Security Now

May 1, 2019

Join us as we dig into all things security in this two-part episode of the Windows Insider Podcast. Jason chats with David Weston, group security manager for operating systems, about big picture security, including red team versus blue team operations, the importance of securing public infrastructure, and the future of AI. Plus, get an inside look at how Insiders make his job easier.

Then, Jessica Payne, a senior security researcher for Microsoft Defender, joins us for a conversation about how you can stay secure. She shares a peek into how attackers in the current landscape are taking advantage of vulnerabilities and walks us through what Microsoft’s doing to protect you and what you can do to protect yourself.

Windows Insider Podcast Episode 18

 (Music)

JASON HOWARD:  Welcome to the Windows Insider podcast, where leaders at Microsoft and Windows Insiders discuss the latest in tech trends, careers, and innovation.  You're listening to episode 19, Security Now.

The topic of security has become more important than ever in the modern computing landscape.  With high-profile data breaches continuously in the news, alongside countless hacking attempts across a variety of platforms, it seems as though security has become an ever-present topic in our daily lives.

It is now discussed not only with Microsoft customers at large, including Windows Insiders, but across a wide breadth of industries from banks and hospitals all the way to advertisers and social platforms, security is now becoming a design consideration rather than an afterthought when it's time to recover from a breach.

This shift has changed the way individuals think about their personal data and information, driving an increased interest in the importance of safety and security at every level.

As we jump into this episode, we'll be talking to two security superstars here at Microsoft.  First up is David Weston, partner Enterprise and Security group manager, to discuss security as a whole.  Followed up by Jessica Payne, senior security researcher, who will share insights on what you can do to improve your personal security.

Before we get started, here's a quick reminder that if you're not a Windows Insider yet, you can register for free at Insider.Windows.com.  You'll get access to upcoming Windows features that haven't been released yet, plus exclusive opportunities to learn, grow your network, and experience more of Microsoft.  On to the show.

(Music.)

JASON HOWARD:  Hi, David, welcome to the podcast.

DAVID WESTON:  Hey, happy to be here.

JASON HOWARD:  Can you tell our listeners a little bit about yourself and your job here at Microsoft?

DAVID WESTON:  Yeah, my official title is Grand Poohbah of OS security.  (Laughter.)  That translates to the – I'm a group security manager responsible for operating systems, which means not only do I do Windows, but increasingly, Linux. Since our charge is really to protect all the operating systems that run on the Microsoft cloud and intelligent edge devices, increasingly, that is a focus on Windows, but additional devices.

One interesting thing is besides just being responsible for building security technology and these operating systems, I also have a red team that reports to me who hacks my stuff.  So, the goal there is to say, hey, I'm pretty certain before I ship it out to customers who are going to use it as the kind of end user, that we've hacked it, we've pounded on it, and we're confident it's going to live up to the security guarantees that people expect.

JASON HOWARD:  Interesting, so jumping in and talking about red teams.  So, there is this kind of, you know, industry-wide concept of red teams versus blue teams.

DAVID WESTON:  Yeah.

JASON HOWARD:  Right?  Can you share a bit about the difference between the two and kind of what, you know, what each one does?

DAVID WESTON:  Yeah, the analogy is actually pretty simple.  So, you know, a blue team there is the blues representing that they're part of the good folks and their goal is really to detect, respond, or prevent cyber-attacks.

And the only way you can know if you're any good at that is by actually testing yourself.  This is sort of similar to the way a boxer might call in a buddy and say, hey, we're going to spar a little bit.  We're not going to hit each other full hard, we're going to hit each other hard enough to sort of sharpen our skills.

And red team/blue team exercises are kind of intuitively you've got a red team who's playing the role of the bad people, the hackers, the attackers, and the blue team was trying to detect them.  And it's a great way for you to test sort of operationally, are things working well, is my detection working as expected?  Do I know who to call when this alert fires off?  Do I know how to respond to this?  Can I detect this certain technique they're using?  And so by kind of doing that continuously, not only are you getting a set of learnings out of that, but you're sharpening both the blue team and the red team's skills, so over time it gets more and more sophisticated.

And so every year on the Microsoft sort of corporate network, we have one big, you know, for lack of a better term, "war games" where all the red team and blue teams kind of come together, segregated in different places on campus where we're supposed to not know each other, but of course everyone is trying to use their intelligence sources for that.  A lot of hijinks happen, but in the end, we actually learn quite a bit about how ready we are to detect and respond to a cyberattack and what we need to do to improve.  And so in that way, it's a very transparent and useful exercise.

JASON HOWARD:  So, obviously, without getting too deep into the tricks of the trade, right, you know, you don't want to tell people some of the secrets that we've learned over the course of time.  Obviously, there's you know new and different you know attack surfaces that show up.

DAVID WESTON:  Sure.

JASON HOWARD:  You know, over the course of time.  And how has that evolved internally, right?  Obviously, some of these things you take and you learn.  What do we do with it internally?  Obviously, we're going to harden our own systems to some extent.

DAVID WESTON:  Yeah.

JASON HOWARD:  But do we also kind of share some of these learnings externally with partners and vendors that we use, so on and so forth?

DAVID WESTON:  Yeah, absolutely.  I mean, in the end, it's actually a really fun exercise, because I would say both the blue teams and the red teams, everyone wants to show off their skills, right?  So, that's actually the perfect place to do it.  So, by breaking out something that's never been seen before to try to say, smoke the blue team, you're actually driving them to be better over time.

And the outcome there, I would say not only do we share the learnings, but we share the learnings in what I think is the best possible way by actually making updates and upgrades to our software.  So, I would say there's rarely a Windows release in the last couple years that didn't include something that we learned on actually one of these operations.

So, the end user is totally benefiting from that not only in just like we could write a blog about it, but in reality, what they really care about is that the product is evolving.  And every time we do an out brief where we look at sort of one of these red team operations like the one hunt that happens on our network, there's a list of work items and bugs that are fixed and things that are improved in terms of monitoring the services, and we have products out in market like Defender and Defender ATP, they have better detections based on these exercises. So, there's just actually a huge gamut of that stuff.

And I would refer people to a couple years ago, I did a talk at Ignite, where we went into detail on some of those attacks and how we made improvements.  Another Black Hat talk where we've talked about that.  So, there's numerous places where we do that and it's pretty regular that we would engage with customers directly about specific topics and how red teams have helped influence them.

JASON HOWARD:  So, obviously, looking kind of external a little bit more, right?  So, Microsoft, whether now into the future, right, we kind of stay in the news, right?  But, you know, you can look back in the recent months and, you know, we've participated and helped bring to the forefront some major hacking attempts.

DAVID WESTON:  Absolutely.

JASON HOWARD:  Other security risks that have come to light.  What can you tell me about some of these efforts and like what – how this is prioritized from our perspective as well as, you know, what we're doing for customers as we move forward?

DAVID WESTON:  Yeah, I think one of the best tools we have for improving our products, and more importantly, leveraging our cloud and AI and tool sets to benefit customers on the cybersecurity front is our threat intelligence.

So, threat intelligence is really the process for us, monitoring the global threat landscape, identifying individuals or groups who are perpetrating some of these attacks, learning as much as we can about them, understanding their attack techniques, their philosophies, the victims they choose, et cetera, et cetera.  And we use that not only to make sure that we're keeping tabs on them and staying ahead of them, but also watching what they do and sort of bringing that back in.

Now, I would equate it to, you know, someone who's building a safe should probably know a lot about what good cat burglars kind of do, right?  Or safe – or people doing sort of bank robberies.  And so, it's very similar to us, like, we've got you know, the sheets out there of the different groups, and we actually name them by the element table.  And we use that, and we use our optics to watch what they do.  And, regularly, we'll see things that they're doing that we should alert other people about, whether that's something to do with elections or they're targeting a certain group, you know?  It's sort of our job as a member of the defense community and we owe that to our customers to make sure that the people who can action on that information get it.

So there's been several news stories recently sort of highlighting some of that stuff.  And I think that's a big part of Microsoft's commitment to the entire sort of internet and information security ecosystem, make sure that information's out there so people can protect themselves.

That is regularly highlighted in blogs, but that is happening hourly, daily, every few seconds where we're exchanging information, threat intelligence, things we call indicators of compromise that you can use to uniquely identify, are you under attack from a certain individual or group?

And so that is just sort of naturally happening across company, across industry all the time.

JASON HOWARD:  Something that I think's a little bit interesting and hopefully you can kind of share some insights on –

DAVID WESTON:  Sure.

JASON HOWARD:  – is the difference between knowing something's taking place and trying to react to it, right?  Where it feels like you're kind of in second place because something's already – something's already transpiring at that point.  Versus trying to get ahead and figure out what's going to happen next, and make sure that you're ahead of them and kind of head them off at the pass, so to speak, so that they don't even have the ability to succeed at whatever that attempt's going to be.

DAVID WESTON:  Yeah, the Minority Report thing is actually (laughter) quite hard to do, obviously, in practice, which is, what I would say is we start to understand, what are the tendencies of the adversaries?  Again, this is no different than like sort of Bill Belichick saying, like, "What are the Rams going to do in the Super Bowl?"  They like to throw to such-and-such on third down.  So, we build profiles.

And most importantly, if we know that there's a technique that's their go-to that they have a high success rate for, we look across the board and say, "How can we disrupt this?"  Right?  Because every time we disrupt an adversary, it means that people have a safer experience.

And so, if they're doing something like a certain malware technique, we might look in the operating system, we might look in Defender, we might look in our cloud, we might look in our email systems.  What can we change or improve that would really set them back quite a bit and make them go back to the drawing board?

And if we can keep them in that permanent state of disruption, it's not so much that we predicted them, but we're really just driving their costs way up and making their lives miserable and maybe they go somewhere else that's less secure.

I like to say I don't think they're going to give up and get a job at McDonald's, but certainly, we can make it rare or much more expensive for these kinds of attacks to happen, and that's when our customers can really feel the difference.

JASON HOWARD:  Nice.  So, obviously, security being the topic that it is, right, we've talked about it at multiple events, right?

DAVID WESTON:  Yeah.

JASON HOWARD:  We'll talk about it more at Build, we've talked about it at Ignite in the past, we've talked about it at Inspire, pretty much any conference Microsoft does, it becomes a topic in one way or another, somebody gives either a TED Talk or there's something included in one of our big, you know, presentations and keynotes.

So, there's projects like the Pipeline Cybersecurity Initiative that's about nation-state infrastructure, electrical grids, railways, things like that.  Can you tell me a little bit more about why Microsoft's making infrastructure security a priority as we kind of move forward?

DAVID WESTON:  It's actually a pretty simple answer, which is all of us like to have electricity, all of us understand civilization needs certain things to continue, whether those are hospitals or power plants or, you know, there's life and safety at risk.

And when there are people who are willing to do that kind of damage, you know, it's Microsoft's responsibility as one of the top tech companies out there with the right talent to try to solve this.  This is our contribution back to our fellow humans.  And I really look at it that way.  And I know my team who works on a lot of these things look at it that way.  This is our contribution.  This is what we are uniquely able to help with, and so looking at how we can help with infrastructure is kind of a natural progression.

The cool thing is a lot of the investigations we've done into things like IoT or edge devices or cloud, a lot of that is extremely relevant when we start to look at how to secure infrastructure.   A good example of that is, right, there are lots of power companies and industrial applications for IoT where we want to deploy sensors that will help with availability, up time, diagnosis of problems, but each of those is, obviously, a potential attack point for someone who wants to do nefarious damage.

And so we've got solutions out there like the Azure Sphere is a favorite of mine.  That is a hardware-secured device that has sort of really cool vertical fusion between the operating system, which is ironically Linux, and hardware we've designed that work together to have an extremely high security guarantee. And so, Sphere is a great example of something Microsoft maybe made for commercial purposes, but actually has tons of application in helping to secure particularly modern infrastructure.

And those are the kinds of things that we could use to help around the HS initiatives in the United States and obviously globally to make sure that that infrastructure gets a lot more hardened, and we won't have events where you have blackouts or other things that come from nation-state attacks.

JASON HOWARD:  Stepping away from kind of the Microsoft perspective for a moment, one of the things that's come up in some recent articles is, as you mentioned, IoT, right?

DAVID WESTON:  Yeah.

JASON HOWARD:  Becoming more and more an increasing part of everyday life between cameras and, you know, like pretty much anything you could think that's showing up –

DAVID WESTON:  Absolutely.

JASON HOWARD:  – that's not just your prototypical PC that helps make life, you know, a little bit easier.

There's the questions around keeping these updated, keeping them secure, what firmware did they come with?  How easy is it to attack and gain access?  You know, is it connected to somebody's home network?  Then do you jump from this device to their network?  What else can you find?

Kind of speaking broadly, right, what are some of the things that technology companies as a whole need to focus on in helping secure some of these platforms?

DAVID WESTON:  I think a lot of this is what you hit on of security fundamentals, which is there's sort of a race to get out there to hungry consumers who want, you know, smart light bulbs, smart this, smart that.  And while it's very attractive to get that stuff out there, and at the end of the day a product is purchased because of the value it has to the consumer, the reality is we're not doing ourselves any favors by skipping over the security fundamentals.

So, an example, I would say, is if you're putting out a product that can't be updated, you're just setting yourself up for disaster.  We all know there are going to be vulnerabilities, nobody ships a product without vulnerabilities.  So, if you haven't done sort of the fundamentals to set up a product for security success, you're just moving towards disaster. And, unfortunately, we've seen some examples like that.

The good news is I think the industries and product makers are realizing consumers want both.  They want a cool light bulb or a cool thermostat, but they also want that thing to be secure.  And so I think the smart manufacturers are capitalizing on that, making sure that they have security as part of their value proposition towards customers in telling that story.  I think we're starting to see some changes there where we're moving away from just sprinting to market with whatever you have towards more mature devices.  And that's exciting to see, and Microsoft's played a role there.

We've got, you know, lots of different operating systems we support, we've got things like the IoT Edge that can do security monitoring, updates, authentication from the cloud.  So, that's great.  And I think we were sort of in the early days, similar to PCs.  You know, PCs didn't – had a rocky early days with respect to security.  And now we're seeing these IoT and edge devices and embedded devices sort of maturing, so I think that's good.

And most of that is just starting with the fundamentals.  Don't have a default password with exposed ports.  (Laughter.)  You know, things we learned long ago on PCs, you know, I question why we had to start with such hard knocks, but the good news is I think we're starting to see an up trend there, and that's great for all of us.

JASON HOWARD:  So, it sounds like you would agree that at least having taken some of those early lessons, right, rather than security being kind of an afterthought, it's becoming more of the design process along the way?

DAVID WESTON:  I think it's starting.  (Laughter.)  You know, this might be the security cynical, but there are certainly some products out there that I think have a very mature feature set.  There are others that are, you know, just getting started, but I think as a whole, I think we're starting to see people take it more seriously.

JASON HOWARD:  So, I'm going to shift topics on you again a little bit, right?

DAVID WESTON:  Sure.

JASON HOWARD:  I love doing this, right?  Keep things fresh.

DAVID WESTON:  I can gab security all day.  (Laughter.)

JASON HOWARD:  So, here's a name that you might have heard before, Bill Gates, right?

DAVID WESTON:  Once or twice.

JASON HOWARD:  You know, it's – people around Microsoft –

DAVID WESTON:  Seen him around.

JASON HOWARD:  – they seem to know him, you know?

DAVID WESTON:  Burger Master, you know, Dick's.  (Laughter.)

JASON HOWARD:  It's funny, I read an article where it was talking about – he just goes and stands in line quietly waiting for his food like everybody else.

DAVID WESTON:  He's a cool guy, yeah, I love it.  I love it.

JASON HOWARD:  People are, like, "Hey, that's Bill Gates."

DAVID WESTON:  Yeah.

JASON HOWARD:  Yeah, he's got to eat.

DAVID WESTON:  Who doesn't want a Dick's burger or some, you know, fries that lives in Seattle?

JASON HOWARD:  Oh, man, those Burger Master fries.

DAVID WESTON:  Oh –

JASON HOWARD:  Off the hook.

DAVID WESTON:  Really good, and you don't have to leave your car.  (Laughter.)

JASON HOWARD:  So, speaking of Bill, right?  He recently said that AI is both promising and dangerous, right?

DAVID WESTON:  Yeah.

JASON HOWARD:  And that's a pretty impactful statement when you stop and think about, you know, kind of the crux of what it means.

So, in looking at AI, like, why is AI potentially considered a security concern and then, you know, if you look at it from obviously the Microsoft perspective, like, what are we doing to try to make sure that AI is handled responsibly?

DAVID WESTON:  I mean, that's a tough question because AI has a broad set of applications and a lot of the security concerns depend on how you use it, right? If you're using it in, let's say, a medical or in a life-and-safety application and someone can do what we call "adversarial machine learning" or sort of trick the algorithm into doing things that are unexpected, that's a problem.

I think we're in very early days there.  So, I would say – I wouldn't generally say AI – in my opinion, and Bill's a lot smarter than me, so he's probably got a lot more ideas there, but in my estimation, most of the problems related to AI today are around the infrastructure. So, AI takes a lot of computing power.  It might mean you need to move very quickly.  And so, again, similar to IoT, in some cases, we've seen a lack of fundamentals around people building up the systems that are required to do this, in the race to do something innovative.

For the long term, I think AI has some interesting technology challenges.  I'll give you a very simple example.  Lots of training and inference happens on specialized processors – GPUs, TPUs, things like that.  I would say that, again, we're early days there where the maturity around the security, especially at the operating system and hardware level, is just growing, right?

Because the general maturing sort of lifecycle is, get something working and then figure out how to make it secure.  So, I would say for example we have lots of ways to create secure, isolated, and confidential compute workloads with hardware today, examples are things like Intel's SGX or Microsoft's VSM.  I know this might seem like acronym soup for those out there, but these are technologies that allow you to segment a particularly sensitive workload, maybe working on private data from the operating system, such that if you get a piece of malware on your operating system, it can't touch that private data. One of the challenges we have is how do we have that technology catch up to all these specialized processing and AI devices around things like TensorFlow or GPUs?

So, there's a lot of just, hey, this technology evolves at breakneck speed, and the security architecture has to keep up as the innovators do their thing. I think that's not specific to AI, that's just kind of natural evolution of things.

But I also do think like as we start to rely on artificial intelligence and statistical methods for things like malware detection or attack detection, there's certainly opportunities for combat to occur. I'm not a marketing person, per se, but there's certainly a lot of discussion out there about how people are using artificial intelligence to detect attacks.  But it's absolutely true that attackers could use artificial intelligence to modify their malware to bypass the good AI.

And so I do think we're in some interesting sort of Skynet days where it is absolutely practical for an attacker to get a lot of computing power in the cloud and sort of blue team folks to have that and there to be combat.  Like, some of that is starting to run into the realm of sci-fi, but I don't think we're that far away from that actually being a practical reality.

JASON HOWARD:  I think you're chasing after Elon Musk's heart here, yeah.

DAVID WESTON:  A little bit, yeah, yeah.  (Laughter.)  The singularity is near, for sure.

JASON HOWARD:  I think it would be interesting to get the two of them in the studio together and let them kind of chat back and forth on their thoughts of AI in the future and, hey, maybe that's an idea for a future podcast, we'll see what happens.

DAVID WESTON:  Hopefully, they can AI clone me and I can just go to Burger Master all day.  (Laughter.)  That would be awesome.

JASON HOWARD:  Looking at the field broadly, right, you've been doing this for a while.  Microsoft on the whole has, you know, developed what they do, how they approach it.  Obviously, there's tons of smart folks here working on this on a daily basis trying to drive this to, you know, more cutting edge as we can get it, right?

So, for any security IT professionals in other companies or other industries, right?  Especially like you mentioned earlier banks and healthcare, obviously, very secure.

DAVID WESTON:  Yeah, absolutely.

JASON HOWARD:  Being secure is very important, right?

DAVID WESTON:  Absolutely.

JASON HOWARD:  Like, for those companies that are – that have that high level of need, what are they doing to reduce their vulnerability to – you know, to like other security concerns like cybercrime?

DAVID WESTON:  Yeah.  I'll start with what I think they should be doing, which is the vast majority of security attacks are prevented by fundamentals.  That's just an empirical truth. When we look – we step back and look statistically at why attacks happen, it's almost always because someone didn't apply a patch or they're missing a basic security control like running a standard user instead of admin, or they should have been running only signed code instead of random code from the internet that said they were going to get free iPhones or something like that.  (Laughter.)

And so if you follow those very basic – let's just call it "hygiene" steps, you're basically making your attack profile so small that only really sophisticated attackers can target you, and that's usually enough for them to look past you, right?  You don't want to be that sickly antelope at the back of the pack that the wolves are going to hit, you want to be that one out front with the big horns charging fast.  And so what I'd like to see is more folks focusing on the ugly fundamentals.

Unfortunately, I think in some cases, people are looking for magical solutions.  They want to buy a specific product, they want to use some great technology that's going to allow them to have basic sloppy practices but be magically impenetrable.

To me, that's a lot like overnight diets.  At the end of the day, you're going to have to eat healthy and you're going to have to work out.  There is no, you know, diet in a can that's going to solve your – all your woes.  And it's very similar in security, which is you need to move into an environment where you're not using passwords and you're using two-factor auth.  You need to stay up to date.  You need to have practices that curate the applications that can be run.

If you can do those things, it doesn't matter what industry you're in, you're going to have a much better security profile and a smaller attack surface.

JASON HOWARD:  So, having just talked about making sure that, you know, folks are up to date and they are implementing the fundamentals.

DAVID WESTON:  Sure.

JASON HOWARD:  Speaking broadly, right, I'm not asking for, you know, an exact scientific research paper on this, but what percentage of attacks would you say are people exploiting known vulnerabilities versus somebody found something new – the whole zero-day type concept?  Like –

DAVID WESTON:  Zero days are incredibly rare.  They are in double digits for the entire year.  So, every year, there's less – again, speaking in broad terms, around a dozen, maybe up to two dozen zero-day vulnerabilities found.  The number of victims actually targeted with those is very small. In fact, I often say to people when they say, "I'm really worried about zero days," I'm like, you're not that important.  (Laughter.)  Like, if someone's in – again, this is a broad-spectrum statement, there are – have been broad zero days, but generally, zero days are incredibly expensive and the people who spend the money to develop them are using them in very rare cases and they're being very protective of them because they're very valuable.

The vast majority of attacks are coming in two ways, one is phishing, and that is easily mitigated by using multi-factor authentication, ideally even using things like FIDO hardware tokens, where you just don't have a password, things like Windows Hello.  That is going to get you a ton of ROI and bang for the buck in terms of mitigating attacks.

The second way that people get owned is basically they get tricked into running stuff.  Whether that comes through an attachment or a pop-up, et cetera, the vast majority of attacks fit into those two categories.

There's a third category, which is people who just don't update their Java or Flash, which is insane to me.  (Laughter.)  Or their Windows or their browsers, and those – there's a small section of people who get targeted there.  Zero day, I don't know, it's point – you know, it's very, very, very rare.

Now, it's exciting for everyone to talk about how their product mitigates the zero day, or security people thinking it's a big deal, but in reality, it's an extremely rare event.

JASON HOWARD:  At least what I take away from that is, you know, an individual consumer – like, obviously, you know, like Insiders, right?

DAVID WESTON:  Yep.

JASON HOWARD:  Make sure you're keeping your computer updated.  Which, you know, one of the things we do with Insider builds, of course, is, you know, as we release patches that go out, you know, quote/unquote patch Tuesday, Insiders stay updated, we release those same security, you know, patches out if something is discovered during testing while we're developing, those things get patched as well.

We don't leave Insiders insecure –

DAVID WESTON:  Absolutely not.  And, in fact, you know, I run Insider builds as the, you know, engineering manager here on Windows Security and the reason is all the newest cool stuff that my red team like taught the blue team how to build is in the Insider preview builds. And, like, if you follow my Twitter feed at all you'll see, you know, during any given development cycle I'll say, build this week has new feature FU.

And so, you know, speed kills.  If you can stay up to date and you can constantly get those new layered defenses, you're staying one step ahead.  Again, you're not the sick llama or whatever at the back (laughter) of the pack, you're up there running with the buff chest, ready for the fight.

Basically, what you're doing is allowing our security teams to understand what are the latest attacks and give you mitigations or options to stay ahead of that.  And that is a really important security property.

JASON HOWARD:  Speaking of, you know, kind of consumer world, right?  Here's a little bit of an interesting tidbit for you.  In the U.S., the Girl Scouts recently released merit badges for cybersecurity skills, right?  So, in the same way that like the tech community has been encouraging everybody to learn how to code, right, should we kind of be encouraging folks to learn more about cybersecurity?

DAVID WESTON:  Absolutely.  I think fundamentals are the key word anywhere.  If you're learning development, you should be learning performance, security – all of those things.

And I think the cool thing is, is obviously, cybersecurity is a really fascinating field and it's one of those places in technology where you have a real passion and you can focus, you can really help people, right? You can help healthcare stay secure, you can help industry stay secure, so it's really great to see folks engaged there.

The thing I always love to see is when it's mixed together with engineering fundamentals, right?  I don't ever want to say enterprise cybersecurity separate from general engineering, I love to see them mashed together because in the practical sense, if we could get every engineer out there writing new lines of code to put on the two hats of the software developer and the cybersecurity person, we'd be in a much better spot.

So, I love seeing the Girl Scouts doing that, I'm also hoping that the Girl Scouts who are learning coding and other STEM programs are also getting security woven in across the board, because what I'd love to see is that just become the DNA of how we develop software in the future.

JASON HOWARD:  As we leave Insiders with kind of like a take-away, right, Insiders tend to be very tech forward.

DAVID WESTON:  For sure.

JASON HOWARD:  You know, you know, on the cutting edge.  They obviously take, you know, preview builds, they get – they stay up to date, they're the ones who are constantly updating drivers and everything.  Very, very technology, you know, driven, very tech savvy.

DAVID WESTON:  Yeah.

JASON HOWARD:  What can they do broadly to help folks in their family, their friends, who either don't know that cybersecurity really is such a concern, or maybe, unfortunately, are a bit lax about it.

DAVID WESTON:  Yeah, I think keeping things simple.  And one of the biggest issues I think facing folks who are security evangelists, including myself, is we made things way too hard.  We sit down, we say, you can't click this, you've got to do this, you've got to keep your AV up to date.

You know, I'll give an example.  My parents, I just say, run 10 S, because it's bulletproof.  Right?  Like, the reality is you can click whatever you want, it's like using your phone.  Poke whatever you want, click whatever you want, there's no password, code can't run unless it came from the store.  That makes things very simple. And so I think if we reduce things back to simplicity and we focus on the fundamentals, that is what's going to be the net improvement.

I think Insiders and folks who are kind of black belts when it comes to Windows, they know all the cool, whiz-bang features, so they're like in GPO edits turning on things.  I always point people to 10 S.  10 S has had really that focus from the entire security teams, layering on all their favorite stuff.  We've worked really hard on making it as secure as possible, but the cool thing is it's just super simple. And I think as the store grows, as we open up more and more scenarios there, that's an awesome foundation.  And I find for my family and friends who are not the super, super power users, it does the vast majority of what they need to do and it has a security profile that's as hardened as anything I've seen on the Windows side.

JASON HOWARD:  Awesome.  Well, as we wrap here, are there any final tidbits, words of advice?

DAVID WESTON:  No, I got kind of hungry when we were talking about (laughter) (inaudible)

JASON HOWARD:  I'm really – I'm telling you – I want some French fries, man.

DAVID WESTON:  I've actually gotten really concerned about Skynet and drones.  So, I'm actually worried about AI rather than trying to curb your fears, I'm a lot more concerned.

But it's been fun.  I always like talking about security.  And I'm stoked that there are so many people who are interested in trying out our builds.  I want to kind of send a shout-out to the Insider community as somebody who's constantly shipping new things, it's really only possible because there are people out there willing to try our features and give us feedback.

You know, my boss isn't going to let me ship something unless the Insiders have used it and proved that it's not going to break stuff.  And that's super important in security where we're really trying to push the edge at all times and sometimes when we ship a new security feature, maybe it could potentially have an impact on performance or compatibility, so unless I have my Insiders out there pounding on it and proving that I've done my job, I can't ship it. And if I can't ship it, I can't help secure the world.

So, really, the Insiders are just as instrumental as my team and the engineering community in making things better.  So, when we're talking about secure infrastructure, some of the important things we've touched on today, really the Insiders, truthfully, are a huge part of that.

JASON HOWARD:  Well, thanks again, David.

DAVID WESTON:  Cool.  Thank you.

JASON HOWARD:  It's been fantastic chatting with you.  Thanks for stopping by the studio.

DAVID WESTON:  Fun times.  I'm going to go get a burger.

JASON HOWARD:  All right, man.  (Laughter.)

(Music.)

JASON HOWARD:  Next up, we're stepping into your shoes as unique end users to think about the importance of security at the individual level.  To help you learn more about protecting yourself on a day-to-day basis, let's bring on our next guest, Jessica Payne.

Hi, Jessica, welcome to the Windows Insider podcast.  Would you please introduce yourself briefly for our listeners?

JESSICA PAYNE:  So, normally, I introduce myself as a security person at Microsoft, but I don't think that's going to cut it today.

JASON HOWARD:  No, probably not.

JESSICA PAYNE:  So, my actual title is I'm a senior security researcher inside of Microsoft or Windows Defender Security Research, so my job is threat intelligence.  And unlike a lot of threat intelligence, we're not just interested in big old nation-state-sponsored activities, we're actually interested in you, the consumer, and the threats that affect you as well.  So, my job is to track those, learn how they work, and help you get protected.

JASON HOWARD:  Awesome.  Well, hey, speaking of Defender, let's jump right in and start with Windows Defender.  Well, what was Windows Defender?

JESSICA PAYNE:  That's right.  We're not just Windows Defender anymore.  We now actually are Microsoft Defender, and we have a Mac client.  So, if you are a Mac user and you would like to have some antivirus of the world class, you can now have that as well.  But we still have the Windows Defender core product as well.

JASON HOWARD:  Awesome.  Getting into it, like many of our Windows Insiders, they already have Defender set up.  But for those who don't or may not know what it is, can you share some insights on how to get started with it?

JESSICA PAYNE:  Absolutely.  So, Windows Defender is an antivirus agent or anti-malware agent that is included on Windows by default, it's already there for you.  And we have about half a billion endpoints checking in every day that are running Windows Defender.

JASON HOWARD:  Whoa.

JESSICA PAYNE:  That's right.  Yeah.  Half a billion.  (Laughter.)  So, from a visibility perspective and what we know about the threat landscape, that's unparalleled, right?  I can provide you insights into the malware activities on half a billion computers.

So, using that, what we do is when you have this built-in antivirus agent, this is not something else you have to go out and get.  It's already there, it's ready for you.  And we use something we call "cloud mode," where it's actually using machine learning and we actually use our cloud to do about 40 percent of the protections that come from that.

We've done some really cool things with that.  So, if you search for "Microsoft" and "dofoil," which is a type of malware, last year we actually did an effort where we stopped 400,000 endpoints from getting infected with a malicious coin miner from a compromised BitTorrent package.  So, with that, that was actually what we call "block at first sight."  That malware had never been seen before.  We stopped a supply chain attack from affecting 400,000 consumers.  These were not big businesses, these were not people who had the pay product.  These were people in their homes who were using a download client and were taken victim of by people who wanted to do malicious activities on their computers.  So, this is there for you.  It's something that's ready to protect you and I think a lot of people probably don't understand what's going on with that.

When you do configure Windows Defender, it's going to protect you from a great variety of threats, and I think a lot of people aren't aware that it's actually a good anti-malware product. We may have gotten a bad rap in the past, but right now, if you look at the AV test scores, we actually topped them last month I think.  So, we actually were 100 percent score on AV test for Windows Defender and we put a lot of work into that.  So, with my team, with Threat Intelligence, as well as the people who actually build the detections and the engine, we've been driving to look at certain threats and just completely try to eradicate the way they behave because we want to look at how malware is behaving on your system and not just be playing catch-up.  And it's just – it's fantastic to see the scores rewarding all of our hard work on that.

JASON HOWARD:  Yeah, and as we get into this, right, so for anybody who doesn't have this enabled, it's just the user interface aspect of it, it's just in settings, in Windows settings.

JESSICA PAYNE:  It's just in settings, yeah.  Or, control panel.

JASON HOWARD:  So, as Defender is working and doing its job, obviously it's scanning local resources on the individual machines, or endpoints as you referred to them.  But while a user is actively browsing the internet, right, what type of protection is offered there?  What is Defender doing?  Can you share some insights about that?

JESSICA PAYNE:  Yeah, absolutely.  So, there's a component that you can actually enable right from settings, it's called Smart Screen, and this will actually protect you inside of Edge, Internet Explorer, and now we actually support Chrome and other browsers as well.

JASON HOWARD:  Wow.

JESSICA PAYNE:  So, Smart Screen actually does URL-based reputation.  So, if a URL you're attempting to browse to or a site you're attempting to browse to has been reported as ever having malware on it, Smart Screen will actually alert you and let you know this may be an unsafe site you're going to. So, that's right there for you ready to help protect you from maybe links that you've been sent or compromised websites, like sometimes e-commerce websites or websites you're shopping to, they will get compromised behind the back of the people who are running them.  They don't know what happened, and unfortunately, your credit card might get compromised when you go to it.  So, Smart Screen will actually help you with websites that might be compromised, as well as ones that are downloading malware.

And then the Windows Defender agent itself, as you encounter different code that's executing, because we have in-memory protection, so if you click on a link and it tries to download an executable and it's malicious, we will actually scan that right then before it hits your computer.  We'll actually look for the reputation and we will look at the attributes of the file.  We have this thing called Block at First Sight.  So, even if it's brand new malware and you've got that cloud mode enabled, before it ever actually hits your computer's disk, we've actually taken a look at it and we may have blocked it for you, because there's this whole new class of stuff that's supposedly super cool and super unstoppable – note that I said "supposedly" there, called file-less malware, where everything just happens in the memory of your computer and that's where we're scanning, that's what we're looking for.

So, we integrate with the browser, we integrate with third-party browsers, and we're there to protect you.

JASON HOWARD:  Wow.  And so, the process of learning, right?  You talked about using machine learning during this process.  So, the links that are marked, you know, for lack of a better way of saying at least on my end, you can fill that in for the listeners here, of links that are marked good versus bad, you know, whatever terminology may apply here.  Are they categorized by AI machine learning?  Are they categorized by users?

Like, what are all the end points that kind of categorize the good versus the bad?

JESSICA PAYNE:  Yeah, so first off, we will use the actual malware reputation of the site.  So, with the machine learning looking at all the different payloads that get scanned by Defender, what site did they come from?  Because if you are downloading something that's in the class we call like a banking trojan, where it's going to steal your financial information and drain your bank account, if it's been downloaded from a website, we will now automatically tick up that website because we will know where it came from. And then we will stop being as respectful to that website, so to speak, you know, but when we think about the Smart Screen, it's doing the categorizations based off of that as well as other lists that are provided.

So, you can actually submit a site that you think is suspicious.  We have – it's called the Windows Defender Security Intelligence portal, that's quite a mouthful, I'm sure that you can find it, though. Where, if you have a website that you want to tell us about that we're not noticing, you could submit it there as well.  So, if you do have something, that'll help us learn and that'll help us build on it, and you can also submit malware samples there, too, by the way, in case there was something, anything we missed.  So, we do look at that, but we do also build off of the work that my team does with the threat intelligence and different open-source feeds that we will get into, and then we will use the machine learning on top of that to categorize different behaviors as you visit the website.

It's a multi-pronged approach, because if we waited and just did one thing or the other, you would be less safe, and we don't want that.

JASON HOWARD:  So, for some of the users who haven't used this before, to kind of give them – paint a little bit more of a picture of it.  Is there something that an end user will see, like when they attempt to navigate to a bad site, you know, something that's got a worse score than something like Bing.com, which obviously is going to have a good score, what is it that the end user is going to see so that they know that they're treading into potentially dangerous waters?

JESSICA PAYNE:  It's a big, red screen, so it's kind of hard to miss.  If you attempt to navigate to a website and Smart Screen's got it marked as bad – the whole – it'll actually stop you from going to the URL, and it'll display a red error message that says this site may be potentially unsafe for the reason that it's unsafe.  So, it's pretty easy to figure out, it's pretty intuitive, I think.

JASON HOWARD:  All right.  We talked a bit about being on the web, right?  So, let's scale back and look back at the individuals, their end point, their machine, you know, what they're actually doing their productivity tasks and everything on, right?

So, what is it about Defender as a whole, in that regard, that makes Windows 10 the most secure Windows ever?

JESSICA PAYNE:  I would have to say that it's because of the approach that we take.  So, we're looking for behavioral patterns.  We're not just looking for malware samples and kind of how the particular threat is looking.  We're actually trying to learn from attacker behavior.  So, it's not just this particular malware threat is creating a new entry in your startup folder or trying to persist in this way, or it's being delivered by a Word document with a certain name or something like that.  We're actually looking at like, well, what is it that is a behavior, and can we categorize that behavior as bad? And then not have to be chasing after particular families.

It's kind of an oversimplified explanation here, but we are trying to get ahead of it because what we've found is we can classify different behaviors of what is good computing and bad computing, and you as an end user will never do certain things. You as an end user will never put a Base-64-encoded PowerShell script in your run key.  Would you?  Jason?

JASON HOWARD:  I mean, I surely wouldn't.  (Laughter.)

JESSICA PAYNE:  Okay.  So, since you would never do that, that's actually quite a common persistence mechanism.  And that's how the malware will execute and that's what that file-less malware is.  So, if you do not know what Base-64 PowerShell script in a registry key in a run key is, I'm protecting you from that, along with everyone else that works in the Defender org because we know that's a bad behavior and it's something that doesn't happen in normal things.

So, that's a relatively simplified version of how I think that building off of that and then building off of other components in the operating system, this is more enterprise grade, but we do have these things called attack surface reduction rules where we actually configure the operating system to prevent certain behaviors.

This, building off of that, I think that knowing that we have a super-secure platform already, the platform, if you don't touch it, is really, really great just out of the box.  That's something that I think people don't understand as well as I would like them to, but we're building off of that super-secure platform where a lot of services are disabled by default.  The Windows firewall is on by default.  I love the Windows firewall, you should love the Windows firewall, too.  (Laughter.)  It's in block mode, by default.  Yeah, so that's a super-important thing.  Don't turn that off.

So, if you take a Windows 10 install out of the box, everything is pretty secure.  You put Windows Defender on it, where we know what a bad behavior is, and you've sort of like frozen yourself in carbonite, where you're in a good state, right?  And so anything that changes is, you know, you getting thawed in a bad way, like Jabba the Hutt.

JASON HOWARD:  It helps put the user in a position to where they are knowingly making changes as opposed to being in a more open state, where changes are being made without their knowledge, and all of a sudden they're in a state where they're like, "I don't know what's going on with you."

JESSICA PAYNE:  I like it, yeah, that's a great phrasing.  Yeah, because there's a lot of different configurations that will actually pop up Windows Defender alerts for changes to registry keys or some, you know, services or things like that that you would never change.  Now, admittedly, that may not pop up in words that say exactly what I said, it might say a behavioral detection or something like that, but you're going to know you didn't do that and that someone else is doing bad activities on your computer.

But I do think that you said, "making changes," because what we're really seeing in the threat landscape right now because Windows is so secure now and because antivirus is much more prevalent, the attackers who do this for a living, and they make quite a lot of money doing it, like you know, we've monitored the Bitcoin wallets of some of the attackers, and they're making $250,000 a week.

JASON HOWARD:  What?

JESSICA PAYNE:  Yeah.

JASON HOWARD:  Wait, hold on.

JESSICA PAYNE:  And that's definitely before taxes.

JASON HOWARD:  Are you serious?

JESSICA PAYNE:  I'm dead serious.

JASON HOWARD:  Oh, my goodness.  (Laughter.)

JESSICA PAYNE:  And now you have a new career, so –

JASON HOWARD:  So, I know what I'm doing after I retire from Microsoft.

JESSICA PAYNE:  There you go, yeah, yeah.

JASON HOWARD:  I'm totally kidding, by the way.

JESSICA PAYNE:  But, yeah, we've monitored the Bitcoin wallets and the financial transactions of these criminals and some of the activities that we've done, and they're doing really not sophisticated stuff at all.  Like, it's not incredibly sophisticated malware.  There are no zero days.  There's no new vulnerabilities being discovered.  They're just essentially a batch file.  Does everybody remember what a batch file was?

JASON HOWARD:  Oh, yeah.

JESSICA PAYNE:  That is one of the most profitable things that I'd seen recently.

JASON HOWARD:  Really?

JESSICA PAYNE:  It was a batch file that like launched a coin miner.  And it was super stealthy to an end user, and it did what it needed to do, and it launched like a Monero miner, and they made a lot of money.

I wish we had video of your face.  (Laughter.)

JASON HOWARD:  I know.  I'm genuinely – like, obviously, you work in a space that I don't dig into on a daily basis, so –

JESSICA PAYNE:  Yeah, yeah, yeah, yeah.  Would you like to, you know, chase criminals all day?

JASON HOWARD:  Oh, my goodness.  That would be amazing.

JESSICA PAYNE:  You can come shadow me, yeah.  (Laughter.)

JASON HOWARD:  Yes, I will have to – seriously, I will have to come spend some time sitting side by side with you and learning some of this.  This is – I will say just generally, right, this is one of the fascinating things about doing podcasts –

JESSICA PAYNE:  You meet so many different people?

JASON HOWARD:  Yeah.

JESSICA PAYNE:  Yeah, yeah.

JASON HOWARD:  And you get to talk about the different things that they are doing across the company, and it's always something fascinating for me to learn.  And it's the same thing for Insiders, right?  Which, actually, leads me to the next thing I wanted to ask you, of course, is given what Insiders do as part of the program, right?  Installing preview builds and, in essence, being themselves, right?

JESSICA PAYNE:  Yeah.

JASON HOWARD:  Because you can put the build on your machine, you have certain things that you want to go and poke at, test, and be like, hey, was this bug fixed?  Is there a new bug here?  But the majority of the time, Insiders are just being themselves, doing the same things they do, whether they're playing games, surfing the web, being productive, using Office and other applications.

Are there specific things that would be beneficial if Insiders kind of poked and prodded at for you?

JESSICA PAYNE:  Yeah, actually, if you're feeling adventurous, poke and prod and make sure, one, first off, best practice is enable cloud mode, please, because that is going to make sure that you're that 40 percent more protected by the ML signatures.  So, if you haven't done that, do that.  If you haven't enabled Smart Screen, please enable Smart Screen because I'm also a Windows Insider.  I also run preview builds, and you will encounter bugs that the rest of our population aren't, that might encounter issues with the engine, right?  So, please, test it for us.  Make sure that you are in the "best practices" mode and that you're testing this out for us.

But from a security configuration standpoint, this kind of goes back to what I was saying about those attackers that are making lots and lots of money, right?  They're financially motivated to keep making money.

JASON HOWARD:  It sounds like it.

JESSICA PAYNE:  Right?  Yeah, exactly.  And so, when they know now that we're on half a billion endpoints and Windows 10 is super secure, they're now changing their business model to target people who are doing risky behavior.

JASON HOWARD:  Okay.

JESSICA PAYNE:  So, if you are, not that anyone that is a Windows Insider would ever do this, but if you are pirating software or pirating movies or pirating video games, you may be likely to disable your antivirus client.  You may be likely to be running as a local administrator instead of the default plain user mode. And those are the things that trying not to do those as a general purpose sort of thing, like even just running as administrator all day long, you know, you're going to be poking, you are going to be trying things out for us. But do it like we do here, you know, where you have an administrative account for changes and then you run as a regular user, because I have seen so much written by other vendors and, you know, news articles even talking about malware with elite disablement of Windows Defender. And it literally runs, like, SC stop WinDefend.  It stops the Windows service in the context of the user who executed the malware.

So, again, people that aren't very complicated are making $250,000 a week in Bitcoin.  So, you know, that's like the kind of lessons is like the attacker economics are shifting to targeting people who are willfully going to be disabling AV, willfully doing bad things because they don't want to be caught doing them type of thing, or people that are – people that are averse to machine learning, averse to cloud, averse to telemetry. And you as a Windows Insider understand that we're here to help you with that.  That's what helps make the product better.

JASON HOWARD:  Absolutely.

JESSICA PAYNE:  So, you probably are unlikely to do that. My advice probably there would be just, you know, make sure you're not running as admin, all day long.  (Laughter.)

JASON HOWARD:  Because it seems that it opens up another surface that makes it easier for some of the things that you don't want to happen, makes it easier for those things to transpire.

JESSICA PAYNE:  Yes, absolutely.  If I'm an attacker and if I have a goal of persisting on your computer and doing more advanced things or disabling your software, I either have to rely on the fact that you're running as administrator, or unleash some sort of vulnerability in your computer, so like something that's unpatched.  So, if you have something like WinRAR on your computer and it's out of date, right now, you're vulnerable to an attacker being able to automatically just give themselves administrative access essentially and use that vulnerability.

So, even if you're an Insider and you've got these third-party products, make sure you stay up to date.  Like, we definitely keep you up to date when we give you the Windows Insider builds or Office Update or Defender comes down the same way.  Your third-party software might not be doing that, and you should definitely make sure that you're keeping those up to date.  And there's auto updaters, don't be afraid of them.

JASON HOWARD:  It's funny that you mentioned that it comes down the same way that other updates come down.  Insiders, especially those that are in the Fast ring or in Skip Ahead, they tend to be the extremely eager group that are, like, I want a new build, and they're constantly checking for updates.

And I get screenshots all the time on Twitter from people who will be like, I went to scan for an update and all I got was this Defender update.  (Laughter.)  It's like one of those old –

JESSICA PAYNE:  You're welcome.

JASON HOWARD:  It's like one of those old tourist T-shirts that you take on a family vacation.  I went so-and-so place and all I got was this T-shirt.  Yeah, totally.

JESSICA PAYNE:  I love it.

JASON HOWARD:  So, looking at how Defender is perceived from an end user's perspective, right?  If we go a little bit old school, so let's think back, I don't know, let's think back a decade or even 15 years, right?  Because things have changed a lot in that time period.

It used to be that security software such as antivirus clients, it was an extra program that you installed, there was the perception that it chewed up a bunch of machine resources, so it always sat in CPU, it was always taking up a chunk of RAM, trying to do what it was doing, potentially interfering with other applications.  You were getting pop-ups of, hey, I need to update myself, please let me update, hey, you haven't installed the update, I need to reboot your machine.  So on and so forth right?

I could keep drawing it out, but I think you get the picture here.  Sum it up by saying it wasn't always necessarily the best user experience.

Windows Defender now, because it's built seamlessly into Windows 10, obviously, the updates come down through Windows Update, it kind of installs itself in the background, it's kind of a very seamless process, the updates – at least from – that I've seen, don't even require a machine reboot, they just kind of – it's like the process loads itself.

JESSICA PAYNE:  Yep.

JASON HOWARD:  It pulls up the new antivirus definitions and just keeps on going and you didn't even know it happened, which is really awesome, especially compared to the old way of doing it.

So, how or why – like, what was the big motivation in making this a priority, right?  Obviously, I'm – I'm going to – I'm going to jump ahead and assume that some of this was the end user's experience, right?  But what was this in the priority perspective for designing Defender?  And has it actually had an improvement on driving security forward for PCs in general?

JESSICA PAYNE:  Yeah, so, I'm going to start with story time a little bit, but I promise it's related.

So, in my day-to-day job, I deal with incident responses that are related to something like news-making events, different things that you see like you might read about a certain malware and be, like, oh, gosh, that's scary.

I deal with, you know, financial theft from banks and all sorts of different stuff.  And as I'm going through this, I would say at least 25 percent of those – so, these are big industries, these are big companies with a massive security investment.  I encounter at least one server-class system that doesn't have antivirus on it because they think it will slow down the feature of the service.

I like your face right now, it's like definitely the right reaction for this.  (Laughter.)

JASON HOWARD:  It's almost – it would be great if this was a webcast.

JESSICA PAYNE:  Yeah, exactly.

JASON HOWARD:  Because people could see –

JESSICA PAYNE:  Just imagine like the O-face emoji, the one that's like (gasps.)

So, but so these are like sometimes like internet-facing systems that like do important work and they're, like, "Oh, we can't have antivirus on it."  Well, if you're an internet-facing server and you have like remote desktop enabled or things like that, like people tend to find a way in, you know?  And we will watch these attackers through Windows Defender ATP, which is a different product, but we'll get to that sometime.  So, that's our, like, more enterprise version.  But we get a lot of telemetry from that.  So, I can watch an attacker, like, willfully drop something I know is malware that's detected by every malware vendor on the planet and use it to dump your credentials and then do bad things.

So, this perception that AV is going to prevent you from making money or that AV is spying on you or that AV is useless because you can defend your machine, is really, really what attackers are counting on.  So, yes, this was a priority for us to fix because if you're not running antivirus, there are no hurdles.  There are no hurdles.  You will get malware, end of story, right?

Because, like, there are injections into news – like news sites have ads on the side, like, so there's this stuff called "malvertising."  And it essentially just runs a script in the background.  And so like little JavaScript, just like the one that changes it from buy dog food to buy toilet paper or whatever is going on in the background in ads.  You can be browsing to a fully legitimate, wonderful website that is not going to hurt you at all.  And if you don't have antivirus and they've had a "malvertising" attack, you're going to get ransomware or whatever to happen to your machine.  This happens all the time.  Like, there's other, you know, ways like that.

Like, you don't have to be doing something bad to get malware, and if you're not running an AV, you have zero line of defense right there, because the landscape is such and it's so financially motivating for those attackers that it's just, you will encounter a malware in your day-to-day activities, even if you are just you know reading the news and buying the books and doing very boring things, right?  So, this is absolutely a priority.

And it was also a priority for us because the way we built our agent and the way we built how Windows Defender works, we didn't want to increase the attack surface of your computer.  And, you know, like, there's a lot of other ways that you can do antivirus, where it's a different agent that runs with really high privileges and it has to download text files that might be able to be edited and things like that.  Like, no, no, no, we wanted to make it as hardened as possible.  Like, we've just released a feature called anti-tampering for Windows Defender in the ATP space, so like, even if people have admin, it's harder to disable the antivirus and things like that.

So, it's absolutely critical that we made it perform better for you, and it's really performant when we did the AV test scores, we actually scored really high in performance now.  And a lot of that is based off of the cloud protect, because the scanning is actually happening just based off of attributes of the file that are being then sent to big, Azure data cloud stuff, amazingness – for lack of a better way to explain it.  So –

JASON HOWARD:  That's a good description.

JESSICA PAYNE:  Yeah, it's big data cloud amazingness.

JASON HOWARD:  So, obviously, there's a lot more to device security than just having a single antivirus client, right?  How does keeping your computer up to date, so, obviously, you have this glorious product of Defender that's actively working on your behalf as you're surfing the web, it's checking out the files that are on your machine, making sure that nothing has slipped past you and doing something you don't want it to do.

Obviously, there is still the important aspect of making sure that your computer stays up to date with just the standard updates, be it you know, running an Insider build and taking whatever newest update is available in the ring that you've selected.  But even just on standard retail builds, taking the monthly cumulative updates, taking the newest big feature update as those roll out every, at least at this point in time, every six months as we release them.

Windows, in and of itself, is continuously being updated and – I mean, you keep using the word "hardened," but it's actually – it's actually a very good term because it's, as you mentioned, reducing the attack surface, finding potential gaps, filling those potential gaps, so on and so forth.

It seems like in the end, this all just kind of rolls together to provide one kind of hopefully seamless landscape so that rather than a user having to keep it in the forefront of their mind and actively being like, okay, have I made this update?  Have I installed this latest thing?  That the majority of this will happen in a seamless fashion so that they can just get down to doing what they're trying to do.

JESSICA PAYNE:  Yeah, and that's why Insiders are awesome, because they love to update.

One of the things that happens with threat intelligence and what I do for a living is sometimes we learn very quickly about software that's being exploited or about zero days in a product. And we work with Microsoft Security Response Center, MSRC, that's where your monthly patches come from, you know, so we're involved in that process and it's super cool because there's a whole lot of people that care about you and a whole lot of people that lose sleep when somebody discloses their vulnerability on Twitter.  (Laughter.)  So, we got your back and a lot of coffee.

When we think about those updates, when an update is released, there are adversaries out there, even just those want to mine Bitcoin on your computer type of adversaries that actually reverse-engineer our patches, or they'll take a before-and-after snapshot of the computer, and they will figure out what changed, and then they will launch attacks using that.

JASON HOWARD:  Right.

JESSICA PAYNE:  So, it's really important to keep yourself updated because the attack landscape is based off of figuring out, not a zero day, that's hard, but if I can get a six-hour window between when you've released a patch and when you've updated your computer to figure that out, sometimes that's enough time in like a smaller patch or a smaller product.

Oh, even like a week waiting for a Windows update, there's probably somebody, if it's a major interesting update, who's out there trying to figure out how to use it, especially if it's "wormable," because you may have heard of Eternal Blue, and you may have heard of, you know, the SMB vulnerabilities that led to WannaCry.  It will probably shock you, it no longer shocks me, that I still encounter malware campaigns that are using Eternal Blue. There are still successful malware campaigns out there using Eternal Blue to navigate –

JASON HOWARD:  How far out of date are people's devices and machines that this is still effective?

JESSICA PAYNE:  A long time, like 2008-ish, so, I think – or whenever, but –

JASON HOWARD:  Again, I'm making one of those faces –

JESSICA PAYNE:  You're making a face, yeah.

JASON HOWARD:  – that the listeners can't see, but –

JESSICA PAYNE:  Yeah, so we see consumer-grade machines that are still getting hit by these things, and then we see inside of enterprises where they have a perimeter firewall, so they think they're safe, but then somebody gets in through a phishing email and then uses Eternal Blue inside the network. There are still, like, Windows 7 machines and things like that.

So, the lifetime usability of a vulnerability can be very high.  And patching – patching and patching quickly –  is a really great way to get ahead of that.  So, please, Windows Insiders, keep with us.  (Laughter.)  And don't reverse-engineer your patches. (Laughter.)

JASON HOWARD:  So, we've talked a bit about Defender, right?  And we've talked about staying up to date, you know, with builds and patches for the operating system itself.  Just in, speaking kind of in general terms, right, knowing that these two things are super important, are there any other, I don't know, little tidbits of awesomeness that you would offer to those who are listening to say, hey, if you're doing these two things, those are two very important things, and here's a couple other things you might want to keep in mind.

JESSICA PAYNE:  Okay, multi-factor authentication.

JASON HOWARD:  Okay.

JESSICA PAYNE:  So, if you are still signing into your email or your bank or whatever with just a password, please, either, you know, switch your provider, you know, there's lots of places that'll do it for you, but make sure that you enable multi-factor authentication.

Multi-factor authentication has actually personally saved one of my parents' accounts from getting attacked, and I was super happy that I'd informed them to do that.  Because there's financial motivation for not just like getting a bank account and draining the money out of it, but I can sell a Hotmail account. I can sell an Outlook account.  I can sell these things because the dark web attackers who do bad things, there's value to having a pre-established personality.  So, if I can steal my mother's Hotmail account, which has existed for years and years and years, and use the reputation of that to send spam, that's highly valuable, or I could ransom it to you.

Just personal security in general, if you don't have multi-factor on right now, you are probably going to experience something bad happening because a lot of the risk that's happening right now is that your password is going to get disclosed by a third-party company having a problem.  And so, your password's out there.  Please, don't reuse your password.  Like, if you're using a password manager, you don't have the same password everywhere, but there's a good chance that someone has your password. So, a password combined with multifactor authentication, like we support for Outlook and our e-mail services, is really going to help you there.

And a lot of people sort of shy away from – you know, there's obviously the authenticator version, where you've got an app and that's super robust and that's great.  But even if the multi-factor authentication that's available to you is through text message, please use that, because there are theoretical attack vectors – or, I'm sorry, real attack vectors that really, really sophisticated adversaries can use to intercept your text messages and do whatever.  You're better off having any multifactor than worrying that some sort of nation-state or super determined person is after you, because if that's in your threat model, you're probably out of luck anyway.  Right?  (Laughter.)

So, like, please, do the multi-factor, do the password manager. Kind of educate yourself on what your own personal threat model is.  This one's going to sound a little weird, but my threat model is not the same as your threat model.  Right?  And, you know, your and I's might compare differently to someone who doesn't have an internet presence, right?  I've got a Twitter account, you've got a Twitter account, people know what my face looks like, I show up at conferences, right?  And there's different risks that you might be able to avoid by streaming down your online profile.

For instance, someone in my family was helping me renovate my house.  And they posted pictures from my house.  I was no longer living there. There's location data that exists in your phone, and also exists in the social media services that you're posting from.

So, if you're not aware of this and you don't know that there's sometimes these privacy leaks just happening by default, you may inadvertently be leaving a bread crumb trail of where you're sleeping at night.  So, I would say multi-factor authentication, password manager, and understand the privacy of where you're posting things from.

JASON HOWARD:  Well, it's interesting that you mention the entire privacy sort of things, right?

JESSICA PAYNE:  Did I?

JASON HOWARD:  Because, obviously, getting outside of just the computer or somebody's phone or logging into an account and web surfing, right, there is a much broader picture, right?

It's super important for both, you know, the Windows product itself, but as well as the broader concept of Microsoft on the whole, right, of how we as a company protect customers and their personal information. I won't start naming names, but there have been several big names across the tech landscape industry as a whole that have undergone recent, shall we say, news events.  That's probably a polite way of putting it.  (Laughter.)  Where they get some not necessarily wanted press, draw some ire from users, and there's really some interesting things going on, right, kind of broadly.

So, I guess, circle back where I started this question is like, like, what are we as a company outside of some of these just basic products, like, what are some of the things that we are doing or, what are the things that we're focused on, really?

JESSICA PAYNE:  Yeah, it's a design decision for us to think about privacy first.  Like, there inside of what we do with threat intelligence and working on Defender and knowing that we have so many people's endpoints in our responsibility, and then we also have this thing called we call a managed hunting service, where companies will have us protect their networks and look for malware on them and things like that.

Our job is actually harder because of privacy.  We scrub that data.  We cannot figure out who our customer is.  There's like – we have made a design decision to make our lives harder and figure out how we can still protect customers without revealing your personally identifiable information.  There was an attack recently that involved attacking a certain class of hardware.

And they figured out whether or not to install it based off the MAC address or the hardware address of your network card.  Well, I can't see those.  That's PII.  That would identify you.

JASON HOWARD:  True.

JESSICA PAYNE:  So, I can’t – we have made a conscious decision that we are going to just not collect pieces of data, the pieces of data that other vendors are, and make their life easier.  So, this is like – you're like, wow, wow, Jessica, your life is hard.  Like, what does that mean for me?

It means that like I have – I have experience working with other data sets because I used to do incident response as a consultant.  I'm well aware what other vendors are collecting.  So, it's actually a really big thing for me to stand here and say that Windows Defender and what we've done in the Defender organization, willfully making sure that we follow compliance and that we avoid collecting certain data is something that a lot of our competitors would never, ever do.

And so, the fact that I'm standing here saying that we still made a world-class product, we're still making ranks and test scores with 100% AV test score type of thing, while we made that decision, that tells you how committed we are to it.

JASON HOWARD:  Yeah.

JESSICA PAYNE:  Because we could have gotten that score and ignored customer privacy.  We got that score while we did customer privacy.

JASON HOWARD:  So, as we wrap up here, I'm going to ask you one of my favorite questions, sometimes I get answers, sometimes I don't get answers.  We'll see what happens here, right?  I love taking the risk at least.

So, what's next for Microsoft Defender, a.k.a., the artist formerly known as Windows Defender?

JESSICA PAYNE:  I think you've nailed the picture right there, you've nailed it on the head.  So, so we are going to continue to invest in our third-party platform and we're going to continue to invest in making sure that we can secure people regardless of where they're computing from because customers, I have a Mac, I have a Mac and I have Windows, right?  I shouldn't have to choose between my protection there.

So, we want to make sure we're coming to where our customers are computing.  We want to make sure that we continue to prioritize not sacrificing performance, getting those AV test scores, and continuing to protect you.  We've got a lot of hidden features on the back end that are continuing to protect you from new classes of threats, and you will never even know about them because we update our engine in the background.

But we're really, really committed to being there and being on your devices where you compute.

JASON HOWARD:  Awesome.  I have to say, this has been a completely fascinating conversation.  I know I mentioned some of this earlier, right?  But it's like every time I talk to a new team and make new acquaintances, right, I get something out of this, right?  I always learn something.  There's things that I think I know stuff about until I realize how much I, you know, actually don't know.  And this has absolutely been one of those conversations.  So, you know, you know, while I'm talking to you, absolutely, thank you for making the time to come to the studio.  We definitely appreciate it.

And I will absolutely take you up on that offer to come and spend some time shadowing with you.  I would love to see at least the things that you can show me, because I know there's probably some stuff that I won't get to see, but anything that I can do to learn that I can then share more broadly with the Insiders, obviously, they learn something, I learn something, it's kind of a win-win-win for everybody.

And you've actually –

JESSICA PAYNE:  I look forward to detecting you once you take up Bitcoin mining.

JASON HOWARD:  Uh-oh!  (Laughter.)  That secondary post-Microsoft job, right?

JESSICA PAYNE:  Exactly.

JASON HOWARD:  All right.  Well, again, thank you so much for the time today.

JESSICA PAYNE:  Thank you.

JASON HOWARD:  Appreciate you being in the studio with us.

(Music.)

JASON HOWARD:  Although security hasn't always received the attention it so richly deserves, the global computing community has taken the topic to heart, and you will undoubtedly hear even more on the topic as time goes on.

We hope this episode has been a good primer in understanding technical security and has shed some light on how to better protect yourself and your data.  And with that, we wrap up episode 19.

If you have other topics you'd like to hear us cover this season, let us know on Twitter.  The handle is @WindowsInsider.  If you liked this episode of the Windows Insider podcast, don't forget to subscribe via your favorite podcast app.

Thanks for listening, I'm your host, Jason Howard.  Until next time.

(Music.)

NARRATION: The Windows Insider Podcast is hosted by Jason Howard and produced by Microsoft Production Studios and the Windows Insider team, which includes Allison Shields, that’s me, Michelle Paison, and Kristie Wang. Moral support and inspiration come from Ninja Cat, reminding us to have fun and pursue our passions.

Listen to our previous podcasts and visit us on the web at insider.windows.com. Follow us @windowsinsider on Instagram and Twitter. Support for the Windows Insider Podcast comes from Microsoft, empowering every person and every organization on the planet to achieve more.

Join us next month for another fascinating inside look into Microsoft, tech innovations, careers, and the evolution of Windows 10.

End