Microsoft on CISOs: Thriving Community Means Stronger Security

BLACK HAT USA – Las Vegas – Wednesday, Aug. 7 – This week at Black Hat, Ann Johnson, corporate vice president and deputy chief information security officer (CISO) at Microsoft, and Sherrod DeGrippo, Microsoft's director of threat intelligence strategy, took to the main stage for their talk, "From the Office of the CISO: Smarter, Faster, Stronger, Security in the Age of AI." While attendees may have expected a discussion focused on ways that AI can help the effectiveness of cybersecurity tools, one could say that Johnson and DeGrippo decided to go off script.

"Does anyone remember a couple of weeks ago, there was like a little glitch?" DeGrippo asked the crowd, referring to the recent global CrowdStrike outage and earning a laugh in response.

The fault sensory configuration update to CrowdStrike's Falcon platform on July 19 triggered Microsoft outages for millions, and "blue screens of death" as far as the eye could see. As the days passed, the fallout continued to grow, with the estimated monetary loss amounting to roughly $5.4 billion, excluding Microsoft's own losses.

Johnson went on to give the audience the lowdown from someone who was there and witnessed the effects of the outage firsthand. The evening before the incident, Microsoft found itself dealing with a limited scope package in Azure in one of its US regions. 

"At 11:30 that night, it was remediated, was resolved, and I went to bed," Johnson said. "I was like 'OK, we're good.' At 1 in the morning, maybe 1:15, my phone rang with a customer [who] said 'Hey, I’m getting this blue screen of death.'"

Other calls started coming in, and she realized this wasn't connected to the Azure outage. Johnson explained that Microsoft then "rallied the troops" to face the problem.

"The pride I had, not just in Microsoft but those people that were literally working in shifts … these folks were working around the clock," she says. "The industry was working around the clock. And even though it was the operations folks that were most impacted, not the cyber folks, the resilience, the community, the things I saw in the industry were so powerful that yet again, it renews my faith that we all can win together."

Johnson’s take on the event is that the response to it from professionals was "incredible" to witness. However, what is the lesson to be learned?

Community Is No. 1

As DeGrippo detailed, the Microsoft Threat Intelligence Center (MSTIC) is focused on working closely with customers regarding intelligence briefings, and is "embedded" in its community of independent researchers, fellow vendors, and even colleagues at healthcare organizations and in other verticals.

For instance, Scattered Spider, a group responsible for a significant number of ransomware events in the past 18 months, is a persistent group that Microsoft has paid close attention to. Microsoft's community, from MSTIC to its Digital Crimes Unit (DCU), DeGrippo says, is eager to combat the group, helping law enforcement efforts. And it's not just Microsoft that does this, Johnson insists — its peers in the industry are also working with the public sector to defend people from the threat actor, sharing tactics and defense strategies. 

"For everything you see in the news, there are thousands of [malicious] things that haven’t happened because all the people in this room stopped it from happening," Johnson told Black Hat attendees. "Take a victory lap and a round of applause. Yeah, there’s bad things that are going to continue to happen. But all you stop the thousands of other things from happening, and that’s what community does."

AI in the Hands of Threat Actors & Defenders

Part of improving the community going forward is embracing technologies that make defenders' lives easier. For instance, as GenAI continues to grow in popularity, threat actors will use it to their advantage. According to Johnson, they'll use it to become more effective and efficient at what they do, making them more difficult to combat. What should defenders do in response? The exact same thing. 

"We want to use technology like AI or whatever the latest technology is to make you more effective, so you can take that time off," she said, referencing how new strategies and tools are needed to ensure that cyber defenders have less burnout. Events like the CrowdStrike Falcon update snafu and the resulting Microsoft outage should not require people to sacrifice their health or time with family while "working hours on end to combat the issues we’re collectively facing," Johnson said.

She added, "AI does have a very meaningful role in the world of the CISO and in the world of cyber defenders, but … we want to talk about the human beings, the community, the defenders."