Microsoft Security Researcher: A Tale of one Woman's Resilience and Ambition

1 00:00:00
Speaker 1: How's it going, miriam?

00:00:00
It's really good to finally have you on the podcast.

00:00:04
I feel like we tried to get this thing together a couple

00:00:07
times over the past like six months at this point, and you

00:00:11
know it's just been a mess in both of our schedules, I feel.

00:00:16
Speaker 2: Hey Joe, yeah, it's great to finally meet you and,

00:00:20
yeah, I don't know about way.

00:00:22
Yay, we finally made it so, so good to speaking to you.

00:00:27
Speaker 1: Yeah, absolutely so you know.

00:00:30
Miriam, before we dive into what a security researcher does

00:00:34
at Microsoft, I want to start off with your background, you

00:00:39
know.

00:00:39
How did you get into it?

00:00:41
What was that journey like for you?

00:00:43
What was that process like?

00:00:44
Did you have any mentors along the way to kind of, you know,

00:00:48
guide you down that path?

00:00:49
Or did you discover it and go down at all on your own?

00:00:54
Speaker 2: So I was kind of always interested in IT I when I

00:01:01
was a kid I was like, okay, I want to become a game developer

00:01:05
or a hacker, but hacker is illegal, so that was all the

00:01:09
table.

00:01:09
And surprisingly, I never became a game developer either.

00:01:12
So but somehow I always wanted to know how to communicate with

00:01:21
computers and I started programming very early.

00:01:27
I think I was eight years old or something like that, when I

00:01:30
developed my first game on my little learning laptop.

00:01:32
And later then, after I finished school, I was like,

00:01:33
okay, what do I do with my life?

00:01:34
And so I started programming very early.

00:01:36
I think I was eight years old or something like that when I

00:01:38
developed my first game on my little learning laptop.

00:01:39
And so I started programming very early.

00:01:40
I was like, okay, what do I do with my life?

00:01:42
And honestly, I had no idea, like everybody out there after

00:01:47
they finished school Maybe there are some people, but they are

00:01:50
very rarely, I think.

00:01:51
And so my, although my parents were quite against me playing

00:02:02
and working with computers, surprisingly it was my parents

00:02:07
who found, yeah, in the newspaper they found the call

00:02:17
for applications, so for an apprenticeship.

00:02:20
And this is when I originally got into IT.

00:02:24
Speaker 1: That's really interesting, you know.

00:02:25
So you're, you're, you're based out of Germany, right?

00:02:30
Speaker 2: Yes, so if I make any mistakes, I'm sorry.

00:02:34
I'm not a native speaker.

00:02:36
Speaker 1: No problem, you know, I've spent a decent amount of

00:02:40
time in Germany and I've I've always been surprised as to how

00:02:46
well everyone can speak English, and so, like, whenever I'm

00:02:50
there, I try to like ramp myself up on German and, you know,

00:02:55
speak German until I can't anymore, and then, like, when

00:02:58
the conversation gets to a point where I can't handle it, it's

00:03:01
like all right, I'm sorry, like I'm English native speaker and

00:03:05
they like test out there English on me and it's a.

00:03:08
It's a fun interaction.

00:03:11
Speaker 2: Nice, that's really cool.

00:03:12
Now you also have to deliver, so what's your favorite German

00:03:15
word?

00:03:17
Speaker 1: Oh, I don't know if I can even say that you know.

00:03:20
So this is the thing, right.

00:03:22
So I studied German in college as, like my four language, I had

00:03:27
to choose one and so I chose German.

00:03:28
I studied abroad in Germany for about six weeks and I was, I

00:03:34
was getting to the point where I could hear it and understand it

00:03:38
, like fluently pretty much, but responding was a little bit

00:03:42
slow and I was still, you know, getting used to it and whatnot.

00:03:44
And then I came back to the States and I've been back a

00:03:48
couple of times ever since, but it's like when I'm, when I get

00:03:53
there, you know there's such a huge gap.

00:03:56
But after about 10 days of being in Germany, I start, you know,

00:04:00
developing the skills of being able to hear it and understand

00:04:02
what's going on.

00:04:02
Like you know, last year I was in Germany with a friend for the

00:04:06
Tampa Bay Bucks game and and you know, in the beginning it

00:04:13
was difficult, like I, I knew what different words were and

00:04:17
whatnot, like if I was looking at, like the U-Bahn map or

00:04:19
whatnot, or the S-Bahn, like I knew what they were, right, I

00:04:24
knew which direction I was going , but like translating it just

00:04:28
didn't work in my brain.

00:04:28
And then, you know, like we were there for probably 10 days,

00:04:34
by the end of my stay, though, I was right back to hearing it

00:04:38
and understanding it and I was, like, translating it to my

00:04:41
friend, like, oh, this is what they mean, like we got to go

00:04:43
over here or do this, you know.

00:04:45
So it's just, it's.

00:04:47
It's a frustrating journey for me, because I wish I could just

00:04:49
move there.

00:04:53
Speaker 2: Wow, I did not know that you actually were in

00:04:59
Germany for some time.

00:05:00
Yeah, cool.

00:05:02
Speaker 1: Yeah, yeah, I've.

00:05:03
I've spent some time in Berlin, frankfurt, dusseldorf, munich,

00:05:11
I think.

00:05:11
I think I need to go other places other than other than

00:05:17
Germany for my next vacation, unless it's for Oktoberfest, and

00:05:20
then I'll go.

00:05:20
But yeah, it's, it's, I love it .

00:05:25
I love going there.

00:05:26
It's always a great time, great atmosphere.

00:05:30
Everyone's so friendly.

00:05:31
That's what always like threw me off in the beginning, it was

00:05:35
like everyone is so friendly.

00:05:38
Speaker 2: Yeah, and if you reconsider and plan your

00:05:42
vacation, your next vacation in Germany, give me a ping and let

00:05:46
me know.

00:05:47
Speaker 1: Yeah, absolutely so.

00:05:49
So you mentioned that you know you got your start as an

00:05:55
apprenticeship in IT, and is that, is that pretty typical for

00:06:02
apprenticeships in IT in Germany?

00:06:05
And I ask very specifically because you know, through my

00:06:10
studies, right, we learned about the education system in Germany

00:06:13
and how after school you typically, like for different

00:06:17
trades, you'll go and be an apprentice.

00:06:19
For you know, at a certain point in your education you

00:06:21
start being an apprentice and then you actually transition

00:06:22
into the, into the actual field.

00:06:26
I didn't realize that IT even had that option of being an

00:06:31
apprentice, right?

00:06:32
So is that a pretty typical path or is that, you know, an

00:06:37
outlying path?

00:06:38
I guess?

00:06:39
Speaker 2: I think back then it was quite a new thing.

00:06:42
So there were two paths.

00:06:45
So one path was working with the systems, the other path was

00:06:50
development and as I thought, okay, I already know how to

00:06:54
develop programs, I thought, okay, I want to learn about the

00:06:58
systems, and that was basically my direction.

00:07:01
But you asked me if that is a typical thing.

00:07:05
I would say it depends.

00:07:08
I still see that studying also brings you quite far.

00:07:15
In some companies, especially if it's a government or a public

00:07:22
sector, then you need to have studied.

00:07:25
But there are also a lot of people that are following

00:07:31
apprenticeship paths.

00:07:32
So and they look at me I was in luck and got in the best

00:07:38
position ever and I originally went to the school that would

00:07:45
have allowed me to study after.

00:07:46
But after school I was like I don't want to learn any longer

00:07:52
and so I started the apprenticeship and suddenly I

00:07:55
just started learning everything I could and I never stopped.

00:07:58
Yeah.

00:08:02
Speaker 1: Yeah, that's pretty funny.

00:08:03
You got out of it saying that you don't want to, you don't

00:08:07
want to learn anymore, and then you get into cybersecurity and

00:08:10
IT where, like, the learning never ends.

00:08:14
Speaker 2: Yeah, and I think it also really became my passion to

00:08:19
just learn and learn and learn everything I could find.

00:08:21
So, yeah, I also thought every time, okay, maybe studying at

00:08:28
some point would be beneficial, would be cool, but well, I never

00:08:34
studied and I never achieved it .

00:08:36
Because every time I thought, okay, now could be the time I

00:08:39
found a better opportunity, or I got hired at the role of my

00:08:44
dreams, or yeah, and somehow I never found the time to study.

00:08:51
Speaker 1: And yeah, yeah, that's really interesting.

00:08:57
So would you say that you kind of stumbled into it Honestly,

00:09:03
like you didn't, I don't know.

00:09:05
Like probably growing up or even earlier on in your

00:09:08
education, you probably didn't intend to go down that path,

00:09:12
right?

00:09:13
At least that's what it sounds like a little bit to me, Do you?

00:09:17
Because for myself, I guess I never intended to go into IT.

00:09:21
I thought it was the most boring thing in the world.

00:09:23
I thought if I'm stuck in IT like that would be the most

00:09:28
miserable thing ever, right, Right, and here I am so many

00:09:33
years later.

00:09:34
Was that the same sort of thought process for you as well,

00:09:38
that you might be bored in it?

00:09:40
Speaker 2: So I also somehow stumbled in it.

00:09:43
Or I see it as a puzzle.

00:09:45
I was always IT focused, but for me it was not the most

00:09:50
boring job, so for me it was the most exciting thing that I

00:09:54
could think of because, as I said, as a little girl I was so

00:09:58
interested in really understanding computers and

00:10:03
communicating with them and really getting to know how they

00:10:09
work deep inside, so I did not manage to really understand it

00:10:18
100% yet, but yeah.

00:10:22
So, for example, what I'm also super excited about is reverse

00:10:27
engineering and assembly, where I'm a beginner at, but I think

00:10:33
that leads into the direction of understanding computers.

00:10:36
So the dream I had as a little girl.

00:10:39
But yeah, basically I stumbled into IT security.

00:10:45
So I did not really know that I will be working in IT when I

00:10:50
grew up, but I was somehow always interested in but the IT

00:10:59
security part I think I stumbled in there.

00:11:02
So during my apprenticeship I worked at an institute for

00:11:07
foreign and international criminal law and they also had

00:11:10
cybersecurity researchers and I observed a lot of their work or

00:11:20
could attend even a local conference, which also got my

00:11:24
interest sparked.

00:11:25
And yeah, after my apprenticeship, by the way, I

00:11:30
worked as a developer, but not for games.

00:11:32
So and this was when I was already hooked on security and I

00:11:40
was literally a pain in the ass for everybody because I was

00:11:45
like we need to secure our code, we need to secure our systems.

00:11:48
And everybody was like, oh my God, it's Miriam again and she's

00:11:52
talking about security.

00:11:53
And in the end, I finally reached my current goal and they

00:12:01
got more aware about security and they even scanned our code

00:12:08
and when we found vulnerabilities, they let me fix

00:12:11
the vulnerabilities and I was even able to exploit them.

00:12:15
So that was really cool.

00:12:19
Speaker 1: Yeah, that's really interesting.

00:12:21
In the beginning of my career, I was working as basically a

00:12:27
help desk specialist for an application for a very small

00:12:32
company here in Chicago and I stumbled upon security and I

00:12:39
started to really dive into it because it really piqued my

00:12:42
interest and whatnot.

00:12:43
And so I started to look at the security of our application and

00:12:48
I found it to be really lacking , like really bad.

00:12:51
And so I started to vocalize it more and more of hey, we need

00:12:57
to be paying attention to this and all these different things.

00:13:01
And no one was paying attention .

00:13:04
Right, they were like, oh, we patched that, that's fixed, it's

00:13:08
not a big deal.

00:13:10
And it got to the point where I just sat down in my VP's office

00:13:14
who was telling me that everything was secure, when I

00:13:17
knew it wasn't.

00:13:18
And I was like, okay, you know this vulnerability that says

00:13:22
here that you can gain root via this method that we're

00:13:27
vulnerable to, like here's the scanner.

00:13:28
Okay, well, I'm gonna get root on this thing real quick, right

00:13:32
in front of you, and show you that we're not patched.

00:13:37
And I did it.

00:13:38
And he was very confused as to how I achieved that.

00:13:42
He immediately actually called in the lead developer.

00:13:47
It was like, hey, how did he just do this?

00:13:49
And they're like oh, he kind of done that, like it was patched,

00:13:52
like well, if it was patched I wouldn't be able to do it.

00:13:54
You know, it doesn't work out like that.

00:13:57
And that was really when I kind of, I guess, earned, I guess,

00:14:05
the respect of other people within the organization

00:14:09
regarding security so that they would actually take my

00:14:12
recommendations seriously and actually act on them and whatnot

00:14:16
.

00:14:16
But that was a long process of me getting so fed up to the

00:14:22
point where it was like, all right, I'm just gonna show this

00:14:24
guy and I'm not a good hacker or anything like that so me be

00:14:30
able to pull that off.

00:14:31
It was probably a pretty easy thing to do.

00:14:36
Speaker 2: But I think it is the most effective way to improve

00:14:39
your point Because I hope at least something happened after

00:14:44
that.

00:14:46
Speaker 1: Yeah, we definitely changed a lot of things about

00:14:49
how we handled security after that.

00:14:51
Luckily, I got to run all of that program.

00:14:56
I got to manage it from start to finish.

00:15:01
It was great experience and I was happy because it made my

00:15:08
customers more secure, made them happier.

00:15:10
It saved me a lot of headaches too, because I was going on site

00:15:15
to federal agencies and the DOD .

00:15:17
They would just be destroying me because the product was

00:15:24
insecure.

00:15:25
I was telling them that it was secure because that's what I was

00:15:28
being told.

00:15:29
This really alleviated a lot of headaches all over for me.

00:15:35
Speaker 2: Yeah, I can imagine.

00:15:37
But great thing, you improved it, so okay.

00:15:44
Speaker 1: Yeah, absolutely.

00:15:45
Currently you're a security researcher at Microsoft.

00:15:52
How did you get your start at Microsoft?

00:15:57
What does that process look like overall?

00:16:00
The reason why I ask is because in IT, you get into IT and all

00:16:09
that you hear about is big tech.

00:16:11
All that you hear about is going to work for a big tech

00:16:15
company and getting in the doors the hardest part.

00:16:19
What was that process like?

00:16:25
Speaker 2: Yeah, so don't hate me, I was at 100.

00:16:28
So before I joined Microsoft I was working as a system

00:16:37
administrator.

00:16:38
Since I was all about security it's so important In my spare

00:16:43
time I learned everything I could about penetration, testing

00:16:47
and hacking.

00:16:48
I was given the chance by a former employer to build my own

00:16:53
PAN testing department.

00:16:54
That went quite well.

00:16:56
I legally hacked the first customers.

00:16:59
That was the time when Microsoft approached me and

00:17:04
asked me if I wanted to work for them, since I just achieved my

00:17:09
dream having a PAN testing department.

00:17:11
I just said no.

00:17:13
I told my husband and he was like are you crazy just to

00:17:20
decline Microsoft?

00:17:21
Are you crazy?

00:17:22
He just couldn't take it and he told his best friend.

00:17:27
And then his best friend and my husband did an intervention.

00:17:30
They listed the positive arguments for Microsoft and the

00:17:36
negative against Microsoft.

00:17:37
They convinced me to at least speak to Microsoft.

00:17:43
I went into the interview process.

00:17:46
During this process I was convinced that Microsoft is

00:17:52
actually a really great employer and that you could really have

00:17:57
an impact also on security worldwide.

00:18:02
That was when I joined Microsoft as a Premier Field Engineer,

00:18:06
which is some kind of consultant .

00:18:08
You go to customers.

00:18:10
You have different tasks.

00:18:13
One of my tasks was to assess their environments for security

00:18:18
flaws, for example, active Directory Security Assessment or

00:18:23
Windows Server Assessment or other security assessments.

00:18:26
I also had some permanent customers I regularly worked

00:18:31
with and, depending on your work , we also had some freestyle

00:18:40
engagements that I worked with.

00:18:48
After this role, I worked as a Program Manager for Defender for

00:18:55
Endpoint.

00:18:56
Back then it was still called Windows Defender for Endpoint

00:19:00
and Microsoft Defender.

00:19:02
This was basically the role that, I was told, is the only

00:19:11
role that you could work with Corp or in Corp.

00:19:17
This was a Corp role from Germany.

00:19:20
I was told this is the only role that you will ever get when

00:19:24
you want to stay in Germany.

00:19:25
It was already a dream role back then because it was a great

00:19:31
role.

00:19:31
You had a lot of challenging tasks and got to see so many

00:19:37
environments and got to work with so great customers.

00:19:39
My dream was quite a long time to get back in red teaming or to

00:19:50
become a security researcher.

00:19:55
This was when I literally tried and brute-forced my application

00:20:03
in.

00:20:03
As a human brute-forcing.

00:20:05
I applied to every security researcher position I could find

00:20:12
within Microsoft.

00:20:13
I applied, applied, applied.

00:20:15
I got denied, denied, denied.

00:20:17
Basically, it was always the question are you willing to

00:20:24
relocate to Redmond.

00:20:25
For me it was like no, I don't want to relocate because I have

00:20:30
my family and friends here in Germany.

00:20:32
I applied a lot.

00:20:39
I think I applied for more than two years.

00:20:45
In the end, at some point, one person that already interviewed

00:20:51
me got promoted to be a manager.

00:20:54
It looks like I convinced this person in an interview before.

00:20:59
When he became a manager, he asked me hey, do you still want

00:21:06
to become a security researcher?

00:21:07
I was like oh, I'm Jamie.

00:21:10
My heart just stopped a beat.

00:21:12
I was like, of course, yes, I had to go through the entire

00:21:18
process again and got interviewed again.

00:21:22
I had the lack that also the interviewer had the impression

00:21:28
that I might fit into the team.

00:21:31
I was so obsessed with this role Somehow.

00:21:37
I was really really lucky that my manager and also his manager

00:21:44
and everybody in line was up to make an exception for me to work

00:21:51
in this role.

00:21:52
I was really really lucky, combined with a little bit of

00:21:56
human brute forcing.

00:22:00
Speaker 1: Yeah, that's great.

00:22:01
It's such a huge ask for someone to uplift their life and

00:22:08
move to another country.

00:22:10
For me it would be another state, but that's a huge, huge

00:22:17
ask.

00:22:17
I feel like in this current modern-day ecosystem that we're

00:22:24
in, where everything can be remote it was really well proven

00:22:29
out with COVID it's almost unreasonable to ask someone to

00:22:37
have to relocate for a role, especially if you're not an

00:22:42
executive.

00:22:43
You're not an executive, you don't have to talk with the

00:22:48
board, you don't have to talk with other executives.

00:22:50
It's not necessarily a collaboration thing, even.

00:22:58
It's just different, if that makes any sense at all.

00:23:03
Speaker 2: Yeah, so don't get me wrong, I really love visiting

00:23:06
the states, but I just did not want to leave my family and my

00:23:11
friends.

00:23:11
That was no option for me.

00:23:14
You said it.

00:23:17
We just proved it with COVID that it is possible.

00:23:20
And I still don't really understand what so many

00:23:24
companies are still trying to force that people relocate.

00:23:29
So I was really really happy that it worked out for me in the

00:23:36
end and I think now after the pandemic also, Microsoft got a

00:23:41
little bit looser with the relocation policies.

00:23:48
Speaker 1: Yeah, that's good to hear, because in security you

00:23:52
hear about other companies, like Amazon, demanding a three-day

00:23:56
workweek and internal memos coming out saying that it'll

00:24:01
take years for them to get back to a five-day in the office

00:24:05
workweek.

00:24:06
It just doesn't make any sense to me because if I was to work

00:24:13
for Amazon, they have a Chicago office.

00:24:15
I would go into the Chicago office, but how many other

00:24:18
people on my team are going to be in Chicago?

00:24:22
So if that answer is none, then why am I in?

00:24:28
Because everything else can be solved over a meeting.

00:24:32
It would be any other time.

00:24:36
The logic isn't there and I hope that companies are catching on

00:24:40
to that in some regard.

00:24:42
It sounds like Microsoft has.

00:24:44
Microsoft is probably one of the few big tech companies that

00:24:50
I haven't heard of a real big push to go back to the office,

00:24:53
which is it's refreshing because other companies really take

00:24:58
their lead off of big tech and what the big tech guys are doing

00:25:02
and what these other smaller companies should be doing and

00:25:06
whatnot, because they're really trying to keep up and keep their

00:25:10
talent and whatnot.

00:25:11
Speaker 2: Yeah, but I still think it will take some time

00:25:17
until also the smaller companies keep up, because usually it's

00:25:23
hard for them to just have the same policies and not only work

00:25:29
policy-wise, also security policy-wise or something like

00:25:33
that.

00:25:34
So they also need the people to get the work done and to have

00:25:43
the trust in their employees also.

00:25:45
Maybe.

00:25:50
Speaker 1: Hmm, so what's the day-to-day like as a security

00:25:54
researcher?

00:25:55
Is there any cool security researching areas or topics that

00:26:01
you have dove into that just like blew you away and really

00:26:06
opened your eyes to something, or what is that like?

00:26:10
Speaker 2: So, basically, every day or every project is

00:26:15
different, so you can't say this is 100% security research, and

00:26:20
even every role at Microsoft is different.

00:26:22
So I, for my part, I work in the Microsoft 365 Defender

00:26:28
Research Team, so we are the ones behind the Microsoft 365

00:26:33
Defender correlations and everything that is related with

00:26:40
this area, with this topic.

00:26:41
So if there is more than one, I used to call the sub-product

00:26:48
pillars.

00:26:48
So, for example, defender for Endpoint, defender for Identity,

00:26:52
defender for Office, and so on, I used to call those products

00:26:57
pillars of Microsoft 365 Defender.

00:26:59
And as soon as there is more than one pillar involved in this

00:27:06
project, this is our team who is working on it.

00:27:09
And yeah, so there were many, many cool projects so far, and

00:27:19
one of the latest is also related with AI.

00:27:23
So, yeah, for example, co-pilot , but I cannot tell you too much

00:27:29
about it.

00:27:30
Speaker 1: I'm sorry.

00:27:31
So something like Defender for AI is potentially coming or

00:27:37
being researched, looked into in some way.

00:27:40
Speaker 2: No, that's not what I say.

00:27:41
I don't know if that is something that is coming, but so

00:27:46
Security Co-Pilot was announced as your AI helper to help you

00:27:55
to answer questions or to just help you to see with one glance

00:28:02
what is the problem in your environment.

00:28:04
Because there are many companies that have too few

00:28:10
employees and also not the knowledge, because knowledge is

00:28:14
expensive and so they need the employees that they have to do

00:28:21
all the work, also security-wise .

00:28:23
But what if there is a really huge incident that you would

00:28:29
need hours to get an overview on ?

00:28:31
And using Co-Pilot, it can help you to get an overview within

00:28:38
minutes, within seconds, basically, and yeah, that's

00:28:44
really interesting.

00:28:46
Speaker 1: You know, with Microsoft, I look at their

00:28:54
security stack, I look at their tech stack and I try to picture

00:29:00
how it evolved over the years and overall it seems like

00:29:05
Microsoft's security is like night and day compared to what

00:29:09
it was even five to eight years ago, which is really saying

00:29:14
something you typically don't see.

00:29:17
Whole companies kind of revolutionize how they do, an

00:29:21
entire pillar of their business, slash something like security.

00:29:26
And even eight years ago it was kind of laughable if you said,

00:29:34
oh, I have Microsoft Defender.

00:29:36
You know, like everyone's just like, oh, OK, that's not going

00:29:38
to do anything for you.

00:29:39
But now you know that whole perception has completely

00:29:44
changed within the security community even is like, yeah, I

00:29:49
have Microsoft Defender and I'm protected, Like I'm

00:29:52
significantly protected with this solution and whatnot, and

00:29:56
it's, I feel like Microsoft creates a very interesting

00:30:00
scenario where you can go as far into Microsoft, like as you

00:30:05
want in terms of consuming services and, you know,

00:30:09
providing your whole tech stack for you, and they do offer other

00:30:15
avenues to bring in your own tech stack.

00:30:17
But it's just interesting to me that Microsoft offers, you know

00:30:22
, so many different services and whatnot.

00:30:25
Do you ever find that challenging internally,

00:30:28
potentially to, I guess stay on top of everything.

00:30:34
Speaker 2: Oh, yes, so I don't stay on top of everything.

00:30:37
So what I immediately thought about was, when you mentioned

00:30:45
all these technologies, was the time when I went out as a PFE,

00:30:50
so that some kind of security consultant at Microsoft and I

00:30:56
went to customers to assess their environments.

00:30:59
So basically I was focused on one technology like Active

00:31:04
Directory security or Windows Server security, and the

00:31:09
challenge, or one thing that I found funny, slash challenging,

00:31:14
was that when you come to a customer and you have the local

00:31:19
Microsoft on your back, they immediately assume that you need

00:31:23
to know everything that Microsoft ever did, that

00:31:26
Microsoft ever released and you are the expert of it.

00:31:30
And so when I came to customer and they were like, oh and, by

00:31:35
the way, I do have a problem with my team's installation, can

00:31:39
you help me?

00:31:39
And I was like I have no idea about teams, so I never worked

00:31:43
with that.

00:31:44
Sorry, I use it only as a user.

00:31:47
And they were like but you are Microsoft.

00:31:49
And then you had just to explain that, yes, but you are

00:31:53
specialized, so you have your areas of expertise and you don't

00:31:59
know everything that Microsoft ever did or you are not an

00:32:03
expert in everything.

00:32:04
So, yeah, so.

00:32:09
Speaker 1: Yeah, that's a really good point.

00:32:10
You know, even as a security professional, I feel like

00:32:16
sometimes we just assume right, like when a big tech consultant

00:32:21
is in the office it's like, ok, this is the time to bring up.

00:32:25
You know, absolutely everything that's going on, you know like,

00:32:30
but that's not the best way of going about it.

00:32:33
I have found, you know, from being on the other side and

00:32:37
actually providing services to customers is to, at least you

00:32:42
know, point them in the right direction.

00:32:44
You know, for me at least, right, I'm sure, at Microsoft

00:32:47
it's so much more difficult to even do that because you know it

00:32:52
could be a team within a team, you know, that handles this one

00:32:56
little thing that they know about right, like it's just a

00:33:02
complicated problem to even just do that, I would think.

00:33:05
Speaker 2: Yeah, so sometimes you don't even know who is

00:33:08
responsible for what when it's another product.

00:33:11
You know your peers.

00:33:13
You also might know, if you have worked with someone in the

00:33:18
past, that this is somebody you can go to and say hi, hi,

00:33:22
remember me.

00:33:23
Great talking to you again.

00:33:24
I want to work with this product that you are currently

00:33:28
working in.

00:33:29
Can you help me to find the right person?

00:33:31
And this is basically the only way that you get the right

00:33:36
person.

00:33:37
Or you ask people if they know people who know other people, or

00:33:41
you just browse internally if you find some key words

00:33:46
connected with some other projects.

00:33:48
But, yeah, so Microsoft is huge , and if you don't know the

00:33:54
right people, or try to connect to the right people, yeah, you

00:34:01
don't find it.

00:34:02
Speaker 1: Yeah, yeah, it's going to be a very difficult

00:34:04
time for you and you won't be able to provide that like that

00:34:07
next tier of support and service .

00:34:10
You know it's networking is a critical part.

00:34:14
That you know I bring up a good amount on this podcast is

00:34:18
because you know, it's not always about what you know, it's

00:34:22
more about who you know, and that's not necessarily.

00:34:25
You know.

00:34:25
Who you know is, you know, getting you the job or anything

00:34:28
like that.

00:34:28
But it's like you know you could be in a situation where

00:34:32
you know a customer has a question about something that's

00:34:34
like, well, I'm not the right person, but I know the guy, like

00:34:37
I can get you in front of them and typically, you know, maybe

00:34:40
they have a, you know, a backlog of like a month, right?

00:34:44
So you can't get on their calendar for a month.

00:34:46
It's like, well, I can get you in, you know tomorrow, right?

00:34:49
And those sorts of things really make the difference, because

00:34:54
you're not only leaving a good impression within your own

00:34:57
company for doing that right You're raising the bar for your

00:35:00
own company but you're also leaving a really good impression

00:35:03
with that customer, you know.

00:35:04
So you're making connections without even really having to do

00:35:08
that, which pays dividends.

00:35:11
You know, is that something that is kind of taught at

00:35:16
Microsoft or instructed upon at all, is that you know developing

00:35:21
your network and making sure you know that you're maintaining

00:35:25
it properly, and things like that.

00:35:27
Is that ever talked about?

00:35:29
Speaker 2: Yeah, so during my onboarding but this is sometime

00:35:33
ago so during my onboarding there were a lot of sessions

00:35:39
where they really advised us to network, to get to know other

00:35:44
people, to keep those connections alive.

00:35:47
And again, so when I, when I got involved with all of this,

00:35:50
yeah, I found it at first hard to have those enforced

00:35:57
networking sessions that they said, okay, go out and network.

00:36:01
But in the end it really made sense and keeping your

00:36:07
connections in your network is really beneficial.

00:36:11
So, as you said, it's not forgetting the job or something

00:36:14
like that, but it's to get things done and sometimes it can

00:36:20
be.

00:36:20
It can make the difference if a request just yeah, just sinks

00:36:27
down and drowns, or if you can fulfill the request or it's also

00:36:32
a matter of time.

00:36:33
So, if you are really eager to fulfill the request, the request

00:36:38
, and if you don't know anybody, it can still work out.

00:36:42
If you just do the work and, yeah, just browse for who can do

00:36:48
that and ask who can do that, but if you already know the

00:36:52
people and have sense of direction, that is way faster

00:36:57
than just asking around.

00:36:58
So therefore, yeah, it's really beneficial to have your network

00:37:03
, to know your people and, yeah, it was encouraged in the

00:37:09
beginning, but I only found it's worth during the time and I

00:37:15
never I never networked for any reasons.

00:37:18
I try to keep it real because otherwise you don't, it's not

00:37:23
authentic, and you know what I mean.

00:37:25
I really try to keep authentic and genuine connections and not

00:37:30
just for the sake of it, because that's not not how I do it.

00:37:36
Speaker 1: Right, I think you know what important factor with

00:37:39
networking is being yourself.

00:37:41
You know, not trying to be something that you're not, or

00:37:44
someone that you're not, or trying to emulate someone else.

00:37:49
you know that stuff comes off, as you know, disingenuous and

00:37:54
yeah people will pull away, you know, and not want to, not want

00:37:58
a network, not want to be a part of your network and whatnot.

00:38:00
So it's extremely important to really, to really just be

00:38:05
yourself, right, and then live in the moment.

00:38:08
I guess you know you brought up that you work on the 0365

00:38:13
Defender team.

00:38:14
Can you?

00:38:16
Can you tell me anything at all about the, the, the?

00:38:22
What was it?

00:38:23
The Microsoft Outlook breach or attack that happened a couple

00:38:27
weeks ago?

00:38:28
And I'm not asking for anything , any internal information,

00:38:32
right, like because I, for me, right, I didn't even look into

00:38:37
it myself, I just saw that that happened and it's like, okay,

00:38:40
well, I'm heads down in this other thing, I can't worry about

00:38:43
that.

00:38:43
Can you talk to me about what it was or what you saw or

00:38:47
anything like that?

00:38:48
Speaker 2: I'm sorry.

00:38:49
I'm currently on parental leave and so also for the last weeks.

00:38:54
I just saw it, but I did not really dive deep into it because

00:38:59
my little one just does not leave me any time Completely

00:39:02
understandable.

00:39:02
Yeah, you are, I think, also a father and you know how it is.

00:39:09
And yeah, I just have some.

00:39:12
I just have some beautiful time with my son, and so I need to

00:39:19
catch up when I come back.

00:39:20
Yeah, yeah maybe we can cut that part out.

00:39:26
Speaker 1: It's fine, it's not a big deal.

00:39:27
I mean, you know, I bring on former spies, right, for

00:39:32
instance, and I'll ask them a question.

00:39:35
They'll say like, oh, I can't answer that, you know, it's just

00:39:37
onto the next topic.

00:39:38
It's not, it's not a big deal, right?

00:39:41
So you know, miriam, I also saw that you put together a book

00:39:46
pretty recently.

00:39:47
It was released.

00:39:49
It's a PowerShell automation and scripting for cybersecurity

00:39:53
which you know I find really interesting because you know,

00:39:58
I'm not a developer, right, I'm not a coder or a scripter,

00:40:01
really like.

00:40:02
I can read it most of the time, but, man, if you put me in

00:40:06
front of a terminal and say, go create this thing, I'm not going

00:40:09
to be able to do it.

00:40:09
You know, I just don't have that skill, probably because it

00:40:12
hasn't been, you know, ingrained into me and at one point in

00:40:15
time in my career I was actually I really put a lot of effort

00:40:20
into learning PowerShell and PowerShell seemed to be probably

00:40:25
the easiest I guess, you know, scripting language or whatever

00:40:30
might be right to learn for me to actually pick up.

00:40:33
And so I always, you know, really enjoyed doing anything in

00:40:37
PowerShell, and the power that PowerShell actually gives you on

00:40:41
a system is enormous, right and you don't realize that until

00:40:44
you start diving into it.

00:40:45
So what made you want to go down this path?

00:40:49
And one, why did you want to write a book?

00:40:52
Because that's a huge undertaking right there.

00:40:55
And why did you choose this topic?

00:41:00
Speaker 2: So basically, this is also something that I just

00:41:03
stumbled in.

00:41:04
I never planned it.

00:41:06
I always thought that it was really cool writing a book and I

00:41:12
thought I will never achieve it .

00:41:13
I thought this is really really big.

00:41:17
And I was very active in the PowerShell security community.

00:41:22
I presented at conferences like Blackhead or PSConf you are

00:41:28
others and I also wrote some open source tools using

00:41:33
PowerShell which I also presented at those conferences.

00:41:37
And somehow I think this was my footprint in the internet.

00:41:44
And one day I was contacted by the publisher, pact, and they

00:41:54
were like hey, we saw that you do a lot with PowerShell

00:41:57
security and we find that really interesting.

00:42:01
Would you be willing to write a book for us?

00:42:05
And I was so flattered at first and so I'm still flattered that

00:42:12
they chose me or picked me and approached me.

00:42:15
But my first thoughts were like oh, I'm gay, I will never be

00:42:22
able to write this book.

00:42:24
There's so much knowledge that you need to put into that book

00:42:28
and I don't have that knowledge.

00:42:29
At least, that was my first thought.

00:42:32
And then I just thought about it longer and longer.

00:42:37
So I really took my time to think about it, and the more I

00:42:42
thought about it I was like, oh, I would really like to read

00:42:46
that book and basically what would be needed for this book.

00:42:51
And I already structured it in my head and at some point I was

00:42:58
like, okay, basically you already have a lot of knowledge

00:43:02
regarding PowerShell security and there are, there might be

00:43:08
some topics that you need to research, but they are not it's,

00:43:12
it's, it's, not that much.

00:43:14
And so I, yeah, sometimes I say I made the worst mistake in my

00:43:22
life and agreed, but basically I'm still really happy that I

00:43:27
wrote this book, but it was so much work that it just joke

00:43:30
sometimes that I made the mistake and agreed and when I

00:43:39
agreed I did not know how much work there will follow.

00:43:44
And then, yeah, I just started structuring it and creating a

00:43:52
table of contents and just thinking about what could be in

00:43:56
the book and in which order, which structure, and in the end,

00:44:01
during the process, this also really changed Not too much, but

00:44:06
in the end I added two chapters that I initially did not think

00:44:10
about and I, when I was writing it, I could just add so much

00:44:17
more information that was not necessarily PowerShell related,

00:44:21
but security related, and at some point I was really, yeah,

00:44:28
just burning to write down all the knowledge and but in the end

00:44:34
you just have to make yeah, they cut at some point and

00:44:39
decide what belongs in this book and what doesn't.

00:44:42
And if there was some information that does not belong

00:44:47
in the book, because otherwise it would have become huge, and

00:44:50
it already is really really huge .

00:44:53
So I think almost 600 pages, 574, I think, or something like

00:45:02
that Don't don't pin me on this, but it's already really really

00:45:08
big and I would have also I could have added more months to

00:45:14
just make it even bigger.

00:45:16
And if there is some information in there that I

00:45:21
think is, or might be, interesting but not relevant for

00:45:25
this book, I also mentioned it and linked it or mentioned some

00:45:31
other sources.

00:45:33
Speaker 1: So so you dive into a lot with that, but I really

00:45:39
kind of want to break down the, the decision and what was going

00:45:43
through your head when you were offered this opportunity.

00:45:45
Right, because there's a lot of people out there I mean

00:45:49
probably, you know, 95%, if not more of people would have

00:45:54
probably said no.

00:45:56
You know, I'm okay, that's too hard of a task for me.

00:45:59
I don't know what that entails, or you know, there's a million

00:46:03
different excuses you come up with to get out of that.

00:46:05
Right Like.

00:46:07
I don't know what that entails.

00:46:08
I've never done that before, and this and that right, but you

00:46:12
won't know until you do it.

00:46:14
Speaker 2: Yes.

00:46:15
Speaker 1: And jumping into that unknown water is it's scary, to

00:46:20
say the least.

00:46:21
You know it's it's scary.

00:46:23
You know.

00:46:23
I remember when I accepted the contract to create my first

00:46:28
cybersecurity course on the three clouds and how they

00:46:31
compare to each other and whatnot, and you know I stayed

00:46:36
up that night, the night that I had accepted it, and I was like

00:46:39
why did I just do this?

00:46:40
Like this is dumb, I just made a mistake.

00:46:44
Now I'm bound by contract to complete this thing, Like, I

00:46:48
don't know how to create a table of contents, I don't know how

00:46:51
to create an introduction or like anything like that.

00:46:54
Right, and I got through it.

00:46:57
And you know it's funny.

00:46:59
I look back when I was recording my course and I was, I

00:47:05
was such like a nervous recorder, you know, I didn't

00:47:07
want to record or be on video or anything.

00:47:09
Now I have a podcast and I talk to people about things that I

00:47:13
know nothing about.

00:47:14
You know, it's such a night and day difference.

00:47:18
And now when I record courses it's it's totally different.

00:47:21
You know, it's easy.

00:47:22
I get through them pretty quick now.

00:47:24
But you know, what was that like for you?

00:47:27
Did you like also, you know, sign the contract, essentially?

00:47:31
And I was like, what the hell did I just do?

00:47:34
Like, what did I just sign?

00:47:36
Speaker 2: Several times, not only after signing.

00:47:40
So after signing I think I felt really good, but the next day I

00:47:45
was like, oh gee, why did I do that?

00:47:48
I'm not able to write that book .

00:47:50
And sometimes you really had those doubts in your head, and

00:47:56
not only at the beginning but also during the writing.

00:48:00
You had some really really deep , lows and I was thinking, okay,

00:48:05
I will never be able to achieve this, to finish the book.

00:48:09
And at some point I also had the thoughts about just, yeah,

00:48:15
just throwing it off, so that I just lay down the project and

00:48:20
say, okay, sorry, I can't finish it or whatever.

00:48:23
So, but in the end you can get yourself motivated again and

00:48:33
it's basically those challenges that you need to overcome.

00:48:38
It's all in your head.

00:48:40
So it's not that you are not able to do it, it's just in your

00:48:45
head.

00:48:45
And that's a tricky thing, because your head plays tricks

00:48:50
on you and you feel like you are not able to achieve your task.

00:48:55
And when you just look at it it looks so big.

00:49:00
But in the end you just need to start.

00:49:04
And if you just sit on your computer and don't get

00:49:10
distracted by, for example, your mobile phone or anything else,

00:49:18
then you just sit at your computer and you just write one

00:49:24
word and after that word follows another.

00:49:27
Or if you don't, if you are not in the mood for writing, you

00:49:31
maybe think about the illustrations for your book.

00:49:34
And suddenly you are there.

00:49:36
If you just said for yourself okay, I'm so demotivated today,

00:49:43
but I just have to just work at least half an hour on it just to

00:49:48
check my box, to check my checkmark.

00:49:52
I just need to work half an hour on it and then I can just

00:49:56
let it be and finish my day.

00:49:58
And then you just get started and work half an hour on it and

00:50:02
then you just hooked, you are right there in the writing and

00:50:06
then you are like, okay, now I can't finish, I need to finish

00:50:09
what I have started, and then you are in the floor again.

00:50:12
So sometimes you really have bad days, days when you can't

00:50:18
concentrate, but somehow you just need to pull through and

00:50:24
sit down and just get the work done.

00:50:28
Speaker 1: Yeah, that's a really good point.

00:50:30
You know, I wonder, when you so when you, when you embarked on

00:50:37
this journey of writing the book and now you have finished the

00:50:41
book, you've published it when you look back on it when you

00:50:45
started it, how much of the book did you already know?

00:50:49
You know how much of that knowledge did you already have

00:50:53
and then how much when you were going through it, where you're

00:50:56
like, oh, I need to research this a little bit more before I

00:50:58
put this into the book and, you know, kind of get that

00:51:01
information right in my head.

00:51:02
I would assume you know you probably had somewhere around

00:51:06
like 70, 85% of it of the knowledge that it was required

00:51:12
and the rest of it is probably fine tuning and adding a little

00:51:16
bit more color and things like that to it.

00:51:18
Is that, is that correct, or was it a different process for

00:51:21
you?

00:51:22
Speaker 2: That's a very good assumption.

00:51:23
So I think there were two topics that I thought, okay, I

00:51:27
really need to research them, and the rest I already had

00:51:33
knowledge about them.

00:51:35
But while you're writing, you are writing down your facts and

00:51:42
then you can either demonstrate it in your environment or, if

00:51:49
there are some background facts that you at some time may be a

00:51:54
heard of but you're not 100% sure, if that really was the

00:51:58
case, then you just have to get a source for that so that you

00:52:03
can say, okay, yes, All the content that I wrote down in

00:52:09
this book is 100% true and or yeah, so at least I hope so I

00:52:17
have some good technical reviews , I think, and I did my research

00:52:22
to make sure that everything I wrote down is 100% true.

00:52:26
But, as I said, even if you have the knowledge, sometimes

00:52:31
you just need to research to also have a source in your

00:52:37
backhand.

00:52:38
But for the actual research part so knowledge versus

00:52:46
research I would say that 80, 85% is a really good assumption.

00:52:52
So, yeah, as I said, I think there were two topics that I

00:52:56
needed to research.

00:52:57
I had some basic knowledge about it, but for going deeper I

00:53:04
needed the research and the rest.

00:53:08
Yeah, I think was knowledge.

00:53:15
Speaker 1: Does Microsoft offer, like a authors group to

00:53:20
internal employees or anything like that?

00:53:22
Because I asked?

00:53:24
Because I would assume that there's been several Microsoft

00:53:29
employees that have written books on topics that are

00:53:33
well-respected topics, you know, and well-respected books even,

00:53:39
and you know, when I look at some of the top authors from

00:53:43
within Microsoft, right, mark Rusunovic is right at the top of

00:53:47
that list.

00:53:47
You know, the value that he provides on the Windows

00:53:53
Internals series of books is it is extraordinarily valuable,

00:54:01
right?

00:54:01
Like, yeah, I mean, I have it, you know, behind me somewhere as

00:54:05
well.

00:54:05
It's one of those books where, like, if you're in IT, like you

00:54:09
need to pick it up.

00:54:09
You know, even if you're not going to read 80% of it, that

00:54:13
20% that you do read, like you're going to understand that

00:54:18
aspect of Windows so much more.

00:54:20
Is there anything like that at Microsoft that kind of supports

00:54:24
new authors or, you know, authors that are soon to be

00:54:27
published, or things like that?

00:54:28
Because I would assume that Mark Rusunovic, you know, has a

00:54:33
lot of experience that others could use and utilize and

00:54:38
whatnot, and I think that that would be helpful if something

00:54:42
like that existed.

00:54:44
Speaker 2: So I don't know if something like that exists, but

00:54:48
if it does, please let me know if you find out.

00:54:54
Speaker 1: Yeah, that would be.

00:54:55
That would be hard for me to find out, especially on the

00:54:57
outside of Microsoft.

00:55:00
Speaker 2: Sorry, I don't know honestly.

00:55:01
Oh, no worries yeah.

00:55:04
Speaker 1: Yeah.

00:55:05
So, miriam, you know we're right at the top of our time

00:55:08
here and I'm trying to be very conscious of everyone's.

00:55:10
You know schedules and whatnot.

00:55:11
But before I let you go, why don't you tell my audience, you

00:55:15
know where they could find you if they wanted to reach out to

00:55:17
you, where they could find you know, your book and any other

00:55:21
resources that you may want my audience to check out.

00:55:25
Speaker 2: So you can find me on Twitter and Miriam I will just

00:55:31
send link to you later and on my stoton I'm MW at Infosec

00:55:37
exchange and on LinkedIn you can find me on the Miriam or Miriam

00:55:44
see like on the book.

00:55:46
And you can get this book on Amazon or in the bookstore of

00:55:56
your choice.

00:55:57
And as we speak, I don't know when you will release this

00:56:02
episode, but now in October, until the 31st October, there is

00:56:10
Cyber Security Awareness Month, launched by PACT.

00:56:13
This means that you can get my book, as well as other

00:56:18
cybersecurity books, for 20% off with a code 20 cyber books, I

00:56:25
think.

00:56:26
Let me just check.

00:56:27
I will send the code to you.

00:56:29
Let me check.

00:56:31
Yes, 20 cyber books, it is.

00:56:35
Speaker 1: Okay, awesome, well, thanks, miriam.

00:56:38
I really appreciate you coming on and I hope everyone listening

00:56:41
enjoyed this episode.

00:56:42
All of the links that she mentioned will be in the

00:56:44
description of the episode.