Ever wonder how a young girl with an intense fascination for programming and computers catapults into the world of IT, becoming a crucial part of Microsoft's security research team? Let's navigate this riveting journey with Miriam, who shares her personal experiences of making her way into the IT realm via an unanticipated apprenticeship that turned her life around. From her childhood passion to her current role in the industry, we delve into her remarkable story.
Miriam's tale is one of determination and grit, with her unwavering perseverance finally landing her a position at Microsoft - an opportunity she initially turned down. Learn how a chance conversation swayed her to embrace this offer and how she finally achieved her ambition of joining Microsoft's red team. Here's a glimpse into her daily life, the challenges she tackled while relocating, and the company's evolution amidst the pandemic.
Apart from her inspiring journey, this episode brings into focus the significance of professional networking, with Miriam sharing how it can impact both the company and the customers positively. She also takes us through her experience of writing a book on PowerShell automation and scripting for cybersecurity, shedding light on the challenges she faced in the process. As a bonus, find out how you can benefit from her ongoing efforts to promote Cybersecurity Awareness Month, and grab a chance to get a 20% discount on her book! So, sit back, tune in, and get ready to be inspired.
LinkedIn: https://www.linkedin.com/in/miriamwiesner/
Website: https://miriamxyra.com/
Twitter: https://twitter.com/MiriamXyra
Mastodon: @mw@infosec.exchange
Book: https://www.amazon.com/gp/product/1800566379/ref=sw_img_1?smid=ATVPDKIKX0DER&psc=1
Packt Link: https://www.packtpub.com/product/powershell-automation-and-scripting-for-cybersecurity/9781800566378
Book Discount Code: 20cyberbooks
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, miriam?
00:00:00
It's really good to finally have you on the podcast.
00:00:04
I feel like we tried to get this thing together a couple
00:00:07
times over the past like six months at this point, and you
00:00:11
know it's just been a mess in both of our schedules, I feel.
00:00:16
Speaker 2: Hey Joe, yeah, it's great to finally meet you and,
00:00:20
yeah, I don't know about way.
00:00:22
Yay, we finally made it so, so good to speaking to you.
00:00:27
Speaker 1: Yeah, absolutely so you know.
00:00:30
Miriam, before we dive into what a security researcher does
00:00:34
at Microsoft, I want to start off with your background, you
00:00:39
know.
00:00:39
How did you get into it?
00:00:41
What was that journey like for you?
00:00:43
What was that process like?
00:00:44
Did you have any mentors along the way to kind of, you know,
00:00:48
guide you down that path?
00:00:49
Or did you discover it and go down at all on your own?
00:00:54
Speaker 2: So I was kind of always interested in IT I when I
00:01:01
was a kid I was like, okay, I want to become a game developer
00:01:05
or a hacker, but hacker is illegal, so that was all the
00:01:09
table.
00:01:09
And surprisingly, I never became a game developer either.
00:01:12
So but somehow I always wanted to know how to communicate with
00:01:21
computers and I started programming very early.
00:01:27
I think I was eight years old or something like that, when I
00:01:30
developed my first game on my little learning laptop.
00:01:32
And later then, after I finished school, I was like,
00:01:33
okay, what do I do with my life?
00:01:34
And so I started programming very early.
00:01:36
I think I was eight years old or something like that when I
00:01:38
developed my first game on my little learning laptop.
00:01:39
And so I started programming very early.
00:01:40
I was like, okay, what do I do with my life?
00:01:42
And honestly, I had no idea, like everybody out there after
00:01:47
they finished school Maybe there are some people, but they are
00:01:50
very rarely, I think.
00:01:51
And so my, although my parents were quite against me playing
00:02:02
and working with computers, surprisingly it was my parents
00:02:07
who found, yeah, in the newspaper they found the call
00:02:17
for applications, so for an apprenticeship.
00:02:20
And this is when I originally got into IT.
00:02:24
Speaker 1: That's really interesting, you know.
00:02:25
So you're, you're, you're based out of Germany, right?
00:02:30
Speaker 2: Yes, so if I make any mistakes, I'm sorry.
00:02:34
I'm not a native speaker.
00:02:36
Speaker 1: No problem, you know, I've spent a decent amount of
00:02:40
time in Germany and I've I've always been surprised as to how
00:02:46
well everyone can speak English, and so, like, whenever I'm
00:02:50
there, I try to like ramp myself up on German and, you know,
00:02:55
speak German until I can't anymore, and then, like, when
00:02:58
the conversation gets to a point where I can't handle it, it's
00:03:01
like all right, I'm sorry, like I'm English native speaker and
00:03:05
they like test out there English on me and it's a.
00:03:08
It's a fun interaction.
00:03:11
Speaker 2: Nice, that's really cool.
00:03:12
Now you also have to deliver, so what's your favorite German
00:03:15
word?
00:03:17
Speaker 1: Oh, I don't know if I can even say that you know.
00:03:20
So this is the thing, right.
00:03:22
So I studied German in college as, like my four language, I had
00:03:27
to choose one and so I chose German.
00:03:28
I studied abroad in Germany for about six weeks and I was, I
00:03:34
was getting to the point where I could hear it and understand it
00:03:38
, like fluently pretty much, but responding was a little bit
00:03:42
slow and I was still, you know, getting used to it and whatnot.
00:03:44
And then I came back to the States and I've been back a
00:03:48
couple of times ever since, but it's like when I'm, when I get
00:03:53
there, you know there's such a huge gap.
00:03:56
But after about 10 days of being in Germany, I start, you know,
00:04:00
developing the skills of being able to hear it and understand
00:04:02
what's going on.
00:04:02
Like you know, last year I was in Germany with a friend for the
00:04:06
Tampa Bay Bucks game and and you know, in the beginning it
00:04:13
was difficult, like I, I knew what different words were and
00:04:17
whatnot, like if I was looking at, like the U-Bahn map or
00:04:19
whatnot, or the S-Bahn, like I knew what they were, right, I
00:04:24
knew which direction I was going , but like translating it just
00:04:28
didn't work in my brain.
00:04:28
And then, you know, like we were there for probably 10 days,
00:04:34
by the end of my stay, though, I was right back to hearing it
00:04:38
and understanding it and I was, like, translating it to my
00:04:41
friend, like, oh, this is what they mean, like we got to go
00:04:43
over here or do this, you know.
00:04:45
So it's just, it's.
00:04:47
It's a frustrating journey for me, because I wish I could just
00:04:49
move there.
00:04:53
Speaker 2: Wow, I did not know that you actually were in
00:04:59
Germany for some time.
00:05:00
Yeah, cool.
00:05:02
Speaker 1: Yeah, yeah, I've.
00:05:03
I've spent some time in Berlin, frankfurt, dusseldorf, munich,
00:05:11
I think.
00:05:11
I think I need to go other places other than other than
00:05:17
Germany for my next vacation, unless it's for Oktoberfest, and
00:05:20
then I'll go.
00:05:20
But yeah, it's, it's, I love it .
00:05:25
I love going there.
00:05:26
It's always a great time, great atmosphere.
00:05:30
Everyone's so friendly.
00:05:31
That's what always like threw me off in the beginning, it was
00:05:35
like everyone is so friendly.
00:05:38
Speaker 2: Yeah, and if you reconsider and plan your
00:05:42
vacation, your next vacation in Germany, give me a ping and let
00:05:46
me know.
00:05:47
Speaker 1: Yeah, absolutely so.
00:05:49
So you mentioned that you know you got your start as an
00:05:55
apprenticeship in IT, and is that, is that pretty typical for
00:06:02
apprenticeships in IT in Germany?
00:06:05
And I ask very specifically because you know, through my
00:06:10
studies, right, we learned about the education system in Germany
00:06:13
and how after school you typically, like for different
00:06:17
trades, you'll go and be an apprentice.
00:06:19
For you know, at a certain point in your education you
00:06:21
start being an apprentice and then you actually transition
00:06:22
into the, into the actual field.
00:06:26
I didn't realize that IT even had that option of being an
00:06:31
apprentice, right?
00:06:32
So is that a pretty typical path or is that, you know, an
00:06:37
outlying path?
00:06:38
I guess?
00:06:39
Speaker 2: I think back then it was quite a new thing.
00:06:42
So there were two paths.
00:06:45
So one path was working with the systems, the other path was
00:06:50
development and as I thought, okay, I already know how to
00:06:54
develop programs, I thought, okay, I want to learn about the
00:06:58
systems, and that was basically my direction.
00:07:01
But you asked me if that is a typical thing.
00:07:05
I would say it depends.
00:07:08
I still see that studying also brings you quite far.
00:07:15
In some companies, especially if it's a government or a public
00:07:22
sector, then you need to have studied.
00:07:25
But there are also a lot of people that are following
00:07:31
apprenticeship paths.
00:07:32
So and they look at me I was in luck and got in the best
00:07:38
position ever and I originally went to the school that would
00:07:45
have allowed me to study after.
00:07:46
But after school I was like I don't want to learn any longer
00:07:52
and so I started the apprenticeship and suddenly I
00:07:55
just started learning everything I could and I never stopped.
00:07:58
Yeah.
00:08:02
Speaker 1: Yeah, that's pretty funny.
00:08:03
You got out of it saying that you don't want to, you don't
00:08:07
want to learn anymore, and then you get into cybersecurity and
00:08:10
IT where, like, the learning never ends.
00:08:14
Speaker 2: Yeah, and I think it also really became my passion to
00:08:19
just learn and learn and learn everything I could find.
00:08:21
So, yeah, I also thought every time, okay, maybe studying at
00:08:28
some point would be beneficial, would be cool, but well, I never
00:08:34
studied and I never achieved it .
00:08:36
Because every time I thought, okay, now could be the time I
00:08:39
found a better opportunity, or I got hired at the role of my
00:08:44
dreams, or yeah, and somehow I never found the time to study.
00:08:51
Speaker 1: And yeah, yeah, that's really interesting.
00:08:57
So would you say that you kind of stumbled into it Honestly,
00:09:03
like you didn't, I don't know.
00:09:05
Like probably growing up or even earlier on in your
00:09:08
education, you probably didn't intend to go down that path,
00:09:12
right?
00:09:13
At least that's what it sounds like a little bit to me, Do you?
00:09:17
Because for myself, I guess I never intended to go into IT.
00:09:21
I thought it was the most boring thing in the world.
00:09:23
I thought if I'm stuck in IT like that would be the most
00:09:28
miserable thing ever, right, Right, and here I am so many
00:09:33
years later.
00:09:34
Was that the same sort of thought process for you as well,
00:09:38
that you might be bored in it?
00:09:40
Speaker 2: So I also somehow stumbled in it.
00:09:43
Or I see it as a puzzle.
00:09:45
I was always IT focused, but for me it was not the most
00:09:50
boring job, so for me it was the most exciting thing that I
00:09:54
could think of because, as I said, as a little girl I was so
00:09:58
interested in really understanding computers and
00:10:03
communicating with them and really getting to know how they
00:10:09
work deep inside, so I did not manage to really understand it
00:10:18
100% yet, but yeah.
00:10:22
So, for example, what I'm also super excited about is reverse
00:10:27
engineering and assembly, where I'm a beginner at, but I think
00:10:33
that leads into the direction of understanding computers.
00:10:36
So the dream I had as a little girl.
00:10:39
But yeah, basically I stumbled into IT security.
00:10:45
So I did not really know that I will be working in IT when I
00:10:50
grew up, but I was somehow always interested in but the IT
00:10:59
security part I think I stumbled in there.
00:11:02
So during my apprenticeship I worked at an institute for
00:11:07
foreign and international criminal law and they also had
00:11:10
cybersecurity researchers and I observed a lot of their work or
00:11:20
could attend even a local conference, which also got my
00:11:24
interest sparked.
00:11:25
And yeah, after my apprenticeship, by the way, I
00:11:30
worked as a developer, but not for games.
00:11:32
So and this was when I was already hooked on security and I
00:11:40
was literally a pain in the ass for everybody because I was
00:11:45
like we need to secure our code, we need to secure our systems.
00:11:48
And everybody was like, oh my God, it's Miriam again and she's
00:11:52
talking about security.
00:11:53
And in the end, I finally reached my current goal and they
00:12:01
got more aware about security and they even scanned our code
00:12:08
and when we found vulnerabilities, they let me fix
00:12:11
the vulnerabilities and I was even able to exploit them.
00:12:15
So that was really cool.
00:12:19
Speaker 1: Yeah, that's really interesting.
00:12:21
In the beginning of my career, I was working as basically a
00:12:27
help desk specialist for an application for a very small
00:12:32
company here in Chicago and I stumbled upon security and I
00:12:39
started to really dive into it because it really piqued my
00:12:42
interest and whatnot.
00:12:43
And so I started to look at the security of our application and
00:12:48
I found it to be really lacking , like really bad.
00:12:51
And so I started to vocalize it more and more of hey, we need
00:12:57
to be paying attention to this and all these different things.
00:13:01
And no one was paying attention .
00:13:04
Right, they were like, oh, we patched that, that's fixed, it's
00:13:08
not a big deal.
00:13:10
And it got to the point where I just sat down in my VP's office
00:13:14
who was telling me that everything was secure, when I
00:13:17
knew it wasn't.
00:13:18
And I was like, okay, you know this vulnerability that says
00:13:22
here that you can gain root via this method that we're
00:13:27
vulnerable to, like here's the scanner.
00:13:28
Okay, well, I'm gonna get root on this thing real quick, right
00:13:32
in front of you, and show you that we're not patched.
00:13:37
And I did it.
00:13:38
And he was very confused as to how I achieved that.
00:13:42
He immediately actually called in the lead developer.
00:13:47
It was like, hey, how did he just do this?
00:13:49
And they're like oh, he kind of done that, like it was patched,
00:13:52
like well, if it was patched I wouldn't be able to do it.
00:13:54
You know, it doesn't work out like that.
00:13:57
And that was really when I kind of, I guess, earned, I guess,
00:14:05
the respect of other people within the organization
00:14:09
regarding security so that they would actually take my
00:14:12
recommendations seriously and actually act on them and whatnot
00:14:16
.
00:14:16
But that was a long process of me getting so fed up to the
00:14:22
point where it was like, all right, I'm just gonna show this
00:14:24
guy and I'm not a good hacker or anything like that so me be
00:14:30
able to pull that off.
00:14:31
It was probably a pretty easy thing to do.
00:14:36
Speaker 2: But I think it is the most effective way to improve
00:14:39
your point Because I hope at least something happened after
00:14:44
that.
00:14:46
Speaker 1: Yeah, we definitely changed a lot of things about
00:14:49
how we handled security after that.
00:14:51
Luckily, I got to run all of that program.
00:14:56
I got to manage it from start to finish.
00:15:01
It was great experience and I was happy because it made my
00:15:08
customers more secure, made them happier.
00:15:10
It saved me a lot of headaches too, because I was going on site
00:15:15
to federal agencies and the DOD .
00:15:17
They would just be destroying me because the product was
00:15:24
insecure.
00:15:25
I was telling them that it was secure because that's what I was
00:15:28
being told.
00:15:29
This really alleviated a lot of headaches all over for me.
00:15:35
Speaker 2: Yeah, I can imagine.
00:15:37
But great thing, you improved it, so okay.
00:15:44
Speaker 1: Yeah, absolutely.
00:15:45
Currently you're a security researcher at Microsoft.
00:15:52
How did you get your start at Microsoft?
00:15:57
What does that process look like overall?
00:16:00
The reason why I ask is because in IT, you get into IT and all
00:16:09
that you hear about is big tech.
00:16:11
All that you hear about is going to work for a big tech
00:16:15
company and getting in the doors the hardest part.
00:16:19
What was that process like?
00:16:25
Speaker 2: Yeah, so don't hate me, I was at 100.
00:16:28
So before I joined Microsoft I was working as a system
00:16:37
administrator.
00:16:38
Since I was all about security it's so important In my spare
00:16:43
time I learned everything I could about penetration, testing
00:16:47
and hacking.
00:16:48
I was given the chance by a former employer to build my own
00:16:53
PAN testing department.
00:16:54
That went quite well.
00:16:56
I legally hacked the first customers.
00:16:59
That was the time when Microsoft approached me and
00:17:04
asked me if I wanted to work for them, since I just achieved my
00:17:09
dream having a PAN testing department.
00:17:11
I just said no.
00:17:13
I told my husband and he was like are you crazy just to
00:17:20
decline Microsoft?
00:17:21
Are you crazy?
00:17:22
He just couldn't take it and he told his best friend.
00:17:27
And then his best friend and my husband did an intervention.
00:17:30
They listed the positive arguments for Microsoft and the
00:17:36
negative against Microsoft.
00:17:37
They convinced me to at least speak to Microsoft.
00:17:43
I went into the interview process.
00:17:46
During this process I was convinced that Microsoft is
00:17:52
actually a really great employer and that you could really have
00:17:57
an impact also on security worldwide.
00:18:02
That was when I joined Microsoft as a Premier Field Engineer,
00:18:06
which is some kind of consultant .
00:18:08
You go to customers.
00:18:10
You have different tasks.
00:18:13
One of my tasks was to assess their environments for security
00:18:18
flaws, for example, active Directory Security Assessment or
00:18:23
Windows Server Assessment or other security assessments.
00:18:26
I also had some permanent customers I regularly worked
00:18:31
with and, depending on your work , we also had some freestyle
00:18:40
engagements that I worked with.
00:18:48
After this role, I worked as a Program Manager for Defender for
00:18:55
Endpoint.
00:18:56
Back then it was still called Windows Defender for Endpoint
00:19:00
and Microsoft Defender.
00:19:02
This was basically the role that, I was told, is the only
00:19:11
role that you could work with Corp or in Corp.
00:19:17
This was a Corp role from Germany.
00:19:20
I was told this is the only role that you will ever get when
00:19:24
you want to stay in Germany.
00:19:25
It was already a dream role back then because it was a great
00:19:31
role.
00:19:31
You had a lot of challenging tasks and got to see so many
00:19:37
environments and got to work with so great customers.
00:19:39
My dream was quite a long time to get back in red teaming or to
00:19:50
become a security researcher.
00:19:55
This was when I literally tried and brute-forced my application
00:20:03
in.
00:20:03
As a human brute-forcing.
00:20:05
I applied to every security researcher position I could find
00:20:12
within Microsoft.
00:20:13
I applied, applied, applied.
00:20:15
I got denied, denied, denied.
00:20:17
Basically, it was always the question are you willing to
00:20:24
relocate to Redmond.
00:20:25
For me it was like no, I don't want to relocate because I have
00:20:30
my family and friends here in Germany.
00:20:32
I applied a lot.
00:20:39
I think I applied for more than two years.
00:20:45
In the end, at some point, one person that already interviewed
00:20:51
me got promoted to be a manager.
00:20:54
It looks like I convinced this person in an interview before.
00:20:59
When he became a manager, he asked me hey, do you still want
00:21:06
to become a security researcher?
00:21:07
I was like oh, I'm Jamie.
00:21:10
My heart just stopped a beat.
00:21:12
I was like, of course, yes, I had to go through the entire
00:21:18
process again and got interviewed again.
00:21:22
I had the lack that also the interviewer had the impression
00:21:28
that I might fit into the team.
00:21:31
I was so obsessed with this role Somehow.
00:21:37
I was really really lucky that my manager and also his manager
00:21:44
and everybody in line was up to make an exception for me to work
00:21:51
in this role.
00:21:52
I was really really lucky, combined with a little bit of
00:21:56
human brute forcing.
00:22:00
Speaker 1: Yeah, that's great.
00:22:01
It's such a huge ask for someone to uplift their life and
00:22:08
move to another country.
00:22:10
For me it would be another state, but that's a huge, huge
00:22:17
ask.
00:22:17
I feel like in this current modern-day ecosystem that we're
00:22:24
in, where everything can be remote it was really well proven
00:22:29
out with COVID it's almost unreasonable to ask someone to
00:22:37
have to relocate for a role, especially if you're not an
00:22:42
executive.
00:22:43
You're not an executive, you don't have to talk with the
00:22:48
board, you don't have to talk with other executives.
00:22:50
It's not necessarily a collaboration thing, even.
00:22:58
It's just different, if that makes any sense at all.
00:23:03
Speaker 2: Yeah, so don't get me wrong, I really love visiting
00:23:06
the states, but I just did not want to leave my family and my
00:23:11
friends.
00:23:11
That was no option for me.
00:23:14
You said it.
00:23:17
We just proved it with COVID that it is possible.
00:23:20
And I still don't really understand what so many
00:23:24
companies are still trying to force that people relocate.
00:23:29
So I was really really happy that it worked out for me in the
00:23:36
end and I think now after the pandemic also, Microsoft got a
00:23:41
little bit looser with the relocation policies.
00:23:48
Speaker 1: Yeah, that's good to hear, because in security you
00:23:52
hear about other companies, like Amazon, demanding a three-day
00:23:56
workweek and internal memos coming out saying that it'll
00:24:01
take years for them to get back to a five-day in the office
00:24:05
workweek.
00:24:06
It just doesn't make any sense to me because if I was to work
00:24:13
for Amazon, they have a Chicago office.
00:24:15
I would go into the Chicago office, but how many other
00:24:18
people on my team are going to be in Chicago?
00:24:22
So if that answer is none, then why am I in?
00:24:28
Because everything else can be solved over a meeting.
00:24:32
It would be any other time.
00:24:36
The logic isn't there and I hope that companies are catching on
00:24:40
to that in some regard.
00:24:42
It sounds like Microsoft has.
00:24:44
Microsoft is probably one of the few big tech companies that
00:24:50
I haven't heard of a real big push to go back to the office,
00:24:53
which is it's refreshing because other companies really take
00:24:58
their lead off of big tech and what the big tech guys are doing
00:25:02
and what these other smaller companies should be doing and
00:25:06
whatnot, because they're really trying to keep up and keep their
00:25:10
talent and whatnot.
00:25:11
Speaker 2: Yeah, but I still think it will take some time
00:25:17
until also the smaller companies keep up, because usually it's
00:25:23
hard for them to just have the same policies and not only work
00:25:29
policy-wise, also security policy-wise or something like
00:25:33
that.
00:25:34
So they also need the people to get the work done and to have
00:25:43
the trust in their employees also.
00:25:45
Maybe.
00:25:50
Speaker 1: Hmm, so what's the day-to-day like as a security
00:25:54
researcher?
00:25:55
Is there any cool security researching areas or topics that
00:26:01
you have dove into that just like blew you away and really
00:26:06
opened your eyes to something, or what is that like?
00:26:10
Speaker 2: So, basically, every day or every project is
00:26:15
different, so you can't say this is 100% security research, and
00:26:20
even every role at Microsoft is different.
00:26:22
So I, for my part, I work in the Microsoft 365 Defender
00:26:28
Research Team, so we are the ones behind the Microsoft 365
00:26:33
Defender correlations and everything that is related with
00:26:40
this area, with this topic.
00:26:41
So if there is more than one, I used to call the sub-product
00:26:48
pillars.
00:26:48
So, for example, defender for Endpoint, defender for Identity,
00:26:52
defender for Office, and so on, I used to call those products
00:26:57
pillars of Microsoft 365 Defender.
00:26:59
And as soon as there is more than one pillar involved in this
00:27:06
project, this is our team who is working on it.
00:27:09
And yeah, so there were many, many cool projects so far, and
00:27:19
one of the latest is also related with AI.
00:27:23
So, yeah, for example, co-pilot , but I cannot tell you too much
00:27:29
about it.
00:27:30
Speaker 1: I'm sorry.
00:27:31
So something like Defender for AI is potentially coming or
00:27:37
being researched, looked into in some way.
00:27:40
Speaker 2: No, that's not what I say.
00:27:41
I don't know if that is something that is coming, but so
00:27:46
Security Co-Pilot was announced as your AI helper to help you
00:27:55
to answer questions or to just help you to see with one glance
00:28:02
what is the problem in your environment.
00:28:04
Because there are many companies that have too few
00:28:10
employees and also not the knowledge, because knowledge is
00:28:14
expensive and so they need the employees that they have to do
00:28:21
all the work, also security-wise .
00:28:23
But what if there is a really huge incident that you would
00:28:29
need hours to get an overview on ?
00:28:31
And using Co-Pilot, it can help you to get an overview within
00:28:38
minutes, within seconds, basically, and yeah, that's
00:28:44
really interesting.
00:28:46
Speaker 1: You know, with Microsoft, I look at their
00:28:54
security stack, I look at their tech stack and I try to picture
00:29:00
how it evolved over the years and overall it seems like
00:29:05
Microsoft's security is like night and day compared to what
00:29:09
it was even five to eight years ago, which is really saying
00:29:14
something you typically don't see.
00:29:17
Whole companies kind of revolutionize how they do, an
00:29:21
entire pillar of their business, slash something like security.
00:29:26
And even eight years ago it was kind of laughable if you said,
00:29:34
oh, I have Microsoft Defender.
00:29:36
You know, like everyone's just like, oh, OK, that's not going
00:29:38
to do anything for you.
00:29:39
But now you know that whole perception has completely
00:29:44
changed within the security community even is like, yeah, I
00:29:49
have Microsoft Defender and I'm protected, Like I'm
00:29:52
significantly protected with this solution and whatnot, and
00:29:56
it's, I feel like Microsoft creates a very interesting
00:30:00
scenario where you can go as far into Microsoft, like as you
00:30:05
want in terms of consuming services and, you know,
00:30:09
providing your whole tech stack for you, and they do offer other
00:30:15
avenues to bring in your own tech stack.
00:30:17
But it's just interesting to me that Microsoft offers, you know
00:30:22
, so many different services and whatnot.
00:30:25
Do you ever find that challenging internally,
00:30:28
potentially to, I guess stay on top of everything.
00:30:34
Speaker 2: Oh, yes, so I don't stay on top of everything.
00:30:37
So what I immediately thought about was, when you mentioned
00:30:45
all these technologies, was the time when I went out as a PFE,
00:30:50
so that some kind of security consultant at Microsoft and I
00:30:56
went to customers to assess their environments.
00:30:59
So basically I was focused on one technology like Active
00:31:04
Directory security or Windows Server security, and the
00:31:09
challenge, or one thing that I found funny, slash challenging,
00:31:14
was that when you come to a customer and you have the local
00:31:19
Microsoft on your back, they immediately assume that you need
00:31:23
to know everything that Microsoft ever did, that
00:31:26
Microsoft ever released and you are the expert of it.
00:31:30
And so when I came to customer and they were like, oh and, by
00:31:35
the way, I do have a problem with my team's installation, can
00:31:39
you help me?
00:31:39
And I was like I have no idea about teams, so I never worked
00:31:43
with that.
00:31:44
Sorry, I use it only as a user.
00:31:47
And they were like but you are Microsoft.
00:31:49
And then you had just to explain that, yes, but you are
00:31:53
specialized, so you have your areas of expertise and you don't
00:31:59
know everything that Microsoft ever did or you are not an
00:32:03
expert in everything.
00:32:04
So, yeah, so.
00:32:09
Speaker 1: Yeah, that's a really good point.
00:32:10
You know, even as a security professional, I feel like
00:32:16
sometimes we just assume right, like when a big tech consultant
00:32:21
is in the office it's like, ok, this is the time to bring up.
00:32:25
You know, absolutely everything that's going on, you know like,
00:32:30
but that's not the best way of going about it.
00:32:33
I have found, you know, from being on the other side and
00:32:37
actually providing services to customers is to, at least you
00:32:42
know, point them in the right direction.
00:32:44
You know, for me at least, right, I'm sure, at Microsoft
00:32:47
it's so much more difficult to even do that because you know it
00:32:52
could be a team within a team, you know, that handles this one
00:32:56
little thing that they know about right, like it's just a
00:33:02
complicated problem to even just do that, I would think.
00:33:05
Speaker 2: Yeah, so sometimes you don't even know who is
00:33:08
responsible for what when it's another product.
00:33:11
You know your peers.
00:33:13
You also might know, if you have worked with someone in the
00:33:18
past, that this is somebody you can go to and say hi, hi,
00:33:22
remember me.
00:33:23
Great talking to you again.
00:33:24
I want to work with this product that you are currently
00:33:28
working in.
00:33:29
Can you help me to find the right person?
00:33:31
And this is basically the only way that you get the right
00:33:36
person.
00:33:37
Or you ask people if they know people who know other people, or
00:33:41
you just browse internally if you find some key words
00:33:46
connected with some other projects.
00:33:48
But, yeah, so Microsoft is huge , and if you don't know the
00:33:54
right people, or try to connect to the right people, yeah, you
00:34:01
don't find it.
00:34:02
Speaker 1: Yeah, yeah, it's going to be a very difficult
00:34:04
time for you and you won't be able to provide that like that
00:34:07
next tier of support and service .
00:34:10
You know it's networking is a critical part.
00:34:14
That you know I bring up a good amount on this podcast is
00:34:18
because you know, it's not always about what you know, it's
00:34:22
more about who you know, and that's not necessarily.
00:34:25
You know.
00:34:25
Who you know is, you know, getting you the job or anything
00:34:28
like that.
00:34:28
But it's like you know you could be in a situation where
00:34:32
you know a customer has a question about something that's
00:34:34
like, well, I'm not the right person, but I know the guy, like
00:34:37
I can get you in front of them and typically, you know, maybe
00:34:40
they have a, you know, a backlog of like a month, right?
00:34:44
So you can't get on their calendar for a month.
00:34:46
It's like, well, I can get you in, you know tomorrow, right?
00:34:49
And those sorts of things really make the difference, because
00:34:54
you're not only leaving a good impression within your own
00:34:57
company for doing that right You're raising the bar for your
00:35:00
own company but you're also leaving a really good impression
00:35:03
with that customer, you know.
00:35:04
So you're making connections without even really having to do
00:35:08
that, which pays dividends.
00:35:11
You know, is that something that is kind of taught at
00:35:16
Microsoft or instructed upon at all, is that you know developing
00:35:21
your network and making sure you know that you're maintaining
00:35:25
it properly, and things like that.
00:35:27
Is that ever talked about?
00:35:29
Speaker 2: Yeah, so during my onboarding but this is sometime
00:35:33
ago so during my onboarding there were a lot of sessions
00:35:39
where they really advised us to network, to get to know other
00:35:44
people, to keep those connections alive.
00:35:47
And again, so when I, when I got involved with all of this,
00:35:50
yeah, I found it at first hard to have those enforced
00:35:57
networking sessions that they said, okay, go out and network.
00:36:01
But in the end it really made sense and keeping your
00:36:07
connections in your network is really beneficial.
00:36:11
So, as you said, it's not forgetting the job or something
00:36:14
like that, but it's to get things done and sometimes it can
00:36:20
be.
00:36:20
It can make the difference if a request just yeah, just sinks
00:36:27
down and drowns, or if you can fulfill the request or it's also
00:36:32
a matter of time.
00:36:33
So, if you are really eager to fulfill the request, the request
00:36:38
, and if you don't know anybody, it can still work out.
00:36:42
If you just do the work and, yeah, just browse for who can do
00:36:48
that and ask who can do that, but if you already know the
00:36:52
people and have sense of direction, that is way faster
00:36:57
than just asking around.
00:36:58
So therefore, yeah, it's really beneficial to have your network
00:37:03
, to know your people and, yeah, it was encouraged in the
00:37:09
beginning, but I only found it's worth during the time and I
00:37:15
never I never networked for any reasons.
00:37:18
I try to keep it real because otherwise you don't, it's not
00:37:23
authentic, and you know what I mean.
00:37:25
I really try to keep authentic and genuine connections and not
00:37:30
just for the sake of it, because that's not not how I do it.
00:37:36
Speaker 1: Right, I think you know what important factor with
00:37:39
networking is being yourself.
00:37:41
You know, not trying to be something that you're not, or
00:37:44
someone that you're not, or trying to emulate someone else.
00:37:49
you know that stuff comes off, as you know, disingenuous and
00:37:54
yeah people will pull away, you know, and not want to, not want
00:37:58
a network, not want to be a part of your network and whatnot.
00:38:00
So it's extremely important to really, to really just be
00:38:05
yourself, right, and then live in the moment.
00:38:08
I guess you know you brought up that you work on the 0365
00:38:13
Defender team.
00:38:14
Can you?
00:38:16
Can you tell me anything at all about the, the, the?
00:38:22
What was it?
00:38:23
The Microsoft Outlook breach or attack that happened a couple
00:38:27
weeks ago?
00:38:28
And I'm not asking for anything , any internal information,
00:38:32
right, like because I, for me, right, I didn't even look into
00:38:37
it myself, I just saw that that happened and it's like, okay,
00:38:40
well, I'm heads down in this other thing, I can't worry about
00:38:43
that.
00:38:43
Can you talk to me about what it was or what you saw or
00:38:47
anything like that?
00:38:48
Speaker 2: I'm sorry.
00:38:49
I'm currently on parental leave and so also for the last weeks.
00:38:54
I just saw it, but I did not really dive deep into it because
00:38:59
my little one just does not leave me any time Completely
00:39:02
understandable.
00:39:02
Yeah, you are, I think, also a father and you know how it is.
00:39:09
And yeah, I just have some.
00:39:12
I just have some beautiful time with my son, and so I need to
00:39:19
catch up when I come back.
00:39:20
Yeah, yeah maybe we can cut that part out.
00:39:26
Speaker 1: It's fine, it's not a big deal.
00:39:27
I mean, you know, I bring on former spies, right, for
00:39:32
instance, and I'll ask them a question.
00:39:35
They'll say like, oh, I can't answer that, you know, it's just
00:39:37
onto the next topic.
00:39:38
It's not, it's not a big deal, right?
00:39:41
So you know, miriam, I also saw that you put together a book
00:39:46
pretty recently.
00:39:47
It was released.
00:39:49
It's a PowerShell automation and scripting for cybersecurity
00:39:53
which you know I find really interesting because you know,
00:39:58
I'm not a developer, right, I'm not a coder or a scripter,
00:40:01
really like.
00:40:02
I can read it most of the time, but, man, if you put me in
00:40:06
front of a terminal and say, go create this thing, I'm not going
00:40:09
to be able to do it.
00:40:09
You know, I just don't have that skill, probably because it
00:40:12
hasn't been, you know, ingrained into me and at one point in
00:40:15
time in my career I was actually I really put a lot of effort
00:40:20
into learning PowerShell and PowerShell seemed to be probably
00:40:25
the easiest I guess, you know, scripting language or whatever
00:40:30
might be right to learn for me to actually pick up.
00:40:33
And so I always, you know, really enjoyed doing anything in
00:40:37
PowerShell, and the power that PowerShell actually gives you on
00:40:41
a system is enormous, right and you don't realize that until
00:40:44
you start diving into it.
00:40:45
So what made you want to go down this path?
00:40:49
And one, why did you want to write a book?
00:40:52
Because that's a huge undertaking right there.
00:40:55
And why did you choose this topic?
00:41:00
Speaker 2: So basically, this is also something that I just
00:41:03
stumbled in.
00:41:04
I never planned it.
00:41:06
I always thought that it was really cool writing a book and I
00:41:12
thought I will never achieve it .
00:41:13
I thought this is really really big.
00:41:17
And I was very active in the PowerShell security community.
00:41:22
I presented at conferences like Blackhead or PSConf you are
00:41:28
others and I also wrote some open source tools using
00:41:33
PowerShell which I also presented at those conferences.
00:41:37
And somehow I think this was my footprint in the internet.
00:41:44
And one day I was contacted by the publisher, pact, and they
00:41:54
were like hey, we saw that you do a lot with PowerShell
00:41:57
security and we find that really interesting.
00:42:01
Would you be willing to write a book for us?
00:42:05
And I was so flattered at first and so I'm still flattered that
00:42:12
they chose me or picked me and approached me.
00:42:15
But my first thoughts were like oh, I'm gay, I will never be
00:42:22
able to write this book.
00:42:24
There's so much knowledge that you need to put into that book
00:42:28
and I don't have that knowledge.
00:42:29
At least, that was my first thought.
00:42:32
And then I just thought about it longer and longer.
00:42:37
So I really took my time to think about it, and the more I
00:42:42
thought about it I was like, oh, I would really like to read
00:42:46
that book and basically what would be needed for this book.
00:42:51
And I already structured it in my head and at some point I was
00:42:58
like, okay, basically you already have a lot of knowledge
00:43:02
regarding PowerShell security and there are, there might be
00:43:08
some topics that you need to research, but they are not it's,
00:43:12
it's, it's, not that much.
00:43:14
And so I, yeah, sometimes I say I made the worst mistake in my
00:43:22
life and agreed, but basically I'm still really happy that I
00:43:27
wrote this book, but it was so much work that it just joke
00:43:30
sometimes that I made the mistake and agreed and when I
00:43:39
agreed I did not know how much work there will follow.
00:43:44
And then, yeah, I just started structuring it and creating a
00:43:52
table of contents and just thinking about what could be in
00:43:56
the book and in which order, which structure, and in the end,
00:44:01
during the process, this also really changed Not too much, but
00:44:06
in the end I added two chapters that I initially did not think
00:44:10
about and I, when I was writing it, I could just add so much
00:44:17
more information that was not necessarily PowerShell related,
00:44:21
but security related, and at some point I was really, yeah,
00:44:28
just burning to write down all the knowledge and but in the end
00:44:34
you just have to make yeah, they cut at some point and
00:44:39
decide what belongs in this book and what doesn't.
00:44:42
And if there was some information that does not belong
00:44:47
in the book, because otherwise it would have become huge, and
00:44:50
it already is really really huge .
00:44:53
So I think almost 600 pages, 574, I think, or something like
00:45:02
that Don't don't pin me on this, but it's already really really
00:45:08
big and I would have also I could have added more months to
00:45:14
just make it even bigger.
00:45:16
And if there is some information in there that I
00:45:21
think is, or might be, interesting but not relevant for
00:45:25
this book, I also mentioned it and linked it or mentioned some
00:45:31
other sources.
00:45:33
Speaker 1: So so you dive into a lot with that, but I really
00:45:39
kind of want to break down the, the decision and what was going
00:45:43
through your head when you were offered this opportunity.
00:45:45
Right, because there's a lot of people out there I mean
00:45:49
probably, you know, 95%, if not more of people would have
00:45:54
probably said no.
00:45:56
You know, I'm okay, that's too hard of a task for me.
00:45:59
I don't know what that entails, or you know, there's a million
00:46:03
different excuses you come up with to get out of that.
00:46:05
Right Like.
00:46:07
I don't know what that entails.
00:46:08
I've never done that before, and this and that right, but you
00:46:12
won't know until you do it.
00:46:14
Speaker 2: Yes.
00:46:15
Speaker 1: And jumping into that unknown water is it's scary, to
00:46:20
say the least.
00:46:21
You know it's it's scary.
00:46:23
You know.
00:46:23
I remember when I accepted the contract to create my first
00:46:28
cybersecurity course on the three clouds and how they
00:46:31
compare to each other and whatnot, and you know I stayed
00:46:36
up that night, the night that I had accepted it, and I was like
00:46:39
why did I just do this?
00:46:40
Like this is dumb, I just made a mistake.
00:46:44
Now I'm bound by contract to complete this thing, Like, I
00:46:48
don't know how to create a table of contents, I don't know how
00:46:51
to create an introduction or like anything like that.
00:46:54
Right, and I got through it.
00:46:57
And you know it's funny.
00:46:59
I look back when I was recording my course and I was, I
00:47:05
was such like a nervous recorder, you know, I didn't
00:47:07
want to record or be on video or anything.
00:47:09
Now I have a podcast and I talk to people about things that I
00:47:13
know nothing about.
00:47:14
You know, it's such a night and day difference.
00:47:18
And now when I record courses it's it's totally different.
00:47:21
You know, it's easy.
00:47:22
I get through them pretty quick now.
00:47:24
But you know, what was that like for you?
00:47:27
Did you like also, you know, sign the contract, essentially?
00:47:31
And I was like, what the hell did I just do?
00:47:34
Like, what did I just sign?
00:47:36
Speaker 2: Several times, not only after signing.
00:47:40
So after signing I think I felt really good, but the next day I
00:47:45
was like, oh gee, why did I do that?
00:47:48
I'm not able to write that book .
00:47:50
And sometimes you really had those doubts in your head, and
00:47:56
not only at the beginning but also during the writing.
00:48:00
You had some really really deep , lows and I was thinking, okay,
00:48:05
I will never be able to achieve this, to finish the book.
00:48:09
And at some point I also had the thoughts about just, yeah,
00:48:15
just throwing it off, so that I just lay down the project and
00:48:20
say, okay, sorry, I can't finish it or whatever.
00:48:23
So, but in the end you can get yourself motivated again and
00:48:33
it's basically those challenges that you need to overcome.
00:48:38
It's all in your head.
00:48:40
So it's not that you are not able to do it, it's just in your
00:48:45
head.
00:48:45
And that's a tricky thing, because your head plays tricks
00:48:50
on you and you feel like you are not able to achieve your task.
00:48:55
And when you just look at it it looks so big.
00:49:00
But in the end you just need to start.
00:49:04
And if you just sit on your computer and don't get
00:49:10
distracted by, for example, your mobile phone or anything else,
00:49:18
then you just sit at your computer and you just write one
00:49:24
word and after that word follows another.
00:49:27
Or if you don't, if you are not in the mood for writing, you
00:49:31
maybe think about the illustrations for your book.
00:49:34
And suddenly you are there.
00:49:36
If you just said for yourself okay, I'm so demotivated today,
00:49:43
but I just have to just work at least half an hour on it just to
00:49:48
check my box, to check my checkmark.
00:49:52
I just need to work half an hour on it and then I can just
00:49:56
let it be and finish my day.
00:49:58
And then you just get started and work half an hour on it and
00:50:02
then you just hooked, you are right there in the writing and
00:50:06
then you are like, okay, now I can't finish, I need to finish
00:50:09
what I have started, and then you are in the floor again.
00:50:12
So sometimes you really have bad days, days when you can't
00:50:18
concentrate, but somehow you just need to pull through and
00:50:24
sit down and just get the work done.
00:50:28
Speaker 1: Yeah, that's a really good point.
00:50:30
You know, I wonder, when you so when you, when you embarked on
00:50:37
this journey of writing the book and now you have finished the
00:50:41
book, you've published it when you look back on it when you
00:50:45
started it, how much of the book did you already know?
00:50:49
You know how much of that knowledge did you already have
00:50:53
and then how much when you were going through it, where you're
00:50:56
like, oh, I need to research this a little bit more before I
00:50:58
put this into the book and, you know, kind of get that
00:51:01
information right in my head.
00:51:02
I would assume you know you probably had somewhere around
00:51:06
like 70, 85% of it of the knowledge that it was required
00:51:12
and the rest of it is probably fine tuning and adding a little
00:51:16
bit more color and things like that to it.
00:51:18
Is that, is that correct, or was it a different process for
00:51:21
you?
00:51:22
Speaker 2: That's a very good assumption.
00:51:23
So I think there were two topics that I thought, okay, I
00:51:27
really need to research them, and the rest I already had
00:51:33
knowledge about them.
00:51:35
But while you're writing, you are writing down your facts and
00:51:42
then you can either demonstrate it in your environment or, if
00:51:49
there are some background facts that you at some time may be a
00:51:54
heard of but you're not 100% sure, if that really was the
00:51:58
case, then you just have to get a source for that so that you
00:52:03
can say, okay, yes, All the content that I wrote down in
00:52:09
this book is 100% true and or yeah, so at least I hope so I
00:52:17
have some good technical reviews , I think, and I did my research
00:52:22
to make sure that everything I wrote down is 100% true.
00:52:26
But, as I said, even if you have the knowledge, sometimes
00:52:31
you just need to research to also have a source in your
00:52:37
backhand.
00:52:38
But for the actual research part so knowledge versus
00:52:46
research I would say that 80, 85% is a really good assumption.
00:52:52
So, yeah, as I said, I think there were two topics that I
00:52:56
needed to research.
00:52:57
I had some basic knowledge about it, but for going deeper I
00:53:04
needed the research and the rest.
00:53:08
Yeah, I think was knowledge.
00:53:15
Speaker 1: Does Microsoft offer, like a authors group to
00:53:20
internal employees or anything like that?
00:53:22
Because I asked?
00:53:24
Because I would assume that there's been several Microsoft
00:53:29
employees that have written books on topics that are
00:53:33
well-respected topics, you know, and well-respected books even,
00:53:39
and you know, when I look at some of the top authors from
00:53:43
within Microsoft, right, mark Rusunovic is right at the top of
00:53:47
that list.
00:53:47
You know, the value that he provides on the Windows
00:53:53
Internals series of books is it is extraordinarily valuable,
00:54:01
right?
00:54:01
Like, yeah, I mean, I have it, you know, behind me somewhere as
00:54:05
well.
00:54:05
It's one of those books where, like, if you're in IT, like you
00:54:09
need to pick it up.
00:54:09
You know, even if you're not going to read 80% of it, that
00:54:13
20% that you do read, like you're going to understand that
00:54:18
aspect of Windows so much more.
00:54:20
Is there anything like that at Microsoft that kind of supports
00:54:24
new authors or, you know, authors that are soon to be
00:54:27
published, or things like that?
00:54:28
Because I would assume that Mark Rusunovic, you know, has a
00:54:33
lot of experience that others could use and utilize and
00:54:38
whatnot, and I think that that would be helpful if something
00:54:42
like that existed.
00:54:44
Speaker 2: So I don't know if something like that exists, but
00:54:48
if it does, please let me know if you find out.
00:54:54
Speaker 1: Yeah, that would be.
00:54:55
That would be hard for me to find out, especially on the
00:54:57
outside of Microsoft.
00:55:00
Speaker 2: Sorry, I don't know honestly.
00:55:01
Oh, no worries yeah.
00:55:04
Speaker 1: Yeah.
00:55:05
So, miriam, you know we're right at the top of our time
00:55:08
here and I'm trying to be very conscious of everyone's.
00:55:10
You know schedules and whatnot.
00:55:11
But before I let you go, why don't you tell my audience, you
00:55:15
know where they could find you if they wanted to reach out to
00:55:17
you, where they could find you know, your book and any other
00:55:21
resources that you may want my audience to check out.
00:55:25
Speaker 2: So you can find me on Twitter and Miriam I will just
00:55:31
send link to you later and on my stoton I'm MW at Infosec
00:55:37
exchange and on LinkedIn you can find me on the Miriam or Miriam
00:55:44
see like on the book.
00:55:46
And you can get this book on Amazon or in the bookstore of
00:55:56
your choice.
00:55:57
And as we speak, I don't know when you will release this
00:56:02
episode, but now in October, until the 31st October, there is
00:56:10
Cyber Security Awareness Month, launched by PACT.
00:56:13
This means that you can get my book, as well as other
00:56:18
cybersecurity books, for 20% off with a code 20 cyber books, I
00:56:25
think.
00:56:26
Let me just check.
00:56:27
I will send the code to you.
00:56:29
Let me check.
00:56:31
Yes, 20 cyber books, it is.
00:56:35
Speaker 1: Okay, awesome, well, thanks, miriam.
00:56:38
I really appreciate you coming on and I hope everyone listening
00:56:41
enjoyed this episode.
00:56:42
All of the links that she mentioned will be in the
00:56:44
description of the episode.