1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,380
where we discuss topics relating to security, privacy,

3
00:00:09,380 --> 00:00:13,720
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,720 --> 00:00:16,920
Hey, everybody. Welcome to Episode 49.

5
00:00:16,920 --> 00:00:19,640
This week is just myself, Michael and Gladys.

6
00:00:19,640 --> 00:00:23,120
Sarah and Mark are taking some time off for spring break.

7
00:00:23,120 --> 00:00:24,740
We also have a guest this week.

8
00:00:24,740 --> 00:00:26,400
We have Jason Zahn,

9
00:00:26,400 --> 00:00:28,920
who's here to talk to us about RiskIQ.

10
00:00:28,920 --> 00:00:30,840
But before we get to Jason,

11
00:00:30,840 --> 00:00:32,760
let's take a little lap around the news.

12
00:00:32,760 --> 00:00:34,480
Gladys, why don't you kick things off?

13
00:00:34,480 --> 00:00:39,040
Well, I want to talk a little bit about risk detections

14
00:00:39,040 --> 00:00:42,480
before I mention my news related to this topic.

15
00:00:42,480 --> 00:00:44,580
As you may be aware,

16
00:00:44,580 --> 00:00:47,740
Azure AD Identity Protection identifies

17
00:00:47,740 --> 00:00:51,520
suspicious actions related to user accounts.

18
00:00:51,520 --> 00:00:56,720
Risk can be detected at the user or sign-in level and can happen

19
00:00:56,720 --> 00:00:59,280
in real time or offline.

20
00:00:59,280 --> 00:01:04,480
For example, leaked credentials may be found on the dark web,

21
00:01:04,480 --> 00:01:09,680
and compared against the Azure AD users' current credentials.

22
00:01:09,680 --> 00:01:11,680
If they are found to match,

23
00:01:11,680 --> 00:01:14,240
the account is marked risky,

24
00:01:14,240 --> 00:01:18,480
which then triggers a set of remediation activity.

25
00:01:18,480 --> 00:01:21,360
Well, Microsoft Defender for Cloud Apps,

26
00:01:21,360 --> 00:01:25,740
formerly MCAS, has added two new detections in

27
00:01:25,740 --> 00:01:28,360
the identity protection area.

28
00:01:28,360 --> 00:01:31,680
This shows the cross collaboration

29
00:01:31,680 --> 00:01:34,200
that we have between services.

30
00:01:34,200 --> 00:01:37,240
The first detection is called

31
00:01:37,240 --> 00:01:40,760
mass access to sensitive files,

32
00:01:40,760 --> 00:01:45,080
which profiles your environment and triggers alerts when

33
00:01:45,080 --> 00:01:49,440
users access multiple files from Microsoft SharePoint,

34
00:01:49,440 --> 00:01:51,040
or Microsoft OneDrive.

35
00:01:51,040 --> 00:01:55,400
For example, an alert is triggered only if the number

36
00:01:55,400 --> 00:02:01,040
of accessed files is uncommon for the user and files,

37
00:02:01,040 --> 00:02:03,840
which may contain sensitive information.

38
00:02:03,840 --> 00:02:05,560
This may be helpful,

39
00:02:05,560 --> 00:02:10,120
especially when having ransomware attacks or

40
00:02:10,120 --> 00:02:14,920
an attacker trying to exfiltrate data out of the environment.

41
00:02:14,920 --> 00:02:16,680
The other detection is on

42
00:02:16,680 --> 00:02:19,720
unusual additions of credentials to

43
00:02:19,720 --> 00:02:24,720
an OAuth app, which detects suspicious service principal activity.

44
00:02:24,720 --> 00:02:30,000
Again, this is trying to detect whether an attacker or

45
00:02:30,000 --> 00:02:32,440
a malicious attempt has been

46
00:02:32,440 --> 00:02:36,760
done to change a service principal and run

47
00:02:36,760 --> 00:02:40,440
behind an application without being noticed.

48
00:02:40,440 --> 00:02:45,600
The next set of news that I want to talk about is sensitivity labels.

49
00:02:45,600 --> 00:02:48,080
For those that are not familiar with these,

50
00:02:48,080 --> 00:02:51,720
sensitivity labels are a way to tag information and allow

51
00:02:51,720 --> 00:02:54,960
a customer to require different configuration,

52
00:02:54,960 --> 00:02:58,040
depending on the tag provided to a file.

53
00:02:58,040 --> 00:03:02,840
For example, the customer may decide that the file must be encrypted,

54
00:03:02,840 --> 00:03:06,480
and only internal employees can access it,

55
00:03:06,480 --> 00:03:10,280
or maybe they may select a way for

56
00:03:10,280 --> 00:03:12,240
external users to access it,

57
00:03:12,240 --> 00:03:16,560
but it must be stored in a particular location.

58
00:03:16,560 --> 00:03:21,520
Well, before sensitivity labels were incorporated within Office 365

59
00:03:21,520 --> 00:03:23,720
or Microsoft 365,

60
00:03:23,720 --> 00:03:27,960
it was a separate service called Azure Information Protection.

61
00:03:27,960 --> 00:03:31,000
Because Microsoft has deprecated

62
00:03:31,000 --> 00:03:35,280
Azure Information Protection and no new customers can get it,

63
00:03:35,280 --> 00:03:38,520
there's new guidance about how to,

64
00:03:38,520 --> 00:03:40,800
and why would you want to use

65
00:03:40,800 --> 00:03:43,040
the sensitivity labels that are part of

66
00:03:43,040 --> 00:03:45,920
the Microsoft Information Protection Strategy

67
00:03:45,920 --> 00:03:48,480
over the Azure Information Protection.

68
00:03:48,480 --> 00:03:52,640
Also, there are new settings for auto-labeling policies,

69
00:03:52,640 --> 00:03:55,280
and if you're not familiar with auto-labeling,

70
00:03:55,280 --> 00:03:59,080
basically, this is a functionality that can auto-mark

71
00:03:59,080 --> 00:04:01,760
a file depending on content found,

72
00:04:01,760 --> 00:04:03,800
such as profanity,

73
00:04:03,800 --> 00:04:09,040
whether it finds the word resume or health-related information,

74
00:04:09,040 --> 00:04:10,600
or others in a file.

75
00:04:10,600 --> 00:04:13,040
So a few things took my interest the last couple of weeks.

76
00:04:13,040 --> 00:04:16,600
The first is that Azure Private Links are now

77
00:04:16,600 --> 00:04:19,000
supported in Azure API Management.

78
00:04:19,000 --> 00:04:20,160
Now, some of you may say,

79
00:04:20,160 --> 00:04:22,280
well, hang on, didn't API management already have that?

80
00:04:22,280 --> 00:04:24,120
Well, the answer is, kind of yes.

81
00:04:24,120 --> 00:04:26,320
It was only the developer and the premium tiers.

82
00:04:26,320 --> 00:04:30,080
Well, now it's available in Developer, Basic, Standard, and Premium.

83
00:04:30,080 --> 00:04:32,960
This is fantastic because it allows you to essentially have

84
00:04:32,960 --> 00:04:36,200
API management just listening on a private network.

85
00:04:36,200 --> 00:04:38,000
The next one is,

86
00:04:38,000 --> 00:04:40,520
Azure Monitor Agent now supports Private Links,

87
00:04:40,520 --> 00:04:41,760
and that is now generally available.

88
00:04:41,760 --> 00:04:44,880
So we talked about this a few weeks ago on the podcast,

89
00:04:44,880 --> 00:04:47,240
but that feature is now generally available.

90
00:04:47,240 --> 00:04:49,840
So now you can have front-ends to Azure Monitor,

91
00:04:49,840 --> 00:04:53,480
running on a private network so that way that data isn't exposed.

92
00:04:53,480 --> 00:04:56,000
I mean, in theory, that data shouldn't be exposed anyway,

93
00:04:56,000 --> 00:04:57,360
because it could be aggregate,

94
00:04:57,360 --> 00:05:02,120
but some people like to make sure that data is kept on a private network.

95
00:05:02,120 --> 00:05:04,040
The third one isn't really news at all.

96
00:05:04,040 --> 00:05:06,080
It's really just a consequence of

97
00:05:06,080 --> 00:05:08,200
some events that happened over the last few weeks.

98
00:05:08,200 --> 00:05:12,000
I've been working with a customer over the last few weeks on Secure Score.

99
00:05:12,000 --> 00:05:15,400
In other words, how to take the current environment

100
00:05:15,400 --> 00:05:17,760
and their current Secure Score, look at the recommendations,

101
00:05:17,760 --> 00:05:20,600
come up with a plan for essentially

102
00:05:20,600 --> 00:05:24,560
remediating some of those recommendations so that Secure Score can go up.

103
00:05:24,560 --> 00:05:26,240
Now, I've said this a few times,

104
00:05:26,240 --> 00:05:27,360
but I'll say it again,

105
00:05:27,360 --> 00:05:31,920
I'm not a fan of just raising Secure Score just for the sake of raising Secure Score.

106
00:05:31,920 --> 00:05:33,840
I think you've really got to focus on

107
00:05:33,840 --> 00:05:36,800
the actual things you're really mitigating and are they worth it?

108
00:05:36,800 --> 00:05:38,520
A lot of them are worth it, don't get me wrong,

109
00:05:38,520 --> 00:05:41,840
but some security mitigations carry a much heavier weight

110
00:05:41,840 --> 00:05:44,480
than other ones, so are you mitigating the right things?

111
00:05:44,480 --> 00:05:46,040
Now, with that said,

112
00:05:46,040 --> 00:05:48,640
one thing we found is that overnight,

113
00:05:48,640 --> 00:05:50,720
their Secure Score dropped.

114
00:05:50,720 --> 00:05:51,720
Now, don't get me wrong,

115
00:05:51,720 --> 00:05:56,440
it's expected as you're making changes and you're moving new resources in,

116
00:05:56,440 --> 00:06:00,360
and perhaps you don't have Azure Policies in place to deny certain settings and so on.

117
00:06:00,360 --> 00:06:01,960
The Secure Score is going to go up and down.

118
00:06:01,960 --> 00:06:03,600
That's just perfectly natural.

119
00:06:03,600 --> 00:06:05,160
I mean, the trend over time should be upward,

120
00:06:05,160 --> 00:06:09,360
but don't get too caught up in the day-to-day pendulum swings.

121
00:06:09,360 --> 00:06:11,160
Well, one day it dropped a lot,

122
00:06:11,160 --> 00:06:15,080
and the reason was because some items that were in preview,

123
00:06:15,080 --> 00:06:16,160
some checks are in preview,

124
00:06:16,160 --> 00:06:19,480
became generally available and we hadn't mitigated those.

125
00:06:19,480 --> 00:06:22,680
So, the Secure Score took a hit.

126
00:06:22,680 --> 00:06:23,800
So, the next question was,

127
00:06:23,800 --> 00:06:28,720
well, how do we know when these things that are in preview,

128
00:06:28,720 --> 00:06:29,880
these checks that are in preview,

129
00:06:29,880 --> 00:06:31,080
when are they going to be available?

130
00:06:31,080 --> 00:06:35,840
Because that way we can work out which things we need to work on as soon as possible.

131
00:06:35,840 --> 00:06:40,200
So, I emailed Yuri Diogenes and Yuri sent me a link back

132
00:06:40,200 --> 00:06:46,640
of basically the calendar for upcoming recommendations and when they will go GA.

133
00:06:46,640 --> 00:06:49,760
So, I will provide a link for that in the show notes.

134
00:06:49,760 --> 00:06:52,760
I think that's a critically important resource.

135
00:06:52,760 --> 00:06:54,720
It's not just what things are changing,

136
00:06:54,720 --> 00:06:57,360
it's also what things are coming up.

137
00:06:57,360 --> 00:06:59,840
So, make sure you take a look at that.

138
00:06:59,840 --> 00:07:01,800
All right. So, now that we've got the news out of the way,

139
00:07:01,800 --> 00:07:03,320
let's turn our attention to our guest.

140
00:07:03,320 --> 00:07:05,040
This week we have Jason Zan,

141
00:07:05,040 --> 00:07:08,200
who's here to talk to us about RiskIQ.

142
00:07:08,200 --> 00:07:10,640
Jason, hey, thank you so much for joining us this week.

143
00:07:10,640 --> 00:07:13,800
We'd like to take a moment and introduce yourself to our listeners.

144
00:07:13,800 --> 00:07:15,720
Thank you very much, Michael.

145
00:07:15,720 --> 00:07:18,920
Thank you for giving me the opportunity here today.

146
00:07:18,920 --> 00:07:20,880
So, my name is Jason Zan.

147
00:07:20,880 --> 00:07:24,240
I came into the Microsoft family via RiskIQ,

148
00:07:24,240 --> 00:07:27,440
which was an acquisition that was made by Microsoft probably,

149
00:07:27,440 --> 00:07:30,280
I want to say it was August of 2021.

150
00:07:30,280 --> 00:07:33,200
So, it's been about six months now that we've been on board.

151
00:07:33,200 --> 00:07:36,360
We've had a partnership with Microsoft on a number of

152
00:07:36,360 --> 00:07:38,640
different levels over the past several years.

153
00:07:38,640 --> 00:07:41,520
And this just seems to be like a natural step

154
00:07:41,520 --> 00:07:43,760
that's kind of moving forward here.

155
00:07:43,760 --> 00:07:47,320
RiskIQ, for those of you that may not know,

156
00:07:47,320 --> 00:07:50,160
we've developed a technology probably about 10 years ago

157
00:07:50,160 --> 00:07:54,320
to be able to understand and organize the internet at scale.

158
00:07:54,320 --> 00:07:56,000
And the real value that we bring to the table

159
00:07:56,000 --> 00:07:58,480
is the capability of being able to understand

160
00:07:58,480 --> 00:08:01,520
what an organization looks like from the outside looking in.

161
00:08:01,520 --> 00:08:03,320
And subsequent to that,

162
00:08:03,320 --> 00:08:05,880
we also have a very powerful threat hunting

163
00:08:05,880 --> 00:08:08,040
and threat intelligence platform

164
00:08:08,040 --> 00:08:12,360
that actually looks at an adversary's organization

165
00:08:12,360 --> 00:08:14,720
and basically the infrastructure that they're using

166
00:08:14,720 --> 00:08:18,200
to be able to leverage to do unwanted things

167
00:08:18,200 --> 00:08:19,240
across the internet.

168
00:08:19,240 --> 00:08:23,480
What is the vision that RiskIQ had

169
00:08:23,480 --> 00:08:27,920
to help with all the security out there in the internet?

170
00:08:27,920 --> 00:08:29,760
Yeah, that's a very fun question.

171
00:08:29,760 --> 00:08:32,240
It's actually got a very deep history

172
00:08:32,240 --> 00:08:35,040
within RiskIQ's ethos.

173
00:08:35,040 --> 00:08:38,720
Way back in the early days when the company was starting,

174
00:08:38,720 --> 00:08:41,600
we kind of took a step back and we said,

175
00:08:41,600 --> 00:08:44,880
what's really a mission statement that we can use

176
00:08:44,880 --> 00:08:47,440
to be able to kind of project a vision,

177
00:08:47,440 --> 00:08:50,520
something that we can always kind of strive after?

178
00:08:50,520 --> 00:08:53,760
And we came down to a very simple statement

179
00:08:53,760 --> 00:08:55,960
saying make the internet a safer place.

180
00:08:55,960 --> 00:08:58,520
And we realized that that was a very lofty

181
00:08:58,520 --> 00:09:01,680
and a very multi-dimensional problem

182
00:09:01,680 --> 00:09:03,480
set to be able to solve for.

183
00:09:03,480 --> 00:09:06,040
And as we started analyzing it, we said,

184
00:09:06,040 --> 00:09:08,120
well, what is the biggest problem

185
00:09:08,120 --> 00:09:09,680
that's actually keeping the internet

186
00:09:09,680 --> 00:09:11,360
from being a safer place?

187
00:09:11,360 --> 00:09:13,400
The way that we looked at it was

188
00:09:13,400 --> 00:09:15,880
there just weren't enough good guys in the game, right?

189
00:09:15,880 --> 00:09:20,800
And so if you, like when we looked at our capabilities

190
00:09:20,800 --> 00:09:22,160
as we started to come to market,

191
00:09:22,160 --> 00:09:24,120
as we started working with customers,

192
00:09:24,120 --> 00:09:27,480
the real question was how do we take the complexities

193
00:09:27,480 --> 00:09:31,560
and nuances of the internet and all of its forms

194
00:09:31,560 --> 00:09:34,240
as it's been manifested over time

195
00:09:34,240 --> 00:09:35,960
and actually make it more accessible

196
00:09:35,960 --> 00:09:40,400
so that more people can get in the fight essentially.

197
00:09:40,400 --> 00:09:42,440
And so if you look at the traditional models

198
00:09:42,440 --> 00:09:44,880
that have been available over time,

199
00:09:44,880 --> 00:09:49,280
you can either, number one, take very junior level analysts

200
00:09:49,280 --> 00:09:51,720
and have them do extremely senior level internet

201
00:09:51,720 --> 00:09:54,840
correlations by training them in terms of how

202
00:09:54,840 --> 00:09:56,200
the plumbing of the internet works,

203
00:09:56,200 --> 00:09:57,840
how the artifacts of the internet work,

204
00:09:57,840 --> 00:10:00,960
how they work in relationship to each other, et cetera.

205
00:10:00,960 --> 00:10:03,160
That's a lot of what we baked into our technology

206
00:10:03,160 --> 00:10:05,320
was the capability of taking those complexities

207
00:10:05,320 --> 00:10:08,440
and boiling it down and placing it into products,

208
00:10:08,440 --> 00:10:11,560
placing it into other capabilities

209
00:10:11,560 --> 00:10:13,920
and other security investments that organizations

210
00:10:13,920 --> 00:10:15,480
have already made.

211
00:10:15,480 --> 00:10:20,480
And the second piece of that is very senior level operators

212
00:10:20,560 --> 00:10:22,640
that are in threat intelligence

213
00:10:22,640 --> 00:10:25,960
or in network defender type of scenarios,

214
00:10:25,960 --> 00:10:29,080
giving them the capability of doing very consistent work.

215
00:10:29,080 --> 00:10:32,360
A lot of the challenges that needing to take,

216
00:10:32,360 --> 00:10:35,040
needing to look at the internet requires,

217
00:10:35,040 --> 00:10:37,000
usually multiple different sources of data,

218
00:10:37,000 --> 00:10:39,880
multiple different capabilities,

219
00:10:39,880 --> 00:10:42,080
and then some system or capability

220
00:10:42,080 --> 00:10:44,200
to be able to bring all of this together.

221
00:10:44,200 --> 00:10:46,160
And what we aimed for was to be able to create

222
00:10:46,160 --> 00:10:48,680
a basically centralized repository

223
00:10:48,680 --> 00:10:52,200
and a single pane of glass to be able to operate

224
00:10:52,200 --> 00:10:54,320
at these internet scale problems.

225
00:10:54,320 --> 00:10:57,880
Security as a whole has always been really interesting to me

226
00:10:57,880 --> 00:11:00,400
because unlike any engineering discipline,

227
00:11:00,400 --> 00:11:02,920
it's not really a problem that you solve,

228
00:11:02,920 --> 00:11:04,720
it's a game that you play.

229
00:11:04,720 --> 00:11:07,680
And if you think about traditional engineering disciplines,

230
00:11:07,680 --> 00:11:09,600
even in the physical world,

231
00:11:09,600 --> 00:11:10,960
if you're gonna build a bridge,

232
00:11:10,960 --> 00:11:13,120
it's like you have a train,

233
00:11:13,120 --> 00:11:15,960
you have maybe a river that you wanna be able to cross,

234
00:11:15,960 --> 00:11:17,360
you take some measurements,

235
00:11:17,360 --> 00:11:19,880
you get some concrete, some sticks,

236
00:11:19,880 --> 00:11:22,040
and you put it together and you make a bridge.

237
00:11:22,040 --> 00:11:22,960
And if you can imagine,

238
00:11:22,960 --> 00:11:26,440
there's a steep learning curve at the beginning

239
00:11:26,440 --> 00:11:29,600
in terms of a steep work curve at the beginning

240
00:11:29,600 --> 00:11:32,240
in terms of being able to actually design

241
00:11:32,240 --> 00:11:35,160
and architect a bridge, and then it kind of drops off, right?

242
00:11:35,160 --> 00:11:37,560
You have to maintain the bridge,

243
00:11:37,560 --> 00:11:39,720
maybe you have to like fix some potholes

244
00:11:39,720 --> 00:11:42,760
or put some different signs on it over the course of time.

245
00:11:42,760 --> 00:11:45,680
But if you think about that in the world of cybersecurity,

246
00:11:45,680 --> 00:11:47,920
it's, there's actually an adversary

247
00:11:47,920 --> 00:11:49,800
on the other side of the equation.

248
00:11:49,800 --> 00:11:52,040
So for every motion that you make,

249
00:11:52,040 --> 00:11:54,560
there's almost like a counter motion

250
00:11:54,560 --> 00:11:57,400
that is made to be able to circumvent.

251
00:11:57,400 --> 00:11:59,160
And those are one of the things

252
00:11:59,160 --> 00:12:01,880
that really kind of got me excited

253
00:12:01,880 --> 00:12:05,640
very much my early days of working in cyber.

254
00:12:05,640 --> 00:12:09,520
But when you start working at that at an internet scale,

255
00:12:09,520 --> 00:12:13,080
it poses a whole different set of challenges

256
00:12:13,080 --> 00:12:14,920
because the internet's constantly in flux,

257
00:12:14,920 --> 00:12:16,760
it's constantly moving.

258
00:12:16,760 --> 00:12:21,760
So the ability to be able to kind of take those premises

259
00:12:21,760 --> 00:12:25,480
and be able to make them more accessible to more people

260
00:12:25,480 --> 00:12:28,760
more often has been a large charter of ours.

261
00:12:28,760 --> 00:12:31,640
And it's been a lot of fun like kind of going down this path.

262
00:12:31,640 --> 00:12:34,760
So one of the things that I keep putting emphasis

263
00:12:34,760 --> 00:12:37,880
when presenting my news is the value

264
00:12:37,880 --> 00:12:40,480
that cross-service collaboration provides

265
00:12:40,480 --> 00:12:43,280
to help automate activity required

266
00:12:43,280 --> 00:12:46,960
to protect, detect, respond and recover.

267
00:12:46,960 --> 00:12:49,880
So what are the integrations your team is doing

268
00:12:49,880 --> 00:12:53,080
as you get more incorporated into the stack?

269
00:12:53,080 --> 00:12:55,080
Yeah, so that's a very good question.

270
00:12:55,080 --> 00:12:58,080
I mean, I think cybersecurity has largely been challenged

271
00:12:58,080 --> 00:13:00,160
with this since its inception.

272
00:13:00,160 --> 00:13:02,080
If you look at entire industries,

273
00:13:02,080 --> 00:13:04,320
like for example, the SOAR industry

274
00:13:04,320 --> 00:13:06,880
that popped up within cybersecurity,

275
00:13:06,880 --> 00:13:10,880
it was actually like designed to be able to arbitrage

276
00:13:10,880 --> 00:13:13,880
a deficiency that existed within security products

277
00:13:13,880 --> 00:13:16,080
and being able to have them work together.

278
00:13:16,080 --> 00:13:18,360
And if you think about this,

279
00:13:18,360 --> 00:13:22,120
if you think about this problem set inside the firewall,

280
00:13:22,120 --> 00:13:25,280
you have endpoints or maybe network devices,

281
00:13:25,280 --> 00:13:29,720
you have different systems and operating systems

282
00:13:29,720 --> 00:13:33,160
and capabilities and so forth that are built up

283
00:13:33,160 --> 00:13:35,000
and it's often very difficult

284
00:13:35,000 --> 00:13:37,200
to be able to reconcile all of that.

285
00:13:37,200 --> 00:13:40,680
If you take that conversation and move it out to the internet,

286
00:13:40,680 --> 00:13:42,160
one of the advantages of the internet

287
00:13:42,160 --> 00:13:43,760
is the same internet for everybody.

288
00:13:43,760 --> 00:13:46,480
Good guys, bad guys, partners, employees,

289
00:13:46,480 --> 00:13:51,480
they're all kind of operating around the same first principles

290
00:13:51,480 --> 00:13:55,880
of how connectivity and exposure on the internet works.

291
00:13:55,880 --> 00:13:59,280
And so as we started to look at it from a macro perspective,

292
00:13:59,280 --> 00:14:02,280
there's really kind of three general sources of data

293
00:14:02,280 --> 00:14:03,120
that you're working with.

294
00:14:03,120 --> 00:14:06,280
You have internal data, so you can think of like Syslog,

295
00:14:06,280 --> 00:14:09,160
Barlog, different logs that are coming off

296
00:14:09,160 --> 00:14:11,280
of various systems that you have internally.

297
00:14:11,280 --> 00:14:13,040
And then on the other side of the equation,

298
00:14:13,040 --> 00:14:16,160
you have this deep, dark, spooky web,

299
00:14:16,160 --> 00:14:18,040
whatever we're calling it this week.

300
00:14:18,040 --> 00:14:20,920
And then kind of in the middle of all of that is the internet.

301
00:14:20,920 --> 00:14:23,520
And that is what we primarily focused on

302
00:14:23,520 --> 00:14:25,720
is not only the ability to be able to collect

303
00:14:25,720 --> 00:14:28,480
and organize internet-scale data,

304
00:14:28,480 --> 00:14:31,480
but actually be able to unlock it

305
00:14:31,480 --> 00:14:33,600
inside of an organization.

306
00:14:33,600 --> 00:14:37,240
So if you can imagine that the internet

307
00:14:37,240 --> 00:14:40,360
for many organizations has become an extension of their network.

308
00:14:40,360 --> 00:14:42,000
It's an extension of the data center,

309
00:14:42,000 --> 00:14:47,000
how employees work, how customers interact, et cetera.

310
00:14:47,160 --> 00:14:50,400
And the decision calculus that is actually required

311
00:14:50,400 --> 00:14:55,240
to be able to effectively manage an internal network

312
00:14:55,240 --> 00:14:58,520
is largely predicated on being able to infuse

313
00:14:58,520 --> 00:15:01,280
or basically harness the knowledge of the internet

314
00:15:01,280 --> 00:15:03,120
at any particular point in time

315
00:15:03,120 --> 00:15:05,600
in order to make a lot of these decisions.

316
00:15:05,600 --> 00:15:07,920
So the integration paths that we worked on

317
00:15:07,920 --> 00:15:11,040
were largely based around being able to create

318
00:15:11,040 --> 00:15:15,040
one plus one equals three type of scenarios.

319
00:15:15,040 --> 00:15:16,960
So for us, it was very, very important

320
00:15:16,960 --> 00:15:22,040
not just to integrate into or just throw data back and forth

321
00:15:22,040 --> 00:15:24,960
with a particular partner and put each other's logos

322
00:15:24,960 --> 00:15:26,360
on each other's websites,

323
00:15:26,360 --> 00:15:29,080
but actually peeling that onion back and saying,

324
00:15:29,080 --> 00:15:32,520
what's the problem that we're actually trying to solve?

325
00:15:32,520 --> 00:15:35,720
I think one of our most critical integrations

326
00:15:35,720 --> 00:15:39,720
that we started, I guess it was a couple of years ago now,

327
00:15:39,720 --> 00:15:42,640
but continue to reinforce is like, for example,

328
00:15:42,640 --> 00:15:45,160
our integration to Defender or even Sentinel.

329
00:15:45,160 --> 00:15:47,720
If you look at Sentinel, for example,

330
00:15:47,720 --> 00:15:52,720
you could have an incident that comes into your SOC.

331
00:15:53,360 --> 00:15:56,040
And then if any incident, any part of that incident

332
00:15:56,040 --> 00:15:58,080
has an intersection point or a nexus

333
00:15:58,080 --> 00:16:00,880
that actually exists on the internet,

334
00:16:00,880 --> 00:16:03,000
the playbooks in the background actually go out

335
00:16:03,000 --> 00:16:07,080
and not only decorate that incident with internet data

336
00:16:07,080 --> 00:16:09,560
and the historical aspects and so forth,

337
00:16:09,560 --> 00:16:13,400
but also brings in what we call observables,

338
00:16:13,400 --> 00:16:16,160
which means what's happening with this domain name,

339
00:16:16,160 --> 00:16:19,280
this IP address, this certificate, et cetera,

340
00:16:19,280 --> 00:16:22,080
that's actually placed inside of that incident.

341
00:16:22,080 --> 00:16:25,360
And if in fact it's currently being observed to,

342
00:16:25,360 --> 00:16:27,960
for example, be relaying malware,

343
00:16:27,960 --> 00:16:31,640
in the background, the playbook will actually promote

344
00:16:31,640 --> 00:16:35,640
from maybe a medium flagged incident

345
00:16:35,640 --> 00:16:38,360
into being maybe a high level incident.

346
00:16:38,360 --> 00:16:41,480
And then when you think of the actual SOC analyst,

347
00:16:41,480 --> 00:16:44,080
whoever actually opens that incident,

348
00:16:44,080 --> 00:16:45,680
there's usually one of two things

349
00:16:45,680 --> 00:16:47,400
that they traditionally end up doing.

350
00:16:47,400 --> 00:16:50,760
Number one, that they wanna know as much information

351
00:16:50,760 --> 00:16:53,480
as they can get about that particular incident,

352
00:16:53,480 --> 00:16:56,040
which that is what the purpose of the playbook is,

353
00:16:56,040 --> 00:16:59,400
is to be able to keep the analyst from having to alt-tab

354
00:16:59,400 --> 00:17:02,360
to another system or maybe even multiple systems

355
00:17:02,360 --> 00:17:04,720
or be able to cross reference it with multiple systems

356
00:17:04,720 --> 00:17:08,120
where all of that information is really at their fingertips

357
00:17:08,120 --> 00:17:10,320
and really in their field of view

358
00:17:10,320 --> 00:17:13,920
when they're making a decision about triaging an incident

359
00:17:13,920 --> 00:17:18,280
or suppressing it or maybe creating an internal ticket.

360
00:17:18,280 --> 00:17:21,360
The second thing that normally comes off

361
00:17:21,360 --> 00:17:24,800
of a well-decorated incident is you might,

362
00:17:24,800 --> 00:17:27,720
instead of having a SOC analyst that's trying to triage it,

363
00:17:27,720 --> 00:17:29,040
you may have a threat hunter

364
00:17:29,040 --> 00:17:31,240
that wants to go investigate it further.

365
00:17:31,240 --> 00:17:33,560
Maybe they wanna understand, am I a target of chance

366
00:17:33,560 --> 00:17:34,920
or a target of choice?

367
00:17:34,920 --> 00:17:37,520
Is this something that's rather prolific across the internet

368
00:17:37,520 --> 00:17:39,520
or is this a singular incident?

369
00:17:39,520 --> 00:17:43,320
And so the capability of being able to systematically

370
00:17:43,320 --> 00:17:44,960
go directly from that alert,

371
00:17:44,960 --> 00:17:49,000
directly into the depths of the internet research

372
00:17:49,000 --> 00:17:52,880
and kind of what the internet has to say about that information

373
00:17:52,880 --> 00:17:57,880
or that particular incident becomes a very fluid transition

374
00:17:58,560 --> 00:18:00,760
for whoever's working.

375
00:18:00,760 --> 00:18:04,240
Hey Jason, you said whether someone has a target of choice.

376
00:18:04,240 --> 00:18:05,360
Could you explain what you,

377
00:18:05,360 --> 00:18:07,200
and you had some other stuff in there?

378
00:18:07,200 --> 00:18:09,160
Target of chance or target of choice?

379
00:18:09,160 --> 00:18:11,240
Yeah, can you just explain that a little bit?

380
00:18:11,240 --> 00:18:12,440
That sort of piqued my interest.

381
00:18:12,440 --> 00:18:15,760
Yeah, so one thing that we've found,

382
00:18:15,760 --> 00:18:20,000
and you see this replicated with a whole kind of classes

383
00:18:20,000 --> 00:18:24,080
of incidents that we've seen across the internet.

384
00:18:24,080 --> 00:18:29,080
So a target of chance is I'm gonna create a piece of malware

385
00:18:29,120 --> 00:18:31,840
or I'm going to look for a particular vulnerability

386
00:18:31,840 --> 00:18:34,640
and I'm just gonna mass exploit it across the internet.

387
00:18:34,640 --> 00:18:38,840
I don't care like who you are in terms of industry vertical.

388
00:18:38,840 --> 00:18:41,440
I don't care in terms of who you are

389
00:18:41,440 --> 00:18:43,040
in terms of sophistication.

390
00:18:43,040 --> 00:18:45,280
If you have this particular exposure

391
00:18:45,280 --> 00:18:47,320
and if I do have access to it,

392
00:18:47,320 --> 00:18:51,920
I will subsequently go ahead and compromise

393
00:18:51,920 --> 00:18:53,960
or at least interrogate that particular target

394
00:18:53,960 --> 00:18:56,920
for the purposes of being able to understand

395
00:18:56,920 --> 00:18:59,000
if I have a second or third order event

396
00:18:59,000 --> 00:19:00,880
that I can place on top of it.

397
00:19:00,880 --> 00:19:04,360
A target of choice is the bad guy's not gonna go away.

398
00:19:04,360 --> 00:19:05,880
They're gonna go another way.

399
00:19:05,880 --> 00:19:09,000
For whatever reason, you either have PII

400
00:19:09,000 --> 00:19:10,720
that has a specific interest to them

401
00:19:10,720 --> 00:19:14,240
or you have a political leaning as an organization

402
00:19:14,240 --> 00:19:18,840
that is of specific distaste for a set of bad actors.

403
00:19:18,840 --> 00:19:23,840
And you can look at even the bad actor cases of e-crime.

404
00:19:23,840 --> 00:19:26,080
You could look at in a nation state lens.

405
00:19:26,080 --> 00:19:28,480
You could look at in a hacktivism lens.

406
00:19:28,480 --> 00:19:31,000
You could look at people that are just like basically

407
00:19:31,000 --> 00:19:33,120
just out to cause problems.

408
00:19:33,120 --> 00:19:37,920
And we just take one of those, for example, like e-crime.

409
00:19:37,920 --> 00:19:41,680
It kind of goes back to that old Willie Sutton explanation

410
00:19:41,680 --> 00:19:43,920
when he got arrested and people were asking,

411
00:19:43,920 --> 00:19:46,800
like, why are you always trying to break into banks?

412
00:19:46,800 --> 00:19:48,720
And he's like, because that's where the money is.

413
00:19:48,720 --> 00:19:50,360
So when you look at that paradigm

414
00:19:50,360 --> 00:19:53,480
of target of chance versus target of choice,

415
00:19:53,480 --> 00:19:55,680
I think it's pretty safe to say that

416
00:19:55,680 --> 00:19:57,880
a bullet can kill you regardless.

417
00:19:57,880 --> 00:19:59,400
But you as an organization,

418
00:19:59,400 --> 00:20:01,760
understanding if that bullet's being fired from a sniper

419
00:20:01,760 --> 00:20:06,000
or if it's just a random projectile

420
00:20:06,000 --> 00:20:07,800
that's thrown out from a drive-by,

421
00:20:07,800 --> 00:20:11,760
those are two very different response characteristics

422
00:20:11,760 --> 00:20:14,200
that you probably would end up employing internally.

423
00:20:14,200 --> 00:20:18,080
So about a month ago, I was watching a webcast

424
00:20:18,080 --> 00:20:23,080
that the Sentinel team, Regina Kapoor and Brandon Dixon

425
00:20:23,320 --> 00:20:26,240
from your team were presenting as part

426
00:20:26,240 --> 00:20:29,480
of the Microsoft security community.

427
00:20:29,480 --> 00:20:32,160
They were explaining how to ingest

428
00:20:32,160 --> 00:20:33,800
the threat intelligence data

429
00:20:33,800 --> 00:20:37,240
or all this information that you're talking about, right?

430
00:20:38,200 --> 00:20:41,160
This has become really important because

431
00:20:41,160 --> 00:20:45,520
there have been several executive office mandates

432
00:20:45,520 --> 00:20:48,560
and guidance being put out there

433
00:20:48,560 --> 00:20:52,320
and a lot is talking about threat information.

434
00:20:52,320 --> 00:20:55,880
Can you talk a little bit about how do you come up

435
00:20:55,880 --> 00:20:58,240
with this threat information sharing?

436
00:20:58,240 --> 00:21:02,320
And I think you have a Section 52 team

437
00:21:02,320 --> 00:21:04,560
that is actually mistaking,

438
00:21:04,560 --> 00:21:08,600
that is helping sometimes with the information

439
00:21:08,600 --> 00:21:11,200
that you're putting, plus you have your own analysts

440
00:21:11,200 --> 00:21:15,240
or researchers that are putting this information.

441
00:21:15,240 --> 00:21:16,720
Yes, absolutely.

442
00:21:16,720 --> 00:21:21,480
So for RiskIQ, and this has pretty much been,

443
00:21:21,480 --> 00:21:23,520
since the beginning of us as an organization,

444
00:21:23,520 --> 00:21:26,960
we've largely been based around visibility

445
00:21:26,960 --> 00:21:31,600
in terms of being able to not necessarily focus

446
00:21:31,600 --> 00:21:35,520
as much on who's doing something, as much as where is it.

447
00:21:35,520 --> 00:21:37,960
So if you think about this in the context of,

448
00:21:37,960 --> 00:21:41,280
I was just going through a whole series of vulnerabilities,

449
00:21:41,280 --> 00:21:45,200
one in particular, with regards to OpenSSL yesterday.

450
00:21:45,200 --> 00:21:50,080
And it appears to be a pretty significant issue

451
00:21:50,080 --> 00:21:51,920
that will require a handful of patches,

452
00:21:51,920 --> 00:21:53,600
or quite a bit of patching,

453
00:21:53,600 --> 00:21:57,120
but the question is not necessarily whether or not

454
00:21:57,120 --> 00:22:00,920
that OpenSSL issue is bad.

455
00:22:00,920 --> 00:22:05,080
I think everybody can look at the information

456
00:22:05,080 --> 00:22:06,600
about the exploit itself and say

457
00:22:06,600 --> 00:22:09,640
that it's probably not good at a minimum.

458
00:22:09,640 --> 00:22:11,000
But the real question is,

459
00:22:11,000 --> 00:22:12,960
where is that within my environment?

460
00:22:12,960 --> 00:22:15,160
Where is that across my attack surface?

461
00:22:15,160 --> 00:22:17,800
In terms of what I'm responsible for on the internet

462
00:22:17,800 --> 00:22:19,960
as an organization,

463
00:22:19,960 --> 00:22:21,840
do I have any of these libraries

464
00:22:21,840 --> 00:22:23,720
that are natively incorporated?

465
00:22:23,720 --> 00:22:26,480
Then you can take the kind of second tertiary conversations

466
00:22:26,480 --> 00:22:27,880
with that of saying like,

467
00:22:27,880 --> 00:22:32,040
I may have 10 or 100 or 1,000 critical vendors.

468
00:22:32,040 --> 00:22:35,080
And I've leveraged different parts

469
00:22:35,080 --> 00:22:37,480
of the digital footprint or the attack surfaces

470
00:22:37,480 --> 00:22:39,400
of these different vendors.

471
00:22:39,400 --> 00:22:43,520
So which one of those actually has this SSL vulnerability

472
00:22:43,520 --> 00:22:44,760
put inside of it?

473
00:22:44,760 --> 00:22:46,520
So that visibility component,

474
00:22:46,520 --> 00:22:49,680
and probably the easiest way to think about it,

475
00:22:49,680 --> 00:22:51,160
in the world of threat intelligence,

476
00:22:51,160 --> 00:22:53,720
there's really kind of two flavors

477
00:22:53,720 --> 00:22:56,040
of threat intelligence that are out there.

478
00:22:56,040 --> 00:22:58,600
And I generally put them into the Doppler radar

479
00:22:58,600 --> 00:23:00,600
versus the meteorologist.

480
00:23:00,600 --> 00:23:03,440
And a meteorologist says,

481
00:23:03,440 --> 00:23:05,080
you should bring an umbrella tomorrow.

482
00:23:05,080 --> 00:23:06,800
It's gonna be bad,

483
00:23:06,800 --> 00:23:10,360
or it might rain in the afternoon.

484
00:23:10,360 --> 00:23:12,720
Where a Doppler radar actually says,

485
00:23:12,720 --> 00:23:15,960
over the course of the next 24 hours,

486
00:23:15,960 --> 00:23:17,520
this is what the precipitation will be.

487
00:23:17,520 --> 00:23:20,840
This is the confidence that's associated with it.

488
00:23:20,840 --> 00:23:23,920
This is the empirical data that actually presents that.

489
00:23:23,920 --> 00:23:27,240
And that's a lot of what RiskIQ has,

490
00:23:27,240 --> 00:23:28,320
what our focus is,

491
00:23:28,320 --> 00:23:31,440
is really the quality of internet data

492
00:23:31,440 --> 00:23:34,880
and being able to surface that at the point in time

493
00:23:34,880 --> 00:23:36,760
that it's actually needed in order to be able

494
00:23:36,760 --> 00:23:39,960
to make a decision.

495
00:23:39,960 --> 00:23:43,440
So when you think about like,

496
00:23:43,440 --> 00:23:46,000
how that data actually comes into play,

497
00:23:46,000 --> 00:23:48,320
it really has to do with the core underpinnings

498
00:23:48,320 --> 00:23:49,440
of our system.

499
00:23:49,440 --> 00:23:53,120
Because we control all of our collections infrastructure.

500
00:23:53,120 --> 00:23:55,680
We control the entire analysis layer.

501
00:23:55,680 --> 00:23:58,920
This isn't leveraged based on partnerships and so forth.

502
00:23:58,920 --> 00:24:02,320
This is just raw telemetry of what the internet looks like.

503
00:24:02,320 --> 00:24:06,840
And through a series of products as well as APIs,

504
00:24:06,840 --> 00:24:08,240
the way we go to market, et cetera,

505
00:24:08,240 --> 00:24:11,800
those are exposed then to customers.

506
00:24:11,800 --> 00:24:15,960
And so when you think about the integrations that are,

507
00:24:15,960 --> 00:24:19,200
I'm sorry, the way that that visibility ends up working,

508
00:24:19,200 --> 00:24:23,440
it provides a very unique vantage point to RiskIQ

509
00:24:23,440 --> 00:24:25,200
as well as our customers.

510
00:24:25,200 --> 00:24:28,160
And if you look across our customer base,

511
00:24:28,160 --> 00:24:31,120
we have a number like in the tens,

512
00:24:31,120 --> 00:24:35,080
like the high tens of global cybersecurity organizations.

513
00:24:35,080 --> 00:24:36,440
And you'll notice like,

514
00:24:36,440 --> 00:24:39,080
they will write research papers and say,

515
00:24:39,080 --> 00:24:40,280
here's a bad guy,

516
00:24:40,280 --> 00:24:41,680
here's why he's picking on you,

517
00:24:41,680 --> 00:24:43,040
here's an example,

518
00:24:43,040 --> 00:24:45,200
here's every place else on the internet

519
00:24:45,200 --> 00:24:47,880
that this exact thing is happening, that's normally us.

520
00:24:47,880 --> 00:24:50,440
And then normally they close out with

521
00:24:50,440 --> 00:24:51,720
buying more of their products

522
00:24:51,720 --> 00:24:53,800
or configuring it differently for the purposes

523
00:24:53,800 --> 00:24:58,800
of being able to maybe respond to a particular threat

524
00:24:58,840 --> 00:25:00,680
or an unwanted event.

525
00:25:00,680 --> 00:25:03,520
Well, that visibility,

526
00:25:03,520 --> 00:25:07,160
that capability of being able to take a singular thread

527
00:25:07,160 --> 00:25:08,000
on a sweater,

528
00:25:08,000 --> 00:25:11,040
and if you will pull and unravel it and be able to see it,

529
00:25:11,040 --> 00:25:14,920
is something that is not very common,

530
00:25:14,920 --> 00:25:17,800
if at all within the cybersecurity

531
00:25:17,800 --> 00:25:18,800
industry.

532
00:25:18,800 --> 00:25:22,320
So when we have within RiskIQ,

533
00:25:22,320 --> 00:25:23,360
prior to the acquisition,

534
00:25:23,360 --> 00:25:25,920
it's just been bolstered quite a bit more

535
00:25:25,920 --> 00:25:28,600
with the acquisition by Microsoft.

536
00:25:28,600 --> 00:25:32,280
We have a tier one threat intelligence team

537
00:25:32,280 --> 00:25:36,160
that is constantly looking for bad actors,

538
00:25:36,160 --> 00:25:38,280
bad infrastructure, bad associations,

539
00:25:38,280 --> 00:25:40,240
et cetera, across the internet.

540
00:25:40,240 --> 00:25:44,280
And normally the original piece,

541
00:25:44,280 --> 00:25:47,280
the original thread that's pulled, if you will,

542
00:25:47,280 --> 00:25:49,640
is actually directly related to

543
00:25:49,640 --> 00:25:52,640
a specific observed event that occurred.

544
00:25:52,640 --> 00:25:56,000
And then once you find that piece of infrastructure,

545
00:25:56,000 --> 00:25:58,760
the capability of being able to expand the aperture

546
00:25:58,760 --> 00:26:02,000
and say, okay, this isn't just one of one,

547
00:26:02,000 --> 00:26:04,440
this is one of a hundred different things

548
00:26:04,440 --> 00:26:07,480
that are happening exactly like this across the internet,

549
00:26:07,480 --> 00:26:09,720
so that when you're making a decision of alerting,

550
00:26:09,720 --> 00:26:11,800
when you're making a decision about blocking,

551
00:26:11,800 --> 00:26:13,800
you're actually doing it with the confidence

552
00:26:13,800 --> 00:26:16,720
of what the internet as a whole looks like,

553
00:26:16,720 --> 00:26:18,880
not just what a singular event is.

554
00:26:18,880 --> 00:26:19,880
Does that make sense?

555
00:26:19,880 --> 00:26:21,760
It does, actually.

556
00:26:21,760 --> 00:26:24,960
This is something that I've been talking recently,

557
00:26:24,960 --> 00:26:27,400
especially about data quality,

558
00:26:27,400 --> 00:26:31,320
because there's many vendors and many talks out there

559
00:26:31,320 --> 00:26:35,040
of how to increase the amount of threat intelligence

560
00:26:35,040 --> 00:26:36,120
that is shared.

561
00:26:36,120 --> 00:26:40,680
And sometimes I am concerned about the noise

562
00:26:40,680 --> 00:26:43,600
that it will be introduced if the people

563
00:26:43,600 --> 00:26:47,640
do not have the expertise to share quality data

564
00:26:47,640 --> 00:26:49,520
to the rest of the community,

565
00:26:49,520 --> 00:26:52,880
and how that data can be used

566
00:26:52,880 --> 00:26:56,400
across the security solutions.

567
00:26:56,400 --> 00:26:58,640
Yeah, that's actually a very good point, Gladys,

568
00:26:58,640 --> 00:27:03,640
because imagine that you received a piece of intelligence,

569
00:27:04,840 --> 00:27:06,720
whether it could be sensitive source reporting,

570
00:27:06,720 --> 00:27:08,880
whether it could be from another system

571
00:27:08,880 --> 00:27:11,440
that you have inside of your environment,

572
00:27:11,440 --> 00:27:14,480
or if a peer of yours in the industry comes to you

573
00:27:14,480 --> 00:27:16,760
and says, here's a bad IP.

574
00:27:16,760 --> 00:27:19,200
Well, what does that mean?

575
00:27:19,200 --> 00:27:22,400
Is it always bad and it's just continuing to be bad?

576
00:27:22,400 --> 00:27:26,120
Is it bad, is it normally good and it's just bad right now?

577
00:27:26,120 --> 00:27:27,680
Is it from Russia?

578
00:27:27,680 --> 00:27:30,120
And right now, anything from Russia is bad.

579
00:27:30,120 --> 00:27:33,240
And then once you make that determination for today,

580
00:27:33,240 --> 00:27:36,080
what happens in an hour from now, or a day or a week?

581
00:27:36,080 --> 00:27:39,480
What does the entropy of that actually end up looking like?

582
00:27:39,480 --> 00:27:43,600
And so, you know, because, as I was mentioning earlier,

583
00:27:43,600 --> 00:27:46,640
because we own our own collections infrastructure,

584
00:27:46,640 --> 00:27:48,520
and this is a systems, assistance,

585
00:27:48,520 --> 00:27:51,200
petabytes of petabytes type of problem set

586
00:27:51,200 --> 00:27:53,720
that we're dealing with here,

587
00:27:53,720 --> 00:27:57,160
but because we own that entire collections infrastructure,

588
00:27:57,160 --> 00:27:59,120
we have the capability of being able to provide

589
00:27:59,120 --> 00:28:03,680
the provenance of what that IP address is in this example,

590
00:28:03,680 --> 00:28:06,320
the reputation of what that IP address is,

591
00:28:06,320 --> 00:28:09,600
that reputation over time, the history of it,

592
00:28:09,600 --> 00:28:11,800
like what else was it related to?

593
00:28:11,800 --> 00:28:14,280
And what that does is it surfaces

594
00:28:14,280 --> 00:28:17,160
all of that content in context.

595
00:28:17,160 --> 00:28:20,120
And when that context is actually directly related

596
00:28:20,120 --> 00:28:23,120
to a particular issue that you are attempting

597
00:28:23,120 --> 00:28:26,560
to triage right now, that becomes invaluable.

598
00:28:26,560 --> 00:28:27,960
If you think about it generally,

599
00:28:27,960 --> 00:28:30,680
just look at the amount of news and research

600
00:28:30,680 --> 00:28:33,400
and source reporting that is happening

601
00:28:33,400 --> 00:28:37,600
on literally a daily basis now across cybersecurity.

602
00:28:37,600 --> 00:28:39,240
And a lot of them are interesting,

603
00:28:39,240 --> 00:28:42,800
a lot of them, a lot of the information that comes off

604
00:28:42,800 --> 00:28:45,880
is actually, you know, quite battle tested

605
00:28:45,880 --> 00:28:47,760
and relevant and so forth.

606
00:28:47,760 --> 00:28:50,840
But the real question that you have is, so what?

607
00:28:50,840 --> 00:28:52,200
What does this mean to me?

608
00:28:52,200 --> 00:28:54,520
You know, that's good that these bad guys

609
00:28:54,520 --> 00:28:57,640
are using this infrastructure to attack these kinds of targets.

610
00:28:57,640 --> 00:28:59,400
I generally align to that target,

611
00:28:59,400 --> 00:29:01,760
but am I specifically aligned?

612
00:29:01,760 --> 00:29:06,760
And the ability to be able to tease that out in real time,

613
00:29:06,920 --> 00:29:11,080
the ability to be able to dynamically understand

614
00:29:11,080 --> 00:29:15,560
as your priorities change, as your security programs change,

615
00:29:15,560 --> 00:29:18,240
as threat adversaries change, you know,

616
00:29:18,240 --> 00:29:20,360
how that constantly relates to you.

617
00:29:20,360 --> 00:29:22,480
When I was doing a little bit of research on RiskIQ,

618
00:29:22,480 --> 00:29:25,080
I noticed that there's actually a RiskIQ connector

619
00:29:25,080 --> 00:29:27,920
for the power platform and for logic apps.

620
00:29:27,920 --> 00:29:29,040
Yes.

621
00:29:29,040 --> 00:29:31,400
Can you explain kind of where would somebody use,

622
00:29:31,400 --> 00:29:32,560
you know, that connector?

623
00:29:32,560 --> 00:29:36,240
Well, generally, the primary benefit

624
00:29:36,240 --> 00:29:39,640
of having these connectors is being able to,

625
00:29:39,640 --> 00:29:43,240
ingest the specific components

626
00:29:43,240 --> 00:29:45,560
related to the internet that has to do

627
00:29:45,560 --> 00:29:47,800
with your particular business application.

628
00:29:47,800 --> 00:29:52,520
So prior to the acquisition, we were primarily,

629
00:29:52,520 --> 00:29:54,760
and we still are very, very heavily focused

630
00:29:54,760 --> 00:29:56,480
on the threat intelligence world

631
00:29:56,480 --> 00:30:01,160
and how to be able to provide internet scale data sets

632
00:30:01,160 --> 00:30:04,280
to provide a decision advantage.

633
00:30:04,280 --> 00:30:07,000
But if you think about it, the extensibility

634
00:30:07,000 --> 00:30:10,120
that goes beyond threat intelligence

635
00:30:10,120 --> 00:30:14,040
for internet scale data is almost infinite.

636
00:30:14,040 --> 00:30:18,520
If you imagine like yourself as a CIO versus a CISO,

637
00:30:18,520 --> 00:30:22,000
you may have a simple question of what technologies

638
00:30:22,000 --> 00:30:23,720
that you're leveraging.

639
00:30:23,720 --> 00:30:26,360
You may have like very firm understanding

640
00:30:26,360 --> 00:30:29,360
of the assets that you have within your organization,

641
00:30:29,360 --> 00:30:33,320
whether it's, you know, desktops or workstations

642
00:30:33,320 --> 00:30:38,080
or servers or licenses, bandwidth, rack space, et cetera.

643
00:30:38,080 --> 00:30:40,680
But what do you have in terms of a digital asset management

644
00:30:40,680 --> 00:30:41,480
system?

645
00:30:41,480 --> 00:30:43,560
Because if you think about the fundamental components

646
00:30:43,560 --> 00:30:47,120
of digital assets, they're different than what

647
00:30:47,120 --> 00:30:49,560
exists inside the firewall.

648
00:30:49,560 --> 00:30:52,720
In a very simple example, you could have one singular IP

649
00:30:52,720 --> 00:30:56,160
address that maybe has 100 websites behind it,

650
00:30:56,160 --> 00:31:00,280
or you could have 100 IP addresses that all go back

651
00:31:00,280 --> 00:31:01,840
to a singular website.

652
00:31:01,840 --> 00:31:04,200
And then once you go to a singular website,

653
00:31:04,200 --> 00:31:10,200
well, what CDNs are actually being used to transmit traffic

654
00:31:10,200 --> 00:31:14,160
basically across the internet to your organization?

655
00:31:14,160 --> 00:31:17,840
You could look at it in terms of CMSs or maybe third party

656
00:31:17,840 --> 00:31:22,960
components or widgets or different functionality that's

657
00:31:22,960 --> 00:31:27,040
pulled in from across the internet at runtime.

658
00:31:27,040 --> 00:31:31,360
And if you look at the charter of like CIOs, I mean,

659
00:31:31,360 --> 00:31:37,200
effectively, they get paid to do one very simple but very far

660
00:31:37,200 --> 00:31:37,880
reaching thing.

661
00:31:37,880 --> 00:31:40,240
And that's to take the blinking lights in the data center

662
00:31:40,240 --> 00:31:42,040
and tie it to earnings per share.

663
00:31:42,040 --> 00:31:44,600
And the reality is that those blinking lights in the data

664
00:31:44,600 --> 00:31:47,040
center are now becoming elements of the web

665
00:31:47,040 --> 00:31:50,040
or partially on the web or partially in the cloud

666
00:31:50,040 --> 00:31:52,800
and partially on the web or partially in your data center

667
00:31:52,800 --> 00:31:53,680
as well.

668
00:31:53,680 --> 00:31:59,280
So the way that that problem needs to be solved has changed.

669
00:31:59,280 --> 00:32:02,040
And so as a result of changing that,

670
00:32:02,040 --> 00:32:05,640
the capability of being able to take this level of data

671
00:32:05,640 --> 00:32:10,760
and being able to infuse it into other IT operations

672
00:32:10,760 --> 00:32:14,160
provides a very, very interesting future, I think,

673
00:32:14,160 --> 00:32:16,560
for Microsoft and RiskIQ.

674
00:32:16,560 --> 00:32:19,840
Yeah, I think you basically just said that it sounds like I

675
00:32:19,840 --> 00:32:23,440
could consume one of these APIs, call out to RiskIQ,

676
00:32:23,440 --> 00:32:25,600
and I could use the response that you give me.

677
00:32:25,600 --> 00:32:27,200
Let's just take a real simple example.

678
00:32:27,200 --> 00:32:29,360
Let's say someone connects to my logic app from some IP

679
00:32:29,360 --> 00:32:30,280
address.

680
00:32:30,280 --> 00:32:33,280
I could call the RiskIQ stuff and give me all the information

681
00:32:33,280 --> 00:32:35,600
that I need to know about that IP address.

682
00:32:35,600 --> 00:32:37,640
So I could take the information about that IP address

683
00:32:37,640 --> 00:32:39,440
and then start to make decisions about whether I'm

684
00:32:39,440 --> 00:32:41,320
going to accept that connection, for example.

685
00:32:41,320 --> 00:32:42,480
Correct.

686
00:32:42,480 --> 00:32:47,000
And I think in your example there of making a decision,

687
00:32:47,000 --> 00:32:49,200
the capability of being able to do that

688
00:32:49,200 --> 00:32:51,880
on a case by case or a singular, like,

689
00:32:51,880 --> 00:32:55,920
does this work type of instance, but as well as being

690
00:32:55,920 --> 00:32:57,200
able to automate it.

691
00:32:57,200 --> 00:33:00,800
Because having the power of the internet basically

692
00:33:00,800 --> 00:33:04,120
harnessed into a singular collective data

693
00:33:04,120 --> 00:33:08,880
set with all the associated relationships packed onto it,

694
00:33:08,880 --> 00:33:12,800
there may be ways that that decision ends up

695
00:33:12,800 --> 00:33:18,000
maturing over time as you end up adding more or different types

696
00:33:18,000 --> 00:33:21,080
of data into the pipelines to be able to make that decision.

697
00:33:21,080 --> 00:33:23,160
So again, when I was looking at stuff about RiskIQ,

698
00:33:23,160 --> 00:33:27,600
I noticed that RiskIQ occupies a niche within the environment

699
00:33:27,600 --> 00:33:30,240
called Enterprise Attack Surface Management.

700
00:33:30,240 --> 00:33:32,400
It's interesting that I see the term Attack Surface in there,

701
00:33:32,400 --> 00:33:36,280
because I've used the term Attack Surface for a long time

702
00:33:36,280 --> 00:33:40,720
as has the industry to understand how exposed, for example,

703
00:33:40,720 --> 00:33:42,280
an operating system is.

704
00:33:42,280 --> 00:33:44,240
Like, if I have an operating system and it's got,

705
00:33:44,240 --> 00:33:46,760
I don't know, let's make up a number, 20 open ports,

706
00:33:46,760 --> 00:33:49,440
and seven of those ports are open to the internet,

707
00:33:49,440 --> 00:33:52,040
and of those seven, one is unauthenticated,

708
00:33:52,040 --> 00:33:55,680
then that particular port has a very high Attack Surface,

709
00:33:55,680 --> 00:33:58,640
because it's basically accessible to anybody on the internet.

710
00:33:58,640 --> 00:34:01,080
And one thing that we focus on a lot back in the early days

711
00:34:01,080 --> 00:34:05,840
of Windows, especially with the delta between Windows XP

712
00:34:05,840 --> 00:34:08,840
Service Pack 2 and Windows Vista was reducing the operating

713
00:34:08,840 --> 00:34:10,240
system's attack surface.

714
00:34:10,240 --> 00:34:13,160
In fact, at Microsoft, attack surface analysis and attack

715
00:34:13,160 --> 00:34:15,600
surface reduction is a critical part

716
00:34:15,600 --> 00:34:16,760
of designing any system.

717
00:34:16,760 --> 00:34:19,120
It's a major part of the Microsoft Security Development

718
00:34:19,120 --> 00:34:19,880
Lifecycle.

719
00:34:19,880 --> 00:34:21,480
So it's really kind of interesting when

720
00:34:21,480 --> 00:34:24,480
I saw this term, Enterprise Attack Surface Management.

721
00:34:24,480 --> 00:34:26,040
Could you just give us the elevator

722
00:34:26,040 --> 00:34:29,440
pitch of what Enterprise Attack Surface Management actually

723
00:34:29,440 --> 00:34:30,240
is?

724
00:34:30,240 --> 00:34:35,160
The way to think about this is that the same elements

725
00:34:35,160 --> 00:34:38,120
that you described with regards to the attack

726
00:34:38,120 --> 00:34:41,640
surface of a particular desktop that had maybe ports

727
00:34:41,640 --> 00:34:43,920
and services that were open to the internet,

728
00:34:43,920 --> 00:34:47,120
that is now at a completely different level

729
00:34:47,120 --> 00:34:49,280
when you start talking about Enterprise Attack Surface

730
00:34:49,280 --> 00:34:53,120
Management from an industrial strength,

731
00:34:53,120 --> 00:34:55,760
kind of global organizational vantage point.

732
00:34:55,760 --> 00:34:58,960
And there's two primary differences that are nuanced,

733
00:34:58,960 --> 00:35:02,040
even though the underlying premise is still the same.

734
00:35:02,040 --> 00:35:04,120
First of all, the underlying premise being

735
00:35:04,120 --> 00:35:05,880
you can't protect what you don't know.

736
00:35:05,880 --> 00:35:07,400
So if you don't know something exists,

737
00:35:07,400 --> 00:35:09,360
if you don't know that a business unit went out

738
00:35:09,360 --> 00:35:13,280
and registered a website on a service provider

739
00:35:13,280 --> 00:35:16,560
and maybe put it up on a different cloud hosted provider

740
00:35:16,560 --> 00:35:21,320
and is offering some kind of services to customers,

741
00:35:21,320 --> 00:35:23,160
if something goes sideways with that,

742
00:35:23,160 --> 00:35:26,960
if something gets hacked within relationship to that,

743
00:35:26,960 --> 00:35:28,920
how do you even know where to start to respond?

744
00:35:31,480 --> 00:35:36,680
The way that this is manifested on the corporate side

745
00:35:36,680 --> 00:35:40,160
and basically on the enterprise or organizational sides,

746
00:35:40,160 --> 00:35:41,640
whether you're looking in governments

747
00:35:41,640 --> 00:35:46,400
or whether you're looking in a specific commercial entity

748
00:35:46,400 --> 00:35:48,640
is that everybody came on the internet

749
00:35:48,640 --> 00:35:50,240
a little bit differently.

750
00:35:50,240 --> 00:35:55,480
Some people started off day one with a web server

751
00:35:55,480 --> 00:35:57,680
and a firewall and got going from there.

752
00:35:57,680 --> 00:36:00,720
Some people immediately went to a co-location facility.

753
00:36:00,720 --> 00:36:04,360
Some people started to outsource it to third parties

754
00:36:04,360 --> 00:36:07,040
to be able to manage all aspects of it.

755
00:36:07,040 --> 00:36:08,440
And over the course of time,

756
00:36:08,440 --> 00:36:10,520
organizations have started to adopt

757
00:36:10,520 --> 00:36:13,240
and move from the inside to the outside

758
00:36:13,240 --> 00:36:16,640
or moving within their data center to cloud providers.

759
00:36:16,640 --> 00:36:20,320
Some have elected to go from co-location facilities

760
00:36:20,320 --> 00:36:23,240
into the cloud or maybe back into a data center.

761
00:36:23,240 --> 00:36:28,160
And the primary difference that starts to surface here

762
00:36:28,160 --> 00:36:30,240
is that if you look at the whole reason

763
00:36:30,240 --> 00:36:32,320
that you have a website to begin with,

764
00:36:32,320 --> 00:36:35,800
it's actually not for the host organization.

765
00:36:35,800 --> 00:36:38,040
It's to be able to service your customers.

766
00:36:38,040 --> 00:36:41,320
So the question becomes on one side,

767
00:36:41,320 --> 00:36:43,160
how do I protect myself?

768
00:36:43,160 --> 00:36:44,400
Because that's important.

769
00:36:44,400 --> 00:36:49,280
I don't want somebody to take PII or PCI type data

770
00:36:49,280 --> 00:36:50,680
out of my environment.

771
00:36:50,680 --> 00:36:53,600
But how of your security stack

772
00:36:53,600 --> 00:36:57,320
and the whole reason that you have a website to begin with

773
00:36:57,320 --> 00:36:58,920
is for your customers,

774
00:36:58,920 --> 00:37:01,200
how do I know my customers aren't getting hacked?

775
00:37:01,200 --> 00:37:04,160
If you look at some rather large incidents

776
00:37:04,160 --> 00:37:06,320
that have happened over the past several years,

777
00:37:06,320 --> 00:37:09,960
it's actually not an instance of the host company being attacked.

778
00:37:09,960 --> 00:37:12,480
It's the host company's website

779
00:37:12,480 --> 00:37:16,160
providing a mechanism for their customers to be attacked.

780
00:37:16,160 --> 00:37:20,160
So a simple example of this is you may have some widget,

781
00:37:20,160 --> 00:37:22,800
maybe a third party shopping cart application

782
00:37:22,800 --> 00:37:24,560
that you have on your website.

783
00:37:24,560 --> 00:37:26,240
And that shopping cart application

784
00:37:26,240 --> 00:37:28,760
is actually being hosted somewhere else on the internet.

785
00:37:28,760 --> 00:37:31,640
It's not within any of your positive control points.

786
00:37:31,640 --> 00:37:35,920
And an adversary could try to hack your particular organization

787
00:37:35,920 --> 00:37:39,000
and maybe take credit cards out of your organization,

788
00:37:39,000 --> 00:37:42,440
or they could hack that third party.

789
00:37:42,440 --> 00:37:43,840
And they could hack that third party

790
00:37:43,840 --> 00:37:47,320
so that any time that somebody went to your website

791
00:37:47,320 --> 00:37:50,000
and put in their name and their credit card number

792
00:37:50,000 --> 00:37:52,920
and their CVV and expiration date, et cetera,

793
00:37:52,920 --> 00:37:54,880
that when they hit that submit button,

794
00:37:54,880 --> 00:37:57,880
not only does it go internally to your organization to process,

795
00:37:57,880 --> 00:38:01,640
but it also goes to an adversary's website

796
00:38:01,640 --> 00:38:04,400
where they can house and subsequently end up using

797
00:38:04,400 --> 00:38:07,720
that credit card information in this example

798
00:38:07,720 --> 00:38:09,360
in a fraudulent manner.

799
00:38:09,360 --> 00:38:12,800
And if you look at how attack surface management

800
00:38:12,800 --> 00:38:16,800
has grown up over the past 10 years or so,

801
00:38:16,800 --> 00:38:18,440
we didn't really even know what to call it

802
00:38:18,440 --> 00:38:19,960
when we first saw it, right?

803
00:38:19,960 --> 00:38:23,120
It's like we knew we had this capability.

804
00:38:23,120 --> 00:38:26,120
We knew that it was something the customers wanted.

805
00:38:26,120 --> 00:38:30,240
We knew that providing an attack surface to a customer

806
00:38:30,240 --> 00:38:32,720
provided ways to be able to augment

807
00:38:32,720 --> 00:38:37,120
or subsequently enhance anything from their bug bounty programs,

808
00:38:37,120 --> 00:38:39,160
from their vulnerability management programs,

809
00:38:39,160 --> 00:38:42,200
app sec, pen testing, et cetera.

810
00:38:42,200 --> 00:38:45,520
But there also was this element of being able to provide

811
00:38:45,520 --> 00:38:48,760
a confidence that their customers, in fact,

812
00:38:48,760 --> 00:38:52,200
weren't being taken advantage of by utilizing their web services.

813
00:38:52,200 --> 00:38:57,280
And as that scenario started to grow

814
00:38:57,280 --> 00:39:01,240
over the course of time, it kind of went from a fringe,

815
00:39:01,240 --> 00:39:04,080
like if I have time, yes, we'll do attack surface management

816
00:39:04,080 --> 00:39:09,040
for our digital enterprise, for the digital estate

817
00:39:09,040 --> 00:39:12,520
that we've created and being able to have visibility to this

818
00:39:12,520 --> 00:39:15,800
the same way that users do, the same way that adversaries do,

819
00:39:15,800 --> 00:39:19,600
the same way that partners and customers, et cetera,

820
00:39:19,600 --> 00:39:21,920
have with my environment, and then being

821
00:39:21,920 --> 00:39:23,560
able to crystallize that.

822
00:39:23,560 --> 00:39:27,520
And as we noticed probably about four or five years ago,

823
00:39:27,520 --> 00:39:29,880
this started to catch a lot of traction,

824
00:39:29,880 --> 00:39:31,680
for example, with analyst firms.

825
00:39:31,680 --> 00:39:35,880
It started to become a more top-of-mind topic

826
00:39:35,880 --> 00:39:41,080
that we've seen covered in a number of different forums,

827
00:39:41,080 --> 00:39:44,280
like conferences and webinars, et cetera.

828
00:39:44,280 --> 00:39:50,600
And the ability for this to become a foundational component,

829
00:39:50,600 --> 00:39:52,200
the ability for attack surface management

830
00:39:52,200 --> 00:39:53,920
to become a foundational component

831
00:39:53,920 --> 00:39:57,000
of any contemporary enterprise security program

832
00:39:57,000 --> 00:40:02,320
has gone from the early adopters into, I would say,

833
00:40:02,320 --> 00:40:05,720
more of a critical mass of organizations.

834
00:40:05,720 --> 00:40:09,200
And these are not just very large multinational global

835
00:40:09,200 --> 00:40:12,120
organizations, though they were probably more

836
00:40:12,120 --> 00:40:13,800
in the early adopter camp.

837
00:40:13,800 --> 00:40:16,880
But think of organizations that have disproportionately

838
00:40:16,880 --> 00:40:20,680
smaller security teams to disproportionately large digital

839
00:40:20,680 --> 00:40:22,160
presences that they have.

840
00:40:22,160 --> 00:40:25,960
You see this a lot of the time in multinational or even

841
00:40:25,960 --> 00:40:28,680
domestic conglomerates, where

842
00:40:28,680 --> 00:40:32,640
they're more of a combination of a bunch of smaller brands

843
00:40:32,640 --> 00:40:37,880
and organizations that roll up under a centralized organization

844
00:40:37,880 --> 00:40:39,680
from an accounting perspective.

845
00:40:39,680 --> 00:40:43,600
So how can somebody see what this looks like?

846
00:40:43,600 --> 00:40:47,280
Do you have demos, some videos?

847
00:40:47,280 --> 00:40:50,480
Yeah, so a very good question.

848
00:40:50,480 --> 00:40:52,040
Gladys, it actually takes us right back

849
00:40:52,040 --> 00:40:54,240
to the beginning of the conversation.

850
00:40:54,240 --> 00:40:58,600
RiskIQ said that we wanted to make the internet a safer place.

851
00:40:58,600 --> 00:41:01,960
And we came to the realization that the biggest challenge

852
00:41:01,960 --> 00:41:03,840
that we had in making the internet a safer place

853
00:41:03,840 --> 00:41:06,280
was that there weren't enough good guys in the game.

854
00:41:06,280 --> 00:41:09,920
And then bringing the capability of complex internet

855
00:41:09,920 --> 00:41:13,400
investigations and visibility and so forth down

856
00:41:13,400 --> 00:41:18,120
to a more consumable level that allowed anybody

857
00:41:18,120 --> 00:41:21,560
to interact with that, that led us down the path of actually

858
00:41:21,560 --> 00:41:23,520
creating an entire freemium model.

859
00:41:23,520 --> 00:41:27,840
So today, you can go to community.riskiq.com.

860
00:41:27,840 --> 00:41:29,240
You can set up a free account.

861
00:41:29,240 --> 00:41:31,280
Everything that we've been talking about here today

862
00:41:31,280 --> 00:41:35,080
can be unlocked within that account itself.

863
00:41:35,080 --> 00:41:39,680
We have a little over 110,000, 120,000 different analysts

864
00:41:39,680 --> 00:41:43,560
across about 15,000 organizations today that are using it.

865
00:41:43,560 --> 00:41:49,800
It is arguably one of the most prolific freemium

866
00:41:49,800 --> 00:41:53,840
SaaS-based offerings that exist on the internet.

867
00:41:53,840 --> 00:41:59,440
And it also has a number of additional value

868
00:41:59,440 --> 00:42:01,560
adds that we look at in terms of being

869
00:42:01,560 --> 00:42:09,560
able to provide visibility and capabilities to organizations.

870
00:42:09,560 --> 00:42:11,600
We have Threat Hunter workshops.

871
00:42:11,600 --> 00:42:14,440
For example, we do them about once a month.

872
00:42:14,440 --> 00:42:16,800
We usually get hundreds and hundreds of people

873
00:42:16,800 --> 00:42:21,280
from across the globe on these Threat Hunter workshops.

874
00:42:21,280 --> 00:42:25,080
And what we do is we actually take things that are in the news.

875
00:42:25,080 --> 00:42:27,600
We take technologies that customers

876
00:42:27,600 --> 00:42:29,160
in the market are using.

877
00:42:29,160 --> 00:42:35,520
We take concepts that are very basic to very complex.

878
00:42:35,520 --> 00:42:39,680
And we actually show how within the product itself,

879
00:42:39,680 --> 00:42:42,960
you can solve for a lot of these problems.

880
00:42:42,960 --> 00:42:45,240
So yeah, if you're looking for a way

881
00:42:45,240 --> 00:42:47,040
to be able to get in the game right now,

882
00:42:47,040 --> 00:42:50,440
you can go set up an account.

883
00:42:50,440 --> 00:42:53,080
And you can reach out to your Microsoft contact,

884
00:42:53,080 --> 00:42:56,520
and we can give you extended access and more visibility

885
00:42:56,520 --> 00:42:59,520
and take away some of the limitations

886
00:42:59,520 --> 00:43:02,760
that we have within the product and the freemium side

887
00:43:02,760 --> 00:43:05,920
and actually provide a full enterprise version.

888
00:43:05,920 --> 00:43:07,680
And then I would also offer if you

889
00:43:07,680 --> 00:43:10,320
wanted to either sign up and look at some

890
00:43:10,320 --> 00:43:13,640
of our historical Threat Hunting workshops that we've done,

891
00:43:13,640 --> 00:43:18,280
where we've taken very robust infrastructure that

892
00:43:18,280 --> 00:43:23,000
has been set up by bad guys and systematically decomposed it,

893
00:43:23,000 --> 00:43:26,600
you can sign up for those, or you can sign up

894
00:43:26,600 --> 00:43:29,920
for new Threat Hunting workshops that we

895
00:43:29,920 --> 00:43:31,480
have coming up in the future.

896
00:43:31,480 --> 00:43:35,680
Yeah, originally when I started learning about RiskIQ,

897
00:43:35,680 --> 00:43:38,520
I signed up for some of those workshops.

898
00:43:38,520 --> 00:43:42,160
I think it's every other Thursday for a couple of hours.

899
00:43:42,160 --> 00:43:44,280
And they were awesome.

900
00:43:44,280 --> 00:43:45,680
It just got me started.

901
00:43:45,680 --> 00:43:47,400
So I really recommend that.

902
00:43:47,400 --> 00:43:49,520
Yeah, it's a lot of fun.

903
00:43:49,520 --> 00:43:53,360
I mean, what have traditionally been types of access

904
00:43:53,360 --> 00:43:55,480
and types of visibility that have been relegated

905
00:43:55,480 --> 00:44:00,400
to a very small niche of cybersecurity professionals

906
00:44:00,400 --> 00:44:03,560
that largely learned how to do it over years and years

907
00:44:03,560 --> 00:44:08,200
of research and being practitioners, et cetera.

908
00:44:08,200 --> 00:44:09,840
Being able to bring that down to be

909
00:44:09,840 --> 00:44:11,560
able to have individuals.

910
00:44:11,560 --> 00:44:13,800
I mean, we've got programs that we've done for high school

911
00:44:13,800 --> 00:44:17,960
kids, where we've taken very simple articles that show up

912
00:44:17,960 --> 00:44:21,840
in mainstream news that have either a singular domain name

913
00:44:21,840 --> 00:44:26,080
or a singular IP address in them and actually expand all of that

914
00:44:26,080 --> 00:44:30,480
and be able to say, this is what this infrastructure looks

915
00:44:30,480 --> 00:44:32,680
like on the internet right now.

916
00:44:32,680 --> 00:44:36,880
And this is the story behind everything

917
00:44:36,880 --> 00:44:38,760
that you just read in that news article.

918
00:44:38,760 --> 00:44:40,240
This has been really great.

919
00:44:40,240 --> 00:44:41,560
I learned a ton.

920
00:44:41,560 --> 00:44:43,400
I mean, I just understood a little bit

921
00:44:43,400 --> 00:44:48,200
of what RiskIQ is, but certainly learned one heck of a lot

922
00:44:48,200 --> 00:44:49,040
more.

923
00:44:49,040 --> 00:44:51,920
So Jason, one thing we'd like to ask our guests

924
00:44:51,920 --> 00:44:55,560
is if you had one thought to leave our listeners with,

925
00:44:55,560 --> 00:44:56,680
what would it be?

926
00:44:56,680 --> 00:45:01,320
If I could leave any kind of parting thoughts with anybody,

927
00:45:01,320 --> 00:45:07,280
it would be around not needing to wait until some additional

928
00:45:07,280 --> 00:45:11,440
technology comes along or some future state occurs.

929
00:45:11,440 --> 00:45:14,840
The capabilities are there now, and the entry point

930
00:45:14,840 --> 00:45:18,320
is far easier than it's ever been in the past.

931
00:45:18,320 --> 00:45:21,800
In closing, I'd really like to thank you for the time here

932
00:45:21,800 --> 00:45:22,280
today.

933
00:45:22,280 --> 00:45:24,600
And this is a topic that's very exciting to me,

934
00:45:24,600 --> 00:45:27,000
and that I'm very passionate about.

935
00:45:27,000 --> 00:45:28,920
And it's very personal to me.

936
00:45:28,920 --> 00:45:35,320
So anything I could do to help, please feel free to reach out.

937
00:45:35,320 --> 00:45:38,040
I'm sure maybe we can do this again sometime.

938
00:45:38,040 --> 00:45:40,360
So again, thanks so much for joining us this week, Jason.

939
00:45:40,360 --> 00:45:42,880
I know Gladys and I really appreciate you taking the time.

940
00:45:42,880 --> 00:45:45,960
And to our listeners out there, thank you also for listening.

941
00:45:45,960 --> 00:45:48,200
Stay safe, and we'll see you next time.

942
00:45:48,200 --> 00:45:51,040
Thanks for listening to the Azure Security Podcast.

943
00:45:51,040 --> 00:45:54,800
You can find show notes and other resources at our website,

944
00:45:54,800 --> 00:45:57,840
azsecuritypodcast.net.

945
00:45:57,840 --> 00:46:00,160
If you have any questions, please find us

946
00:46:00,160 --> 00:46:01,840
on Twitter at AzureSecPod.

947
00:46:01,840 --> 00:46:03,600
Background music is from ccmixter.com

948
00:46:03,600 --> 00:46:05,760
and licensed under the Creative Commons license.


