David Finn, Judson Althoff: Convergence 2015 (Day Four)

ANNOUNCER:  Ladies and gentlemen, please welcome President Microsoft North America Judson Althoff.

JUDSON ALTHOFF:  Good morning and welcome to our final keynote session of Convergence 2015.  I would like to just say one last word about our conference band The Groove Merchants.  You probably don’t know this, but they start in here when it’s completely empty and we open the doors.  And I think it’s just pretty awesome to come out here with that much energy and sing to a bunch of nothingness and really fire up the crowd as you all come in.  So how about another big round of applause for The Groove Merchants.


Speaking of bands, how did you like One Republic last night?  (Cheers.)  Our little way of saying thank you to all of you for spending your time with us here at Microsoft.

So this morning’s topic is pretty intense.  It’s a significant topic that I know is top of mind for many of you.  It’s on cybersecurity.  And in just a few moments David Finn is going to come out and tell you about all of the important work that Microsoft is doing in this space.

But before he does that, let me kind of recap the week for you as well as tell you a little bit about what you’ll see from Microsoft in the coming months.  It was a fabulous week here at Convergence, and I hope you truly felt how we’re making this our premiere event for business.  At our core, Microsoft is the productivity and platform company for the mobile-first, cloud-first world.  And our mission is to empower every person and every organization on the planet to achieve more.

Satya in his keynote talked about how we’re evolving from systems of record and systems of engagement to systems of intelligence, and how our core assets, our three big, bold ambitions of more personal computing, reinventing productivity and business processes, and building the most intelligent cloud enable you to do more within your organizations.

In personal computing, we’re bringing out innovations in Windows 10 and Cortana to help you better interact with technology.  You heard about our announcements of Office 2016 and Delve, Skype for Business, Azure IoT Services to help you reinvent productivity in your business processes.  We talked a lot about Dynamics CRM and the coming of AX 7.  All of these innovations are meant to foster this culture of empowerment to empower you as individuals, to empower your organizations, and to empower your industries.

Kirill then brought up some awesome customer examples.  I hope you enjoyed them as much as I did.  We showcased everything from Office 365 to Dynamics to Azure, and we had tons of new product announcements.  But what was best was to see them all come to life through these fantastic examples.  And we hope that what you took away from that is that we at Microsoft are changing the way that we think about innovation in technology so that we can work together with each of you to bring those kinds of experiences to life in your environments.

The general sessions throughout the week covered a variety of topics.  We unpacked how to harness big data and how to reinvent productivity within your organizations as well as how to maximize all of the customer engagements that you have through sales and marketing.  If you missed some of the general sessions, they’re all recorded online.  So we encourage you to go back and follow-up on them.  We know we had a ton of content for you to soak in this week, so we want to make sure that you’ve got the ability to take it all in.

Again, this is our premiere event for business.  Convergence will continue to evolve in the coming years.  What you’ll see next from us on the event horizon is our premiere event for IT professionals.  May 4th through the 8th, we’re holding Microsoft Ignite.  It’s in Chicago, and Satya will be unpacking all of our technology innovations for your IT professionals to come and see.  So whether it’s you, your peers within your organization, please do join us for that event.  It’s sure to be a fantastic opportunity.

For this group we want you to stay connected.  We want to keep the conversation going.  So we’ve built all kinds of Convergence social channels on Facebook and Twitter, and LinkedIn.  And we want you to stay active within the community and participate in these conversations.  We also have Dynamics User Group Summits that are kicking off in Reno and Tahoe later this year.  They’re actually run by you.  They’re run by users for users and they offer deep dive technical and business information on how to use Dynamics business solutions and we’ve listed some of the events here on the charts behind me.

So for Convergence, I’m excited to announce we have two coming up Convergence events, one that will be held in EMEA in Barcelona, Spain, November 30th through December 3rd, and then Convergence 2016.  Next year we’ll be headed to New Orleans April 4th through the 7th, and we look — (audience response.)  All right, it seems like that was a popular choice, great.

So we look forward to seeing you all there and we really, really promise to deliver a fantastic event for business users.  So let me unpack the main event here this morning.  I’m going to talk a little bit about cybersecurity.  Microsoft is dedicated to data privacy and security.  And for us it goes beyond protecting our customers from threats.  We’re investing in core technologies and businesses processes to help you understand the true threat from cybercriminals.  And we’re making investments that enable advanced threat detection, as well as what we call damage mitigation, because unfortunately sometimes these attacks are unavoidable and we need to help you empower your users and protect your company assets in the inevitable and unfortunate event of an attack.

Basically we’re attempting to stop these individuals and organizations behind cybercrime from impacting your business and your customers.  We do this using our technologies, but also our partnerships with commercial and public sector organizations and with the law.  We’ve actually gathered some of your questions in advance of this presentation this morning and I will actually come back out here with David Finn to have a bit of a fireside chat with him to talk through some of those questions.

Listen, this is a serious topic.  It’s an unfortunate topic in many ways that we have to worry about how people will take innovations and something that is pure, a pure statement of empowerment around empowering individuals and organizations and industries and use it to bring harm.  But, the best way to handle it is to increase your awareness, get smart on the topics, and be prepared.  So I hope you enjoy this next session.

(Video segment.)

ANNOUNCER:  Ladies and gentlemen, please welcome Executive Director Microsoft Digital Crimes Unit, David Finn.  (Applause.)

DAVID FINN:  Thank you very much.  Good morning everybody.  Wow, it’s really a great privilege to get to talk this morning, to share with you the work Microsoft is doing to fight cybercrime around the world and protect people.  It’s especially exciting, because virtually all of the work we do is in partnership with others, in partnership with our customers, in partnership with industry, with academic researchers at colleges and universities, and with law enforcement.

I’ve had the opportunity over the last year or so to meet with customers around the world, and if there’s one thing I’m seeing clearly it’s that cybersecurity is no longer an issue just for the server room.  It’s an issue for the boardroom.  Our customers know that there’s just an enormous amount at stake.  You can lose the value of your brand, if there’s a hack, an attack on your organization.  You can lose your reputation.  You can lose your customers.  Senior executives can lose their jobs.  And the very thing that makes you competitive, that differentiates you in the marketplace, your intellectual property, can be taken.

If the cybercriminals have their way they will inject malware and viruses into your computing devices and they will take your confidential information, steal your passwords, drain your bank accounts, even turn on your webcam all without your knowing it.  So there is a lot that we need to do, and we are working very hard to do that in partnership around the world.

Now a year ago or so McKinsey came out and said cybersecurity is a CEO-level issue.  That’s clear to everybody, as I just said.  But, one of the things I’d really point your attention to of the sort of data points on the screen right now is the first one, that the median number days before an organization is even aware that it’s been attacked is 243.  Eight months going by before an organization knows it’s been compromised.  So there can just be catastrophic harm to that company when it takes that long to figure out that it’s been compromised.

But, it’s against this backdrop, this rising issue for customers, and in the industry that we at Microsoft opened 16 months ago the Microsoft Cybercrime Center.  The Cybercrime Center is based at our headquarters in Redmond.  It’s where I work with the Digital Crimes Unit.  We’re a team of about 100 people, former prosecutors like me, I worked at the United States Attorney’s Office in New York City before joining Microsoft 15 years ago, former law enforcement officials, investigators, big data specialists, intelligence analysts, lawyers, paralegals, business professionals, software engineers, and we’re focused on creating a safer digital world so that everybody can use the Internet safely.

The way we do this and the way we’re driving towards that vision is fighting really two types of cybercrime. The first are technology-facilitated crimes that really target the most vulnerable members of the population, so particularly children and the elderly.  The second area of cybercrime we’re focused on is fighting malware and reducing digital risk.  And over the course of the next 30 minutes or so I’m going to talk about the work we do in both of these two areas.

But before I do that I actually want to give you a sense of the how, how we do what we do, because it’s really a blend of some 21st century techniques, and some techniques that are as old as time, 15th century techniques.  So on the one hand, we’re using big data and technologies and visualization and mapping to understand and track and trace the cybercriminals.  And that is absolutely critical because there is something special about cybercrime that differentiates it from conventional crime.

Crime on the streets is generally one or a group of criminals targeting one or a group, small group, of victims.  But cybercrime is very different.  The attackers are often thousands, hundreds of thousands, millions of computers or computing devices that have been hijacked and act as a drone army on the behalf of cybercriminals to attack.  And they don’t just attack one or a small group of people, they attack thousands, sometimes hundreds of thousands, sometimes millions of users of computing devices.

So it’s a many-to-many kind of crime and not a one-to-one kind of crime.  And what that means is if you’re in an area of many, and many, boy, we have got to figure out how to use data, how to use big data and analytics to disrupt those cybercriminals, and we are making tremendous strides.  I can tell you the work we are doing is really — the work we’re doing in big data and technology is absolutely revolutionized the work we do in the Digital Crimes Unit.

Aside from that 21st century piece, I said there’s a 15th Century piece.  There is no substitute for good, old-fashioned, hard-scrabble, gumshoe investigations, just really tenacious investigators following the traces of the cybercriminals and working hand-in-hand with law enforcement to see that we bring them to justice.

And then the third area is using laws.  We are a team of many lawyers around the world.  I said we had 100 people, 35 of the team is based at the Cybercrime Center in Redmond.  The remaining 65 or so are distributed in 30 different countries around the world.  And we’re leveraging civil and criminal laws, sometimes old laws, sometimes new laws, to apply to this 21st century crime.  And it’s really this blend, I think it’s this diversity of skills, of technology, and law, and engineering, and investigations that is critical if we’re going to do an improved job of disrupting the cybercriminals and protecting people.

So now turning to the crimes, I want to first start with the work we’re doing in the vulnerable population space, particularly child exploitation.  You know, it’s a huge, huge societal problem all around the world, sexual abuse.  We know that one in five girls around the world will be sexually abused before they reach the age of 18, and it’s one in ten for boys.  And unfortunately this wonderful technology we have, this fantastic thing that is a great — something that can be used for so much good, the Internet technology, is sometimes unfortunately distorted and leveraged by the cybercriminals to do great harm.   And child predators certainly are using the Internet to do that very thing.

And what they do is they trade in images of sexually abused children, 500 images of child exploitation will be traded online basically every minute of every day.  And looking at this problem, we at Microsoft were thinking is there a way that we can reduce that, that we can essentially prevent the revictimization of children?

And it’s a hard problem because there’s 1.8 billion innocent images that are put up on the Internet every single day.  So trying to ferret out those awful, evil, criminal images from the wonder that is in the Internet every day is a real difficult challenge.  But it’s a challenge that if we use great minds and come together I think we can do some great things.  And that’s, in fact, what happened.

Microsoft researchers worked with some researchers at Dartmouth College to develop a technology called PhotoDNA.  And what PhotoDNA does is essentially just as the name sounds, it gets to basically the underlying genetics, if you will, of a photograph.  If a photograph has been deemed illegal by the National Center of Missing and Exploited Children or law enforcement, that photograph there’s a unique digital signature that’s created of that photograph, and if it appears anywhere else on the Internet and an organization has licensed PhotoDNA from us, then that image is — the match is made and the photograph is taken down. The technology is so good that it actually defeats efforts by the cybercriminals to modify those photographs, to modify those images, precisely because even to the naked eye there may be a change, but the underlying DNA of the photograph is not changed.

So we have licensed PhotoDNA to over 50 organizations around the world, including some of our competitors, because we believe strongly that this is an issue that absolutely transcends competition.  And we’ve implemented it in our products, and I’m proud to say that just in 2014 alone this technology not only created a safer online experience for our customers, but it led to the arrest of 58 individuals, child predators, in the United States.  (Applause.)

Thank you.

Now as proud of that as I am, I’m more excited about the fact that millions of images were taken down.  So it’s one thing to say there are arrests.  It’s another thing to say millions of incredibly awful, criminal images were removed from the Internet virtually instantly.  So this is a really exciting development.

But we at Microsoft, if I hope that there’s one thing you’ve learned this week, it’s that we keep pushing forward.  We know we can do more.  And I’m just thrilled to announce that we’re now launching PhotoDNA in the cloud.  And what that means, everybody, is the one thing that was difficult about PhotoDNA in the on-premises solution was that it wasn’t easy to implement.  But now with PhotoDNA in the cloud, you can implement it in your own organization so much easier than we could before.  So instead of 50 organizations using PhotoDNA, I’m really hoping we can get to 50,000 organizations.  And I would just ask all of you in the audience today, please consider adopting PhotoDNA in your organization. You can do your own part, because it’s not very difficult.  I invite you all to go to the Microsoft.com/PhotoDNA website, you can learn more.

And you can do even more while you’re here in Atlanta. At 11:30 there’s going to be a session led by two Microsoft technologists, Greg Clark and Mike McCarder, and they’ll be joined by really one of the pioneers in this space, and that’s Ernie Allen who used to work at the International Center for Missing and Exploited Children.  The three of them will lead a session in the Thomas Murphy Ballroom.  Please consider going there.  Please consider adopting this technology in your organization.  If you do, you have an opportunity to have all the images that are put up in your workspace that you don’t know about and you don’t see, if there are any inappropriate images that match the database, then those will be taken down as well.  So please think about that.

The second area I said we’re focused on is fighting malware and reducing risk.  Now the way the cybercriminals largely at the moment inflict criminal harm on a massive scale is through the use of what are called botnets.  And a botnet is short for robot network of infected devices.

And the way this works essentially is you have cybercriminals at the top who draft and deploy and disseminate malicious software through a variety of means.  Maybe it’s through unlicensed software, maybe it’s through luring a person to click on a website he or she shouldn’t click on, maybe it’s in an e-mail attachment.  But one way or the other, the cybercriminals manage to inject malware in computing devices. That’s often not just hundreds or thousands, sometimes it’s hundreds of thousands, millions of computers that now have malware at the bottom.  So cybercriminal at the top, a robot network or botnet of infected devices.

And what the cybercriminals at the top now do, they have this army, essentially they’ve hijacked computing devices to inflict criminal harm.  They might use that botnet to steal financial information, to rob banks electronically, essentially a kind of 21st Century digital robbery.  They might use the botnet to send spam, spam that drives fraudulent revenue that lines the pockets of the cybercriminal.  They might use the botnet to launch denial of service attacks, essentially destabilizing organizations with making their computers crash by a simultaneous barrage of a botnet sending electronic signals.  And they might use the botnet to engage in click fraud.

You’re all familiar with the online click model.  It’s essentially a human being looks at an advertisement, clicks on it, and that click drives revenue.  The advertiser pays for the click, and the revenue is generated, a nice stream of commerce.  Unfortunately the way the cybercriminals hijack that process is they use the botnet to drive millions and millions of automated clicks at one moment.  So now you have many, many clicks, not human eyeballs, you have advertisers paying for those clicks, and you have fraudulent revenue that is generated that ultimately benefits the cybercriminals.

So what we do at Microsoft is we work with law enforcement and industry partners to disrupt these botnets.  And the central thing that we do at Microsoft that is really leveraging both of the civil laws both old and new is go before a judge and ask to sever the link between the cybercriminals at the top and that botnet.  We go before a court and ask to sever that link, cut the cord, really, so to speak, between the command and control layers that the cybercriminals use to drive their organization and all of those infected machines.

Working with law enforcement, law enforcement will take out the servers physically, the command and control servers that may be located in areas across the world and then we get an order that redirects all those infected machines to Microsoft at the Cybercrime Center.  So those infected machines that had been talking to the cybercriminals at the top, asking for instructions, what bank account should I steal from, what denial of service attack should I launch, are now coming to us.  They’re still asking the question, but we’re not cybercriminals.  We share that information immediately with law enforcement.  We share it with Internet service providers.  We share it with computer emergency response teams and the computer emergency response teams, or SERTs for short, the way to think of them is if the army protects the land and the navy protects the sea, and the air force protects the sky, the SERTs, their job is to protect the critical computer infrastructure of a country.

By sharing this information with these organizations we can then move very quickly to try to get these machines cleaned as quickly as possible.  Our folks in Windows Security in Microsoft work with those organizations where there are Windows machines that are involved to get those machines cleaned.  Typically within two months or so after an operation about 30 to 40 percent of those devices are clean.  But, it’s a massive scale problem, so many of these machines remain infected.  The users have no idea and if they’re infected with that piece of malware we know they’re much more likely to be infected with others, as well.

Now we’ve worked on a number of these botnet disruption cases over the years.  The last three years we’ve done about a dozen of these cases.  You may have read about some of them.  We’ve worked with our customers on some of these cases, particularly financial institution customers who sat with us weeks at a time to understand and track and trace what the cybercriminals are doing.

We’ve worked with industry partners, and of course we’ve worked with law enforcement, with Interpol, with Europol, with the FBI, with law enforcement recently in Germany and Italy and the UK and the Netherlands.  And I’ll talk about that case in a few minutes.  But, essentially what we’re doing is coming together to try to disrupt the cybercriminals so that we can protect our customers and people around the world.

I thought I would talk about one case and actually show you a little bit about how we marry up visualization and big data to generate insights that enable us to do our work better.  So I want to talk about a case called the Citadel malware case.  This is a case from June of 2013.  This was one of the biggest botnets in history.  We worked on this case with the FBI.  At its peak the Citadel had more than 1,600 separate botnets that were at work in support of the cybercriminals.

The way Citadel worked is it actually took keystroke from the users of the computers without them knowing it.  And it enabled the cybercriminals to steal money from individuals and small businesses all over the world.  At its peak more than 5 million devices were infected in 91 countries.  And the financial institutions we worked closely with estimated that more than $500 million, that’s half a billion dollars, was stolen over an 18-month period.

Now, what we did was work closely with law enforcement and FBI in particular, and some industry partners, to disrupt that, to basically sever that communication link and end the victimization of those people.  And what I want to do now actually is show you how we married up big data and visualization in this case in particular.

So I’m going to walk over to the PPI and I will just say that this device has changed everything in the Cybercrime Center for us, because it is such a fantastic tool for collaboration.  People on my team they don’t really even want to work in their offices anymore, they just want to work with the PPI, because it generates so much great cooperative learning.  But, what I want to do now is actually show you the visualization of the Citadel case.

So what you’re going to see on the screen is the infection pattern of those 5 million devices.  The redder it is the more infections there are.  Not surprisingly, when you look at the United States where there are big cities there’s a lot of red.  There were a lot of infections in those big cities.  But, one of the things that was interesting was when we looked at Europe we saw something interesting.  A lot of red, as you would expect, but whereas the population of Europe extends from the western most part of Portugal through east of Moscow, it appeared that the infection in Citadel didn’t.  That is to say the infection pattern seemed to stop on a national border.

So you can see right here there seems to be a pretty sharp line there.  We just couldn’t understand why that would be.  If you think about human disease, human disease doesn’t tend to stop at a human-generated frontier, a boundary.  Why would the Citadel malware stop on a border?  We didn’t know.  So after we looked at this visualization our forensic engineers took another look at the malware.  They went into the malware lab and they tore apart the code.  And what they discovered was it was no accident.  In fact, the malware had been written so that it would not infect computing devices formatted in Russian Cyrillic or Ukrainian language.

Now, we’ve been fighting cybercrime for a long time, and we knew pretty much immediately what was going on once we discovered that.  It’s that the cybercriminals in this case were based in Russia and Ukraine, and they knew that if there were fewer victims in their countries, it would be less likely that Russian and Ukrainian law enforcement would prioritize this case, and they would be more likely to evade accountability for their actions.

Now, I showed this very demo a year ago in February in Redmond in the Cybercrimes Center.  We hosted a cybercrime enforcement summit.  We had officials from Interpol, Europol, the FBI, Secret Service, law enforcement from all over the world.

And I showed it for two reasons.  One was to really illustrate the fact that when you’re dealing with cybercriminals who are this crafty, this cunning, this sophisticated, boy, we have got to figure out new ways to work across borders.

The second reason I showed it was to really illustrate the power of using big data and visualization and bringing them together, because I really don’t think we would have seen this.  I don’t think we would have had this insight had we just been looking at a list, a table of the numbers of infections country by country.  It was actually bringing that data and marrying it with visualization that led us to this kind of eureka moment.

And by the way, some of you may notice that Moscow has some red.  The reason for that is Moscow has a lot of expatriates living in it.  Those are devices running English, French, Italian, and other languages.

But what I want to do now is actually shift from showing you the visualization from one case to showing you the visualization from all the cases we have done over the last several years.

So instead of just 5 million IP addresses associated with infected devices, you’re now looking at 70 million IP addresses associated with infected devices.

The rainbow, the colors represent the different cases we have worked on.  So the purple one is Citadel, the one I just mentioned, but what you’re looking at is lots of different colors representing different cases.

What’s really exciting about this is we can see infections at the country level, the state level, the city level, but we can do better than that.  We can drill down right down to a few blocks of where you’re sitting right now.

So this is the infection pattern in Atlanta right new the Phillips Arena.  And what you see, I mentioned Citadel, you see that there are 10 IP addresses associated with infected machines in this area.  And you should know that we at Microsoft can’t see the IP address down to the individual residence or business, we see the ISP consolidation point.  That’s one of the reasons it’s so critical that we share this information and work with ISPs, because they can identify end users with a degree of particularity.

You can also see that this other case, B106 in yellow.  That’s a case we did last summer.  But, you know, it’s exciting to be able to see this level of granularity, this level of detail.

And you know what we did just did for Atlanta we can do for any city in the world.  So here’s the view of New York City, and you can see in New York, you know, I’ve illustrated the numbers for Citadel and B106.  And we can go look anywhere else.  I knew that there’d be a lot of people here from around the world, so right before I came I used London, looked at London and Ramnit is one of the biggest ones.  I’ll talk about that case in a moment.  That was a malware case that actually targeted UK banks.

We can look at Sydney, again get to look and see Sirefef.  That’s one of the biggest ones.  Sirefef was a malware case that involved click fraud.

And then we can finish up with Rio de Janeiro.

The thing that’s exciting is to be able to go city by city and look.  You know, in the world of conventional crime, different cities have different kinds of crimes, owing to a host of factors, and the same thing applies to cybercrime.

So it’s really been amazing to have the capability to use big data and visualization to understand how the cybercriminals do what they do.

Now, I said it was big data, it is big data, 70 million IP addresses currently in our Azure database, but those 70 million IP addresses reflect a very, very efficient criminal army.

The cybercriminals have such an efficient army that the computing devices that are infected are repeatedly every day asking for instructions from their master.  What bank should I drain, what span should I send, what click fraud should I engage in?  Five hundred million times a day there is an electronic signal from those machines that we see at the Cybercrime Center.  You know, that’s really all we see is that electronic signal.  We can’t see any content, we can’t see — there’s no deep packet inspection, we’re just seeing those signals.  But 500 million times a day, that is a huge amount of information.

And the volumes are constantly changing.  As I said before, our goal is to get these machines cleaned, so we want the numbers to go down.  But we also do these actions repeatedly, and want to increase the number of these actions we do.  So that increases the number of IP addresses.

Significantly, and I think really critical, is that we do intelligence sharing.  We reach bi-directional intelligence sharing agreements with our customers and industry so that we can also learn more about the cybercriminals operate.  And when we do that, we also increase the size of the database.

Now, as I’ve said, this has really revolutionized what we do, and I know I’m enormously thankful to the folks on the Cloud and Enterprise team, the technologists inside Microsoft who are building magical products and services that are helping us do this.

But, again, we’ve got to get better.  The fact is, as good as this is, until very recently, we couldn’t see this until 36 or 48 hours after an operation.

So imagine, working with law enforcement around the world, we’re trying to understand what just happened after an operation has commenced, investigators in law enforcement control rooms, we’re at the Cybercrime Center, and we have to wait for a day and a half to two days to see how many and what kinds of machines have been infected and are talking to us in the Cybercrime Center.

It’s just not good enough.  We need speed, we need data analysis, but if it’s slow, we can’t do as well.

And I’m just absolutely delighted that I can tell you all that we have made tremendous progress over the last year.  We don’t have to wait 36 to 48 hours anymore because we have been on our own technology journey.

We started — I said I’ve been at Microsoft for 15 years.  We have used great products to help us understand what cybercrime criminals do.

I am a data junkie.  I believe that data makes you better, makes you smarter, whatever you’re doing.  I will say that my favorite day in my 15 years at Microsoft was last April when Satya Nadella stood up and talked about the data culture.  I practically did a jig on my kitchen table.  I just felt like, wow, there’s just so much you can do with data, and we’re using it every day.

And I know he talked about it again on Monday.  But as much as we’ve done over the years, we’re doing so much more now because we have taken our capabilities to the cloud.  We run our cybercrime fighting business on the cloud.

We are using — Satya talked about — the suite.  The Internet of Things suite.  We are using three parts of that suite today in the Cybercrime Center:  Power BI, Event Hubs, and HDInsight.  We are using Parallel Data Warehouse.

I showed you already, the map I showed you was Power Maps.  That comes with Office 365 for free.  But what’s happened now is we’ve moved in recent months to this Internet of Things capability.  We are now able to see things in near real time.  Instead of waiting 36 to 48 hours, we are seeing things instantly.  And that is pretty amazing when you’re talking about the kinds of volumes of data we’re talking about.  And I’ll show you what I mean in a minute.

And in the future, we’re going to keep pushing.  I know if we use machine learning, which I think is the next real big step on our journey, we are going to be able to do a better job anticipating the next move of the cybercriminals.

And we’re going to use Azure Stream Analytics, and that will help us as well.  So as excited as I’ve been by the journey and how much progress we’ve made, I know we’re going to get to go even further in the weeks and months to come.

But I want to show you now what I mean about using these technologies and how far it’s taken us.

About a month ago, I said before that we worked on a case called the Ramnit case.  So Ramnit was malware that was targeted on U.K. banks.  So banks that were based in the U.K., but account holders all over the world.  And there are actually quite a number of account holders based in India and Indonesia in particular.

So we worked on this case, worked with law enforcement, very, very closely.  In fact, the day that the servers were ripped out physically in the Netherlands, Germany, the U.K., and Italy, we had an investigator, one of our members of our investigative team in Europe was very closely aligned with the folks in Europol and our folks in the Cybercrime Center were working at the exact same time.

But unlike some of those other previous cases, this time, the minute those servers were ripped out and the orders from the judges were executed immediately, redirecting those infected devices to us at the Cybercrime Center, we saw them right then.

Using Event Hubs, we had instant insight.  We could see immediately the number of devices touching us.  Not only that, we could actually do analysis on those devices.  Just as human diseases have strains, infected devices in Ramnit, there are different strains of the Ramnit malware.

So those colors you see, the green, the yellow, the blue, those represent different strains of the Ramnit malware.  And think about it, we’re getting 500 million pings a day, now the Ramnit case comes online, because we’re using Event Hubs and able to generate, ingest the data and analyze it immediately, we’re practically instantly not only taking in the data, but quickly distinguishing which data is which.  Just an incredible, incredible step forward for us.

And then we could see later on one of the things that happens in these cases given it’s a global situation, sometimes it takes a while for all of the authorities to do what it takes with Internet traffic to resolve the IP addresses to send them to us at the Cybercrime Center.  We then had a big spike at one point in Asia, and we saw those instantly.

And we can see also, again, almost virtually instantly where the devices are coming from.  So there’s a tally, a running tally, which cities have most of the infections.  And that’s valuable because we want to get these devices clean.  And knowing which cities have the most infections allows us to prioritize, to work more quickly with different cert and ISPs around the world.

So it’s really valuable.  It’s leading to changes in the way we act so that we can then protect people.  And that’s because we’ve moved to Event Hubs and are using this technology to do our work better.

The other thing, another example, the way we use Parallel Data Warehouse.  So we’re absorbing this data instantly, but we’re also essentially at the same time doing open source research to determine where these IP addresses come from, what sectors.

So think of it as kind of like using the old brick and mortar world, a quick Yellow Pages search, which IP addresses belong to which sectors.  We’re able to do that instantly because of the power of the Internet of Things suite that we’re using.

So we were able to see — you see the purple are the number of IP addresses that are touching us, but we’re instantly able to do that search and see that, you know, there were 2,397 IP addresses associated with infected devices, apparently behind firewalls of schools and colleges and universities.

We could see the number for Internet hosting services, for financial institutions.  Essentially, we’re able to see there are infected devices that probably these organizations have no idea about, and we’re seeing that in near real time that there were devices that were infected with Ramnit behind the firewalls in those institutions.  That comes from having great technology, big data, and combining it with the legal work and the investigations and the partnerships with law enforcement.

But probably more than anything, the thing I’m most excited of all about is that we’re now bringing this database, those 70 million IP addresses to our products and services to protect our customers.

So you may have heard this week about the Enterprise Mobility Suite.  It’s one of the most exciting offerings we have in the Microsoft Cloud.  Azure Active Directory Premium is a part of EMS.  And Azure Active Directory Premium has a console for the IT administrator that allows him or her to see if their sign-ins from customers or employees or partners, if they come from IP addresses with suspicious activity.

And one of the key ways to see if there’s suspicious activity now is using our 70-million-strong IP addresses.

So if an employee of a customer using Azure Active Directory Premium logs in, there’s a quick scan against the 70 million.  And you might see, whoa, that IP addresses matches the Zero Access or Conficker or Bamital IP address.  Those are three of the malware disruption cases we’ve done over the last few years.

So the IT administrator can now basically have a warning system that can tell him or her, hey, maybe I shouldn’t allow this user in.  Maybe I should get this device cleaned first.  Now, that’s really an exciting thing to be able to bring to our customers.  There is no silver bullet when it comes to cybersecurity.  But to be able to take this massive volume of IP addresses associated with infected machines and build that into our products and services to keep our customers safer, well, that’s really something to celebrate.  (Applause.)

And if we have that in our cloud services, we don’t stop there.  We’re working very closely with our partners in Microsoft Consulting Services.  We have a terrific cybersecurity practice there.  They’re also using this intelligence.  They’re using it in the way they do assessments.  They get brought in to help customers understand the security situation in those customer environments, and they’re also leveraging this data.

So they can work with a customer.  All the customer has to do is give us the precise IP address range.  Before I said you can see some open source intelligence that can give you some indication, but of course, there’s no substitute for the exact range that a company can give us.  And we can run that IP address range against the 70-million-strong IP address database we have.

And you remember when I first walked out, I talked about the 243 days.  Eight months before an organization even knows it’s been compromised.  Well, think about what this is now bringing to our customers.  In the cloud and our consulting services, we have an opportunity to use this data to help you know much sooner than 243 days that you have infections and that you might have been compromised.  So that also is a really, really exciting thing for us.

And MCS uses that both in proactive and reactive offerings.  So you can hire MCS to come in and look at your environment and see what the security situation is.  And in the unfortunate event, if you have been attacked, MCS can come in in a reactive way and use intelligence.

And we have, in fact, they have been using this intelligence now, and they’ve had customers who have learned as a result of this intelligence about infections they didn’t know about.  So it’s really a great thing, and we’re really excited to bring that to our customers.

Now, I said I work in the Cybercrime Center in Redmond.  I would invite all of you to come to the Cybercrime Center in Redmond, but I know not all of you can.  We’ve had hundreds of customers visit us since we opened in November of 2013.  But we know that doesn’t work for everybody.  Lots of people don’t live in the Pacific Northwest and don’t get a chance to go there.

So we’ve opened Cybercrime Center satellites around the world.  The fourth and fifth one, Singapore and Tokyo, just went live in the last month.  Think of the Cybercrime Center satellites as kind of mini Cybercrime Centers.  Really, invite you to work with your Microsoft representatives to come to the satellites to see more about the work that we’re doing and more that we can do in partnership.  As I said, cybercrime is way too big for any one organization to handle, it’s something we’ve just got to work on together, so please take us up on this offer.

And besides the Cybercrime Center satellites, we have Microsoft Technology Centers, so the MTCs.  We have DCU, Digital Crimes Unit, and Cybercrime Center content now built into 30 different Microsoft technology centers around the world.  Please come visit there, work with your Microsoft contacts to get to know more about some of the stuff I’ve talked about today if you’re interested.

Now, it’s a chance for you to explore more about that work and really exploring is a lot of what this work is about.

We’ve made a lot of progress, but we have a long way to go.  And we are going to continue to explore.  One of the things that makes me so excited about working at Microsoft is that we’re constantly innovating.  And we’re going to constantly innovate when it comes to learning and following and tracking and tracing the cybercriminals, too.

We’ve used a lot of data visualization.  We’ve used some great technologies, but we are going to partner with anybody who can help us understand how the cybercriminals work.  And we’re going to experiment.

My father was a professor.  I grew up in North Carolina.  And he was experimenting all the time.  And when you do experiments, you learn from them.  And Microsoft, our research, our approach to understanding is all about experimentation.  And we’re experimenting in the Digital Crimes Unit.

We recently hired an outside group called the Office for Creative Research.  We wanted to do some new experimentation with visualization and big data.

So what we did was we actually worked with OCR to build a new visualization model.  So if we could go to the video on that, please.

What you’re looking at now is sort of a 24-hour view, new visualization that we worked on with OCR.  I mentioned the Citadel botnet.  This is a 24-hour view.  You’re basically seeing from the outer rim to the inner rim of that dial is the frequency of calls from infected devices to us at the Cybercrime Center.  The colors represent that.  Around the dial is basically 24 hours, midnight to midnight, around the world.

We’re also able to look back and look historically.  Just look at a day and compare one other botnet.  Waledac was another case we did.  We can just look at different slices of the infections using the colors, seeing if we can generate insight.  See if there are anomalies just helping us perhaps learn new things about what the cybercriminals did.

And we worked with them also on some new kinds of visualizations beyond looking back, actually looking at our live feed.

So this is not a live feed here, it’s a video, but this is the feed that we were working on.  So we’re now looking at 13 different strains of some of the malware we’ve worked on.  The dots represent different locations where calls are coming in, the frequency of those dots represents the frequency of calls.

Again, we’re exploring, experimenting, seeing what we can learn from new kinds of visualization.  And you see the cities called out so we can see where those calls come from.

And one of the things we did with OCR was we said, “Hey, we’re learning by marrying big data with visualization.”  But what if we tried something new?  What if we tried not just visualization, but audification?  Actually sound.  What if we actually tried to do something where we listened?  Maybe we could generate insights by listening.

And so we basically asked the question:  What does a botnet sound like?

(Break for sound clip.)

DAVID FINN:  So the pings represented an individual location in the world.  And that static sound were the calls to the Cybercrime Center.  Now you’re going to hear an audification for calls — the live feed.  And you’ll hear the cities where the infected devices came from.  You’ll hear those names called out as well.

(Break for sound clip.)

DAVID FINN:  And now, bringing the audification, the bid data, and the visualization together.

(Break for video clip.)

DAVID FINN:  Now, I have to tell you, everybody, we don’t have any “eureka” moments yet from this experiment.  We had that eureka moment from the Citadel case where we used visualization and it helped us discover new things and gain insights.  And we’re getting those sorts of insights every day.  But this latest experiment, we don’t have them yet.  But that’s not the point.  The point is that we are exploring.  We will be unbounded in the way we approach this because that’s what it’s going to take to do a better job tracking and tracing the cybercriminals.

And I know if we do that, we will generate insights.  We will learn about the anomalies.  We will do a better job.  And most importantly, we’ll then be able to protect our customers more and keep you safe and secure.  Thank you very much.  (Applause.)

JUDSON ALTHOFF:  A great talk, David.

So, David, I’m just curious to maybe start off here.  I mean, you’ve got a really background in legal and technology.  How does one actually get into the study of digital cybercrime?

DAVID FINN:  Well, I mean, in my case, I don’t really know the answer.  I can only answer about myself.  As I said, I was a data junkie.  I grew up and was a huge sports fan.  I loved college basketball.  I grew up in Chapel Hill, North Carolina.  People here may know that Dean Smith, who recently passed away, was a great coach.

And one of the things Dean Smith did, he was a pioneer in using data.  And when I started watching baseball and all the other sports, basketball, hockey, tennis, every sport, it’s about information and analytics.

And for me, it was just natural to use analytics in everything I did.  I played chess as a kid, in college and law school, I played backgammon and poker for money.  And all of that was about using data.

So I was also interested in being a prosecutor.  I became a prosecutor.  But it was using data and the law was just natural for me.  And then when I joined Microsoft, it was just this perfect marriage.  And it’s just been really exciting to work in a place where data is central.  I think data helps you get insights, and I think it helps insights fighting cybercrime, too.

JUDSON ALTHOFF:  Cool.  Good combination of skills to help protect everybody from all of these folks that are really using technology in a way that’s just terribly disruptive.

So the next question I have for you is:  You know, you read a lot about cybercrime.  And you read a lot about the negative impact that it has on people, individuals, as well as businesses.  But we don’t often hear enough about what happens afterwards.  What happens to the prosecution of these cybercriminals?  Can you tell us a little bit more about what you’re seeing and how that’s evolving?

DAVID FINN:  Yeah, I mean, I think it’s a great question and something people ask about because, you know, we do these malware disruption cases.  But we’re not law enforcement.  There are things that law enforcement can do and only it can do, and that includes arresting people and convicting them and sending them to jail.

But, in fact, there have been a number of cases that we’ve worked on.  One of the cases is this Gameover Zeus and Spy Eye.  This was a case in which actually two of the defendants, one was based in Russia named Aleksandr Panin, he was actually stopped in the Dominican Republic while on vacation.  He was eventually brought to the United States, arrested.  He actually pled guilty and is awaiting sentencing right here in Atlanta.

There’s a second defendant in that case from Algeria, he’s also been charged and is awaiting trial.  So some of these cases do lead to prosecutions.

Of course, it is critical that there be more of them.  You want to basically remove the profit, and where appropriate, take people’s liberty.  So that’s one of the reasons we work so closely with law enforcement in a really deeper and more embedded way so that we can make it more likely that money is taken from the cybercriminals, and their liberty, where appropriate, as well.

JUDSON ALTHOFF:  Sounds like if you’re a bad guy, you don’t go on vacation because that tends to be when they catch these folks.

DAVID FINN:  Well, you know, one of the things, the visualization that I showed about Russia and the Ukraine, there are some havens in the world that are safer for cybercriminals.  And they know that.  But they also know that if they travel, and some of them can’t resist the temptation, they’re going to be more likely to be intercepted.

JUDSON ALTHOFF:  So one of the most-shocking statistics, I find, in this area, cybercrime, is that so many of the cases originate from an internal breach, some mistake that an internal employee may have either made unknowingly or, unfortunately, deliberately.  Can you tell us a little bit more about how companies should evolve their practices and policies to guard against internal threats or threats that may begin from some sort of internal accident?

DAVID FINN:  Well, I think there are a number of things an organization can do.  I mean, one of them is to really teach employees about basic computer hygiene and basically being more savvy.

You know, don’t use nongenuine software.  You’re much more likely to have malware if you do.  Use updated software.  Use current software.  Don’t use software that’s 10 years old that doesn’t have the same security capabilities.

Be careful where you sit on the Internet.  You know, all these people, you all came to Atlanta.  Some of you haven’t been to Atlanta before.  You don’t just go to any street.  You think about where you go.  So the same thing with the Internet.

And, you know, you just have to do some basic computer hygiene.  Run antivirus software.  So there are some basic things, Judson, that I think every person can do and companies need to train their personnel.

One of the things, we hosted a digital crimes consortium last week in Miami.  This is an annual conference that DCU hosts bringing in academics, industry, and security professionals from around the world.  And I learned a lot about some things companies are doing to train their employee force.

Some of them are doing things where they sort of do fire drills.  They basically test their employees.  They run phony phishing attacks.  And they see how the employees respond and they measure it.

JUDSON ALTHOFF:  Makes sense.

DAVID FINN:  So they’re really training their employees to be more savvy.  I think that’s one of the most important things.  And, of course, they’ve got to do due diligence when they hire because there can always be integrity problems.

JUDSON ALTHOFF:  Yeah.  Yeah.  Makes a ton of sense.  I mean, when we talk about leveraging technology through advanced threat detection and sort of mitigate the damages that occur, but the fact of the matter is some of these attacks are inevitable.  I mean, if you don’t have a plan, if you don’t actually rehearse the plan, it’s hard for employees to react appropriately in a time of need.

DAVID FINN:  Yeah, I mean, this idea of rehearsing a plan, you should do — just like you’re careful in your home.  You lock your doors, you’re careful with your car, you’re careful with your residence, your treasured belongings.  But nobody can guarantee you won’t get attacked.

But if you’re an organization, you do the things to reduce the likelihood, and then you have a crisis plan, as you said, Judson.  A plan is kind of a playbook so that if and when what you don’t want to happen happens, you’re ready to move appropriately.

JUDSON ALTHOFF:  That’s right.  That’s right.  You know, one of the things you said earlier, David, is that cybersecurity is a boardroom problem, it’s on the boardroom’s agenda.  It should be on the agenda of every CEO.  It’s not just the CIO’s challenge anymore.

I think it’s important for everybody to understand a little bit more about how to build stakeholdership inside of an organization.  Maybe you can talk a little bit about what we do at Microsoft to own the cybersecurity agenda.

DAVID FINN:  Yeah.  I mean, I talk to customers, but what I know best, of course, is Microsoft.  And I can tell you that we have made tremendous strides in the last few years, particularly bringing together the many groups who do great work in this space.

So I’ve spoken today about what the digital crimes unit does.  But we have a full mosaic of professionals at Microsoft.  I mean, over a decade ago when Bill Gates wrote the “Trustworthy Computing” memo and basically paused development for 11 months at Microsoft while we basically drove a security culture in our company.

Our engineers, all of our products, security is at the core.  We have red and blue teams testing Azure 365 days a year doing kind of war games to see if we can find the vulnerabilities.  We have great people in Microsoft IT who we share information with.  We have great people working in the cloud data centers and working on other aspects to keep our cloud safe.

We have brought all of these people together more and more so we are aligned, so we can share information, so we can do a better job.

And while I don’t know all the organizations, that idea of bringing the stakeholders together and being sure it’s at the CEO level, that’s the way you reduce the likelihood of catastrophic attacks.

JUDSON ALTHOFF:  That’s right.  So it’s about aligning on the agenda and actually bringing together different lines of business, the people who make the products, the finance teams, the legal teams, the customer-facing teams, so that actually everybody has an alignment on the cybercrime agenda.

DAVID FINN:  Absolutely.  And as I said, that’s the internal side.  You can learn much from working with outside groups, too.  Our customers have taught us a lot, law enforcement has taught us a lot, certs have taught us a lot.

Every year when we do this Digital Crimes Consortium, I learn so much.  And it’s really why I said, and I meant it, we really want to meet with people more.  We learn and we can do better when we bring our minds together.

JUDSON ALTHOFF:  Okay.  So, listen, as I said when I opened up this morning, this is kind of a heavy topic.  And in many ways, it can actually be kind of scary.  I mean, I’ve got to be honest with you, you played the botnet music video in the background there, it kind of sounded a little bit like Darth Vader was coming to get us.

How can everyone develop more competence around data privacy and security and feel like we can mitigate the threat of cybercrime?

DAVID FINN:  Yeah, I mean, actually, I’m really quite optimistic despite the Darth-Vader-sounding music.

You know, I just think the bad news, it is true that the cybercriminals are more sophisticated and craftier than ever, but so are our tools and technology.  So are our partnerships.  And even having events like this where more people get a chance to learn about this, you know, we have more capability to understand how the cybercriminals operate, more capabilities to protect people than we’ve ever had before.

And as more and more companies and individual users of computing devices understand what’s at stake, I think you’re going to see tremendous progress.

So I am hugely confident because I know where we’re going with our tools, with our technologies, with the law, and the people who are really focusing on this.

A month ago, I attended — President Obama had a White House Cyber Security Summit.  Just the very fact that the President of the United States in a speech used the word “botnet” is significant.


DAVID FINN:  I think more and more people are understanding it, and the more awareness is, the more likely we’re going to make progress.

So, please don’t be so glum, everybody.  There really is just tremendous progress we’re making.  I’m really quite confident.

JUDSON ALTHOFF:  Great, good.  So it sounds like it’s key to have awareness, it’s key to have alignment across lines of business to understand the cybersecurity agenda.  It’s key to use technology to harness bid data for advanced threat detection.  And it’s also critical to have a plan.

DAVID FINN:  Absolutely.

JUDSON ALTHOFF:  So that when the inevitable occurs, that you actually know what to do.  You remain calm, you execute your plan, and you mitigate damages.

DAVID FINN:  All those things are dead right.  And I know also, Judson, you know, people are making choices between having an on-prem environment or a cloud environment.  You know, the one thing I would say to folks out there thinking about this, you know, if you go to the cloud with a provider like Microsoft, I mean, this is our core business.  We are investing tremendously in our cloud and in security.  This is what we do.

I’m one part of the group focused on that at Microsoft.  But, you know, I think about what the cloud can bring in terms of security and privacy, and I just think — you know, I’m not a deep technologist by any stretch, but I think back to once upon a time people put money under their pillows.  And then they realized, you know what?  I should probably give this to the bank.

JUDSON ALTHOFF:  That’s right.

DAVID FINN:  And I do think people should be thinking about that when they consider security and privacy in the cloud.  We’re just making tremendous investments, it’s our core business.

JUDSON ALTHOFF:  It’s a great point.  I know, in fact, in working closely with Microsoft Consulting Services, a number of the cases that we’ve handled for customers have actually involved moving their infrastructure to the cloud because it’s better professionally managed.

So maybe if we were to try to wrap this up.  If you were to give sort of a call to action to even on how to best protect themselves, protect their organizations from cybercrimes, what would your thought be?

DAVID FINN:  Well, I think basic computer hygiene, some of the things I talked about.  Have a plan so you’re ready in case of a crisis.  Really think hard about going to the cloud and really whether you’re in the best position to control your data and your privacy or whether there’s a cloud provider who can help you do that better.

And be aware and really be aware and partner with Microsoft, partner with others so you can use this intelligence and use the technology to keep yourselves safer.

JUDSON ALTHOFF:  Awesome.  David, thank you so much for sharing all the great work you do at Microsoft and everything we’re trying to do to advance work against cybersecurity and cyberthreats.  Thank you so much.

DAVID FINN:  My pleasure, thank you very much.


DAVID FINN:  Thank you all.  (Applause.)

JUDSON ALTHOFF:  Thanks, everyone.  Enjoy the rest of your morning.  Enjoy the rest of Convergence, we’ll see you back here again in New Orleans in the future.  Take care, see you.