,960
Well, what if we try to attract AI?

557
00:33:23,960 --> 00:33:25,240
What if we get AI to go on?

558
00:33:25,240 --> 00:33:26,880
And there's been some examples in the news recently.

559
00:33:26,880 --> 00:33:31,480
I won't repeat them now, but there's some interesting stories of AI telling users to

560
00:33:31,480 --> 00:33:33,960
do things because it found it on Reddit.

561
00:33:33,960 --> 00:33:37,800
And so if you can attract the AI to go and use something as a source of truth, and it's

562
00:33:37,800 --> 00:33:41,360
really not, that's a great scenario.

563
00:33:41,360 --> 00:33:45,960
And on your point like about being under the gun, when normally I would be and I'd have

564
00:33:45,960 --> 00:33:46,960
been told you're on a schedule.

565
00:33:46,960 --> 00:33:51,080
So if you go to a publisher, you'll be under a schedule and you'll say, I'll submit X chapter

566
00:33:51,080 --> 00:33:55,240
by a certain date and then version two X number weeks later.

567
00:33:55,240 --> 00:33:57,240
I didn't, I went self-published.

568
00:33:57,240 --> 00:34:00,440
And that's another angle is you do everything yourself.

569
00:34:00,440 --> 00:34:02,760
It means you've got the freedom of time, but you're right.

570
00:34:02,760 --> 00:34:06,800
If you start writing and you take two years, how relevant is the information you wrote

571
00:34:06,800 --> 00:34:07,800
two years ago?

572
00:34:07,800 --> 00:34:09,140
And you'll end up rewriting it so many times.

573
00:34:09,140 --> 00:34:11,680
So I gave myself six weeks.

574
00:34:11,680 --> 00:34:13,680
I wrote it in six weeks.

575
00:34:13,680 --> 00:34:15,720
So I don't encourage anybody to do that.

576
00:34:15,720 --> 00:34:17,880
I had a lot of spare time on my hands.

577
00:34:17,880 --> 00:34:22,320
I just uninstalled Instagram and spent all the spare time writing a book instead.

578
00:34:22,320 --> 00:34:23,320
Yeah.

579
00:34:23,320 --> 00:34:27,240
Uninstalling social media is probably just a good idea anyway.

580
00:34:27,240 --> 00:34:28,240
Yeah.

581
00:34:28,240 --> 00:34:29,240
But that's interesting.

582
00:34:29,240 --> 00:34:31,560
So you did it all in six weeks.

583
00:34:31,560 --> 00:34:32,560
That's pretty good.

584
00:34:32,560 --> 00:34:36,960
I mean, all things considered, you know, but again, and just for people who are listening

585
00:34:36,960 --> 00:34:40,960
need to understand, we're not paid as Microsoft employees to write these books.

586
00:34:40,960 --> 00:34:43,780
I mean, they're basically deemed moonlighting.

587
00:34:43,780 --> 00:34:46,000
You actually have to get an agreement from your manager.

588
00:34:46,000 --> 00:34:50,160
In fact, in my case, I had to get an agreement from my manager's manager as well to actually

589
00:34:50,160 --> 00:34:55,400
write the book and you actually sign a moonlighting document because you're essentially earning

590
00:34:55,400 --> 00:34:59,360
money outside of, outside of Microsoft and it's not a Microsoft sanction thing.

591
00:34:59,360 --> 00:35:00,760
It's not part of your job.

592
00:35:00,760 --> 00:35:03,500
You are literally moonlighting.

593
00:35:03,500 --> 00:35:04,500
So yeah.

594
00:35:04,500 --> 00:35:07,520
And to your point, you're not going to, you're not going to retire on many books.

595
00:35:07,520 --> 00:35:12,660
That being said, writing secure code and writing secure code second edition were immensely

596
00:35:12,660 --> 00:35:15,240
successful by any measure.

597
00:35:15,240 --> 00:35:21,560
I mean, I'm not talking John Grisham novels successful, but in terms of tech, tech books

598
00:35:21,560 --> 00:35:24,640
successful, they were ahead of the pack.

599
00:35:24,640 --> 00:35:29,560
We sold a lot of those books, a lot of books.

600
00:35:29,560 --> 00:35:32,160
But yeah, for the most part, you're not going to, like you say, you're not going to retire

601
00:35:32,160 --> 00:35:35,040
on the earnings from a, from writing a book.

602
00:35:35,040 --> 00:35:38,180
It's almost a labor of love if nothing else.

603
00:35:38,180 --> 00:35:42,720
It's good to see people are still reading books with the opportunity of AI and search

604
00:35:42,720 --> 00:35:47,880
to just go find it, you know, summarize this for me or, or tell me what you think of X

605
00:35:47,880 --> 00:35:48,880
topic.

606
00:35:48,880 --> 00:35:49,880
You can learn so fast.

607
00:35:49,880 --> 00:35:51,880
That's one of the things I love about AI is I don't search anymore.

608
00:35:51,880 --> 00:35:55,400
I just ask AI for its opinion on something and it does all the searching for me and then

609
00:35:55,400 --> 00:35:56,920
brings you back to top five websites.

610
00:35:56,920 --> 00:36:00,320
Now not always accurate and you got to double check it, but it's easier than doing like

611
00:36:00,320 --> 00:36:02,320
a search and getting 10,000 pages.

612
00:36:02,320 --> 00:36:03,700
I can go look at.

613
00:36:03,700 --> 00:36:10,020
So they're one of the problems we've got in publishing is it's getting swamped with low

614
00:36:10,020 --> 00:36:15,540
quality AI created content, which people are just trying to do for like a quick buck.

615
00:36:15,540 --> 00:36:19,320
So if you are an expert out there and you do know your topic, you should think about

616
00:36:19,320 --> 00:36:23,120
contributing to the proper corpus of the library, right?

617
00:36:23,120 --> 00:36:27,960
And having content that people can read and appreciate because there is an audience out

618
00:36:27,960 --> 00:36:28,960
there.

619
00:36:28,960 --> 00:36:33,020
And this is where you might not self publish and you might go down the path of a publisher

620
00:36:33,020 --> 00:36:36,520
because if you can convince them it's a good book, they can do all the legwork of getting

621
00:36:36,520 --> 00:36:37,520
that book out there.

622
00:36:37,520 --> 00:36:42,080
And we're still selling books we wrote four or five years ago, one or two copies a week

623
00:36:42,080 --> 00:36:46,080
maybe, but it's still a, you know, Windows security and Sentinel.

624
00:36:46,080 --> 00:36:49,280
They're still books people want to pick up today and go and read about.

625
00:36:49,280 --> 00:36:51,980
So they have long lifespans too.

626
00:36:51,980 --> 00:36:55,040
So be careful what you write in your book because it will still be around in five and

627
00:36:55,040 --> 00:36:56,040
10 years time.

628
00:36:56,040 --> 00:36:59,680
But you bring up an interesting point there though.

629
00:36:59,680 --> 00:37:01,080
I love to read.

630
00:37:01,080 --> 00:37:03,960
I read all the time.

631
00:37:03,960 --> 00:37:09,560
I do use AI to summarize some things once in a while, but I do enjoy reading a book.

632
00:37:09,560 --> 00:37:13,440
Look, this is probably more information than anyone needs to know, but I have a whole bunch

633
00:37:13,440 --> 00:37:19,560
of Kindles around, let's just say strategically placed around the house and leave it at that.

634
00:37:19,560 --> 00:37:24,200
And I have one in my laptop bag.

635
00:37:24,200 --> 00:37:26,560
Whenever I go on vacation, I take my laptop with me because of course I have to take my

636
00:37:26,560 --> 00:37:27,600
laptop with me.

637
00:37:27,600 --> 00:37:30,680
I have a Kindle in there as well.

638
00:37:30,680 --> 00:37:35,240
Because they use so little power, you know, the thing can stay on power for a long time.

639
00:37:35,240 --> 00:37:38,280
But yeah, and then that way, you know, if I'm reading something, I can just pick it

640
00:37:38,280 --> 00:37:40,760
up and you know, where I left off.

641
00:37:40,760 --> 00:37:43,560
But yeah, I read all the time.

642
00:37:43,560 --> 00:37:49,080
I probably don't use AI as much as I should to sort of summarize stuff.

643
00:37:49,080 --> 00:37:50,920
I probably should start doing that a little bit more.

644
00:37:50,920 --> 00:37:55,600
The best part of course, you can ask AI to summarize things in a snarky voice, which

645
00:37:55,600 --> 00:37:58,400
is even more interesting.

646
00:37:58,400 --> 00:38:01,840
But yeah, is there anything else you want to add before we wrap this up?

647
00:38:01,840 --> 00:38:06,080
If you're wondering why Sarah's not chiming in, she's actually got a, just right now,

648
00:38:06,080 --> 00:38:09,240
she's got a horrible internet connection and she's just dropped.

649
00:38:09,240 --> 00:38:13,720
So I just sent her a message on Teams and just say, Hey, just hang in there and Richard

650
00:38:13,720 --> 00:38:14,960
and I will wrap this thing up.

651
00:38:14,960 --> 00:38:21,200
And on that very topic, so Richard, one thing we always ask our guests is if they had one

652
00:38:21,200 --> 00:38:25,080
final thought to leave our listeners with, what would it be?

653
00:38:25,080 --> 00:38:29,960
I think as I was writing the book, there's one quote that I came back to time and time

654
00:38:29,960 --> 00:38:34,000
again, and it's from Michael Crichton and Jurassic Park.

655
00:38:34,000 --> 00:38:38,960
And he said, your scientists were so preoccupied with whether or not they could, that they

656
00:38:38,960 --> 00:38:41,560
didn't stop to think if they should.

657
00:38:41,560 --> 00:38:45,640
And when it comes to AI, I think that we could all learn from that one still.

658
00:38:45,640 --> 00:38:50,960
I love the movie, but as we get into the idea of AI, it's like, should you be doing this

659
00:38:50,960 --> 00:38:52,960
with that data and using AI?

660
00:38:52,960 --> 00:38:55,960
And it doesn't mean no, just stop and think.

661
00:38:55,960 --> 00:38:57,240
I love Crichton's work.

662
00:38:57,240 --> 00:39:01,520
I like a lot of Crichton's thinking beyond his books.

663
00:39:01,520 --> 00:39:02,640
All right.

664
00:39:02,640 --> 00:39:05,200
So with that, let's bring this episode to an end.

665
00:39:05,200 --> 00:39:06,960
Richard, thank you so much for joining us this week.

666
00:39:06,960 --> 00:39:11,560
You and I meet somewhat regularly inside of Microsoft, so it's good to sort of interview

667
00:39:11,560 --> 00:39:13,680
you beyond the work that we do.

668
00:39:13,680 --> 00:39:15,960
So again, thank you so much for joining us.

669
00:39:15,960 --> 00:39:19,160
And to all our listeners out there, we hope you found this of use.

670
00:39:19,160 --> 00:39:21,280
Stay safe and we'll see you next time.

671
00:39:21,280 --> 00:39:24,640
Thanks for listening to the Azure Security Podcast.

672
00:39:24,640 --> 00:39:31,480
You can find show notes and other resources at our website, azsecuritypodcast.net.

673
00:39:31,480 --> 00:39:36,320
If you have any questions, please find us on Twitter at Azure Setpod.

674
00:39:36,320 --> 00:39:51,760
Background music is from ccmixtor.com and licensed under the Creative Commons license.