1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,320
where we discuss topics relating to security, privacy,

3
00:00:09,320 --> 00:00:13,760
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,760 --> 00:00:17,600
Hey everybody, welcome to episode 101.

5
00:00:17,600 --> 00:00:19,120
This week is myself, Michael,

6
00:00:19,120 --> 00:00:20,720
with Sarah and Mark.

7
00:00:20,720 --> 00:00:24,280
Our guests this week are Wayman Ho and

8
00:00:24,280 --> 00:00:27,200
Matt Zorich who are here to talk to us about the Ghost team.

9
00:00:27,200 --> 00:00:28,960
But before we get to our guests,

10
00:00:28,960 --> 00:00:30,680
let's take a little lap around the news.

11
00:00:30,680 --> 00:00:32,480
Sarah, why don't you kick things off?

12
00:00:32,480 --> 00:00:40,280
I've just got one piece of news which is that AKS is now supporting FIPS mutability.

13
00:00:40,280 --> 00:00:42,520
So that means, of course,

14
00:00:42,520 --> 00:00:45,560
if you are doing US government things,

15
00:00:45,560 --> 00:00:49,880
you can now use those cryptographic modules to meet

16
00:00:49,880 --> 00:00:53,800
your FedRAMP and other federal government requirements.

17
00:00:53,800 --> 00:00:58,640
Yeah, I'm going overseas and talking about US government stuff today. That's me.

18
00:00:58,640 --> 00:01:01,160
I've got a couple of pieces of news in my area.

19
00:01:01,160 --> 00:01:04,160
So a couple of Open Group standards that I have been working on

20
00:01:04,160 --> 00:01:06,880
and contributing to have just released.

21
00:01:06,880 --> 00:01:09,960
The first is security principles for architecture.

22
00:01:09,960 --> 00:01:12,320
I'll be honest, when I posted this,

23
00:01:12,320 --> 00:01:14,920
I thought this would be pretty boring and

24
00:01:14,920 --> 00:01:17,640
get like five, maybe 10 reactions on LinkedIn.

25
00:01:17,640 --> 00:01:21,360
500 later, and like 50,000, 60,000 impressions later.

26
00:01:21,360 --> 00:01:25,040
I was like, oh, I guess people are thinking back to the basics and who knows it,

27
00:01:25,040 --> 00:01:27,320
maybe because of some security vendor fails recently.

28
00:01:27,320 --> 00:01:30,760
But yeah, that one's out.

29
00:01:30,760 --> 00:01:33,120
It's just a simple, straightforward,

30
00:01:33,120 --> 00:01:38,000
solid set of security principles and you can copy paste this into your security architectures,

31
00:01:38,000 --> 00:01:40,880
your technology architectures, your enterprise architectures.

32
00:01:40,880 --> 00:01:43,480
It's really meant to just be that straightforward, simple,

33
00:01:43,480 --> 00:01:44,600
how to do security right,

34
00:01:44,600 --> 00:01:47,920
definitely aligns with zero trust principles and all that other stuff that we do.

35
00:01:47,920 --> 00:01:51,800
The Open Group, but it's just meant to be security principles.

36
00:01:51,800 --> 00:01:55,680
Then similar and related to that is the Zero Trust Commandments,

37
00:01:55,680 --> 00:02:01,400
the final version of that just came out about a week or two after the security principles.

38
00:02:01,400 --> 00:02:07,600
This is basically the rules of the road on what is good security or what is zero trust,

39
00:02:07,600 --> 00:02:09,280
really the same thing.

40
00:02:09,280 --> 00:02:12,280
Ultimately, these are must and shall statements.

41
00:02:12,280 --> 00:02:17,280
You must do this, this shall be one of the attributes of that.

42
00:02:17,280 --> 00:02:21,720
We're very, very specific and prescriptive on exactly what it is.

43
00:02:21,720 --> 00:02:25,840
Two guiding sets of documents there from the Open Group.

44
00:02:25,840 --> 00:02:27,600
The other thing I had was that,

45
00:02:27,600 --> 00:02:29,680
and I'll send the link to the playbook on it.

46
00:02:29,680 --> 00:02:33,640
It was really interesting because one of the things we put in our Zero Trust Playbook series,

47
00:02:33,640 --> 00:02:35,240
my co-author, Nikhil Kumar and I,

48
00:02:35,240 --> 00:02:37,880
who was on the show about a year ago, I think.

49
00:02:37,880 --> 00:02:41,120
But one of the things that's come up and become a really big deal,

50
00:02:41,120 --> 00:02:43,480
and this may be in the wake of SFI or what have you,

51
00:02:43,480 --> 00:02:45,920
I'm not quite sure, Secure Future Initiative.

52
00:02:45,920 --> 00:02:47,840
Sorry, I have to do the acronym thing.

53
00:02:47,840 --> 00:02:51,360
But we've seen a lot more attention and focus starting

54
00:02:51,360 --> 00:02:54,760
to go to accountability, governance structure,

55
00:02:54,760 --> 00:02:57,040
how should we be structuring security, etc.

56
00:02:57,040 --> 00:03:01,560
That's actually one of the things that we're really focused on in that playbook is,

57
00:03:01,560 --> 00:03:04,080
how do we explain security,

58
00:03:04,080 --> 00:03:06,440
a modern approach to security called zero trust,

59
00:03:06,440 --> 00:03:09,280
and how to think about governance,

60
00:03:09,280 --> 00:03:11,560
accountability, and whose job it is to do what?

61
00:03:11,560 --> 00:03:13,800
Because you can't just dump it on the security team and say,

62
00:03:13,800 --> 00:03:15,040
hey, it's your fault, wait what?

63
00:03:15,040 --> 00:03:16,200
I didn't make any of these decisions.

64
00:03:16,200 --> 00:03:17,880
I didn't implement any of this stuff.

65
00:03:17,880 --> 00:03:21,920
We spent a lot of time thinking through that for that Zero Trust Playbook series.

66
00:03:21,920 --> 00:03:24,760
And so, we've seen a bunch of interest in that.

67
00:03:24,760 --> 00:03:27,800
So just dropped a fresh link in there for that as well.

68
00:03:27,800 --> 00:03:28,760
That's all I got.

69
00:03:28,760 --> 00:03:29,840
I got a few items.

70
00:03:29,840 --> 00:03:35,600
The first one is there's some upcoming changes for Azure Event Grid around TLS.

71
00:03:35,600 --> 00:03:38,880
Basically, at the end of the year, October 31st this year, 2024,

72
00:03:38,880 --> 00:03:42,040
support for TLS 1.0 and 1.1 will go away.

73
00:03:42,040 --> 00:03:46,640
And it will support TLS 1.2 and later, which is great to see.

74
00:03:46,640 --> 00:03:50,040
You'll see more and more services support that as well, which is great to see.

75
00:03:50,040 --> 00:03:55,880
Next thing is NetApp Files now supports double encryption for data at rest.

76
00:03:55,880 --> 00:04:00,360
This is there in case there's a single key compromise, those kinds of things.

77
00:04:00,360 --> 00:04:02,040
So now you've got the option for

78
00:04:02,040 --> 00:04:05,160
customer-managed keys and platform-managed keys to be used together.

79
00:04:05,160 --> 00:04:09,400
And the last one is a good friend of the show, which is Azure Chaos Studio.

80
00:04:09,400 --> 00:04:12,320
They've now got a new fault that they support for

81
00:04:12,320 --> 00:04:14,560
virtual machines which is network isolation,

82
00:04:14,560 --> 00:04:19,400
which essentially allows you to isolate the VM to see what happens when

83
00:04:19,400 --> 00:04:23,400
all network traffic is cut off completely from the VM.

84
00:04:23,400 --> 00:04:26,480
So that's really good for just testing the resilience

85
00:04:26,480 --> 00:04:29,280
of the VM and the applications running inside of the VM.

86
00:04:29,280 --> 00:04:32,080
So that's all the news I have for today.

87
00:04:32,080 --> 00:04:34,080
Let's turn our attention to our guests.

88
00:04:34,080 --> 00:04:36,080
As I mentioned before, we have Wayman Ho and

89
00:04:36,080 --> 00:04:39,440
Matt Zorich who are here to talk to us about the Ghost team.

90
00:04:39,440 --> 00:04:42,320
So gentlemen, would you mind just taking a moment and

91
00:04:42,320 --> 00:04:44,480
introduce yourself to our listeners?

92
00:04:44,480 --> 00:04:47,000
Hi everyone. My name is Wayman Ho.

93
00:04:47,000 --> 00:04:51,600
I'm a Senior Security Research Manager on the Ghost team at Microsoft.

94
00:04:51,600 --> 00:04:53,280
And yeah, my name is Matt Zorich.

95
00:04:53,280 --> 00:04:57,600
I'm also a Research Manager in the Ghost team based out of Australia.

96
00:04:57,600 --> 00:05:01,040
All right. Let's kick it off with a really dumb, stupid, simple one.

97
00:05:01,040 --> 00:05:04,480
What is Ghost and don't say something that looks like Casper.

98
00:05:04,480 --> 00:05:06,520
Yeah. So the Ghost team is

99
00:05:06,520 --> 00:05:11,240
the Global Hunting Oversight and Strategic Triage team.

100
00:05:11,240 --> 00:05:14,800
We often joke internally that it's what we call a backronym,

101
00:05:14,800 --> 00:05:17,040
which is we came up with Ghost first,

102
00:05:17,040 --> 00:05:22,440
and then came up with some words that fit Ghost to make it sound cool.

103
00:05:22,440 --> 00:05:25,920
Our team was essentially built

104
00:05:25,920 --> 00:05:28,520
from some of the people who were originally in DART.

105
00:05:28,520 --> 00:05:32,920
So DART is our Detection and Response Team at Microsoft.

106
00:05:32,920 --> 00:05:35,960
As part of what DART was doing,

107
00:05:35,960 --> 00:05:40,720
we had a whole group of people doing things outside of just IR.

108
00:05:40,720 --> 00:05:44,080
So we were doing things like internal hunting at Microsoft

109
00:05:44,080 --> 00:05:49,240
and kind of working with our partner teams and doing some software development work.

110
00:05:49,240 --> 00:05:51,120
So things that were really important,

111
00:05:51,120 --> 00:05:53,160
but not core to DART's mission.

112
00:05:53,160 --> 00:05:57,240
So they took originally 30 of us and moved us over to the Ghost team.

113
00:05:57,240 --> 00:06:02,160
So we could focus on those things and leave DART to focus on what DART does best,

114
00:06:02,160 --> 00:06:05,280
which is being really great at customer incident response.

115
00:06:05,280 --> 00:06:07,120
So Matt, I mean,

116
00:06:07,120 --> 00:06:12,160
you've been on the show before and you've talked about DART.

117
00:06:12,160 --> 00:06:17,400
But what is Ghost's remit then compared with DART?

118
00:06:17,400 --> 00:06:22,680
What do you do that's different because you're a brand new team in Microsoft?

119
00:06:22,680 --> 00:06:25,360
Yeah, definitely. So brand new team in Microsoft.

120
00:06:25,360 --> 00:06:29,280
I think the difference between DART and Ghost is that

121
00:06:29,280 --> 00:06:33,920
our team in Ghost is almost exclusively focused on protecting Microsoft.

122
00:06:33,920 --> 00:06:39,920
So the original kind of 30 people all came across with a really strong IR background.

123
00:06:39,920 --> 00:06:44,360
And we had skills in hunting and forensics and digital forensics

124
00:06:44,360 --> 00:06:46,440
and running all our tooling and things like that.

125
00:06:46,440 --> 00:06:49,520
We also have like a lot of platform experts in our team.

126
00:06:49,520 --> 00:06:53,440
So we have people that have written books on MDE and things like that.

127
00:06:53,440 --> 00:06:55,000
So we have a whole breadth of skills.

128
00:06:55,000 --> 00:07:00,320
And our team has kind of stood up to help bring that set of skills across to Microsoft.

129
00:07:00,320 --> 00:07:03,760
So we do a lot of work with Microsoft First Party.

130
00:07:03,760 --> 00:07:07,240
Whereas DART does third party incident response.

131
00:07:07,240 --> 00:07:11,640
So yeah, kind of a clear delineation in mission there.

132
00:07:11,640 --> 00:07:12,760
Can you talk a little bit about...

133
00:07:12,760 --> 00:07:17,200
So it sounds like it's pretty clear that Ghost essentially protects Microsoft

134
00:07:17,200 --> 00:07:19,560
and DART protects our customers.

135
00:07:19,560 --> 00:07:23,160
Can you talk about like, you know, any more differences between the teams

136
00:07:23,160 --> 00:07:29,240
and also just how that compares and contrasts with our Microsoft Threat Intelligence Center, or MSTIC?

137
00:07:29,240 --> 00:07:32,160
I think generally when you talk, when we look at Ghost,

138
00:07:32,160 --> 00:07:37,320
our remit, as Matt mentioned, is to protect Microsoft and keep Microsoft safe.

139
00:07:37,320 --> 00:07:40,320
That actually includes a lot of our products and services as well.

140
00:07:40,320 --> 00:07:49,440
So kind of the key differences for Ghost across, you know, DART and MSTIC is,

141
00:07:49,440 --> 00:07:54,160
you know, we are kind of the more strategic threat hunting arm for Microsoft.

142
00:07:54,160 --> 00:08:00,080
We look a lot for adversary behaviors across our different environments,

143
00:08:00,080 --> 00:08:01,640
through our different products and services.

144
00:08:01,640 --> 00:08:06,880
And we help, you know, create things that will assist our product teams,

145
00:08:06,880 --> 00:08:10,760
inform their decisions to protect our customers overall.

146
00:08:10,760 --> 00:08:15,600
One of the key differences, you know, Matt had already talked about the differences between DART and Ghost.

147
00:08:15,600 --> 00:08:19,920
But from the MSTIC side, which is our Threat Intelligence Center team,

148
00:08:19,920 --> 00:08:27,040
a team that I used to be part of, MSTIC is involved in attribution and tracking adversaries.

149
00:08:27,040 --> 00:08:32,720
So in a sense, they're moving upstream to identify the adversary. From the Ghost perspective,

150
00:08:32,720 --> 00:08:40,480
we work really closely with MSTIC, but we move downstream, meaning we try to identify kind of threats to Microsoft.

151
00:08:40,480 --> 00:08:46,440
We also identify threats to our customers as well, a lot of our third party customers.

152
00:08:46,440 --> 00:08:53,040
So we fan out and investigate that behavior of our adversaries, taking the Threat Intelligence from MSTIC

153
00:08:53,040 --> 00:08:57,680
and looking for that type of activity within our environment.

154
00:08:57,680 --> 00:09:03,680
We're also responsible for some of the other types of notifications to our customers,

155
00:09:03,680 --> 00:09:08,880
including something that we call the Nation State Notification Process, or NSN.

156
00:09:08,880 --> 00:09:14,720
Gotcha. So it sounds like very similar to the way a mature Threat Intelligence function

157
00:09:14,720 --> 00:09:19,000
would interact with an incident response or threat hunting team.

158
00:09:19,000 --> 00:09:25,200
And it's just with the added Microsoft element of sharing learnings with our customers and whatnot.

159
00:09:25,200 --> 00:09:32,800
Yeah, totally. I think how our three teams work together is MSTIC will be tracking the adversary.

160
00:09:32,800 --> 00:09:37,560
We, on the Ghost side, will hunt and identify the adversary behaviors.

161
00:09:37,560 --> 00:09:40,920
We can reach out and do notifications to some of our customers.

162
00:09:40,920 --> 00:09:47,640
And then should they want to engage in incident response services, we will have DART work closely with the customer

163
00:09:47,640 --> 00:09:53,600
in that angle. And then all of us kind of just work together to protect Microsoft and our customers that way.

164
00:09:53,600 --> 00:09:59,160
Something I announced about a month or so ago is that I've actually joined a new team, which is actually the SFI team,

165
00:09:59,160 --> 00:10:05,920
Secure Future Initiative team. Actually, I'm sort of working with MSTIC as well, but on SFI, which is really kind of a bit confusing.

166
00:10:05,920 --> 00:10:13,520
So it's confused things even more. So how does Ghost feed into Microsoft's Secure Future Initiative?

167
00:10:13,520 --> 00:10:20,160
Yeah, so we've been involved, I guess, as kind of like we're providing guidance and insight to SFI.

168
00:10:20,160 --> 00:10:23,320
We're not the team that goes and makes those changes, of course.

169
00:10:23,320 --> 00:10:31,440
But I think like taking the perspective of a hunt team to securing Microsoft's like a really good win for Microsoft is that,

170
00:10:31,440 --> 00:10:35,800
as Wayman said, we look at things from a particular perspective.

171
00:10:35,800 --> 00:10:43,120
So we're looking at adversary behaviour and how adversaries kind of compromise systems, abuse systems.

172
00:10:43,120 --> 00:10:51,040
And a big one from our side is we're obviously very big data focused, and logs and telemetry play a huge part of our life.

173
00:10:51,040 --> 00:10:58,440
So a lot of the kind of guidance we're providing to SFI is around log retention, log visibility.

174
00:10:58,440 --> 00:11:02,680
How do we get access to telemetry? Again, not just for first party,

175
00:11:02,680 --> 00:11:09,760
but what we always say is we want to take our learnings from protecting Microsoft to help protect our customers as well.

176
00:11:09,760 --> 00:11:18,400
I guess we're in a very unique position at Microsoft in that we're a big target ourselves and then our customers are also a target as well.

177
00:11:18,400 --> 00:11:22,800
So we want to help both first party and we want to help our customers.

178
00:11:22,800 --> 00:11:28,440
And we bring a particular perspective, I think, to SFI as a threat hunting function.

179
00:11:28,440 --> 00:11:34,640
So we're obviously really fortunate to be a part of that process and give our perspective on it.

180
00:11:34,640 --> 00:11:41,240
Yeah, actually, I can add a little bit more context to this because actually, even though I asked you the question, I actually knew the answer as well.

181
00:11:41,240 --> 00:11:45,360
But so I'm on the receiving end of a lot of your data, right?

182
00:11:45,360 --> 00:11:53,320
So as well as other teams as well to help work out, OK, so what sorts of things do we need to do in SFI?

183
00:11:53,320 --> 00:11:56,360
I mean, it's all very well coming up with a list of things that can be done.

184
00:11:56,360 --> 00:12:04,000
But at the end of the day, if it's not sort of rooted in reality, like what's actually happening out there, you know, it's not really that useful.

185
00:12:04,000 --> 00:12:10,560
So, yeah, a lot of the information that we sort of feed into SFI comes from you guys, a lot of other people as well.

186
00:12:10,560 --> 00:12:17,960
But that helps us make the decisions about, OK, what are we going to do for the next, you know, N months, work on different parts of the product?

187
00:12:17,960 --> 00:12:21,720
So, yeah, we appreciate the guidance and the help that you guys give us, by the way.

188
00:12:21,720 --> 00:12:28,680
We talked about, well, Michael just asked, how does Ghost feed into SFI, the Secure Future Initiative that Microsoft's doing?

189
00:12:28,680 --> 00:12:39,680
But for folks listening who maybe are not Microsoft, how does what Ghost does feed into the things that our customers might use?

190
00:12:39,680 --> 00:12:44,160
So, you know, our products, do you feed into that?

191
00:12:44,160 --> 00:12:46,440
Yeah, I can probably handle this one. And yeah, absolutely.

192
00:12:46,440 --> 00:12:51,520
So as part of a threat hunt team, like we're obviously looking for adversary behaviour.

193
00:12:51,520 --> 00:12:56,000
We're looking for that in Microsoft. We're looking for that in our customer environments as well.

194
00:12:56,000 --> 00:13:02,480
And Wayman mentioned we deliver our nation state notifications when we do detect that activity.

195
00:13:02,480 --> 00:13:12,640
But ultimately, we want to help our product teams come up with better detections, better heuristics and things like that to really help our customers.

196
00:13:12,640 --> 00:13:16,400
And, you know, Microsoft's kind of at the forefront of that.

197
00:13:16,400 --> 00:13:20,320
Like I say, we're one of the biggest targets. Our customers are targets as well.

198
00:13:20,320 --> 00:13:26,480
So, you know, if we're being targeted by something, there's a good chance that our customers are also being a target of that.

199
00:13:26,480 --> 00:13:33,880
So if we can help detect that and help kind of drive product improvement, detection logic and things like that through our product suite,

200
00:13:33,880 --> 00:13:38,000
that's really the ultimate goal is we want to protect our customers.

201
00:13:38,000 --> 00:13:41,000
So, you know, we work closely with our product team.

202
00:13:41,000 --> 00:13:48,280
So Defender teams, the various Defender for X. So, you know, Defender for Identity, Defender for Office.

203
00:13:48,280 --> 00:13:53,160
We work closely with all those teams, just showing them the novel things we're seeing.

204
00:13:53,160 --> 00:14:02,120
Like you mentioned, Sarah, the things based in reality that adversaries are actually doing and seeing if they can build detections into the products or improve the products.

205
00:14:02,120 --> 00:14:07,400
And those teams are always really receptive to that feedback.

206
00:14:07,400 --> 00:14:12,360
As mentioned, we have a unique perspective of the world, seeing what's actually occurring.

207
00:14:12,360 --> 00:14:19,480
So hopefully it means the products reflect those kind of attacks we see as well.

208
00:14:19,480 --> 00:14:22,520
Yeah, just to add a little bit onto that as well, right?

209
00:14:22,520 --> 00:14:29,520
Like we are servicing a lot of these things internally, but outside of that, we also work with these product teams to say, hey, like,

210
00:14:29,520 --> 00:14:34,200
is this actually easier or harder for a customer to see it themselves?

211
00:14:34,200 --> 00:14:37,120
If it's harder, how do we make it easier for them in the future?

212
00:14:37,120 --> 00:14:46,000
How do we implement these things so that our customers can better protect themselves without us, for example, having to notify them without us having to be part of the process?

213
00:14:46,000 --> 00:14:49,760
How can we make it better for them overall?

214
00:14:49,760 --> 00:14:59,680
Tell me what a day in the life of Ghost is and if there's different sort of roles and responsibilities,

215
00:14:59,680 --> 00:15:05,120
like what would be like the difference between I'm just kind of curious what it was like to sit in the seat.

216
00:15:05,120 --> 00:15:07,520
Yeah, I guess I'll start off with this one.

217
00:15:07,520 --> 00:15:16,880
A day in the life for me as a hunt manager, I think Matt probably has a different perspective in the Australia time zone.

218
00:15:16,880 --> 00:15:24,840
But typically for Ghost, we have two types of what we call engagements that pop up for us.

219
00:15:24,840 --> 00:15:33,120
They're either reactive where some major engagement pops up, whether it's high profile or something that's urgent,

220
00:15:33,120 --> 00:15:37,760
that's coming from our different teams, from an external party, etc.

221
00:15:37,760 --> 00:15:40,440
And we're reacting to it.

222
00:15:40,440 --> 00:15:50,120
It would mean typically myself and a few hunters on Ghost will deploy either remotely or on site and assist with that.

223
00:15:50,120 --> 00:16:00,280
Outside of that, we have kind of proactive engagements where we are looking for adversary behavior actively within our own environment,

224
00:16:00,280 --> 00:16:09,360
trying to build better detections, better understanding of threats that may target us either in the future or something that we're anticipating.

225
00:16:09,360 --> 00:16:15,320
So it actually changes very often day to day, week to week.

226
00:16:15,320 --> 00:16:27,520
Our engagements vary: we can be working nation state one day, and switch over to cybercrime or some other major fraud and abuse case another day.

227
00:16:27,520 --> 00:16:31,560
We get pulled into all sorts of different directions.

228
00:16:31,560 --> 00:16:40,160
But I would say from a manager perspective, we have several engagements that we lead on a week by week basis.

229
00:16:40,160 --> 00:16:49,320
We answer questions related to any security issues our other product teams have or our threat intelligence teams have,

230
00:16:49,320 --> 00:16:57,040
or even just working directly on customer-facing engagements alongside DART or other teams.

231
00:16:57,040 --> 00:16:59,120
I know it's like super broad.

232
00:16:59,120 --> 00:17:04,360
I think one day I could be hunting on our back end data using Kusto.

233
00:17:04,360 --> 00:17:11,720
The other day I can be on some customer portal assisting them with their hunting queries.

234
00:17:11,720 --> 00:17:12,880
It really just depends.

235
00:17:12,880 --> 00:17:18,400
And then the great thing about our team is we have kind of a global presence.

236
00:17:18,400 --> 00:17:24,440
So when my day ends, I get to dump all of my work onto Matt and Matt can take over while I'm asleep.

237
00:17:24,440 --> 00:17:28,560
So yeah, but I'd say we get the advantage down here.

238
00:17:28,560 --> 00:17:34,960
And Sarah would know this is that like Monday is essentially an extra day because the US is asleep.

239
00:17:34,960 --> 00:17:37,840
There's no meetings. It's nice and quiet.

240
00:17:37,840 --> 00:17:39,880
Everything works quickly. It's just the best.

241
00:17:39,880 --> 00:17:45,120
But yeah, like Wayman says, we take over and we, you know, we're a global team.

242
00:17:45,120 --> 00:17:48,680
So we're not like regionally focused in our hunting.

243
00:17:48,680 --> 00:17:51,040
We hunt globally.

244
00:17:51,040 --> 00:17:57,200
Sometimes we'll be time-zone aligned with customers, of course, but it's a really dynamic environment.

245
00:17:57,200 --> 00:18:02,120
I guess in terms of the structure of the team, we have our threat hunters.

246
00:18:02,120 --> 00:18:04,360
We have our hunt managers.

247
00:18:04,360 --> 00:18:10,560
We have a group of like technical program managers that help us prioritize and triage work.

248
00:18:10,560 --> 00:18:12,520
And they're also kind of platform experts.

249
00:18:12,520 --> 00:18:15,800
So then we have a layer of leadership and things like that.

250
00:18:15,800 --> 00:18:22,760
But, you know, my people that report to me, we don't kind of hunt necessarily as one team.

251
00:18:22,760 --> 00:18:26,440
We might have someone in my team that's an expert in a particular skill set.

252
00:18:26,440 --> 00:18:28,680
So they're helping Wayman, for instance.

253
00:18:28,680 --> 00:18:38,880
So, yeah, super dynamic, a really great, great group of individuals as well, all kind of working towards the same goal.

254
00:18:38,880 --> 00:18:43,920
Matt, I can definitely tell you that I am a big fan of Quiet Monday,

255
00:18:43,920 --> 00:18:46,840
which is my favorite day of the week.

256
00:18:46,840 --> 00:18:48,360
It is. It's the best.

257
00:18:48,360 --> 00:18:55,600
You just wake up and they're all watching football on Sunday and everything works and everything's quick.

258
00:18:55,600 --> 00:18:58,920
It's the best. And then you see them on a Saturday morning.

259
00:18:58,920 --> 00:19:03,040
It's kind of Friday afternoon and it's hectic for them trying to get things squared away.

260
00:19:03,040 --> 00:19:04,720
And, you know, I'm having my coffee.

261
00:19:04,720 --> 00:19:06,880
Just watching the chaos. It's amazing.

262
00:19:06,880 --> 00:19:11,320
I recommend working in, you know, Australian time zones for a US company.

263
00:19:11,320 --> 00:19:15,360
I do, too. It's great.

264
00:19:15,360 --> 00:19:21,720
I was actually when I lived in the US, one of the things that made me really sad was that I had all these meetings on Mondays

265
00:19:21,720 --> 00:19:29,440
because I was like, what is this? I don't have meetings on Mondays because most people are not awake or at least not at work.

266
00:19:29,440 --> 00:19:31,800
It was something I found very sad.

267
00:19:31,800 --> 00:19:35,560
My Monday meetings when I lived in the US.

268
00:19:35,560 --> 00:19:40,080
We said Ghost is a new team and you're growing quite quickly.

269
00:19:40,080 --> 00:19:43,240
And a little bird tells me you still might be hiring.

270
00:19:43,240 --> 00:19:45,960
So tell me about that.

271
00:19:45,960 --> 00:19:48,680
Yeah, definitely. As mentioned, we're a relatively new team.

272
00:19:48,680 --> 00:19:50,520
We started with just the 30 of us.

273
00:19:50,520 --> 00:19:54,120
We've definitely grown since then, but still hiring.

274
00:19:54,120 --> 00:19:56,880
So we recommend you check out the careers page.

275
00:19:56,880 --> 00:20:05,200
So if you check out aka.ms slash ghost jobs, you know, those jobs kind of come and go as they're filled and as we're doing interviews.

276
00:20:05,200 --> 00:20:06,600
But definitely worth keeping an eye on.

277
00:20:06,600 --> 00:20:16,240
And as mentioned just before, we have hunters, we have technical program managers and I actually forgot to mention our very amazing development team earlier.

278
00:20:16,240 --> 00:20:20,400
So we have a group of software developers that help build our tools as well.

279
00:20:20,400 --> 00:20:25,160
So if you don't come from like a threat hunting background, but you come from a developer background,

280
00:20:25,160 --> 00:20:32,320
but interested in kind of that intersection of development work and cybersecurity, we have roles there as well.

281
00:20:32,320 --> 00:20:37,360
Yeah, jump on. Like, I can tell you all the interviewers are really lovely.

282
00:20:37,360 --> 00:20:43,360
My experience interviewing at Microsoft was amazing, like really conversational, not confronting at all.

283
00:20:43,360 --> 00:20:46,040
So we'd love for you to apply.

284
00:20:46,040 --> 00:20:53,480
All right. So one thing we ask all our guests is if they had just one final thought to leave our listeners with, what would it be?

285
00:20:53,480 --> 00:20:55,240
I think I can jump in here.

286
00:20:55,240 --> 00:21:01,760
Like I mentioned earlier, we kind of hunt across both nation states, cybercrime and a whole lot of different things.

287
00:21:01,760 --> 00:21:07,320
And I think one interesting thing we're seeing kind of at the moment in reality is that, you know,

288
00:21:07,320 --> 00:21:11,200
we often talk about like technical vulnerabilities in our software and things like that,

289
00:21:11,200 --> 00:21:16,080
but we're definitely seeing adversaries kind of exploiting what we call like business vulnerabilities.

290
00:21:16,080 --> 00:21:23,880
So understanding how kind of businesses work, whether that's social engineering, help desks,

291
00:21:23,880 --> 00:21:28,040
whether it's like inserting themselves into the hiring process and things like that.

292
00:21:28,040 --> 00:21:33,960
So it's definitely really novel to see that kind of attack, which is not technically focused.

293
00:21:33,960 --> 00:21:36,200
But yeah, so have a think.

294
00:21:36,200 --> 00:21:41,160
I guess the takeaway would be, like, have a think in your business, how you're onboarding staff,

295
00:21:41,160 --> 00:21:47,040
how you're having your staff enroll in MFA and things like that and how you're verifying them,

296
00:21:47,040 --> 00:21:51,080
because there's certainly some novel things in that space that we're seeing.

297
00:21:51,080 --> 00:21:53,280
All right. So let's bring this episode to an end.

298
00:21:53,280 --> 00:21:56,320
Gentlemen, thank you so much for joining us this week. I know you're both really, really busy.

299
00:21:56,320 --> 00:21:58,680
Yeah, it's always useful. I always learn something new.

300
00:21:58,680 --> 00:22:01,600
Again, I sort of mentioned at the top the MSTIC team,

301
00:22:01,600 --> 00:22:05,080
but I still have historically been a little bit confused about DART, Ghost and MSTIC.

302
00:22:05,080 --> 00:22:07,560
So thank you for clearing some of that up.

303
00:22:07,560 --> 00:22:10,760
And to all our listeners out there, we hope you found this episode of use.

304
00:22:10,760 --> 00:22:32,760
Stay safe and we'll see you next time.

