Barclays Global Tech Conference
Tuesday, December 12, 2024
Charlie Bell, EVP, Microsoft Security
Raimo Lenschow: All right. Hey, thanks for joining us. Welcome to our next session. I'm really happy to have Charlie Bell here from Microsoft.
Charlie, one of the big questions I got from investors was when you moved to Microsoft a few years ago, that was obviously big news, given where you came from. What was the motivation back then? And how's been your Microsoft journey so far?
Charlie Bell: I mean, what happened was Jeff came to Andy and I and said he was retiring, which was a huge shock. Nobody thought that was going to happen. Nobody saw that coming.
I had a moment where I thought, well, okay, AWS is doing pretty well and is going to do really well. I was having fun. But if this was a – if I was going to do anything else, now was the moment, because I've got probably enough time to do one more big thing. I'd been 23 years at Amazon, and I just started thinking, well, if I did something else, what would it be? The thing that hit me was security. Because when you run a cloud, you start to see kind of where it's all going, and it didn't look good. Like, things are getting worse, not better.
And so, I thought, well, where would I work on it? And one of the ideas I had was, well, could I do it here? And I thought, no, that's not going to work because we're an infrastructure player, and a huge portion of the security problem sits above the infrastructure. It's in end user and productivity and identity and everything else. And in fact, AWS saw a whole bunch of the identity being done by Microsoft.
So, I thought, well, I could do different things. I could start a company. I talked to my wife a little bit. She goes, "Well, you should talk to Satya." She knew Satya from back in 2008, before Satya was Satya. And she picked up the phone and called over at Microsoft and said, "Hey, Satya, Charlie should talk to you." And Satya said, "Sure. Come in on a weekend and we'll have a chat." So, Saturday, I went over there, spent a lot of time with him.
What I loved about Satya, he's incredibly curious. He doesn't – he wasn't selling me anything. He wouldn't say, "Hey, you need to be at Microsoft." He was just – we were talking about security and AI and other things. And I just realized, yes, first of all, he's an engineer. He's curious. And so, I said, well, we'll talk to a few other people. So, I talked to Scott Guthrie, who runs Azure, and Rajesh Jha, who runs the productivity side.
And what I realized was a few things. One is Microsoft's an engineering company from the start. It's a place where a lot of innovation has happened, and it's a place where there was going to be a lot of innovation happening, going forward.
And so, I thought about it a lot. I thought, well, if I'm going to work on security, what better place? Like, Microsoft has arguably the largest security business in the world. They have the biggest footprint. They have the most signal of anybody across the whole landscape. And so, yes, I came over.
Raimo Lenschow: And how's been your journey so far compared to what you thought you wanted to do, where we are now?
Charlie Bell: Oh, it's been a blast. I mean, the one thing that I – I knew AI was going to be really important, and I saw it could be really important in security. And we started working on GPT-3.5 right away. But when – so, we had a – it was late August, I think, end of August. We had a dinner at Bill's house, and Sam Altman's there. And we go into the study – this is Scott, Rajesh and I and Satya over there – and we go into the study, and Sam starts showing off GPT-4. And our jaws were – Bill's jaw was on the floor. I mean, to get Bill's jaw on the floor is quite an effort. He's seen a lot of things.
And what we realized is, okay, this is an inflection point in what AI is going to be capable of doing. And so, so we went back, and yes, it was – I mean, it's been a lot of fun.
And also, just anticipating the change. It's such a massive change on the world, what's going to happen. And trying to get ahead of it and understand the problems we're about to see, that's what we do in security. That's really how you get ahead of it. You think ahead and what attackers are going to do with it. But it's been a lot of fun. It really has.
Raimo Lenschow: I can't imagine. And the one question I get a lot of the time is you obviously have the software security companies industry trying to do endpoint, network, et cetera. How do you think about security at Microsoft versus kind of the industry that was there or is still there?
Charlie Bell: I think one of the things that – it stuck with me even before I came to Microsoft, is watching the security industry. There were two things about it that bothered me. One is it was so fragmented. There were so many specialties. And when you see how these attacks happen, they move across those specialties. Somebody compromises an end point and uses it to get some malware in place so that they can compromise a credential or an identity and then use the identity to increase the privilege and go somewhere else. They move across the environment.
One of the things John Lambert, who runs the threat intelligence organization – he's a fellow – been actually at it since around 2000, he says the defenders think in terms of lists. They have their category and they think in a list and they work off their list. The attackers think in terms of a graph. They think of the connection of everything and they move across.
And so, I think one of the things that's exciting about Microsoft is we have products in these areas, but we also have platform that we can offer to the ecosystem. Because there's going to be a lot of innovation out there. It's not all going to happen at Microsoft. A key part, though, is not to fragment the data and the signal and make sure we can share it. So, partners and us can share what we're seeing. And the customer doesn't have to stitch all this stuff together, which is where CISOs have been for a long time.
Raimo Lenschow: And then the – if you think about it – and almost I feel embarrassed to ask the next question because it's – but there has been a lot of progress in the different kind of points. Like, if you think of Defender on the endpoints, if you look at your SIEM offering, et cetera. Can you talk a little bit about an evolution of that portfolio on the kind of almost point solution side? But how does it also fit into the bigger picture?
Charlie Bell: Well, the evolution of the portfolio, I think the real – the kernel of the security business really started with the productivity side, which isn't surprising, because bad actors are going after people. And Defender, Intune, protecting devices.
But I think what you start to realize is you have to bring it together. The Sentinel solution that we came up with was the first run at, okay, this is what a platform has to look like. You have to be able to bring anything. You have to – customers have lots of different things in their environment, and they needed a place to bring it together.
And so, one of the things when I came in, those were being centered in two different organizations. Scott Guthrie's team was working on Sentinel, and the Defender teams were all under Rajesh. And so, when I took those teams, the first thing I did is I started re-orging it and bringing the teams together so that they share – one is to share the knowledge that they have. So, share the research. So, we shared research across everything, shared the threat intelligence, shared the data that we have. And then – and also to get moving on API strategy, because Microsoft's not going to do everything. There are going to be a lot of innovation out there.
And then, of course, AI just puts a huge exclamation on that, because AI is going to be great at looking across the entire environment and it doesn't have silos. We have – in the security industry, we have a lot of specialization in skills. It's not just the product. You could argue the two of them is Conway's law, the two of them feed each other. The fact that we have fragmented security solutions means we're going to have fragmented experts in different areas. But we do. We have experts who understand reverse engineering and understand identity and understand malware on an endpoint and phishing and all of that. Each of these is an area of expertise.
The thing about AI is it doesn't care about – it doesn't have – it doesn't look at its org chart. It doesn't say, "Oh, I report to so-and-so. That's what I do." It can do pretty much any of it. And now we can break down the barriers. We had the data. We couldn't really harness the data in that way. We now have the ability to get across it all.
So, yes, that is where we've been able to take these products and put them together and then go after the unification.
Raimo Lenschow: And if you look at AI – sorry, it's more a non-techy question. But if you think about it, both sides will use AI, the bad guys and the good guys. How should we think about what's going to come our way? In simple terms, we could say, oh, yes, they kind of infiltrate through using some LLM models, but it's kind of difficult. How do you think about it? And maybe you've probably thought a lot more than when we did. But I'm having a tough time imagining it.
Charlie Bell: They'll use it in all ways. I mean, I had kind of a fun time with the sales team. The sales leader asked me if he could do this. He took a quick video with me on Teams. And he says, "I'm going to train up an LLM. We're going to surprise everybody at the little sales kickoff." And I hadn't seen it until he did it on stage, before I walked on stage with him. And he had me telling him what a great job he was doing, and then asking him to click on a link. And I've got to tell you, there's nothing more disturbing than seeing yourself trying to manipulate somebody to do something evil. Like, it's a very disturbing experience.
Deep fakes are going to be a big thing. And it'll be – we've already seen them. But they'll be used in many ways, I think: voice, video. And we're doing a lot of work in Teams to prevent that.
But they'll use it for – I mean, they're using it today for spear phishing, just targeted phish. I mean, with an LLM, I can create emails that look really like they're coming from somebody you know, and they talk about things you already know about. So, they'll use it on the attack side in the same specialized ways we're going to use it on the defense side.
They'll also use it to – as the reasoning gets better. And this is what's happening right now. The LLMs are getting much better at reasoning. They'll use it for orchestrating attacks. So, today, a hands-on keyboard kind of attack, somebody works on breaking their way in and they work on – once they're in, they work on living off the land, they call it. "What's in this environment that I can exploit? Oh, wait a minute. This is a privileged account. Okay. This has – oh, wait, this one has access to a development account. In that development account, there's an application and that application has some privilege and that same privilege exists in a production environment. Oh, yes, they left that open. Okay. Great. I'll move there." They work their way through on the keyboard.
Well, the reasoning engines within LLMs can do that automatically. So, now the tremendously labor intensive process of breaking in becomes way easier for an attacker. They'll be able to move through an environment. There are already companies out there that are doing pen-tests-as-a-service kind of things with LLMs, basically running through the catalog of potential vulnerabilities and seeing what could happen.
So, yes, the attackers will be doing an awful lot on their side to employ the technology.
Raimo Lenschow: And then from your side, on the other side then, so using Gen AI more on the protection side, for us, we then get, okay, GitHub, Copilot. So, your developers are getting a little bit more productive. But we probably have to think bigger at the picture here.
Charlie Bell: Yes. Well, I think we've known for a long time that the game of reactive defense, it's important, you have to do it, because there will be constant innovation on the attacker side, but it really won't diminish the problem. The way you diminish the problem is defense in depth. The analogy I use is, imagine the one advantage you have is you own the rules of the game and you own the field. So, we'll use the European football term. So, I'm playing football. I have this field.
Raimo Lenschow: I get that. I'm German.
Charlie Bell: And I suddenly make it 20 miles long, and I make the goal two feet wide. Well, the scores are going to be pretty low in that game. And so, because I own the playing field, I can change the rules, it means I can go through the environment.
So, this is what we're doing right now. We have this thing we call the Secure Future Initiative, which, having watched some of the nation states – the Storm-0558 issue we had the summer before last, actually – and understanding what the attacker did – they're called Advanced Persistent Threats, and the "P" in there is "persistent." They do it over many, many years. But it helps you understand how an attacker might in the future try to exploit an environment.
So, what we did is we said, okay, let's start thinking many steps ahead. Let's start thinking about all the things that we need to do in the environment to make it extremely difficult for an attacker. The term in security is we say "assume breach," assume somebody broke into you. You should always do that. Because it's probably true. I think somebody once said there's two kinds of companies: those that know they've been breached and those that have been breached and don't know it.
But by assuming that, then you take – and this is the other thing that we got out of the Secure Future Initiative, is the understanding that the best source of how attackers might do things is probably our own red team that's trying to break things. And they were very good. They were keeping a graph of everything that existed visible to them in the environment, and they were using that graph when they wanted to try to break things.
And so, what we understood is that if you can take this same approach, where you look at the entire environment as a graph and you begin clipping the connections between the nodes in the graph and just keep clipping and get down to only the minimum that you need to run the business, you make it extremely difficult for an attacker.
And that's really how we're, I think, going to turn the tables on the – because the other thing we can do is we can employ AI in that game. So, AI can assess your environment. We recently announced some things in Exposure Management, but it's still – we're at the very beginning of what LLMs are going to be able to do on the defense side.
And the reason that I'm really optimistic is if you go back to what the attackers can do, they can employ LLMs, they have access to the technology, but the one thing they don't have is they don't have full visibility of the entire environment. They get to see the surface of it, they come in at the edge of it, and they poke at it, and they have to work their way in, they have to learn about the environment. We know where everything is. So, we have essentially a data advantage.
And one of the things I love about Microsoft is we have two kinds of data advantages. One is we get to see more attacks than anyone else, because we're sitting on the largest cloud. So, we see all these things going on. But the other thing – and so, we get a lot of, what I would call, when you're training AI, you get a lot of, call it, the negative examples, the terrible events, the things that the AI has to learn.
But the other thing we have are a lot of the good examples. We have the day-to-day. We know what people are doing. We know what clouds do. Clouds are executing every second. And we know what good behavior looks like, too. And when you – it's a – one of the things we learned, for example, people are trying to apply LLMs to phish detection. So, phishing is when somebody sends you an email and tries to get you to click on a link. Well, it turns out that the LLMs are often cranking out false positives. They have a little trouble identifying what's really bad because they've been trained on a whole bunch of just negative examples. All they've been trained on, if you go out on the internet, what you find is a whole bunch of examples that are terrible. But they're not trained on good examples. And so, they're biased to tell you that this thing is a phish, and there's lots of examples where it isn't. And that's, in fact, one of the largest problems that customers have with that particular area, is false positives. Their security operation centers get overwhelmed by having to chase down all kinds of false alarms.
And so, by training models on good examples and bad examples, you get better models.
Raimo Lenschow: And then how do you bring that then –? You talked about the graph and reducing the touch points on the graph. How do you bring that whole security framework then into the whole of Microsoft? Because there's so many parts of Microsoft that are impacted or could be entrance things. How is that kind of filtering through the organization?
Charlie Bell: Well, I think one of the principles of our Secure Future Initiative is standard work. And in fact, this is – it's actually bigger than the Secure Future Initiative at Microsoft, is we have a whole quality push which is really about standardizing how we do everything. Because if you go back to what Toyota did, the key to "kaizen" was relying on standards, just doing everything the same way.
So, we bake it into – so, a good example would be one of the things that we had that we're now pushing back through all the legacy code is a thing called managed identity, which is my identity team manages the identity for the application that some other team is developing, so that when they authenticate and authorize people, an identity, coming in to do something, that's handled by a section of code that's managed by the central team and monitored and logged and all the – and the team that uses that does nothing. They basically just use managed identity. Up till now, if you go very deep into the past, there were many things built where they had to build their own version of it. And having many versions of it, every one of those is an opportunity to make a mistake and get something wrong.
So, getting everything standard is the way that we take this knowledge that we have and promulgate it into the rest of the – and by the way, for our customers. One of the things we've talked about with the Secure Future Initiative is that it's not just about us. It's about what we export through our customers. So, for example, MFA, making sure that multi-factor authentication is turned on for every tenant. So, you light up a tenant, you have to have multi-factor authentication turned on or we won't accept it. Or if you're an enterprise and you require and you have some other form of authentication, you'll have to do some work to turn it off.
Raimo Lenschow: Okay. And you mentioned several times now Secure Future Initiative. If you think about it, I get the core idea now. But when you started it, was that a "you" initiative? Or was that a Microsoft kind of top-down initiative? How do we have to think about it?
Charlie Bell: Microsoft always had a pretty robust focus on security. If you go back, Bill wrote a famous Trustworthy Computing note to the company, and basically there were a lot of worldwide standard security practices developed at Microsoft.
But the one thing that I think we did that was different with the Secure Future Initiative is we kind of turned it into a much more rigorous cultural kind of approach. It started with Satya standing up in front of all the corporate vice presidents and saying, "You're going to think of security above all else. You build a product, you're going to think about security while you're building the product." Somebody in the audience raised their hand and said, "Well, what about...," and he said, "You're going to think about security first. Security, above all else."
And I think having it – and by the way, we incorporate it in what we call a core priority. So, when you do your performance review, you talk about your core priorities. There's now a security core priority that people talk about. One of the key things about security in companies is often everybody in the company thinks somebody in security is going to be the protector. "I'm going to make sure that you're secure." And it turns out everybody has a hand in making sure you're secure. And so, having those things...
And then I think the programmatic, understanding that it's programmatic and it will go on forever and that we will now take some of these things that we're learning. And the thing that we're doing over time is gradually absorbing security capability as we created it into our legacy. Here, we're intentionally going back and retrofitting on everything we discover, which I think is a stronger approach. And then thinking about how we do that with the products we put out in front of customers.
Raimo Lenschow: Are there certain –? If you think about it, when you announced it, are there certain – do we have to think about certain components that are part of it?
Charlie Bell: Yes, it's broken into pillars. So, we started out with three pillars, and we added more after Midnight Blizzard, after we learned more from that attack.
But within each pillar – there's an organizational aspect to it, too, which is we have pillar owners who own each of these, for example, network security or monitoring. And the pillar owners are technical experts in their areas and report into business leaders. So, the pillar owner for networking reports to Scott Guthrie, for example. And this gives us kind of a deep technical grounding in all the things that have to happen across the company, as well as ownership. And also flexible. We can add more pillars if we run into something that we're not – we don't think we're covering correctly.
Raimo Lenschow: And how – is this a Microsoft initiative? Or I mean, I could see that that kind of could be a framework for the whole industry.
Charlie Bell: I do a lot of meetings with customers, and they're all thirsty for how do you – this problem is very difficult. Because security isn't – you have customers yelling at you every day. Really, you have other customers out there – I call them anti-customers – who are going to do terrible things to you, that you don't see every day. And unless you think about them at the same time you're thinking about your customers – and this is hard for companies. What happens typically is the CISO is out begging the business units to do something, and they're really busy and they're solving their customer problems. So, they don't pay attention.
So, organization is really critical. In addition to the pillar owners, one of the things that Igor Tsyganskiy did – he's my CISO – he created deputy CISOs who live under Rajesh and Scott and in the various parts – Judson – in the various parts of the organization, and they do the risk management. Basically, they look at – and because they're sitting at the staff table and they have accountability to Igor and they meet as a team, they get to assess the risk. And by the way, they don't do it independently. They review it with at least two of their peers. And he's got a structure, an organizational structure, for making sure that as an organization we're constantly thinking about security has a seat at the table. And a lot of customers are wrestling with that problem of how do you bring that into your environment.
Raimo Lenschow: And have they – does that mean also some of the point solution providers, are you inviting them to join in? Because security is a bigger problem. It's just not the points of the problem, it's not a point problem. You need to have almost like a framework. How does that play out?
Charlie Bell: So, I'm a firm believer that organization follows technology, technology follows organization, if you don't build things actually that bring people together...
One of the things that we've been working on as part of all of this is how would – it's both for the present. So, just from a data perspective, how do people connect with us? How do we share threat intelligence, for example, across providers like Cisco and OneTrust and others who see things? They see – it's a fragmented world. Everybody has their piece of it. But if we want to get past the fragmentation, we have to be able to share. And so, how do you bring partners – Netskope is another, we work with Netskope.
It's going to be an ecosystem that really gets the tables turned on the attackers here. It's not going to be one company. There's going to be a lot of innovation going on. But I see Microsoft as being in a great position to lead, just by the weight of the signal and the fact that we can provide sort of the meat around it. And then when we get to AI, everybody's going to be innovating agents for us, and these agents are going to have to cooperate. And so, having the ability for us to come together with various...
And it'll be. Each company, it's just like customers. You go to meet the customers where they are. Each company is in a certain place in their market. They have a certain responsibility to their customers, things that they do for their customers. They're going to have a certain ability to work with us at a certain level, and we're going to meet them where they are, as much as they can do or as little as they can do.
Raimo Lenschow: I wanted to go back to on the Gen AI – well, Gen AI, but then also on the cloud side. In a way, the security landscape to some degree is changing, because one of the classic break-ins was you had an on-premise solution and it was sitting on a non-patched kind of version of some whatever, and then someone broke in there. But that's not the case in cloud. Because in Azure, you want to be always on the latest and greatest. So, that's a different thing. How do you – how's the conversation with customers going around, "Okay. Well, here's Azure. And from the outset, we have a different and better security framework than you do on-premise. Should you not kind of join us more?" Does that play part of the conversation as well?
Charlie Bell: I mean, look, I've always been a cloud optimist, obviously. It's because it's just – it gets harder and harder to solve the problems of not just security; availability, how do I make things work, how do I manage costs. We have a deflating world in technology. How do I take advantage of that and refresh?
The ability to refresh your organization on the things that actually don't matter to your customers. Your customers don't care what data centers you run and what servers you have, what operating system you're running. They have no idea. And so, the ability to move fast to refresh and stay current.
And in security, it becomes acute. We saw that with Hafnium, which was a Chinese threat actor that was going after on-premise Exchange, and they were exploiting a bug. And in the cloud, you can patch that in hours. The Storm-0558 attack, we patched within hours. If you're on-premise, some customers can't patch, because they're sitting on old hardware that can't run the new thing. So, they literally can't. They're trapped. And so, the way that you defend is much more difficult in that world.
And so, being able to – there's a tough game in the vulnerability world, where we have to publish vulnerabilities. So, a CVE – that's the prefix for a vulnerability, CVE-1, -2, -3, -4, -5 – will come out, and it'll say, "This is a critical vulnerability and you need to patch it immediately." Well, guess who gets to see that?
Raimo Lenschow: Yes, the bad guys.
Charlie Bell: And they're immediately saying, "Well, go to town. I see this vulnerability. Where can I use it?" So, now there's a foot race that goes off.
Now, the world has to patch faster than the attackers can find it and do something with it. And it's just long. The cloud, you just patch it immediately. In fact, you can patch it simultaneously with telling people that there's – by the way, we've also, I think, innovated here. Cloud providers tend to be a little bit secretive on these things. We've been really transparent. We co-publish with researchers. We've created these cloud vulnerability things, where we talk about the vulnerabilities discovered in the cloud.
But the thing is, we can do it immediately. We don't have to wait. And for some of these things, it can take months. And in the meantime, companies are vulnerable.
Raimo Lenschow: Hey, I see our time is up, but I could talk for hours. It's so interesting chatting with you. And there's such a great new world out there. Or it's not always great, but it's an amazing world out there. So, thanks for joining us here. Really insightful. Thank you.
Charlie Bell: Thank you. Thank you for having me.