Following the clues as a digital detective

My specialty is incident response, as a lead investigator for our detection and response team and longtime cyber forensic investigator. My career started when I moved to the UK from Southern Africa many years ago now. I took up cybersecurity as a passion – probably after watching too many movies – and ended up working with customers compromised by sophisticated attackers, helping them figure out what to do next. And I haven’t looked back since!

My role is to stay abreast of the latest threats in cyberspace, and to help our customers respond when they come under attack. This starts with understanding the challenges we are facing ourselves at Microsoft. Much like putting on your own oxygen mask first when you are on a plane, you need to secure yourself before you can help others.

Getting our own house in order means thinking about the products and capabilities we have, any gaps in our defenses, and what new solutions we need to bridge those gaps. Machine learning is playing an increasingly important role with our own preparedness and ability to extend these protections to our customers.

We gather more than 8 trillion signals of security-related data on a daily basis. It just wouldn’t be feasible to process this through manpower alone, never mind generate actionable insights.

With machine learning, we can automatically cross-correlate malicious cyber activities to identify patterns and detect when different activities are part of that same incident. This enables us to understand how the attackers were able to get inside the organization in the first place, how they are moving around and even what end objective they are working towards.

The ability to do this kind of cyber detective work in real time is hugely valuable when you consider that a global organization can be taken out in as little as 18 minutes; even faster if the attacker compromises a privileged user such as a domain administrator.

The average time it takes for an organization to figure out that they have been compromised is actually increasing; currently it’s around 200 days.

You can only imagine the kind of damage that may have been done, and how hard and costly it is to push the attacker out, after that period of time. That’s why the detection of attacks is probably one of the biggest challenges facing the industry. After all, if you don’t know there’s a problem, how can you even begin to tackle it?

When done thoughtfully and in a way that reassures people, sharing what you’re doing can help rebuild trust. To address this, my team proactively trains customers to think about what they would do in an incident by presenting them with certain scenarios and asking them to think through exactly what steps to take. This can be anything from immediate actions to considering who should be woken up in the middle of the night.

I always stress how important communication is: having the right people involved and the right processes established, rehearsed and embedded into your organization’s institutional memory can be the difference between recovering from an incident or not. This also applies to external communications. Traditionally, organizations have been reluctant to disclose when they’ve been compromised, but I’ve seen some great examples lately of organizations using social media, for instance, to let people know they were under attack.

It’s always a question of ‘if, not when’ for cybersecurity, and this is why the industry has moved to an assume compromise mindset. For responders, it’s a bit like being in a fire station: you’re waiting on the bench, then the call comes, and you have to just drop everything. That’s why I actually keep several pre-packed suitcases intended for different climates and lengths of stay, so I can grab one and go! Of course, I’m not travelling a lot right now, given the ongoing pandemic, but I’m just as busy. Fortunately, the vast majority of incidents can be investigated using data uploaded to our Azure platform.

When a customer is dealing with a cyber-incident, it can be a highly emotional time for everyone involved. Customers that deal with these situations well are those who already have a structured plan in place, which helps them stay focused on ensuring business continuity, rather than just reacting to the incident at hand.

I believe that automated threat detection and response capabilities, underpinned by tools like machine learning, have real potential to help us and our customers stay ahead of cyber threats. I’d like to see them adopted more widely as we face new challenges around defending democracy, fighting misinformation, and dealing with deep fakes. We should take whatever gives us an edge over the attackers.