Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey, everybody. Welcome to Episode 49. This week it's just myself, Michael, and Gladys. Sarah and Mark are taking some time off for spring break. We also have a guest this week. We have Jason Zahn, who's here to talk to us about RiskIQ. But before we get to Jason, let's take a little lap around the news. Gladys, why don't you kick things off?
Well, I want to talk a little bit about risk detections before I mention my news related to this topic. As you may be aware, Azure AD Identity Protection identifies suspicious actions related to user accounts. Risk can be detected at the user or sign-in level and can happen in real time or offline. For example, leaked credentials may be found on the dark web and compared against Azure AD users' current credentials.
If they are found to match, the account is marked risky, which then triggers a set of remediation activities. Well, Microsoft Defender for Cloud Apps, formerly MCAS, has added two new detections in the identity protection area. This shows the cross-collaboration that we have between services. The first detection is called mass access to sensitive files, which profiles your environment and triggers alerts when users access multiple files from Microsoft SharePoint or Microsoft OneDrive.
For example, an alert is triggered only if the number of accessed files is uncommon for the user and the files may contain sensitive information. This may be helpful, especially when you have ransomware attacks or an attacker trying to exfiltrate data out of the environment. The other detection is unusual additions of credentials to an OAuth app, which detects suspicious service principal activity.
Again, this is trying to detect whether an attacker or a malicious attempt has been made to change a service principal and run behind an application without being noticed. The next set of news that I want to talk about is sensitivity labels. For those that are not familiar with these, sensitivity labels are a way to tag information and allow a customer to require different configurations, depending on the tag applied to a file.
For example, the customer may decide that the file must be encrypted and only internal employees can access it, or maybe they may select a way for external users to access it, but it must be stored in a particular location. Well, before sensitivity labels were incorporated within Office 365 or Microsoft 365, it was a separate service called Azure Information Protection.
Because Microsoft has deprecated Azure Information Protection and no new customers can get it, there's new guidance about how, and why, you would want to use the sensitivity labels that are part of the Microsoft Information Protection strategy over Azure Information Protection.
Also, there are new settings for auto-labeling policies, and if you're not familiar with auto-labeling, basically this is functionality that can auto-mark a file depending on content found, such as profanity, whether it finds the word resume or health-related information, or others in a file. So a few things took my interest the last couple of weeks. The first is that Azure Private Link is now supported in Azure API Management.
Now, some of you may say, well, hang on, didn't API Management already have that? Well, the answer is, kind of, yes. It was only the Developer and the Premium tiers. Well, now it's available in Developer, Basic, Standard, and Premium. This is fantastic because it allows you to essentially have API Management just listening on a private network. The next one is, Azure Monitor Agent now supports Private Link, and that is now generally available.
So we talked about this a few weeks ago on the podcast, but that feature is now generally available. So now you can have front ends to Azure Monitor running on a private network so that that data isn't exposed. I mean, in theory, that data shouldn't be exposed anyway, because it could be aggregate, but some people like to make sure that data is kept on a private network. The third one isn't really news at all.
It's really just a consequence of some events that happened over the last few weeks. I've been working with a customer over the last few weeks on Secure Score. In other words, how to take the current environment and their current Secure Score, look at the recommendations, come up with a plan for essentially remediating some of those recommendations so that Secure Score can go up.
Now, I've said this a few times, but I'll say it again: I'm not a fan of just raising Secure Score for the sake of raising Secure Score. I think you've really got to focus on the actual things you're mitigating and whether they are worth it. A lot of them are worth it, don't get me wrong, but some security mitigations carry a much heavier weight than others, so are you mitigating the right things? Now, with that said, one thing we found is that overnight, their Secure Score dropped.
Now, don't get me wrong, it's expected: as you're making changes and you're moving new resources in, and perhaps you don't have Azure policies in place to deny certain settings and so on, the Secure Score is going to go up and down. That's just perfectly natural. I mean, the trend over time should be upward, but don't get too caught up in the day-to-day pendulum swings.
Well, one day it dropped a lot, and the reason was because some items that were in preview, some checks that were in preview, became generally available and we hadn't mitigated those. So the Secure Score took a hit. So the next question was, well, how do we know when these checks that are in preview are going to be generally available? Because that way we can work out which things we need to work on as soon as possible.
So I emailed Yuri Diogenes, and Yuri sent me a link back to basically the calendar for upcoming recommendations and when they will go GA. So I will provide a link for that in the show notes. I think that's a critically important resource. It's not just what things are changing, it's also what things are coming up. So make sure you take a look at that. All right. So now that we've got the news out of the way, let's turn our attention to our guest.
This week we have Jason Zahn, who's here to talk to us about RiskIQ. Jason, hey, thank you so much for joining us this week. We'd like to take a moment and have you introduce yourself to our listeners. Thank you very much, Michael. Thank you for giving me the opportunity here today. So my name is Jason Zahn. I came into the Microsoft family via RiskIQ, which was an acquisition that was made by Microsoft probably, I want to say it was August of 2021.
So it's been about six months now that we've been on board. We've had a partnership with Microsoft on a number of different levels over the past several years, and this just seems like a natural step that's kind of moving forward here. RiskIQ, for those of you that may not know, developed a technology probably about 10 years ago to be able to understand and organize the internet at scale.
And the real value that we bring to the table is the capability of being able to understand what an organization looks like from the outside looking in. And subsequent to that, we also have a very powerful threat hunting and threat intelligence platform that actually looks at an adversary's organization and basically the infrastructure that they're using to be able to leverage to do unwanted things across the internet.
What is the vision that RiskIQ had to help with all the security out there on the internet? Yeah, that's a very fun question. It's actually got a very deep history within RiskIQ's ethos. Way back in the early days when the company was starting, we kind of took a step back and we said, what's really a mission statement that we can use to be able to kind of project a vision, something that we can always kind of strive after?
And we came down to a very simple statement saying make the internet a safer place. And we realized that that was a very lofty and very multi-dimensional problem set to be able to solve for. And as we started analyzing it, we said, well, what is the biggest problem that's actually keeping the internet from being a safer place? The way that we looked at it was there just weren't enough good guys in the game, right?
And so, like when we looked at our capabilities as we started to come to market, as we started working with customers, the real question was how do we take the complexities and nuances of the internet in all of its forms as it's been manifested over time and actually make it more accessible so that more people can get in the fight, essentially.
And so if you look at the traditional models that have been available over time, you can, number one, take very junior-level analysts and have them do extremely senior-level internet correlations by training them in terms of how the plumbing of the internet works, how the artifacts of the internet work, how they work in relationship to each other, et cetera.
That's a lot of what we baked into our technology: the capability of taking those complexities and boiling them down and placing them into products, placing them into other capabilities and other security investments that organizations have already made. And the second piece of that is very senior-level operators that are in threat intelligence or in network defender type scenarios, giving them the capability of doing very consistent work.
A lot of the challenges that looking at the internet requires are usually multiple different sources of data, multiple different capabilities, and then some system or capability to be able to bring all of this together. And what we aimed for was to be able to create basically a centralized repository and a single pane of glass to be able to operate on these internet-scale problems.
Security as a whole has always been really interesting to me because, unlike any engineering discipline, it's not really a problem that you solve, it's a game that you play. And if you think about traditional engineering disciplines, even in the physical world, if you're gonna build a bridge, it's like you have a train, you have maybe a river that you wanna be able to cross, you take some measurements, you get some concrete, some sticks, and you put it together and you make a bridge.
And if you can imagine, there's a steep learning curve at the beginning, a steep work curve at the beginning in terms of being able to actually design and architect a bridge, and then it kind of drops off, right? You have to maintain the bridge, maybe you have to fix some potholes or put some different signs on it over the course of time. But if you think about that in the world of cybersecurity, there's actually an adversary on the other side of the equation.
So for every motion that you make, there's almost like a counter-motion that is made to be able to circumvent it. And those are some of the things that really kind of got me excited in my early days of working in cyber. But when you start working at that at an internet scale, it poses a whole different set of challenges because the internet's constantly in flux, it's constantly moving.
So the ability to be able to kind of take those premises and be able to make them more accessible to more people more often has been a large charter of ours. And it's been a lot of fun kind of going down this path. So one of the things that I keep putting emphasis on when presenting my news is the value that cross-service collaboration provides to help automate the activity required to protect, detect, respond, and recover.
So what are the integrations your team is doing as you get more incorporated into the stack? Yeah, so that's a very good question. I mean, I think cybersecurity has largely been challenged with this since its inception. If you look at entire industries, like for example the SOAR industry that popped up within cybersecurity, it was actually designed to be able to arbitrage a deficiency that existed within security products in being able to have them work together.
And if you think about this problem set inside the firewall, you have endpoints or maybe network devices, you have different systems and operating systems and capabilities and so forth that are built up, and it's often very difficult to be able to reconcile all of that. If you take that conversation and move it out to the internet, one of the advantages of the internet is it's the same internet for everybody.
Good guys, bad guys, partners, employees, they're all kind of operating around the same first principles of how connectivity and exposure on the internet work. And so as we started to look at it from a macro perspective, there's really kind of three general sources of data that you're working with. You have internal data, so you can think of like syslog, different logs that are coming off of various systems that you have internally.
And then on the other side of the equation, you have this deep, dark, spooky web, whatever we're calling it this week. And then kind of in the middle of all of that is the internet. And that is what we primarily focused on: not only the ability to be able to collect and organize internet-scale data, but actually be able to unlock it inside of an organization. So if you can imagine, the internet for many organizations has become an extension of their network.
It's an extension of the data center, how employees work, how customers interact, et cetera. And the decision calculus that is actually required to be able to effectively manage an internal network is largely predicated on being able to infuse or basically harness the knowledge of the internet at any particular point in time in order to make a lot of these decisions.
So the integration paths that we worked on were largely based around being able to create one plus one equals three type of scenarios. So for us, it was very, very important not just to integrate into or just throw data back and forth with a particular partner and put each other's logos on each other's websites, but actually peeling that onion back and saying, what's the problem that we're actually trying to solve?
I think one of our most critical integrations that we started, I guess it was a couple of years ago now, but continue to reinforce is, for example, our integration to Defender or even Sentinel. If you look at Sentinel, for example, you could have an incident that comes into your SOC.
And then if any part of that incident has an intersection point or a nexus that actually exists on the internet, the playbooks in the background actually go out and not only decorate that incident with internet data and the historical aspects and so forth, but also bring in what we call observables, which means what's happening with this domain name, this IP address, this certificate, et cetera, that's actually placed inside of that incident.
And if in fact it's currently being observed to, for example, be relaying malware, in the background the playbook will actually promote it from maybe a medium-flagged incident into maybe a high-level incident. And then when you think of the actual SOC analyst, whoever actually opens that incident, there's usually one of two things that they traditionally end up doing.
Number one, they wanna know as much information as they can get about that particular incident, which is what the purpose of the playbook is: to be able to keep the analyst from having to alt-tab to another system or maybe even multiple systems, or be able to cross-reference it with multiple systems, where all of that information is really at their fingertips and really in their field of view when they're making a decision about triaging an incident
or suppressing it or maybe creating an internal ticket. The second thing that normally comes off of a well-decorated incident is, instead of having a SOC analyst that's trying to triage it, you may have a threat hunter that wants to go investigate it further. Maybe they wanna understand, am I a target of chance or a target of choice? Is this something that's rather prolific across the internet, or is this a singular incident?
And so the capability of being able to systematically go directly from that alert into the depths of the internet research, and kind of what the internet has to say about that information or that particular incident, becomes a very fluid transition for whoever's working it. Hey Jason, you said whether someone is a target of choice. Could you explain what you, and you had some other stuff in there, target of chance or target of choice? Yeah, can you just explain that a little bit?
That sort of piqued my interest. Yeah, so one thing that we've found, and you see this replicated with whole classes of incidents that we've seen across the internet. So a target of chance is: I'm gonna create a piece of malware or I'm going to look for a particular vulnerability and I'm just gonna mass-exploit it across the internet. I don't care who you are in terms of industry vertical. I don't care who you are in terms of sophistication.
If you have this particular exposure and if I do have access to it, I will subsequently go ahead and compromise, or at least interrogate, that particular target for the purposes of being able to understand if I have a second- or third-order event that I can place on top of it. A target of choice is: the bad guy's not gonna go away. They're gonna go another way.
For whatever reason, you either have PII that is of specific interest to them or you have a political leaning as an organization that is of specific distaste to a set of bad actors. And you can look at the bad actor cases of e-crime. You could look at it in a nation-state lens. You could look at it in a hacktivism lens. You could look at people that are basically just out to cause problems. And we just take one of those, for example, like e-crime.
It kind of goes back to that old Willie Sutton explanation when he got arrested and people were asking, like, why are you always trying to break into banks? And he's like, because that's where the money is. So when you look at that paradigm of target of chance versus target of choice, I think it's pretty safe to say that a bullet can kill you regardless.
But you as an organization, understanding if that bullet's being fired from a sniper or if it's just a random projectile that's thrown out from a drive-by, those are two very different response characteristics that you probably would end up employing internally. So about a month ago, I was watching a webcast that the Sentinel team, Regina Kapoor and Brandon Dixon from your team, were presenting as part of the Microsoft security community.
They were explaining how to ingest the threat intelligence data, or all this information that you're talking about, right? This has become really important because there have been several executive office mandates and guidance being put out there, and a lot of it is talking about threat information. Can you talk a little bit about how you come up with this threat information sharing?
And I think you have a Section 52 team that is helping sometimes with the information that you're putting out, plus you have your own analysts or researchers that are putting this information out. Yes, absolutely. So for RiskIQ, and this has pretty much been, since the beginning of us as an organization, we've largely been based around visibility, in terms of being able to focus not necessarily as much on who's doing something as on where it is.
So if you think about this in the context of, I was just going through a whole series of vulnerabilities, one in particular with regards to OpenSSL, yesterday. And it appears to be a pretty significant issue that will require a handful of patches, or quite a bit of patching, but the question is not necessarily whether or not that OpenSSL issue is bad. I think everybody can look at the information about the exploit itself and say that it's probably not good at a minimum.
But the real question is, where is that within my environment? Where is that across my attack surface? In terms of what I'm responsible for on the internet as an organization, do I have any of these libraries that are natively incorporated? Then you can take the kind of secondary, tertiary conversations with that, saying, I may have 10 or 100 or 1,000 critical vendors. And I've leveraged different parts of the digital footprint or the attack surfaces of these different vendors.
So which ones of those actually have this SSL vulnerability inside of them? So that visibility component, and probably the easiest way to think about it, in the world of threat intelligence, there's really kind of two flavors of threat intelligence that are out there. And I generally put them into the Doppler radar versus the meteorologist. And a meteorologist says, you should bring an umbrella tomorrow. It's gonna be bad, or it might rain in the afternoon.
Where a Doppler radar actually says, over the course of the next 24 hours, this is what the precipitation will be. This is the confidence that's associated with it. This is the empirical data that actually presents that. And that's a lot of what RiskIQ has, what our focus is: really the quality of internet data and being able to surface that at the point in time that it's actually needed in order to be able to make a decision.
So when you think about how that data actually comes into play, it really has to do with the core underpinnings of our system. Because we control all of our collection infrastructure. We control the entire analysis layer. This isn't leveraged based on partnerships and so forth. This is just raw telemetry of what the internet looks like. And through a series of products as well as APIs, the way we go to market, et cetera, those are exposed then to customers.
And so when you think about the integrations that are, I'm sorry, the way that that visibility ends up working, it provides a very unique vantage point to RiskIQ as well as our customers. And if you look across our customer base, we have a number, like in the tens, like the high tens, of global cybersecurity organizations.
And you'll notice, they will write research papers and say, here's a bad guy, here's why he's picking on you, here's an example, here's every place else on the internet that this exact thing is happening, and that's normally us. And then normally they close out with buying more of their products or configuring them differently for the purposes of being able to maybe respond to a particular threat or an unwanted event.
Well, that visibility, that capability of being able to take a singular thread on a sweater and, if you will, pull and unravel it and be able to see it, is something that is not very common, if at all, within the cybersecurity industry. So what we have within RiskIQ, prior to the acquisition, has just been bolstered quite a bit more with the acquisition by Microsoft.
We have a tier-one threat intelligence team that is constantly looking for bad actors, bad infrastructure, bad associations, et cetera, across the internet. And normally the original piece, the original thread that's pulled, if you will, is actually directly related to a specific observed event that occurred.
And then once you find that piece of infrastructure, the capability of being able to expand the aperture and say, okay, this isn't just one of one, this is one of a hundred different things that are happening exactly like this across the internet, so that when you're making a decision about alerting, when you're making a decision about blocking, you're actually doing it with the confidence of what the internet as a whole looks like, not just what a singular event is. Does that make sense?
It does, actually. This is something that I've been talking about recently, especially about data quality, because there are many vendors and many talks out there about how to increase the amount of threat intelligence that is shared. And sometimes I am concerned about the noise that will be introduced if the people do not have the expertise to share quality data with the rest of the community, and how that data can be used across the security solutions.
Yeah, that's actually a very good point, Gladys, because imagine that you received a piece of intelligence, whether it could be sensitive source reporting, whether it could be from another system that you have inside of your environment, or if a peer of yours in the industry comes to you and says, here's a bad IP. Well, what does that mean? Is it always bad and it's just continuing to be bad? Is it normally good and it's just bad right now? Is it from Russia?
And right now, anything from Russia is bad. And then once you make that determination for today, what happens an hour from now, or a day or a week? What does the entropy of that actually end up looking like?
And so, you know, because, as I was mentioning earlier, we own our own collection infrastructure, and this is a petabytes-upon-petabytes type of problem set that we're dealing with here, but because we own that entire collection infrastructure, we have the capability of being able to provide the provenance of what that IP address is in this example, the reputation of that IP address, that reputation over time, the history of it,
like what else was it related to? And what that does is it surfaces all of that content in context. And when that context is actually directly related to a particular issue that you are attempting to triage right now, that becomes invaluable. If you think about it generally, just look at the amount of news and research and source reporting that is happening on literally a daily basis now across cybersecurity.
And a lot of them are interesting, a lot of the information that comes off is actually, you know, quite battle-tested and relevant and so forth. But the real question that you have is, so what? What does this mean to me? You know, that's good that these bad guys are using this infrastructure to attack these kinds of targets. I generally align to that target, but am I specifically aligned?
And the ability to be able to tease that out in real time, the ability to be able to dynamically understand as your priorities change, as your security programs change, as threat adversaries change, you know, how that constantly relates to you. When I was doing a little bit of research on RiskIQ, I noticed that there's actually a RiskIQ connector for the Power Platform and for Logic Apps. Yes. Can you explain kind of where somebody would use, you know, that connector?
Well, generally, the primary benefit of having these connectors is to be able to ingest the specific components related to the internet that have to do with your particular business application. So prior to the acquisition, we were primarily, and we still are very, very heavily, focused on the threat intelligence world and how to be able to provide internet-scale data sets to provide a decision advantage.
But if you think about it, the extensibility that goes beyond threat intelligence for internet-scale data is almost infinite. If you imagine yourself as a CIO versus a CISO, you may have a simple question of what technologies you're leveraging. You may have a very firm understanding of the assets that you have within your organization, whether it's desktops or workstations or servers or licenses, bandwidth, rack space, et cetera.
But what do you have in terms of a digital asset management system? Because if you think about the fundamental components of digital assets, they're different than what exists inside the firewall. In a very simple example, you could have one singular IP address that maybe has 100 websites behind it, or you could have 100 IP addresses that all go back to a singular website.
And then once you go to a singular website, well, what CDNs are actually being used to transmit traffic across the internet to your organization? You could look at it in terms of CMSs or maybe third-party components or widgets or different functionality that's pulled in from across the internet at runtime. And if you look at the charter of CIOs, I mean, effectively, they get paid to do one very simple but very far-reaching thing.
And that's to take the blinking lights in the data center and tie them to earnings per share. And the reality is that those blinking lights in the data center are now becoming elements of the web, or partially on the web and partially in the cloud, or partially on the web and partially in your data center as well. So the way that that problem needs to be solved has changed.
And so as a result of that change, the capability of being able to take this level of data and infuse it into other IT operations provides a very, very interesting future, I think, for Microsoft and RiskIQ. Yeah, I think you basically just said that it sounds like I could consume one of these APIs, call out to RiskIQ, and I could use the response that you give me. Let's just take a real simple example. Let's say someone connects to my logic app from some IP address.
I could call the RiskIQ stuff and have it give me all the information that I need to know about that IP address. So I could take the information about that IP address and then start to make decisions about whether I'm going to accept that connection, for example. Correct. And I think in your example there of making a decision, there's the capability of being able to do that on a case-by-case or singular, like, does this work, type of instance, but as well as being able to automate it.
Because having the power of the internet basically harnessed into a singular collective data set with all the associated relationships packed onto it, there may be ways that that decision ends up maturing over time as you end up adding more or different types of data into the pipelines to be able to make that decision. So again, when I was looking at stuff about RiskIQ, I noticed that RiskIQ occupies a niche within the environment called Enterprise Attack Surface Management.
It's interesting that I see the term Attack Surface in there, because I've used the term Attack Surface for a long time as has the industry to understand how exposed, for example, an operating system is.
Like, if I have an operating system and it's got, I don't know, let's make up a number, 20 open ports, and seven of those ports are open to the internet, and although seven one is unauthenticated, then that particular port has a very high Attack Surface, because it's basically accessible to anybody on the internet.
And one thing that we focus on a lot back in the early days of Windows, especially with the delta between Windows XP Service Pack 2 and Windows Vista was reducing the operating system to Attack Surface. In fact, a Microsoft Attack Surface analysis and Attack Surface reduction is a critical part of designing any system. It's a major part of the Microsoft Security Development Lifecycle. So it's really kind of interesting when I saw this term, Enterprise Attack Surface Management.
Could you just give us the elevator pitch of what Enterprise Attack Surface Management actually is? The way to think about this is that the same elements that you described with regards to the attack surface of a particular desktop that had maybe ports and services that were open to the internet, that is now at a completely different level when you start talking about Enterprise Attack Surface Management from an industrial strength, kind of global organizational vantage point.
And there are two primary differences that are nuanced, even though the underlying premise is still the same. First of all, the underlying premise being you can't protect what you don't know.
So if you don't know something exists, if you don't know that a business unit went out and registered a website on a service provider and maybe put it up on a different cloud hosted provider and is offering some kind of services to customers, if something goes sideways with that, if something gets hacked within relationship to that, how do you even know where to start to respond?
The way that this is manifested on the corporate side and basically on the enterprise or organizational sides, whether you're looking in governments or whether you're looking in a specific commercial entity is that everybody came on the internet a little bit differently. Some people started off day one with a web server and a firewall and got going from there. Some people immediately went to a co-location facility.
Some people started to outsource it to third parties to be able to manage all aspects of it. And over the course of time, organizations have started to adopt and move from the inside to the outside or moving within their data center to cloud providers. Some have elected to go from co-location facilities into the cloud or maybe back into a data center.
And the primary difference that starts to surface here is that if you look at the whole reason that you have a website to begin with, it's actually not for the host organization. It's to be able to service your customers. So the question becomes on one side, how do I protect myself? Because that's important. I don't want somebody to take PII or PCI type data out of my environment.
But how of your security stack and the whole reason that you have a website to begin with is for your customers, how do I know my customers aren't getting hacked? If you look at some rather large incidents that have happened over the past several years, it's actually not an instance of the host company being attacked. It's the host company's website providing a mechanism for their customers to be attacked.
So a simple example of this is you may have some widget, maybe a third party shopping cart application that you have on your website. And that shopping cart application is actually being hosted somewhere else on the internet. It's not within any of your positive control points. And an adversary could try to hack your particular organization and maybe take credit cards out of your organization, or they could hack that third party.
And they could hack that third party so that any time that somebody went to your website and put in their name and their credit card number and their CVV and expiration date, et cetera, that when they hit that submit button, not only does it go internally to your organization to process, but it also goes to an adversary's website where they can house and subsequently end up using that credit card information in this example in a fraudulent manner.
And if you look at how attack surface management has grown up over the past 10 years or so, we didn't really even know what to call it when we first saw it, right? It's like we knew we had this capability. We knew that it was something the customers wanted. We knew that providing an attack surface to a customer provided ways to be able to augment or subsequently enhance anything from their bug bounty programs, from their vulnerability management programs, app sec, pen testing, et cetera.
But there also was this element of being able to provide a confidence that their customers, in fact, weren't being taken advantage of by utilizing their web services.
And as that scenario started to grow over the course of time, it kind of went from a fringe, like if I have time, yes, we'll do attack surface management for our digital enterprise, for the digital state that we've created and being able to have visibility to this the same way that users do, the same way that adversaries do, the same way that partners and customers, et cetera, have with my environment, and then being able to crystallize that.
And as we noticed probably about four or five years ago, this started to catch a lot of traction, for example, with analyst firms. It started to become more top of mind topics that we've seen covered in a number of different forums, like conferences and webinars, et cetera.
And the ability for this to become a foundational component, the ability for attack surface management to become a foundational component of any contemporary enterprise security program has gone from the early adopters into, I would say, more of a critical mass of organizations. And these are not just very large multinational global organizations, though they were probably more in the early adopter camp.
But think of organizations that have disproportionately smaller security teams to disproportionately large digital presences that they have. You see this a lot of the time in multinational or even domestic conglomerates, where they're more of a combination of a bunch of smaller brands and organizations that roll up under a centralized organization from an accounting perspective. So how can somebody see what this looks like? Do you have demos, some videos? Yeah, so a very good question.
Gladys, it actually takes us right back to the beginning of the conversation. RiskIQ said that we wanted to make the internet a safer place. And we came to the realization that the biggest challenge that we had to making the internet a safer place was there weren't enough good guys in the game.
And then bringing the capability of complex internet investigations and visibility and so forth down to a more consumable level that allowed anybody to interact with that, that led us down the path of actually creating an entire freemium model. So today, you can go to community.riskiq.com. You can set up a free account. Everything that we've been talking about here today can be unlocked within that account itself.
We have a little over 110,000, 120,000 different analysts across about 15,000 organizations today that are using it. It is, arguably, one of the most prolific freemium SaaS-based offerings that exist on the internet. And it also has a number of additional value-adds that we look at in terms of being able to provide visibility and capabilities to organizations. We have Threat Hunter workshops. For example, we do them about once a month.
We usually get hundreds and hundreds of people from across the globe on these Threat Hunter workshops. And what we do is we actually take things that are in the news. We take technologies that customers in the market are using. We take concepts that are very basic to very complex. And we actually show how, within the product itself, you can solve for a lot of these problems. So yeah, if you're looking for a way to be able to get in the game right now, you can go set up an account.
And you can reach out to your Microsoft contact, and we can give you extended access and more visibility and take away some of the limitations that we have within the product on the freemium side and actually provide a full enterprise version.
And then I would also offer, if you wanted to either sign up and look at some of our historical Threat Hunting workshops that we've done, where we've taken very robust infrastructure that has been set up by bad guys and systematically decomposed it, you can sign up for those, or you can sign up for new Threat Hunting workshops that we have coming up in the future. Yeah, originally when I started learning about RiskIQ, I signed up for some of those workshops.
I think it's every other Thursday for a couple of hours. And they were awesome. It just got me started. So I really recommend that. Yeah, it's a lot of fun. I mean, what has traditionally been types of access and types of visibility that have been relegated to a very small niche of cybersecurity professionals that largely learned how to do it over years and years of research and being practitioners, et cetera. Being able to bring that down to be able to have individuals.
I mean, we've got programs that we've done for high school kids, where we've taken very simple articles that show up in mainstream news that have either a singular domain name or a singular IP address in them and actually expand all of that and be able to say, this is what this infrastructure looks like on the internet right now. And this is the story behind everything that you just read in that news article. This has been really great. I learned a ton.
I mean, I just understood a little bit of what RiskIQ is, but certainly learned one heck of a lot more. So Jason, one thing we'd like to ask our guests is if you had one thought to leave our listeners with, what would it be? If I could leave any kind of parting thoughts with anybody, it would be around not needing to wait until some additional technology comes along or some future state occurs. The capabilities are there now, and the entry point is far easier than it's ever been in the past.
In closing, I'd really like to thank you for the time here today. And this is a topic that's very exciting to me, and I'm very passionate about. And it's very personal to me. So anything I could do to help, please feel free to reach out. I'm sure maybe we can do this again sometime. So again, thanks so much for joining us this week, Jason. I know Gladys and I really appreciate you taking the time. And to our listeners out there, thank you also for listening.
Stay safe, and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website, azsecuritypodcast.net. If you have any questions, please find us on Twitter at azuresetpod. Background music is from ccmixter.com and licensed under the Creative Commons license.