The Microsoft Threat Intelligence Podcast 7.3.24
Ep 22 | 7.3.24

Microsoft Live at the RSA Conference 2024

Transcript

Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage? Cyber crime? Social engineering? Fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry. I'm your guide to the back alleys of the threat landscape. Hi. This is Sherrod DeGrippo with the Microsoft Threat Intelligence Podcast. And we are recording a special episode today at the RSA Conference in San Francisco and I am joined by the legend David Weston, VP of operating system security at Microsoft. David Weston, thank you for joining me. How are you doing?

David Weston: I'm happy to be here. RSA day one.

Sherrod DeGrippo: RSA day one. How are you feeling? Do your feet hurt?

David Weston: I hate to say this, but I'm a little experienced at RSA. So I know day one's just, you know, slowly start to, you know, expend that energy. It's a marathon, not a sprint.

Sherrod DeGrippo: That's true. And speaking of marathons and sprints, you are wearing the most amazing Alexander McQueen sneakers. How do those feel on the feet?

David Weston: A little heavy.

Sherrod DeGrippo: They look really cool.

David Weston: You're paying for fusion, I'll trade it anything.

Sherrod DeGrippo: Okay.

David Weston: Right.

Sherrod DeGrippo: So you are heavily followed at Microsoft. You're at dwizzzle on Twitter. Everybody knows you. You've been around a long time. Tell me what's going on with the operating system security.

David Weston: Well, there's a lot going on. I think we've been spending quite a bit of time I think looking at the hardest problem. So I would say years ago our focus was giving our end users and our customers the controls to do it themselves. And it turns out that what customers really wanted was Microsoft to do it for them, to secure the operating system for them. And so for key I would say attack vectors that are really, you know, long running things like credential protection, multi factor authentication, getting rid of privileges you don't need, you know the milk and honey of basic security, that's something that we've been focusing on. And the reason it took us so long is frankly it's really hard. It's hard to keep things secure, make sure you can still play the games you want to play, you can open that spreadsheet when you need to, you can run that app you bought 20 years ago. And keeping it secure is really difficult. So that's been the focus really is not doing anything fancy, but doing those basics really well.

Sherrod DeGrippo: And you were telling me earlier that something is coming up with admin.

David Weston: Yeah. It's going away. So that's the cool part.

Sherrod DeGrippo: Tell me what are the impacts of that. And I also want to understand what decision making was needed to get to that point in Microsoft.

David Weston: Sure. So the big thing with admin is that it's the traditional attack vector. I would say it's like one of the key problems in the Windows operating system and operating systems outside of Windows as well. The idea is, right, the user has the power to do anything they want. They can be admin. They can install drivers. They can install printers. They can modify files. And so that comes with all the cool things that you can do with one is you can literally do anything with a Windows PC from games to running medical devices, etcetera. The flip side of that is if your machine gets owned they can literally do anything. They can dump credentials. They can install drivers, etcetera. And so the key is keeping what makes Windows cool. Right? This flexibility. This openness. While making sure if you get compromised you're safe. So I call admin sort of like running with scissors. If you know what you're doing, you're very careful, it's cool. But the second you trip, it's a bad day. And so the focus has really been coming up with an approach to enable that. And what has really helped with Windows 11 is we kind of made this cutoff. We said you have to have a certain set of capabilities, hardware, software, and we're sort of going to fork. We're going to have a higher set of security capabilities with Windows 11. And one of the things Windows 11 had by default is Windows Hello. So face, fingerprint, the ability to authenticate and have a good experience doing that. So that set us up really well for admin. Right? Cool. So everyone's gotten their thing. They can just either tap with their finger or use their face to authorize operations. This is great. This really sets us up along with cleaner drivers, etcetera, to have a good experience around removing some of these privileges. And so what we came up with is basically the ability to just-in-time authorize admin level things. You want to install a driver. You won't be running with scissors. Right? As admin all the time. But if you want to install a driver it's now simple. Tap your finger. Use your face. You can authorize that. That has a huge benefit from a security standpoint because now a macro that gets on your machine isn't running as admin, but you can still do all the things you need. And so there is this sort of build up of good hardware capabilities, cleaner driver and operating system, MFA, and that's brought us to the point of allowing us to do admin which is something we've been trying to do since the XP days. So I'm pretty excited about this journey towards, you know, making the operating system substantially more secure and actually having a good experience.

Sherrod DeGrippo: What do you think was like the ability to get everyone to decide and align on that in Microsoft?

David Weston: I -- well, it wasn't as sophisticated as you might think. I think with modern operating systems we get a lot of information about what applications are actually being used, what users actually want. Right? We can even get things like thumbs up and thumbs down on operations to basically understand the sentiment. And so the things that used to really be argued about, my subjective opinion is if we get rid of admin we're going to break everything, have become really simple data driven decisions. So it was literally a matter of getting some really smart folks to sit down and chew through the data and say, "So if we go adminless, how many people are going to see dialogs on any given day?" X amount of people. Well, that sounds like a great trade off for security. So actually the game changer here has been to actually have data, remarkably, and make decisions around that instead of a bunch of FUD. And I think just we've gotten better at doing that. And so we've been able to rapidly make this set of engineering decisions that seem really big and used to be scary, but are now like, "Well, we can see the data right there and we can reason about the trade off." And so that probably sounds simple to a lot of people, but you have to take into account the scale. Right? These are billions of devices. All sorts of different things happening. And just the scale to process that data and to get it to the simple like 98% of the time it will be fine has really been the change.

Sherrod DeGrippo: So I love -- when is that coming out?

David Weston: The next version of Windows we're targeting. Yeah.

Sherrod DeGrippo: Okay. And you also told me that you're doing something on the nerdiest side of AI. What does that mean?

David Weston: So one of the things we're looking at is how to make sure that we can secure models on the engine. Let me tell you what I mean by that. The more that people are using AI, and that's all sorts of different forms from LLMs to imaging models to you name it, the more we want to take advantage of it on your local computer for a couple reasons. One is modern computers, especially modern Windows computers, have things like TPUs or GPUs that have an incredible amount of power that's mostly just sitting there idle. The other issue we have is if you send things up to the cloud to do AI processing you have a lot of latency. You have now data control concerns around privacy, etcetera. So there are a bunch of reasons why for performance, for speed, and for privacy and compliance you want to keep the AI local. Now here's the problem. If a hacker gets onto your machine and that model's critical path is some sort of security decision, etcetera, now you've got to figure out a way to protect it. And so what I would say is as GPUs were rapidly being adopted for AI security wasn't necessarily the first thought, as many things are. And so in a lot of ways we're now saying now that we see this power, how do we secure it? And so I think one of the big things that I'm working on on a day to day basis as I mentioned is as we're getting more of these AI models locally, what are we going to do to make sure once it gets on the machine they're not going to be able to modify it? They're not going to be able to tamper with it. Etcetera. And that involves hardware changes to these GPUs and TPUs. It involves things like virtualization. It involves pretty substantial changes to the operating system to get to that level of capability.

Sherrod DeGrippo: And so you feel like that's coming along well. Anything interesting that like seems like it's going to mess it up?

David Weston: I think there's a few things that are challenging. One is the way we protect AI models today is largely keep it in the data center under lock and key. Someone might have spent hundreds of millions of dollars training a model and might be doing a very specific thing. And now it's in the back of a coffee shop. Right? And so a lot of traditional PCs, they're meant to be secure, but they may not be meant to be secure for someone tearing it apart and using like an electron microscope to make hardware modifications. So a lot of the things we have to think through are how do we keep kind of these AI weights and models secure even against physical attackers? We actually have experience doing this, creating a product called Xbox where we don't want you to be able to hack games or play games for free, etcetera. And so some of that thinking has first gone into Azure where we protect those models and customers like OpenAI are leveraging that. And now we've got to bring a lot of those capabilities to the PC side. So I would say we've got some great capabilities coming, but it is by no means a simple we have it in the bag kind of thing. It's evolving. And frankly this is where research comes in at conferences like RSA is we've got to really keep an eye on what the attack community is going to do. They're going to teach us how well we're doing. So we have to wait until that score card comes out to know how we're doing.

Sherrod DeGrippo: You also said something I thought was really interesting which is RSA conference is like seeing Twitter come to life.

David Weston: It's a bit of -- right? There's just information overload. There's sitting at breakfast. If you're sitting next to someone, you're hearing a hot take about some vendor here, how someone couldn't patch. They're really living it just through like osmosis of what people are talking about.

Sherrod DeGrippo: And I bet a lot of people come up to you and are like, "Are you dwizzzle?"

David Weston: Actually yeah. So one interesting thing is today I was sitting next to a guy. One of the products I own is Windows Hello. And he was like a CSO and was talking about how difficult it was to deploy and I was in my gym shorts just coming back from the gym and I was like, "I think I can help you with that." So actually --

Sherrod DeGrippo: I love it. You engaged -- there are so many people.

David Weston: I'm very sorry to have overheard this, but --

Sherrod DeGrippo: There are so many people who would have overheard that and turned the other way and walked off. I love that you did that.

David Weston: No. I got his email. I understood the issue. It's actually a fairly simple issue. Something we can fix. So I mean that's why I come, to hear stuff like that. So.

Sherrod DeGrippo: And at the gym.

David Weston: Yeah. It was at breakfast after the gym. Everyone else is in their three piece suit. So I think he's like, "Who's this sweaty guy?" But I got him.

Sherrod DeGrippo: You're like, "I'm dwizzzle. I'm the VP of operations." Operating system security.

David Weston: Yeah.

Sherrod DeGrippo: He found the right person. Yeah. That's awesome. I love it. Thank you so much for joining us. This was David Weston, VP of operating system security at Microsoft. Thanks for joining us.

David Weston: Pleasure. Thank you.

[Music]

Sherrod DeGrippo: Hi, everyone. This is Sherrod DeGrippo with the Microsoft Threat Intelligence Podcast. I am here with Jamie Williams, senior principal security operations engineer at the one and only MITRE. Hi, Jamie.

Jamie Williams: Hello. Thanks for having me.

Sherrod DeGrippo: Thanks for coming on. So we are still here at the RSA conference. What kind of weird stuff have you seen out there on the streets?

Jamie Williams: Oh. There's ninjas. There's fireworks.

Sherrod DeGrippo: Oh, that's right. There was a drone show.

Jamie Williams: Amazingness. And of course we had our magicians. It's like who doesn't love like a good card trick. But they stepped up their game. There's like invisible cards and you can write your name on stuff. I'm a little bit of a nerd for like not that magic kid, but I can appreciate the art.

Sherrod DeGrippo: So did you see a magician somewhere in the expo?

Jamie Williams: Yeah.

Sherrod DeGrippo: Oh. They're doing card tricks?

Jamie Williams: Card tricks.

Sherrod DeGrippo: That is cool. There is a lot of really creative stuff happening at some of the booths. Others are very boring. I kind of feel like there was one booth that had a customized pinball machine that you could play.

Jamie Williams: Well, how custom does a pinball machine get? Is it like the --

Sherrod DeGrippo: It was their logo and like a little -- it was like the bonuses were like cloud, email, network. Like it was a full on like security pinball game.

Jamie Williams: Okay. So like it's educational still.

Sherrod DeGrippo: I guess. I mean it was pretty cool.

Jamie Williams: I like to turn my brain off as much as I can. So I don't know. Power to them.

Sherrod DeGrippo: I love pinball. And I saw Mikko Hypponen there. And he was playing the pinball game. So that was kind of neat. A lot of stuff is happening out there.

Jamie Williams: A lot of people. A lot of faces.

Sherrod DeGrippo: How many times have you been to RSA conference?

Jamie Williams: That's a great question. Let's call it six to seven. I've never actually done the formal conference, though. I'm just like a booth --

Sherrod DeGrippo: Customer meetings.

Jamie Williams: Yeah. No.

Sherrod DeGrippo: Oh. A booth person.

Jamie Williams: Yeah. Booth duty. Handshakes in the hallway. Grab a coffee here and there. Just kind of love life.

Sherrod DeGrippo: I've spent a lot of today on the expo floor and I really enjoyed it. Tell me kind of what you're seeing on the threat landscape out there. Like what are the threat actors doing?

Jamie Williams: They're doing stuff.

Sherrod DeGrippo: At the RSA conference?

Jamie Williams: Yeah. Probably. I know. That's the big thing I love about this conference too is like I'm not a big tech product person. Like I don't come here to look for like products. I look for like more the like catalyst for the product. Like why did you think this was a good idea? Like what drove you to come here? And I think like this conference is kind of a good representation of where we are in the threat landscape where, you know, we feel like the pendulum swings and there's like huge bursts of like creativity and innovation. Like some people call it, was it, hot 0-day summer. And then like other times it feels kind of slow and we're like, "Oh. Like what's happening?" And I think we're maybe in one of those lulls where like we've seen, you know, edge devices and AI and all these things. For me it doesn't like strike that big like, "Oh. This is scary." It's like oh. Those things make sense. And I think this is where we see maybe an R and D cycle where adversaries are like digging deep of like, "Hey. Like AI's out there. It's possible." Like there's a couple ideas, maybe some different areas we could take it. But like how do I optimize that? What does like really like efficient use of AI look like? So like it's interesting because you're like the pieces maybe aren't moving too much, but it's also like wow. That's a little bit scary when you don't hear a lot of noise. You're like, "What's happening?" The bears are a little bit quiet. The --

Sherrod DeGrippo: The bears. The spiders. The pandas. The kittens. Everyone's a little quiet. No. I think the threat landscape is always moving, but I agree there are these sort of spikes in not necessarily activity, but spikes in novelty and spikes in new TTPs and spikes in like particular types of targets and things like that. So you mentioned edge devices. What are your thoughts around the edge device situation on the landscape right now?

Jamie Williams: It's interesting because I think adversaries are learning. Again there's classic targets of desktops and servers and obviously that kind of has a maturation curve, but also it's like, "Hey. Why don't we just target where the investment isn't?" And like how many more RSAs are we going to come to before edge device security is like a headliner? And I think that's in itself a really interesting innovation of, "Hey, we all have these." Same thing we saw with like mobile devices and cloud and all these things. We all have these, but who's really putting the elbow grease into thinking about like what does good security actually look like. So it's a little bit of a fun kind of trade off of wow we -- and I've said this before in like other venues. But I think we're sometimes a little bit too smart for our own good. We always want new, new, new without looking back and saying like, "We're never really going to solve security. We're never really going to finalize things. But did we put enough time and attention?" And I think that's where some of these events and some -- bringing so many of these, hate to use the word, but like thought leaders together in the same space is really powerful because we can use some of these more innovative ideas like AI or generative language models, whatever it may be, and maybe take a look at yesteryear and say, "Well, we thought we were good over here." Or maybe this is emerging as a new area. Like hey edge devices, logs, how are we even retaining those or are we storing them, etcetera, etcetera? Is there some way we merge those ideas into something that's a little bit more impactful and modern? But all of that's just kind of hand wave armchair quarterback. So.

Sherrod DeGrippo: Well, no. I think you hit on a good point which is like there is something that I've been obsessed with for probably -- I think that this piece came out in April 2000. So it's been 24 years I've been obsessed with the Bruce Schneier essay, "It's a process, not a product." And I think that has held so true. There's so many great points in that, but one of them is, hey, this is something we'll have to do continually. Like we're going to have to continue securing things all the time. Innovation requires additional security. And if we stop innovating, I mean technology is going to innovate and we've got to secure it. And I love that idea that like it's constantly happening and then you have to focus on if this is going to be perpetual where do I prioritize putting resources. And I think that's super important. Everyone does it differently, but one of the ways I love it is thinking about people and thinking about like the most targeted people in an organization. The people who have maybe elevated access, elevated privileges. And another thing I really love is separating out somebody you might consider a VIP like a CEO. So a CEO's a VIP for sure. But he might not actually be the most attacked and I think that's one of the things that's really important to think about is --

Jamie Williams: Right. And I love that. Like I'm a big process nerd as well. That's why like I love tech, but I also like when I see like stuff I'm like, "Tell me about what good use of this looks like, but also like a failure." Like your product's awesome, but like procedurally how do I shoot myself in the foot with it? And like can you like learn that lesson? And I think to your point about adversary innovation is they're like targeting those systems. Like you said, like why would we target VIPs where we know the security is versus like let's think one hop? That executive. That VP. Like do they actually touch their keyboard very often or is it an admin or like hey there's all these sys admins that have all these credentials and all this like god level access. But there's also developers that log into that box and like maybe that's an easier path. So it takes us to take a step back and look at ourselves and say, "As a system and as a process, what does that threat landscape look like?" That flips the entire paradigm to, "Oh, crap. Edge devices. Mobile and GitHub keys." And all these things that we need to worry about that's just loose threads that are eventually going to get pulled.

Sherrod DeGrippo: It's like lint and pocket change that we have to sort through.

Jamie Williams: That's a good sticker. Yeah.

Sherrod DeGrippo: But I think that the true work of security is just like going through and doing the lists that need to be done and hardening the things. Like I was talking earlier about on the ransomware landscape living off the land is huge. Right? So leveraging the applications and tools that are resident within a machine to get your objective done by a threat actor. A lot of the [inaudible 00:18:14] actors, and [inaudible 00:18:14] too. And somebody said to me, "Well, Sherrod, how do you protect from living off the land?" And I was like there are literally whole books about this. There are literally 40 page living off the land mitigation and hardening guides. Like this is a sit down and work the process situation. This is not an "oh, just flip that bit and you're cool."

Jamie Williams: Yeah.

Sherrod DeGrippo: And I think that's like one of the things that we're going to have to maybe even relearn in security culture is like you've got to sit down and do the hardening guide.

Jamie Williams: That's such an interesting topic too because I know like we as MITRE get stuck in that situation very often. We're like, "We'll just write you like a 100 page white paper about it." And they're like, "Yeah. Like that doesn't -- " I mean that's great. Like really great citation. But like from your opinion like who actions that? Is that from the bottom up? Is that vendor out? Like is that a little bit of both? Because I think the biggest problem we have in this space is that huge like it depends. And I think that's my answer to this.

Sherrod DeGrippo: Everybody says that about -- it depends.

Jamie Williams: Yeah. Because it's like living off the land. I'm like you could kind of -- I could think of a lot of strategies from both grassroots or like hey from a vendor there's a lot of stuff that could probably happen as well. Like do we just like pretend that we're all working in that soft medium? Or like who takes charge there?

Sherrod DeGrippo: I mean I think as you said it depends. That's the number one answer for everything. But I think ultimately one of the sort of initiatives that I have as a focus at Microsoft is putting practitioners first. The thing that I've said this week at RSA conference more than anything just to send the message home is analyst to analyst. I say it -- like everyone goes analyst to analyst. We want to share analyst to analyst. And we want the practitioners leading. So I think like who does that. I think that somebody who has the most to lose and that typically is the practitioners.

Jamie Williams: I love that philosophy because we've done something similar with ATT&CK of like I think it was ATT&CKcon two or three. Like someone sent this amazing CFP and it was about how they were using ATT&CK to teach cyber to like middle schoolers. I was like holy crap. Like never thought about that. But it completely changed the way we thought about security content was this does not need to be targeted to cyber PhDs or like people who already know what they're doing. This is more inclusive of like how do I get people to see a problem they might not have thought about. So I love that philosophy. It's okay. Like practitioners, yes, but like what about like users? What do we do for like the people who are like, "I just want to send an email. I just want to write my doc." Like why does this bypass? What is a UAC? Like what's happening here?

Sherrod DeGrippo: I know I have a bit of a controversial opinion on this. I also don't know how this turned into you interviewing me, but thanks a lot because I don't get to give my opinion that much on the podcast. I really think that we as technologists need to take responsibility and bear the brunt. And I think we need to let our colleagues just do their work because -- oh man. This is industry hot takes. I don't really stomach well hearing researchers, intelligence analysts, detection engineers, telling me how incredibly sophisticated these threat actors are, how persistent they are, how much they work and how incredible they are. I'm in threat intelligence. That's all I talk about is how these threat actors are doing it. And then you want to look at somebody who's like a graphic designer in your marketing department and say, "Oh, by the way you're responsible for going head to head with Russian organized crime."

Jamie Williams: Good luck.

Sherrod DeGrippo: What is that? How can we hold those two thoughts in our head at once? It just doesn't make sense.

Jamie Williams: I hate how hot of a take that is.

Sherrod DeGrippo: It's really hot.

Jamie Williams: Because like links are meant to be clicked.

Sherrod DeGrippo: Links are meant to be clicked.

Jamie Williams: USBs get plugged in. Like that's just how technology -- especially thinking about form factor like as a non security practitioner like you're telling me not to use a thing. Like I'm not allowed to drive my car fast. I'm not allowed to like look in binoculars. Like --

Sherrod DeGrippo: That's what it's for. That's what it's for.

Jamie Williams: So it's like you're telling me I'm not supposed to put a spoon in my mouth. Like that's --

Sherrod DeGrippo: It's weird.

Jamie Williams: Yeah. It's very strange.

Sherrod DeGrippo: And it's hard to understand for people on the ground whose primary focus and the thing that makes them money is not security. Remember we're the minority. Those of us who are dedicated full time to this, there's just a tiny fraction of us.

Jamie Williams: Yeah.

Sherrod DeGrippo: Don't tell me you're under resourced either and then expect that everyone needs to also think like you.

Jamie Williams: Literally have drones in the sky. Like these problems can be solved if we just really put our head on and like think about it a little harder. Yeah.

Sherrod DeGrippo: But what do you think? I mean can you see the kind of way forward of saying, "Look. People need to take responsibility, need to have secure mindsets." And the human element is a really great target vector. But like I'll step up as a technologist working at Microsoft and say, "That's our problem."

Jamie Williams: Yeah.

Sherrod DeGrippo: Like --

Jamie Williams: So maybe a little bit of a pessimistic take, but I think we're very responsive in security. I think we see these problems and we're very like, "Oh." Predictive. It makes a lot of sense. But to your point about threat landscape, you kind of have to wait for the threat to go there. Like Volt Typhoon. Everyone was like, "Oh. Crap." Like OT's a big deal [inaudible 00:22:54] a big deal. And then we get that report and that event and everyone's like, "Oh. Now this money flows." And now we're like, "Oh cool. Let's go like fix stuff." And I hate to see it, but like how many individual users or journalists or dissidents or whoever it is, how many of them have to suffer before we're like, "Okay." Like checks are flowing and let's go. So kudos to you for like standing up now, but I just think it's markets drive impact. How do you establish a market before the cause or I guess the catalyst is realized? And I think that's the big challenge in our space. And that's why I think especially as we look forward it's going to take a lot more than engineering for like the future to look a lot better. It's going to be people who understand business and understand like how to actually keep the lights on and push R and D in the right direction. So I wish I had a better answer, but I just wish we -- generally wish we were a little bit more willing to kind of step out and say, "Hey." Like I assess with high confidence that this is the next big thing and let's get into it.

Sherrod DeGrippo: Do you put confidence markers on everything now that you are --

Jamie Williams: I don't.

Sherrod DeGrippo: I do a lot. And I'll say like I have high confidence and then I'll stop for a second and go, "And, in fact, I'll bet money." That's the thing that I've started associating with confidence levels for attribution and intelligence is like would I bet money on this and how much. Yeah. And then I'm like, "Oh. You know, I'm going to put that in low confidence."

Jamie Williams: I think it's -- I treat it like akin to like poker where like especially like seeing the type of people we know. That's the right way. Like nothing's certain, but at the same time like no one wants to like go into a bar conversation. You're like moderate and you're like, "Oh. Whatever."

Sherrod DeGrippo: You want to say something.

Jamie Williams: Yeah. But I think you end up getting people's like tells. And you're like, "Oh. I can like read by your body language or your words or like oh you were really verbose about this because you're not sure. Versus like, "Hey, you said something really quick and distinct and discreet." Oh, this is high. Like you kind of have to feel things out.

Sherrod DeGrippo: I'll tell you for all of us that are in technical roles and doing technical work in threat intel and security we sure do love a subjective gray area. Right?

Jamie Williams: The nuance is where we live.

Sherrod DeGrippo: I love it. I know. And I meet so many people who are like, "No. I am data driven decision making and very technically astute about all these like it's either this or it's that." And then they start talking and they're like, "Well. I really -- " And it's like oh. You like the gray area. You like to say it depends. And I think that's kind of the super power.

Jamie Williams: Yeah. I'm going to quote Andrew Thompson, @ImposeCost, here, but like --

Sherrod DeGrippo: I love him.

Jamie Williams: Best tweet I've seen in the last couple weeks is "nuance doesn't scale."

Sherrod DeGrippo: Yeah.

Jamie Williams: I think that's our problem is how do you -- living off the land. Like rundll32. Should you block it? Should you not? It's an attack technique. What do you see in the threat landscape?

Sherrod DeGrippo: How do I see the threat landscape? No -- So, as many people are aware, I love the crime landscape. Crime's my favorite.

Jamie Williams: Haven't read that before.

Sherrod DeGrippo: Oh. You haven't?

Jamie Williams: No. No.

Sherrod DeGrippo: Everyone knows I'm into crimes. The crime landscape I think is amazing because the creativity, the ability to pivot really quickly, and they are incredibly persistent a lot of times. Crime landscape. We're still seeing just identity being a massive target. Threat actors want identity. They package them up. They sell them. They use them. But I think really the ecosystem that makes up ransomware. You know we talk a lot about threat actors and threat actor groups. Tracking the ransomware ecosystem is much, much harder than tracking a threat actor group. So it's like there's all these supporting little mini cottage industries of, "Oh. They sell phish kits." Oh. They host phish kits. Oh. They gather the credentials and sell the credentials that came from the phish kits. So it's like this big ecosystem that it's really hard to track which is why when you hear things about the affiliate or the threat actor or a lot of organizations have different visibility there and it's hard.

Jamie Williams: That's the thing that's always fascinated me is like we've always kind of just for lack of a better word it's like dumped on crime. Of like oh it's simple. It's opportunistic. But to your point they're starting to converge. And, like you said, the formality and the money behind crime is like they're not only stealing ideas. They're probably innovating. Like I think interesting trend I saw was like we always associate like zero days with these like big scary labs and like they're somewhere out -- across the world. They're like doing all this hardcore research. But like you're seeing a lot of zero days come out of the crime space because they're like, "We're making millions of dollars and we can just buy this crap." And like sling it around because it's going to make a million more. So I think that's interesting too is like the -- I don't know if this is being tracked anywhere, but like the maturation of crime to like actually, like you said, like affiliates and handoffs. And like there's initial access and someone doing like the assessment. That's kind of under the hood probably what an APT looks like.

Sherrod DeGrippo: No. I think that level of operations and the professionalism of many of the crime groups absolutely I think it does rise to the level of a lot of nation sponsored groups. They're a little more ragtag. They're a little more like fake it until you make it occasionally with their attack, but I definitely think that there are crimeware groups that approach that level of efficacy.

Jamie Williams: Yeah. And I mean deservingly so. They have their own, what, like naming convention. Like the Tempest.

Sherrod DeGrippo: Yeah. The Tempest. So if you're not familiar with the Microsoft threat actor naming, the last word in the name references sort of the affiliation. So Russia's Blizzard. China's Typhoon. Et cetera. And then if you are crime affiliated you are Tempest. Octo Tempest, also known as Scattered Spider, UNC3944, is the preeminent Tempest right now. But my personal favorite, Strawberry Tempest, also known as Lapsus$.

Jamie Williams: Yeah. That I mean that's a whole scary threat vector of like calling you and -- it's like --

Sherrod DeGrippo: Text messages. Scary threats. Yeah.

Jamie Williams: And again it's like one of those like what do you do about it and you're like I've got to take my engineering hat off. Like this is not a bits and bytes problem. This is --

Sherrod DeGrippo: Generally it's physical threat. It's really scary. Well, Jamie Williams at RSA conference. Thanks for joining us.

Jamie Williams: Thanks for having me. Pleasure was all mine. [ Music ]

Sherrod DeGrippo: Hey. It's Sherrod. I am here at RSA conference and I am joined by Emma Stewart, chief power grid scientist at Idaho National Lab. Welcome, Emma.

Emma Stewart: Hi. Nice to be here.

Sherrod DeGrippo: It's so cool because Emma's my actual real life friend.

Emma Stewart: I am. It's wonderful.

Sherrod DeGrippo: I know. I love that I get to work with people who are my actual social friends as well as in the industry. It's so fun. So your title is chief power grid scientist. That is so cool. Tell me what that means.

Emma Stewart: That's a really good question. It's a question every day actually.

Sherrod DeGrippo: We're still figuring it out.

Emma Stewart: Yeah. No. I run a program that's about securing the digital energy transition. So the entire change of the electric grid and how we go from big spinny machines that are dirty to clean things that are better in future and making them more secure. So that's my entire program just is how we do that. So advising on how we get to this energy future that's better and more digital and works better.

Sherrod DeGrippo: So you're basically making energy better for everyone.

Emma Stewart: That's the goal.

Sherrod DeGrippo: That's amazing. I love that. And you're here at RSA conference. Have you seen anything interesting? Anything going on out there that's cool?

Emma Stewart: For me I'm entirely industrial control system world. I am not necessarily an IT person. I try actually to actively avoid it. But it seems like everything's -- there's more of that going on than there used to be here. That's been interesting for me. I usually come along because I like to see the people here, but it's definitely there's more been going on on the control side which is nice and interesting for me.

Sherrod DeGrippo: And you did a talk yesterday.

Emma Stewart: I did.

Sherrod DeGrippo: Tell me about your talk. What was the topic? How did it go?

Emma Stewart: It was my first ever one at RSA.

Sherrod DeGrippo: Congratulations.

Emma Stewart: -- person, that was weird.

Sherrod DeGrippo: You're still standing. You're here.

Emma Stewart: Just. I was talking about some work we're doing on how to get small utilities to responsibly use the cloud for their new control applications. So work on how do they look at the consequence of the things they're actually trying to deploy from a physical standpoint, not necessarily like their email. So we're talking about DER management systems. So when lots of renewable devices are on the grid they usually have these DER platforms to manage them like similar to managing lots of email users except they can control things and -- electrons on the grid. So we work with them to work out how they're going to do that, what they care about. Latencies of things. So some applications grid people work on actually have life saving capability as in you don't want people touching wires. And so we work on how do they understand what they're doing with that. So there's a framework we build for it.

Sherrod DeGrippo: And a lot of these utilities are moving their apps to the cloud? That's confusing to me. So what does that mean?

Emma Stewart: We've got 3,000 utilities in this country. Every range from like the giant IOUs, investor owned, that serve like whole states and then there's these small ones that have maybe 40,000 customers total. They're trying to modernize all at the same time. Most of them haven't done that.

Sherrod DeGrippo: Is that so easy and just simple and chill?

Emma Stewart: It's just fine. It's just going to be fine. It's totally well it's going to be fine.

Sherrod DeGrippo: It's going to be fine, but it sounds like a lot of work.

Emma Stewart: It is. But one of the things that's saving people work is trying to put things on the cloud because they're not going to go buy a giant data room. They're wanting to do these new applications. All of them have something cloud attached. So we're trying to make sure they understand what they're putting out there as well because it can be really easy to go, "Oh. This is a cloud application. I don't need to do X, Y, Z." And then they're hoping that people like Microsoft are taking care of everything that's going on and they're not necessarily there to manage their industrial control system. So that's how we're trying to make that work.

Sherrod DeGrippo: And I know that you are doing some cloud security projects with Microsoft within ICS. Can you kind of tell me about that?

Emma Stewart: The one I was talking about yesterday. My cloud framework for actually deploying cloud with these small utilities is we have Microsoft and a number of other people on the advisory board for it helping us do this right so that when you all are working with say a utility to deploy with them or deploy an application they can also talk the same language. So where a utility might be standing there saying, "Well, I'm worried about my 900 acronym letters that have MS at the end," their people are able to talk the same language. So one person's saying, "I'm worried about my DER management system." Someone from Microsoft is hopefully saying, "Well, here's the way we manage the latencies and things for that so that you get what you need out of it as well." So everyone understands is the goal. So.

Sherrod DeGrippo: What is a DER management system?

Emma Stewart: There's tons of DER. All your solar in your house or batteries or your EVs. It's a way utility sees all of those things and almost orchestrates them working properly.

Sherrod DeGrippo: Amazing. This stuff sounds so complicated. I find ICS super complicated. What drew you to doing this work?

Emma Stewart: I actually find IT applications super complicated. I understand controls more so. I understand electrons and physics more so than I'll ever understand the other side of it. So that's my I live over there. I try and ignore the other half, but it doesn't work. So it's --

Sherrod DeGrippo: And how did you get into this exactly?

Emma Stewart: My whole life has been working on power grid things as in before university, during university. Then I moved to the U.S. and I've been working on electric grids the entire time. That's been my only field of work since I moved to the U.S. as well. And it's now got popular so I never --

Sherrod DeGrippo: Electricity's popular?

Emma Stewart: Electricity's popular everywhere.

Sherrod DeGrippo: I love it. I use it every day.

Emma Stewart: I know. Everyone seems to like it a lot right now.

Sherrod DeGrippo: It's like so hot right now, the electricity.

Emma Stewart: Super hot.

Sherrod DeGrippo: Yes. And tell me what are you looking forward to in the future. Are you going into anything cool at RSAC or --

Emma Stewart: I actually have to go home tomorrow. So I'm not going to be going to much else. I'm going to go to ICS Village later. I think that's cool. I'm going to go play over there for a bit. And then I have to go home tomorrow sadly. So.

Sherrod DeGrippo: Maybe get a good dinner out in the city somewhere.

Emma Stewart: That's the plan.

Sherrod DeGrippo: Yeah?

Emma Stewart: I think I'm going to like colonial or something.

Sherrod DeGrippo: Oh. That's very good. Thank you so much for joining me. This is Emma Stewart, chief power grid scientist at Idaho National Lab, here with me at RSA conference. You are always a delight. I love hanging out. Let's do a full episode with you.

Emma Stewart: We should.

Sherrod DeGrippo: Okay.

Emma Stewart: Talk soon.

Sherrod DeGrippo: Thank you. [ Music ] And hello. I am here at RSA conference and I am joined by Joe Slowik, ATT&CK CTI lead at MITRE. How's it going, Joe?

Joe Slowik: It's going very well. It's another fun RSA week.

Sherrod DeGrippo: How many RSA conferences have you been to?

Joe Slowik: I think this is my seventh.

Sherrod DeGrippo: Yeah. Like a lot of people have been coming for years and years. Anything cool you're seeing out there?

Joe Slowik: I mean it's always interesting to see the newcomers or whatever. If I walk the expo floor I always like to kind of -- no. I mean seriously like I always try to stay towards the edges because I know everyone that's a big player already. Like I know what XYZ company or whatever like I know what you do.

Sherrod DeGrippo: I like that you've met the newcomers like the attendees being completely freaked out. No. No. You mean the new vendors. Okay. Yeah. Yeah.

Joe Slowik: And just to see what people are thinking about because there's a lot of interesting plays in -- AI's a big thing. It's all over the place.

Sherrod DeGrippo: I've heard about this AI thing.

Joe Slowik: Yeah. But also seeing folks who are doing things like a lot of cloud based security and cloud asset identification and all sorts of interesting like niche plays. And I think it's a really good indication for things that might be overlooked by a lot of the bigger organizations and then maybe setting up future acquisitions. Who knows? But just looking for where people think that there might be gaps in the overall security market I always think is a really good market intelligence thing to engage in when it comes to the expo floor.

Sherrod DeGrippo: Yeah. I've noticed that the focus on AI is huge. And I've also noticed something I really like which is a big focus on threat intelligence. We're seeing security vendors understand the value of putting intelligence into things.

Joe Slowik: Yes. And I'm a big proponent. I have been for many years of having a threat driven approach to security. A little weird with that because I sometimes think threat intel can almost be a dirty word depending upon how it's being applied. But having a threat driven approach to security decision making, like that's the only way to do things in my opinion. If it doesn't start with that then you're going to be off base in the end in some way because you're taking your eye off the ball so to speak.

Sherrod DeGrippo: Absolutely. Yeah. I think that's great. And I also heard you were working on something that I love which is a crime focus. Tell me about that.

Joe Slowik: Yeah. So within the ATT&CK framework for the CTI object, so groups, software, campaigns, we've done a really good job in covering all the major APT state sponsored state directed campaigns over time. Yeah. There's still some things that could be part of that framework, but ATT&CK as a framework has not done a very good job at capturing e-crime. The ransomware ecosystem and similar. Partly because it's hard looking at the relationships between different entities and how these things fit together. And just because it's hard doesn't mean we shouldn't do it. So [inaudible 00:37:41] released 15 which came out a couple of weeks ago. People who have been paying attention will see that, oh, Akira's in here, DarkGate's in here. We're seeing SocGholish finally represented.

Sherrod DeGrippo: Wow. SocGholish is so old.

Joe Slowik: I know, but it wasn't in there. So really one of the things I'm striving to do from the CTI portion of the ATT&CK team is to make sure that we have coverage of these high profile important e-crime entities and using that as a branching off point so people can then have a better ability to map entities to what sort of behaviors they observed these entities engage in over time. So hopefully version 16 which will come out in the fall we'll see even further coverage. I'm not making any promises, but --

Sherrod DeGrippo: I demand promises, Joe Slowik.

Joe Slowik: We'll see some LockBit probably. We'll see some other ransomware entities pop up. And so forth. But, you know, as I say, for folks those community contributions really give us a strong demand signal for what people want to see and what we're missing. So if someone identifies a gap, just let us know and email attack@mitre.org.

Sherrod DeGrippo: I love that. MITRE has really done so much for the community. I think people really sort of like rally around making MITRE that applicable focused framework that ATT&CK people want to use it. People want to understand it. They want to know how things map. I think that's great that we'll start getting some more extensible things because ransomware really isn't a traditional threat actor group. It's like this big ecosystem of different players, some of whom aren't really actually involved in the ransomware part. Some of whom are just involved in things like initial access or things like buying and selling credentials that then flow down. So understanding that ecosystem's going to be really important for defenders as we go forward.

Joe Slowik: What are you looking to get out of RSA this year?

Sherrod DeGrippo: Oh. What am I looking to get? I just want to meet as many people as possible.

Joe Slowik: There you go.

Sherrod DeGrippo: And check out all of the new threat intelligence offerings from the other vendors and see where we can collaborate. I think RSA conference is a great place to meet people that have the same goals as you and the people that I want to meet are people that want to shut down threat actors.

Joe Slowik: There you go. That's what we're here for.

Sherrod DeGrippo: Yeah. I love it. All right, Joe. Thank you so much for stopping by. It was great to see you. Joe is my real friend IRL. So it's not just work. Thank you for stopping by. Have a great conference the rest of the time you're here.

Joe Slowik: Thanks, Sherrod. That was a pleasure. [ Music ]

Sherrod DeGrippo: Hey. This is Sherrod DeGrippo with the Microsoft Threat Intelligence Podcast. I am still here at the RSA conference. I hope someday I will get to go home, but I'm still here in San Francisco. And I am with Lindsey O'Donnell Welch, executive editor of "Decipher." Hi, Lindsey.

Lindsey O'Donnell Welch: Hi, Sherrod. Thanks for having me on today.

Sherrod DeGrippo: Thanks for coming. It's so cool to see you because we've been doing this stuff for a long time. How many RSAs have you been to?

Lindsey O'Donnell Welch: Well, it's weird because I think I've been to -- I took basically after COVID I haven't been since. So this is my first one since 2020. But I've been watching them virtually. So before that probably like fourish. So it's kind of weird with COVID in there.

Sherrod DeGrippo: So tell me like you're a journalist. You run "Decipher." What do you do at RSA conference? Like what is for a journalist? What's that experience?

Lindsey O'Donnell Welch: A lot of it is the ability to meet people in person because as a journalist I pick up the phone every single day and call people and this is really where I get to actually meet people face to face which is a really funny experience because I'll be walking down the street and I'll like spot a badge or something and I'll be like, "Hey. Like we talked about two factor authentication last week." Or something. "I'm Lindsey. How are you?" So it's -- that's always a great experience. The sessions are also really interesting. I think the U.S. government has really put on a strong showing the past few years of like trying to utilize RSA sessions for kind of what they're doing and where they're coming from with cybersecurity. So it's always good to stand in on those and see what's going on there. And then of course just meeting people at receptions, at dinners, and being able to like talk to people about the challenges that they're seeing not even tied to any story that I'm writing is just so important. And I love it.

Sherrod DeGrippo: And did you go to any talks?

Lindsey O'Donnell Welch: Yeah. I went to a few. I went to the one today with U.S. Cyber Command. So Jen Easterly. And --

Sherrod DeGrippo: Oh. Fun.

Lindsey O'Donnell Welch: Yeah. That was a great one. There have been a lot of really good ones. There was an interesting one too this morning about AI safety and it was a panel with a couple of different people including Heather Adkins with Google and Bruce Schneier. So there's a lot of interest in trying to navigate AI. So it's really been interesting to see different people talk about kind of what that means and the impact and what they're seeing in the field right now.

Sherrod DeGrippo: That's cool. What do you think as somebody who's covered cybersecurity as a reporter for so long? What do you think is the next steps with AI? Like what's going to happen there?

Lindsey O'Donnell Welch: It's hard because I feel like the media is in the same bucket as everyone else right now. We're trying to feel out where it's going to go. And when you talk about AI security, right, it's a broad term, but there's so much to unpack there. Like it's how are threat actors using -- leveraging AI in their attacks? How are defenders using it? But also how secure are the AI systems themselves? What can we do to better secure the systems and how they're developed, how they're deployed? There's so much there. I think journalists right now are trying to really navigate between the hype that we're seeing, and we're seeing a lot of that on kind of the expo floor here at RSA, and then that and like the practical use cases that we're seeing as well which I think that there's a lot of interest I think from CISOs and kind of how they can handle all of this. So that's what we're looking at really is trying to figure out what's real, what is happening in this space in the future because it is happening. And I know we've talked about this a lot for sure. So.

Sherrod DeGrippo: Tell me -- speaking of AI, I feel like AI's sort of the dominant topic on the show floor of the expo. And what I would love for you to do, Lindsey, is for any of our listeners who've never been to RSA conference before help them understand what the show floor is.

Lindsey O'Donnell Welch: How does one describe that? You go in and it's a bunch of huge booths and just whirligigs. Just things being thrown around. And all kinds of noises and craziness and it's very overwhelming. And I remember my first RSA stepping in there and just being like, "I don't even know where I am right now." So but it is interesting because you get a sense like we were talking about of what everyone is focusing on based on what the booths are talking about and the different things there. Personally I like to kind of stay away from the show floor and talk to people outside of the conference grounds, but it's always fun to take a roll through there. So.

Sherrod DeGrippo: I always say that I will go to the show floor once and really take it on. Like I'm going to go. I'm going to look at things. I'm going to talk to people. I'm going to get my badge scanned 100 times. I'm going to do it. And I did it today and there's some really cool things. Like there's a lot of really cool new companies coming up doing things. The CISA booth is massive. I was surprised. They have a lot of swag you can get.

Lindsey O'Donnell Welch: Yeah. I know in previous years they've had like Rubik's Cubes. They always have good stuff there. So.

Sherrod DeGrippo: They had a lot of neat stickers. They have t-shirts and things like that. But it's so interesting that MITRE also has a booth. We just talked to Jamie Williams from MITRE. These organizations are kind of part now of the vendor space. Like they're part of the conversation in a collective defense. And I think that we're -- I hope that we will see more and more as time goes on this concept of collective defense with vendors, public sector, private sector, partners, organizations like MITRE, and some of the others that do those things. And hopefully make the world a little more secure.

Lindsey O'Donnell Welch: Yeah. I see a lot of talk about -- especially from the government about private public sector collaboration right now. That's something that they're really trying to hone in on. And it makes sense because there's a lot of value in the private sector and you know trying to leverage that from a public sector standpoint and what they can give back is really going to hopefully make a difference in what we're trying to do in the cybersecurity industry. So.

Sherrod DeGrippo: Lindsey, it was so great talking to you. If listeners want to check out more, they can go to decipher.sc. And will I see you again at RSA conference?

Lindsey O'Donnell Welch: You will. Yes. Hopefully next year. So.

Sherrod DeGrippo: Great. I look forward to it. Thank you so much for joining us.

Lindsey O'Donnell Welch: Awesome. Thanks. [ Music ]

Sherrod DeGrippo: And well, well, well. I have another guest on the Microsoft Threat Intelligence Podcast here at RSA conference. It's Todd Pauley, deputy CISO of the Texas Education Agency. Todd, thank you for joining me.

Todd Pauley: Yeah. Thank you, Sherrod, for having me. It's great.

Sherrod DeGrippo: My podcasting strategy at RSA has just been to have my personal friends come. You like that?

Todd Pauley: Yeah. That's great.

Sherrod DeGrippo: So like if I know you personally it's just, "Hey."

Todd Pauley: It helps fill the calendar easier, I bet, too. Yeah.

Sherrod DeGrippo: It does. It does because I know so many people.

Todd Pauley: You're not like the salesperson that's knocking on everyone's email trying to get them to --

Sherrod DeGrippo: To go to the cocktail hour.

Todd Pauley: Exactly.

Sherrod DeGrippo: I know. I don't have a cocktail or cocktails at all and people still come on the podcast.

Todd Pauley: I can confirm this.

Sherrod DeGrippo: But I will tell you at the RSA conference expo there are cocktails at the Microsoft booth.

Todd Pauley: Oh. Okay.

Sherrod DeGrippo: I had one last night. It was actually delicious.

Todd Pauley: Duly noted.

Sherrod DeGrippo: So this is I heard your first RSA conference. And everyone's dying to know.

Todd Pauley: I'm a first timer. Yes. This is it. Yeah. I am breaking the seal.

Sherrod DeGrippo: How is it?

Todd Pauley: It's been really good. Yeah. It's been really great. Some great sessions. I was able to participate in the CISO boot camp which was phenomenal. Some really great speakers. Great leaders in the space. And that was really insightful, motivational, everything. And then good sessions this morning. Kind of continuation of some of those CISO boot camp sessions. Had a breakfast that was great. Also leaders in the space was really good. And saw the expo hall a little bit last night and just was completely overwhelmed.

Sherrod DeGrippo: It's too much, but there's a lot of free stuff down there. If you like t-shirts.

Todd Pauley: Yes. If you like t-shirts, cozies, all the things. And then all of the emails that come with that.

Sherrod DeGrippo: Yes. The emails are a requirement of the t-shirts and cozies. So if you're in a CISO boot camp, that makes me think there has to be a CISO drill sergeant. So what was your drill sergeant like?

Todd Pauley: No drill sergeants. There was a speaker named Kim Jones who was retired military and high energy which might have qualified for that. He might be classified as a CISO drill sergeant, but --

Sherrod DeGrippo: Did they yell at -- they didn't yell?

Todd Pauley: No. There was no yelling.

Sherrod DeGrippo: Yeah. That's -- I mean I don't think we necessarily should yell at CISOs, but maybe a little.

Todd Pauley: Sure. Let's give it a shot. Some of them probably need it. I probably need it at different times. So yeah.

Sherrod DeGrippo: I get that. And so like the Texas Education Agency where you work is doing some pretty cool stuff for your members.

Todd Pauley: ISDs.

Sherrod DeGrippo: For your ISDs. What is an ISD?

Todd Pauley: An independent school district.

Sherrod DeGrippo: Okay.

Todd Pauley: And so there are just over 1,200 of those in the state of Texas.

Sherrod DeGrippo: Wow. That's a lot.

Todd Pauley: 5 and a half million students. And about half are under 1,000 enrollment which basically means they only have 1 to 2 IT staff. And so prioritizing various cybersecurity initiatives is not necessarily high on their list sometimes. And the tools that go with that. And so two years ago we decided to petition the legislature for some funding to help them with some other things. So EDR and then some cybersecurity assessments to kind of give them a picture of where they are in their cyber space to help them prioritize and focus on things maybe they should. So trying to roll that out. We're offering that to schools that have 15,000 enrollment and less, trying to get those lower under served LEAs, local education agencies, sorry, for people that --

Sherrod DeGrippo: These government acronyms.

Todd Pauley: There are so many acronyms.

Sherrod DeGrippo: So what kinds of things are you seeing? I mean like are these tiny schools and school districts? In the security posture they probably need significant focus.

Todd Pauley: Some of them do. Some of them are doing great even for the small size. But there are a lot that just don't know they don't know. And so they need support. We do have regional education service centers that do support them. They act as resellers to get them better prices on different technologies and help them with the day to day technology knowledge that they don't have. They can fill those gaps. But there's still things that it's not free. Nothing's free. So they have to pay for those sources so sometimes there's still gaps that they need filled. So.

Sherrod DeGrippo: Got it. That's really cool. Did you see any cool panels?

Todd Pauley: I saw a really cool panel on North Korea stealing of cryptocurrency from some game. Oh. I forgot the name of it already.

Sherrod DeGrippo: Okay. So --

Todd Pauley: It was something. It was like little salamander game. And --

Sherrod DeGrippo: Was it a phone game? Or was it a console game? I bet it's a phone.

Todd Pauley: I think it's a -- honestly I thought it was a PC game actually.

Sherrod DeGrippo: Oh. A PC game. Okay.

Todd Pauley: And so the cool thing so kind of explain -- $625 million of Bitcoin.

Sherrod DeGrippo: That's a lot.

Todd Pauley: The largest single apparently theft in history. And inside the game they had lots of little things that were tied to cryptocurrency so they could share them. And they had almost kind of like NFTs that they could share these little things within the game. And so the game within itself had a cryptocurrency model with blockchain. And they rectified that with the external. And so North Korea was able to hack in and compromise more than half of their blockchain servers and therefore redirected all this in about a minute or so and steal $625 million in cryptocurrency a couple years ago. So.

Sherrod DeGrippo: That's amazing. So --

Todd Pauley: It was wild.

Sherrod DeGrippo: I feel like North Korea is the most interesting state sponsored actor because they have this overlap with stealing currency and money.

Todd Pauley: They're very ingenuitive. Yeah.

Sherrod DeGrippo: They're creative. They have a lot of innovative -- I don't know if they're necessarily innovative. They're creative and sort of surprising.

Todd Pauley: Yeah. There's no boundaries. They will they'll do anything.

Sherrod DeGrippo: I did a full podcast episode on this. So those listening if you want to hear an entire episode of North Korea threat landscape, I got two of the [inaudible 00:52:15] analysts. We mostly talked about Jade Sleet, Emerald Sleet. So if you use the Microsoft naming scheme, North Korea is identified by Sleet. It's they want all the crypto.

Todd Pauley: Yeah. Yeah. There's so many classified at this Lazarus. So I don't know if that's --

Sherrod DeGrippo: Lazarus. I don't know the Sleet name for Lazarus, but Lazarus is a very famous North Korea actor in fact. So Lazarus in the Microsoft naming scheme is a threat actor that's called Diamond Sleet which is a pretty cool threat actor name.

Todd Pauley: That's pretty good.

Sherrod DeGrippo: Yeah. The Sleets are North Korea. Todd Pauley, deputy CISO of the Texas Education Agency, thank you so much for joining me. Are you going to go back out into the fray of RSA conference?

Todd Pauley: Oh yeah. There's still more to be had out there for sure. So.

Sherrod DeGrippo: How many t-shirts is your goal?

Todd Pauley: My closet isn't big enough for more t-shirts so socks maybe. I could probably grab a couple more pairs of socks. We'll see. If I fill out all my surveys for RSA, I can get the RSA socks which may be worth it. We'll see.

Sherrod DeGrippo: Free socks.

Todd Pauley: Free socks are free socks.

Sherrod DeGrippo: Thanks for joining me, Todd.

Todd Pauley: Thanks, Sherrod.

Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out at msthreatintelpodcast.com for more. And subscribe on your favorite podcast app.