Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to episode 101. This week is myself, Michael, with Sarah and Mark. Our guests this week are Wayman Ho and Matt Zorich, who are here to talk to us about the Ghost team. But before we get to our guests, let's take a little lap around the news. Sarah, why don't you kick things off?
I've just got one piece of news which is that AKS is now supporting FIPS mutability. So that means, of course, if you are doing US government things, you can now use those cryptographic modules to meet your FedRAMP and other federal government requirements. Yeah, I'm going overseas and talking about US government stuff today. That's me. I've got a couple of pieces of news in my area. So a couple of open group standards that I have been working on and contributing to have just released.
The first is security principles for architecture. I'll be honest, when I posted this, I thought this would be pretty boring and get like five, maybe 10 reactions on LinkedIn. 500 later, and like 50,000, 60,000 impressions later. I was like, oh, I guess people are thinking back to the basics and who knows it, maybe because of some security vendor fails recently. But yeah, that one's out.
It's just a simple, straightforward, solid set of security principles, and you can copy and paste this into your security architectures, your technology architectures, your enterprise architectures. It's really meant to just be that straightforward, simple, how to do security right. It definitely aligns with zero trust principles and all that other stuff that we do at The Open Group, but it's just meant to be security principles.
Then similar and related to that is the zero trust commandments, the final version of that just came out about a week or two after the security principles. This is basically the rules of the road on what is good security or what is zero trust, really the same thing. Ultimately, these are must and shall statements. You must do this, this shall be one of the attributes of that. We're very, very specific and prescriptive on exactly what it is.
Two guiding sets of documents there from The Open Group. The other thing I had was that, and I'll send the link to the playbook on it, it was really interesting because one of the things we put in our Zero Trust Playbook series, my co-author Nikhil Kumar and I, who was on the show about a year ago, I think. But one of the things that's come up and become a really big deal, and this may be in the wake of SFI or what have you, I'm not quite sure, Secure Future Initiative.
Sorry, I have to do the acronym thing. But we've seen a lot more attention and focus starting to go to accountability, governance structure, how should we be structuring security, etc. That's actually one of the things that we're really focused on in that playbook is, how do we explain security, a modern approach to security called zero trust, and how to think about governance, accountability, and whose job it is to do what?
Because you can't just dump it on the security team and say, hey, it's your fault, wait what? I didn't make any of these decisions. I didn't implement any of this stuff. We spent a lot of time thinking through that for that Zero Trust Playbook series. And so, seen a bunch of interest in that. So just dropped a fresh link in there for that as well. That's all I got. I got a few items. The first one is there's some upcoming changes for Azure Event Grid around TLS.
Basically, at the end of the year, October 31st this year, 2024, support for TLS 1.0 and 1.1 will go away. And it will support TLS 1.2 and later, which is great to see. You'll see more and more services support that as well, which is great to see. Next thing is NetApp Files now supports double encryption for data at rest. This is there in case there's a single key compromise, those kinds of things.
So now you've got the option for custom managed keys and platform managed keys to be used together. And the last one is a good friend of the show, which is Azure Chaos Studio. They've now got a new fault that they support for virtual machines which is network isolation, which essentially allows you to isolate the VM to see what happens when all network traffic is cut off completely from the VM to see what happens.
So that's really good for just testing the resilience of the VM and the applications running inside of the VM. So that's all the news I have for today. Let's turn our attention to our guests. As I mentioned before, we have Wayman Ho and Matt Zorich who are here to talk to us about the Ghost team. So gentlemen, would you mind just taking a moment and introduce yourself to our listeners? Hi everyone. My name is Wayman Ho. I'm a Senior Security Research Manager on the Ghost team at Microsoft.
And yeah, my name is Matt Zorich. I'm also a Research Manager in the Ghost team, based out of Australia. All right. Let's kick it off with a really dumb, stupid, simple one. What is Ghost, and don't say something that looks like Casper. Yeah. So the Ghost team is the Global Hunting Oversight and Strategic Triage team. We often joke internally that it's what we call a backronym, which is we came up with Ghost first, and then came up with some words that fit Ghost to make it sound cool.
What our team is: our team was essentially built from some of the people who were originally in Dart. So Dart is our detection and response team at Microsoft. As part of what Dart was doing, we had a whole group of people doing things outside of just IR. So we were doing things like internal hunting at Microsoft and kind of working with our partner teams and doing some software development work. So things that were really important, but not core to Dart's mission.
So they took originally 30 of us and moved us over to the Ghost team, so we could focus on those things and leave Dart to focus on what Dart does best, which is being really great at customer incident response. So Matt, I mean, you've been on the show before and you've talked about Dart. But what is Ghost's remit then compared with Dart? What do you do that's different, because you're a brand new team in Microsoft? Yeah, definitely. So brand new team in Microsoft.
I think the difference between Dart and Ghost is that our team in Ghost is almost exclusively focused on protecting Microsoft. So the original kind of 30 people all came across with a really strong IR background. And we had skills in hunting and forensics and digital forensics and running all our tooling and things like that. We also have like a lot of platform experts in our team. So we have people that have written books on MDE and things like that. So we have a whole breadth of skills.
And our team has kind of stood up to help bring that set of skills across to Microsoft. So we do a lot of work with Microsoft First Party. Whereas Dart does third party incident response. So yeah, kind of a clear delineation in mission there. Can you talk a little bit about... So it sounds like it's pretty clear that Ghost essentially protects Microsoft and Dart protects our customers.
Can you talk about, like, you know, any more differences between the teams and also just how that compares and contrasts to our Microsoft Threat Intelligence Center, or Mystic? I think generally when we look at Ghost, our remit, as Matt mentioned, is to protect Microsoft and keep Microsoft safe. That actually includes a lot of our products and services as well.
So kind of the key differences for Ghost across, you know, Dart and Mystic is, you know, we are kind of the more strategic threat hunting arm for Microsoft. We look a lot for adversary behaviors across our different environments, through our different products and services. And we help, you know, create things that will assist our product teams, inform their decisions to protect our customers overall.
One of the key differences, you know, Matt had already talked about the differences between Dart and Ghost. But from the Mystic side, which is our Threat Intelligence Center team, a team that I used to be part of, Mystic is involved in attribution and tracking adversaries. So in a sense, they're moving upstream to identify the adversary. From the Ghost perspective, we work really closely with Mystic, but we move downstream, meaning we try to identify kind of threats to Microsoft.
We also identify threats to our customers as well, a lot of our third party customers. So we fan out and investigate that behavior of our adversaries, taking the Threat Intelligence from Mystic and looking for that type of activity within our environment. We're also responsible for some of the other types of notifications to our customers, including something that we call the Nation State Notification Process, or NSN.
Gotcha. So it sounds very similar to the way a mature Threat Intelligence function would interact with an incident response or threat hunting team. And it's just with the added Microsoft element of sharing learnings with our customers and whatnot. Yeah, totally. I think how our three teams work together is Mystic will be tracking the adversary. We, on the Ghost side, will hunt and identify the adversary behaviors. We can reach out and do notifications to some of our customers.
And then should they want to engage incident response services, we will have Dart work closely with the customer in that angle. And then all of us kind of just work together to protect Microsoft and our customers that way. Something I announced about a month or so ago: I've actually joined a new team, which is actually the SFI team, the Secure Future Initiative team. Actually, I'm sort of working with Mystic as well, but on SFI, which is really kind of a bit confusing.
So it's confused things even more. So how does Ghost feed into Microsoft's Secure Future Initiative? Yeah, so we've been involved, I guess, as kind of like we're providing guidance and insight to SFI. We're not the team that goes and makes those changes, of course. But I think like taking the perspective of a hunt team to securing Microsoft's like a really good win for Microsoft is that, as Wayman said, we look at things from a particular perspective.
So we're looking at adversary behaviour and how adversaries kind of compromise systems, abuse systems. And a big one from our side is that we're obviously very big data focused, and logs and telemetry play a huge part of our life. So a lot of the kind of guidance we're providing to SFI is around log retention, log visibility.
How do we get access to telemetry? Again, not just for first party, but we always say is we want to take our learnings from protecting Microsoft to help protect our customers as well. I guess we're in a very unique position at Microsoft in that we're a big target ourselves and then our customers are also a target as well. So we want to help both first party and we want to help our customers. And we bring a particular perspective, I think, to SFI as a threat hunting function.
So we're obviously really fortunate to be a part of that process and give our perspective on it. Yeah, actually, I can add a little bit more context to this because actually, even though I asked you the question, I actually knew the answer as well. But so I'm on the receiving end of a lot of your data, right? So as well as other teams as well to help work out, OK, so what sorts of things do we need to do in SFI? I mean, it's all very well coming up with a list of things that can be done.
But at the end of the day, if it's not sort of rooted in reality, like what's actually happening out there, you know, it's not really that useful. So, yeah, a lot of the information that we sort of feed into SFI comes from you guys, and a lot of other people as well. But that helps us make the decisions about, OK, what are we going to do for the next, you know, n months, working on different parts of the product? So, yeah, we appreciate the guidance and the help that you guys give us, by the way.
We talked about, well, Michael just asked, how does Ghost feed into SFI, the Secure Future Initiative that Microsoft's doing? But for folks listening who maybe are not Microsoft, how does what Ghost does feed into the things that our customers might use? So, you know, our products, do you feed into that? Yeah, I can probably handle this one. And yeah, absolutely. So as part of a threat hunt team, we're obviously looking for adversary behaviour.
We're looking for that in Microsoft. We're looking for that in our customer environments as well. And Wayman mentioned we deliver our nation state notifications when we do detect that activity. But ultimately, we want to help our product teams come up with better detections, better heuristics and things like that to really help our customers. And, you know, Microsoft's kind of at the forefront of that. Like I say, we're one of the biggest targets. Our customers are targets as well.
So, you know, if we're being targeted by something, there's a good chance that our customers are also being a target of that. So if we can help detect that and help kind of drive product improvement, detection logic and things like that through our product suite, that's really the ultimate goal: we want to protect our customers. So, you know, we work closely with our product teams. So Defender teams, the various Defender for X. So, you know, Defender for Identity, Defender for Office.
We work closely with all those teams, just showing them the novel things we're seeing. Like you mentioned, Sarah, the things based in reality that adversaries are actually doing, and seeing if they can build detections into the products or improve the products. And those teams are always really receptive to that feedback. As mentioned, we have a unique perspective of the world, seeing what's actually occurring. So hopefully it means the products reflect those kinds of attacks we see as well.
Yeah, just to add a little bit onto that as well, right? Like we are servicing a lot of these things internally, but outside of that, we also work with these product teams to say, hey, like, is this actually easier or harder for a customer to see it themselves? If it's harder, how do we make it easier for them in the future?
How do we implement these things so that our customers can better protect themselves without us, for example, having to notify them, without us having to be part of the process? How can we make it better for them overall? Tell me what a day in the life of Ghost is, and if there are different sorts of roles and responsibilities, like what would be the difference between them. I'm just kind of curious what it's like to sit in the seat. Yeah, I guess I'll start off with this one.
A day in the life for me as a hunt manager, I think Matt probably has a different perspective in the Australia time zone. But typically for Ghost, we have two types of what we call engagements that pop up for us. They're either reactive, where some major engagement pops up, whether it's high profile or something that's urgent, that's coming from our different teams, from an external party, etc., and we're reacting to it.
It would mean typically myself and a few hunters on Ghost will deploy either remotely or on site and assist with that. Outside of that, we have kind of proactive engagements where we are looking for adversary behavior actively within our own environment, trying to build better detections, better understanding of threats that may target us either in the future or something that we're anticipating. So it actually changes very often day to day, week to week.
Our engagements vary from we can be working nation state one day, we can work to switch over to cybercrime or some other major fraud and abuse case another day. We get pulled into all sorts of different directions. But I would say from a manager perspective, we have several engagements that we lead on a week by week basis.
We answer questions related to any security issues our other product teams have or our threat intelligence teams have, or even just working directly on customer-facing engagements alongside Dart or other teams. I know it's, like, super broad. I think one day I could be hunting on our back end data using Kusto. The other day I can be on some customer portal assisting them with their hunting queries. It really just depends.
And then the great thing about our team is we have kind of a global presence. So when my day ends, I get to dump all of my work onto Matt, and Matt can take over while I'm asleep. So yeah, but I'd say we get the advantage down here. And Sarah would know this: Monday is essentially an extra day because the US is asleep. There's no meetings. It's nice and quiet. Everything works quickly. It's just the best.
But yeah, like Wayman says, we take over and, you know, we're a global team. So we're not regionally focused in our hunting. We hunt globally. Sometimes we'll be time-zone aligned with customers, of course, but it's a really dynamic environment. I guess in terms of the structure of the team, we have our threat hunters. We have our hunt managers. We have a group of technical program managers that help us prioritize and triage work. And they're also kind of platform experts.
So then we have a layer of leadership and things like that. But, you know, my people that report to me, we don't kind of hunt necessarily as one team. We might have someone in my team that's an expert in a particular skill set. So they're helping Wayman, for instance. So, yeah, super dynamic, a really great, great group of individuals as well, all kind of working towards the same goal. Matt, I can definitely tell you that I am a big fan of Quiet Monday, which is my favorite day of the week.
It is. It's the best. You just wake up and they're all watching football on Sunday, and everything works and everything's quick. It's the best. And then you see them on a Saturday morning. It's kind of Friday afternoon and it's hectic for them, trying to get things squared away. And, you know, I'm having my coffee, just watching the chaos. It's amazing. I recommend working in, you know, Australian time zones for a US company. I do, too. It's great.
When I lived in the US, one of the things that made me really sad was that I had all these meetings on Mondays, because I was like, what is this? I don't have meetings on Mondays because most people are not awake, or at least not at work. It was something I found very sad, my Monday meetings when I lived in the US. We said Ghost is a new team and you're growing quite quickly. And a little bird tells me you still might be hiring. So tell me about that.
Yeah, definitely. As mentioned, we're a relatively new team. We started with just the 30 of us. We've definitely grown since then, but still hiring. So we recommend you check out the careers page. So if you check out aka.ms slash ghost jobs, you know, those jobs kind of come and go as they're filled and as we're doing interviews. But definitely worth keeping an eye on.
And as mentioned just before, we have hunters, we have technical program managers, and I actually forgot to mention our very amazing development team earlier. So we have a group of software developers that help build our tools as well. So if you don't come from a threat hunting background, but you come from a developer background and are interested in that intersection of development work and cybersecurity, we have roles there as well.
Yeah, jump on. I can tell you all the interviewers are really lovely. My experience interviewing at Microsoft was amazing, really conversational, not confronting at all. So we'd love for you to apply. All right. So one thing we ask all our guests is, if they had just one final thought to leave our listeners with, what would it be? I think I can jump in here. Like I mentioned earlier, we kind of hunt across both nation states, cybercrime and a whole lot of different things.
And I think one interesting thing we're seeing kind of at the moment in reality is that, you know, we often talk about like technical vulnerabilities in our software and things like that, but we're definitely seeing adversaries kind of exploiting what we call like business vulnerabilities. So understanding how kind of businesses work, whether that's social engineering, help desks, whether it's like inserting themselves into the hiring process and things like that.
So it's definitely really novel to see that kind of attack, which is not technically focused. But yeah, so have a think. I guess the takeaway would be: have a think in your business about how you're onboarding staff, how you're having your staff enroll in MFA and things like that, and how you're verifying them, because there are certainly some novel things in that space that we're seeing. All right. So let's bring this episode to an end.
Gentlemen, thank you so much for joining us this week. I know you're both really, really busy. Yeah, it's always useful. I always learn something new. Again, I sort of mentioned at the top the Mystic team, but I still have historically been a little bit confused about Dart, Ghost and Mystic. So thank you for clearing some of that up. And to all our listeners out there, we hope you found this episode of use. Stay safe and we'll see you next time.