
Fantastic. Well, thank you so much for joining us today; we really appreciate it. I'm sure everyone in this room knows that the security landscape is constantly evolving and the attacks are getting more sophisticated. Every line of code is an opportunity for an attacker, so we need to have our engineers prepared to build security in early in the process, in the design phase, not, you know, in the threat modeling phase. They need to think about it a little bit earlier. Whenever we talk to engineers at Microsoft, I'll ask them, "Are you in security?" and they'll say, "No, no, I'm over in so-and-so team," and I say, "No, actually you are in security, because if you're an engineer at Microsoft you need to be a security engineer." That's what we strive to do. So my name is Stephanie Calibri; I'm a principal PM in MSRC.

My name is Alex Toner, co-presenting with my boss Stephanie. We've been working together close to five years on some really impressive stuff, really awesome programs. Our bread and butter: we got started on an internal compliance program, I'm going to name-drop it, called STRIKE. Amazing program. We've been doing that for close to five years, and we support our engineers in sort of that next step in their security training and that evolution to train that security muscle. Beyond that, I also freelance and dabble outside of our internal efforts. Has anyone in the room been to BlueHat? Just out of curiosity. BlueHat conference. Quite a few of you. Our team puts that on, and I also help out with third-party sponsorship, so if I'm not here presenting I'll be at the Microsoft booth, so come check us out.

Outside of that, we really bring a special touch to what we do, and we're going to kind of showcase some of the, you know, magic that we bring to security training. But of course there are key challenges across the board; we all face these. Every organization is probably familiar with this; ChatGPT most certainly was familiar with these key challenges in security training. But really, this goes beyond the PSA: everyone needs to have that awareness, and there needs to be the buy-in, but also an investment from, you know, whoever it is that makes the calls for that time and resource. You're going to be like, "Alex, thanks, gosh, this would be a dream scenario," and I agree, I agree. It's not black and white; there's no perfect science to training, but you've got to take this stuff seriously. Beyond that, I really want to reiterate just a couple of last things on here, the final one being culture. A culture that embraces security, rooted in security, is going to be your best bet, and we're going to walk you through a few of the ways we try to do that here at Microsoft but also out in the community. And the most important thing, I'll let Stephanie actually take over, is the focus on the community.

So we often know that our engineers are looking at the features or their delivery dates or things that they have to hit, and sometimes security is not top of mind. But when you are dealing with a bug in production, it's incredibly expensive, and not just in money, right? You're pulling people off features, but also their morale, right? They're getting that call at 2 a.m. Interestingly, I was looking for memes for a 2 a.m. call; none of them were negative about security incidents. In all the memes, everyone was happy to get a 2 a.m. call, but that's not reality for security folks, right? You see that 2 a.m. call and you know you're going to maybe at least have a bad night, if not a bad week. So what can we do to help people embrace a security culture so they are not having to get those 2 a.m. calls they want to avoid?

So has anyone here seen the Digital Defense Report by Tom Burt? If you haven't, it's fabulous. It came out in October 2023, and it really talks about the threats that we're seeing today. So one of the things that are highlighted here, you'll see that we saw an increase in password and MFA attacks. They are only going to get worse, and the attackers are not going to stop. Now, I would love to believe that all of our developers and engineers are eagerly awaiting the release of this and devour the content as soon as it comes out, but unfortunately that's not always the reality. So what do we do? A couple of years ago, Tom Burt, who's the one who released that for Microsoft, came to us and said, "We'd really like to use you to help get this word out to the community." So we put together a session. Tom hits on all of the highlights of what people should be thinking about, and then he's there for Q&A, and he's telling the people what's really going on right now. It's great because it's a wonderful opportunity to really scare... inspire, inspire the engineers to care about security again early on in the design phase.

And so you might say, "You know, I don't know all of the inspiring stories to tell, I don't necessarily know all the problems," and that's okay, but what you can do is leverage your resources. It's great because Tom now comes to us every year; Tom's team comes and says, "Hey, we want to do this, let's prepare it." It's fantastic, but you don't have to be a CVP to do this. You have SMEs all around you. Your SMEs are going to be, of course, people in security; if they're in security, they're going to have something to say, I guarantee you. And maybe they're not ready to get on a big stage, but there are other opportunities, and Alex will talk in a little bit about ways that you can engage with them. But then you're also going to have people who are just passionate: they love security, they love crypto, they love something. Lean into those people. We've had great success working with our interns; we talk to them about their favorite courses they're taking, their favorite things that they've learned, and we bring them in and they talk about that. Again, it's a way for them to share their knowledge and to, again, hopefully keep the excitement going around security.

So how do you get them to do this, right? Because for a lot of these people this is not their day job; they actually have a day job. So how do you get them to invest their time in something like this? Because, as anyone knows who's ever stepped up on any type of stage, virtual or in person, there's a lot of preparation that goes into it. So you want to make it really beneficial for them; you want to be able to demonstrate to them how they are scaling their knowledge, how they are scaling their impact across an organization. One of the things that I often do is, when people send me requests for feedback on their annual reviews, I'm very glad to give it: to talk about the number of people that they trained, their satisfaction scores, the feedback that we actually get, the verbatims that come from people. This is something that shows not only them but their leadership that they are invested in the community and invested in giving back. And I will say it does help to get a little bit of budget to run these kinds of programs, but you don't need budget; this is something that you really can do grassroots.

So we have three things highlighted up here that have been a really important part of what we do. The first is our content advisory board. So whenever we have a session that's coming up, we don't want to just say, "Oh great, let's do your session," and no one else has to know what's going on. We bring in other experts from around to review that content with them, to provide them feedback, to make sure, one, we're landing the right messages, and also, you know, in security there are sometimes things we don't necessarily want to say on a big stage, so you want to make sure that they are fully set up for success. We also have deck design support, so we always tell them, "You bring the knowledge, we'll make it look pretty." Put all the content out there; we will help your deck be accessible, we'll help it look good, we'll help it be engaging. And then finally, presenter coaching. Both of us and other people in the team have offered presenter coaching, but we've had the luxury of being able to hire a presenter coach as well. This helps them get up on stage and be their best self. One of the best compliments I received: I was in the coffee room, if you will, and someone came up to me who was a pretty well-seasoned presenter, but he said, "This is the first time that I ever felt like I wasn't in it alone. Normally I get a talk accepted and then I do everything and then I show up and I hope it goes well." By the time someone gets on our stage, they've gone through content reviews, they've gone through dry runs, they've gone through presenter coaching. We should have done all of this; I don't know why we didn't. But so they're fully ready when they get up there to do those things.

So, yeah, now with that said, we've kind of already addressed how to create awareness; that Tom Burt example is a great example. But also how to invest, you know, investing in these SMEs, all part of that key challenge as we stressed earlier. But also you've got to evolve and try new things. I'm sure we've all done the click-through module-based trainings. Yeah? No? Maybe. I see a lot of head-shaking, yes. But, you know, don't make that the only thing you do, especially when you have all these great opportunities like in-person events. Those are our bread and butter. We almost host a mini-conference of sorts at Microsoft for thousands of people, and we have the white-glove service throughout, and it's just awesome; it's our bread and butter. But diversify: offer smaller talks. Lightning talks are like 15-minute, kind of TED-talky talks; it's perfect for the normal attention span, like mine, about 15 minutes. So, you know, just make that part of a track; this might be the lightning track in this room, a little smaller, shorter, condensed. But have fun too; try villages. I don't know if this is your first time having a chance to try villages, but we've started to offer those internally at Microsoft even, and people just geek out over it and totally love it. And those SMEs, they're stepping forward with those ideas, which is even more cool because it's less work for me. The locksmith people want to show up, the red teamers want to do their pentesting exercise; just give them a platform. Leverage those SMEs.

Or if you're kind of more looking for measured metrics, try some targeted campaigns. If there's one service that requires, you know, this group or this subset of employees to onboard, try a targeted event where by the time they leave there they have everything they need to check that official box and mark them compliant. It's a great one for sharing data with your higher-ups to get further budget. Well, that's a little cut and dry, but I want to talk about capture the flags as well. We actually have one of our partners from the past, Security Innovation, in the room, that does capture-the-flag events. They've been a huge, resounding hit across all of our audiences, whether it be external or internal. It's a really great way to train a muscle that not too many people get to, you know, play around with in their day jobs. A lot of people are like, "Wow, I got to do this on the clock," like, maybe don't download those tools and get flagged by Microsoft for looking like an inside hacker, but know that that skill set of uncovering this vulnerability leads into the products of them not, you know, allowing that vulnerability in. So it's kind of like a backwards way of training, but it's super effective, and a ton of people get inspired in that event and even get hired out of some of our competitions. I don't think we're going to share that story later.

But another super important thing is having a community. Beyond, you know, a lot of those click-throughs, you hit finish, you get your compliance and you're done; you have no one to respond to, no one to ask a question to. The community, in essence, is that continued conversation. And one of the cool things that we do is our SMEs, the ones presenting, become sort of the main touch point for the people. Even our videos that get posted online, like the person in the back, we'd be the ones having to field the questions online in that forum about our talk, so it really connects the people to the content. And you've got to have that online space, but one of the best things we do is offering networking and Q&A opportunities at our events. You'll hear it all the time, and it's one of my favorite things to hear: "I haven't even seen my teammates like this; this was a full bonding experience." You'd be surprised, if you made training fun, the amount of people that would flock to you and consider it a bonding day and would spend their weekends, Saturdays, showing up to things like this that we do. And be inclusive: offer everything virtually. I love that they're recording this; we tend to do the same at our events, so if you're not able to make it in person you can check it out.

With that said, though, you've got to evolve. Some of those ideas were unheard of when I first started on this team five years ago, so you've got to try new things. But you've also got to cater to your audience. I'm not technical; a lot of people even in engineering at Microsoft are not going to be as technical, so the diverse workforce requires, you know, special attention, and you've got to find ways to explain technical concepts, you know, in simple everyday language. You can't make assumptions that everyone knows the million acronyms that your company uses on a day-to-day basis. You know, use analogies for abstract concepts, even demos, visual aids, fun decks, things that just grab people and capture their attention. But one last little tidbit is to preface: you know, make sure people understand what they're about to view. If it's a very technical talk, let people know, "This is a 300-level course," so you're not getting really bad feedback saying, "Hey, that was way over my head, what was that training all about?" or vice versa. And that comes into how we evolve and learn, and we do that by feedback. Feedback is so crucial. We live feedback is a gift; we say feedback is a gift, seriously, a gift. Even if it's bad, we take it in stride, but it helps us improve. No matter how you're collecting it, usually a form or live poll or in-room feedback, if you're like me and work at these conferences, go talk to someone after the fact and see how you did. But that feedback often turns into a collection of praise for the people that participated, those SMEs that we leverage. It's a "thanks, I never knew that was even possible," and we get to share that with those managers, and then they're lifelong advocates for us and our program and continue to come back because they're seeing people, you know, flock to what they have to say, and, you know, being wanted is a great thing.

We have a lot of repeat presenters; we actually have to say we need new presenters, because we do invest in them, we work with them and we build the community, and that's how you're able to continue to grow. And like I said with the villages, those people came to me; we crowdsourced the ideas from one question in a form: "Hey, what can we do next at our events?" "Oh, bring workshops, bring villages." Let's try it. They step forward, like, "All right, are you willing to do the red team village?" "Sure, yeah, let's do a red team village," and just bring it to life. Give people a chance. Get down here at that final bullet: get behind and give a platform to security enthusiasts who are driving that change. You've got to do it; they are our lifeline, so to speak. And, Steph, off to you.

Yeah, so these are all great strategies of things that you can do, but let's talk about impact, right? At the end of the day, we want to know how we are going to prove impact. And so, I do not see him in here, he might be avoiding it actually, I want to talk about Arjun Gul Karishna. He is an engineer at Microsoft and he came to a STRIKE event, and he was... which is, sorry, STRIKE is the internal training program that we run. And he was inspired by that, and so he decided to go spend some time learning offensive techniques and offensive strategies. So he came to us a couple of months later and said, "Hey, I was inspired, I learned these things, I would love to do a talk called From Engineer to Hacker." We're like, "Yeah, that sounds great, let's do it." So he follows the process: he goes to the CAB, he gets great feedback, he gets the deck help, he gets the presenter coaching, all of the things. He does this talk; it's amazing. A couple of months later we get an email and he's like, "Hey, I want to let you know that talk that you gave me, I actually got it accepted at DEF CON." So the deck that we helped him with and all that presenter coaching, he's getting to carry that on and represent our company outside really well. Then he reaches out to us again. He said, "Hey, one more time I've got to tell you thank you. Remember those people that were on the CAB, these leaders that were in security? I just accepted an offer on their team from them." Gives me chills, just gives me chills thinking about it, because he decided to pursue that passion and he was introduced to people. So again, we've caught another fly in our trap by, you know, again, scaling our knowledge and getting people excited, which is really fun.

So here's a list of things of, you know, how you can create impact, right? You have your reduced incidents, you have, hopefully, people who are saving money, we have the customer trust we're building, all of these things, all are fantastic. I don't know how many people in here are from Microsoft, can I ask? Okay, well, outside of Microsoft maybe you're not familiar with reorgs, but at Microsoft we like reorgs; we do them, it seems like, you know, often, and every time I get a new leader they ask me, "This is great, Stephanie, all of this is great, but how are we going to measure impact?" And the truth is, it's not a perfect science. We have things that we do, we have certain targets we hit, like our satisfaction scores and the number of attendees that we want in a room, but there are other ways that you can do it. You're going to get feedback, that we talked about; you look at that feedback, you see how you change, how you can grow. One of my favorite stories: it was very early on when I first started working on this program. We're in a room pretty small like this, set in classroom style, and a presenter is standing up and giving a really great, engaging talk, and suddenly, out of the blue, a gentleman stands up quickly, abruptly gets his stuff and runs out. And at first I'm like, gosh, is everything okay with the taco bar? What's happening? Why are they running out of here so quickly? A couple of hours later we get an email and he says, "I just have to let you know, I knew that I had that problem in my service and I had to leave and go and fix it right away." And that is the kind of story, again, little tears in my eyes as she brings it up. We don't always get to know those things, but if you keep building it, people will pay attention and it will, in the long run, create a positive security culture and community.

And when he left, that's what we wanted him to do. We give you something to do every time; we're like, "This is your go-do, here's what we want from you." That is right, and I would expect him to have run out of the room during the go-do slide. This is our final recommendation. This is not as tangible as most of our security trainings, but this is the little bullet-pointed list that everyone gets to take back to their team and say, "Hey, look what I learned, we should be doing this within our org." So today, walking out of this room, you've got to identify and set your SMEs up for success. They are your lifeline. You'd be surprised at who these SMEs could be, even possibly an intern. Give those folks a say, a small stage to start out; host a brown bag for your team; let them share some of the information they've, you know, captured throughout their college years. And invest in those SMEs, because those will be the people leading your program someday. Build a community of volunteers. No training, nothing we do in person is happening without volunteers. It's my favorite workstream, to work with the volunteers, the people, you know, showing up on a Saturday. They are your final lifeline; I keep saying lifeline. But try different events, try capture the flags, do unique and interesting things. You'd be surprised at the fanfare around security; if you have something fun, they will participate. And I even had to create a leaderboard for our capture the flags because it became such a crazy competition that they wanted to see where they stacked up against their peers. So offer some fun stuff. Oops. And give direct access to those SMEs. So I didn't mention this earlier in the Q&A portion, but when we have a big conference like this, pulling Tom Burt on stage, he is in the back of the room during our built-in, like, networking portion of the day to answer questions, to have those conversations that you would never have if you showed up to, you know, Microsoft one day at work. Like, we position these SMEs to directly work with you if you're showing up to our events and having those conversations to continue the learning. Capture and evolve from feedback: you've got to, you know, figure out some way to capture that feedback and make sure to evolve. The times are changing; you've got to stay ahead of your adversaries, so start there. Be inclusive: not everyone's going to be, you know, a PhD CS major with, you know, a master's in cybersecurity, so understand that anyone in engineering could be... we're all targets, but understand they'd need to hear this stuff just as much as anyone else. And lastly, be the program for the people, but by the people. We're telling you, leveraging SMEs, that's our secret sauce, and it'll get the job done, and it surely helps out even at a large company like Microsoft.

That's it from a go-do standpoint. Let's stay in touch, though. Steph and I are on LinkedIn as well as our X accounts; mine has like no posts and two followers, so maybe not worth typing it in. But email me; probably the two posts are for me. Some guy found me on BlueHat and was like, "Oh, thanks for doing..." Anyway, yeah, don't look at my other Twitters; no, I'm kidding. But thank you, I really appreciate this; this is a great turnout for track five at BSides Seattle. We really appreciate you all being here. Thanks to my co-presenter Steph, and all of you, thank you. Do we take... we have to do questions, or we have three minutes for questions as well? We'd love some questions.

Two, but they're probably short. How large is your team for doing this?

It's way too small; we are definitely needing some new headcount, thanks for asking. No, we have a couple of different programs, and for our internal one, two people are dedicated to that, and then I jump in and help staff with extra volunteers. That's what I was saying: it's so crucial. Like, we have at least a dozen volunteers for every event we do.

How many events is that team doing?

We do four main large ones a year, so about one a quarter, and then ideally we try to target about 10 CTFs a year, as well as virtual events. So the nice thing about doing a virtual event: you know, getting a big room of people together can be challenging, but security doesn't wait for the quarter to end for the next event. Sometimes you're like, "We need to get this information out." Those are a little bit easier to pull together; it's more like a virtual, and it still goes through all the process, but it's not as big of a deal. That's also a great way, we didn't mention this, for people that maybe aren't ready to get on a stage yet; if they're not prepared for that, doing something virtual is a great way to do that as well. Did you have a second question? That way they were there together. Okay, thanks. Any other questions?

Thank you. I know we'll take it. 10 CTFs a year: are people at Microsoft creating the challenges, or are you working with a third-party company?

Both. We've done both. And you'd be surprised how many people come with capture the flags. They're not all buttoned up and perfect, but yeah, it's a sport; a lot of people are really into it. Yeah, it's fun, and we encourage people to come to us with challenges, and then people will say, like, "Oh, I want to do this at a village somewhere," and we're like, "Well, come and test it on us," and we'll bring in people, so it's kind of their dry run for their events. And for some of those CTFs we did a really cool challenge, like a CTF challenge walkthrough. Everyone's like, "Oh, how do you actually do this? I got stuck," and that's a really cool event type to actually show people how to do it, because CTFs are kind of like throwing bricks at a wall. Yeah, for some people. Yeah, definitely. So if you don't know what you're doing, like me, most of the time the walkthrough is a little more valuable for someone like me. Okay, one minute, any final questions? Yes, sir.

What's your target audience for the CTF? Just for perspective, like, we have our IT team and the other technical teams in completely different ways, but we want to kind of show them, like, hey, this is how it works, this is the cool stuff, you guys can do it too.

Yeah, so we target those in the engineering disciplines at Microsoft, so you look at all of the engineering disciplines, and so we invite them; we tell them, you know, you need to know a little bit about technology, but you don't have to be an expert; that's why you're coming, that's where you're there to learn. And we actually do not do... we try not to do it individually; we try to build teams, because some people are going to have a skill set that maybe others don't, so then they're able to learn from each other, and again you're helping them build their communities. And if you make it team scoring, then it's pressure on the teammates to say, "Hey, you haven't scored any points, can I help you learn a couple of things and score some points for the team?" All right, well, we've got to keep this on schedule, so thank you all so much; we really do appreciate you coming, and we'll be at the booth, as Alex said. Let us know if you have any other questions. I don't think I said that, but yeah, come by the booth. Did you not say that? Oops.