Episodes

  • Host vs Host: Get to Know Nic and Wendy
    Oct 16 2024
    In this episode of the Blue Hat Podcast, hosts Nic Fillingham and Wendy Zenone interview each other to give listeners insight into their personal and professional backgrounds. Nic recounts his unique career journey, which began with jobs like working as a chicken butcher and selling CDs, before joining Microsoft as an Xbox demo specialist. His career with Microsoft spanned various roles, ultimately leading him to work on the Blue Hat program, where he was captivated by the concept of ethical hacking. Wendy, on the other hand, shares her transition from PR into security, with stops at Netflix and Salesforce, and her current role at Microsoft leading the Strike program.
    In This Episode You Will Learn:
      • Wendy’s experience buying chicken from a stranger in a parking lot
      • Nic’s encounter with The Rock during a wrestling game demo
      • Wendy starting in public relations before transitioning to the security world
    Some Questions We Ask:
      • How did attending an all-women’s software engineering school influence your career shift?
      • What do you enjoy most about working in the security field?
      • What advice do you have for women looking to enter the security industry?
    Resources:
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn
    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks
    Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    The BlueHat Podcast is produced by Microsoft and distributed as part of the N2K media network.
    36 mins
  • Behind the Scenes and Best Practices for Submitting to MSRC with Jim Hull
    Oct 2 2024
    Jim Hull, Program Manager at MSRC, joins Nic Fillingham and Wendy Zenone on this week's episode of The BlueHat Podcast to share insights into his role in reviewing vulnerability reports and managing cases. They dive into the submission process, detailing the types of reports accepted by MSRC and what happens after a researcher submits a potential vulnerability. The conversation also highlights the accessibility of the portal for anyone interested in identifying security issues, whether they are professionals or hobbyists. Jim explains the importance of providing a clear proof of concept when submitting a vulnerability and walks through the steps MSRC takes to triage, reproduce, and resolve reports.
    In This Episode You Will Learn:
      • Why a detailed proof of concept is essential when submitting a vulnerability
      • How the MSRC collaborates with engineers at Microsoft to resolve vulnerabilities
      • The importance of including video or image documentation to support reports
    Some Questions We Ask:
      • What is the vulnerability triage process at MSRC?
      • How long does it take to fix a vulnerability after it’s been reported?
      • Why is it important to use the researcher portal instead of email or social media?
    Resources:
      • Microsoft Security Response Center
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn
    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks
    Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    The BlueHat Podcast is produced by Microsoft and distributed as part of the N2K media network.
    39 mins
  • Guy Arazi on the Art and Science of Variant Hunting
    Sep 18 2024
    Guy Arazi, a UK-based security expert at Microsoft, joins Nic Fillingham on this week's episode of The BlueHat Podcast. Guy discusses his journey in security, which began in 2018 when he joined Microsoft, and his current role focusing on online services vulnerabilities within the MSRC (Microsoft Security Response Center). They delve into the concept of variant hunting, a critical process in identifying and mitigating repeated patterns of security vulnerabilities across multiple products and services. Guy explains that while static analysis tools are useful, they often require more complex, tailored approaches to detect these recurring issues. He emphasizes the importance of understanding the root cause of vulnerabilities and using both human insight and automated tools to address them across the vast codebase of Microsoft's offerings.
    In This Episode You Will Learn:
      • The challenges of variant hunting and its significant impact on improving overall security
      • The growing complexity of variant hunting and the necessity of thorough documentation
      • What is important to consider when approaching a security vulnerability
    Some Questions We Ask:
      • Are there industry tools or publicly available resources you recommend for variant hunting?
      • How can you identify the security boundary a vulnerability affects?
      • Is variant hunting something only humans can do, or can tools and automation help?
    Resources:
      • View Guy Arazi on LinkedIn
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn
    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks
    Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    The BlueHat Podcast is produced by Microsoft and distributed as part of the N2K media network.
    44 mins
  • Ryen Macababbad on How Security Can Empower Productivity
    Sep 4 2024
    Ryen Macababbad, Principal Security Program Manager at Microsoft, joins Nic Fillingham on this week's episode of The BlueHat Podcast. Ryen discusses their career journey, including the return to Microsoft after working in security architecture and customer trust engineering. Ryen shares insights from their time at Hacker Summer Camp 2024 in Las Vegas, emphasizing the importance of creating frictionless security measures that don't hinder productivity. They explain that when security becomes a barrier, users will find workarounds, potentially compromising security. The conversation touches on the evolving relationship between security and productivity teams, highlighting the need for security to be an enabler rather than an obstacle.
    In This Episode You Will Learn:
      • How investing in security helps maintain customer trust and protects revenue
      • Why security should be built in by default so users don't need to be security experts
      • The importance of incorporating feedback and diverse viewpoints to enhance security
    Some Questions We Ask:
      • How is a seamless security and productivity experience provided for end users?
      • Can security researchers contribute to identifying gaps and improving product security?
      • What motivated the shift from a focus on identity and program management to defensive security?
    Resources:
      • View Ryen Macababbad on LinkedIn
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn
    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks
    Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    41 mins
  • Michael Howard on Secure by Design vs Secure by Default
    Aug 27 2024
    Michael Howard, Senior Director at Microsoft, joins Nic Fillingham on this week's episode of The BlueHat Podcast. Michael shares his journey at Microsoft, starting from his early days in New Zealand as part of a small team of ten. He discusses his extensive career, his contributions to cybersecurity, and his role in the development of essential security books like "Writing Secure Code" and "The Security Development Lifecycle." Michael reflects on the importance of fundamental security principles and how they remain relevant today. He also touches on his recent move within Microsoft to John Lambert's team, where he continues to focus on security culture and education. The conversation delves into the origins of the Blue Hat conference, Michael's experiences at the first event, and the ongoing significance of secure coding practices and mitigations.
    In This Episode You Will Learn:
      • Critical aspects of secure software development and pivotal moments in Microsoft's security
      • The importance of using specific coding constructs and libraries to improve security
      • Findings on vulnerabilities that spurred significant security improvements in SQL Server
    Some Questions We Ask:
      • How do you deploy security patches effectively while minimizing disruptions?
      • What coding constructs and compiler flags did you recommend for better security?
      • How did external researchers at Blue Hat conferences impact Microsoft's culture?
    Resources:
      • View Michael Howard on LinkedIn
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn
      • The Microsoft Azure Security Podcast
      • Michael Howard (@michael_howard) on X (twitter.com)
      • Latest book: Designing and Developing Secure Azure Solutions (Developer Best Practices) by Michael Howard, Simone Curzi and Heinrich Gantenbein (ISBN 9780137908752, Amazon.com)
    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks
    Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    The BlueHat Podcast is produced by Microsoft and distributed as part of the N2K media network.
    48 mins
  • Navigating AI Safety and Security Challenges with Yonatan Zunger
    Aug 7 2024
    Yonatan Zunger, CVP of AI Safety & Security at Microsoft, joins Nic Fillingham and Wendy Zenone on this week's episode of The BlueHat Podcast. Yonatan explains the distinction between generative and predictive AI, noting that while predictive AI excels in classification and recommendation, generative AI focuses on summarizing and role-playing. He highlights how generative AI's ability to process natural language and role-play has vast potential, though its applications are still emerging. He contrasts this with predictive AI's strength in handling large datasets for specific tasks. Yonatan emphasizes the importance of ethical considerations in AI development, stressing the need for continuous safety engineering and diverse perspectives to anticipate and mitigate potential failures. He provides examples of AI's positive and negative uses, illustrating the importance of designing systems that account for various scenarios and potential misuses.
    In This Episode You Will Learn:
      • How predictive AI anticipates outcomes based on historical data
      • The difficulties and strategies involved in making AI systems safe and secure from misuse
      • How role-playing exercises help developers understand the behavior of AI systems
    Some Questions We Ask:
      • What distinguishes predictive AI from generative AI?
      • Can generative AI be used to improve decision-making processes?
      • What is the role of unit testing and test cases in policy and AI system development?
    Resources:
      • View Yonatan Zunger on LinkedIn
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn
    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks
    Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    54 mins
  • Craig Nelson on Simulating Attacks with Microsoft’s Red Team
    Jul 24 2024
    Craig Nelson, leader of Microsoft's Red Team, joins Nic Fillingham and Wendy Zenone on this week's episode of The BlueHat Podcast. Craig explains how the Red Team simulates attacks on Microsoft's infrastructure to identify vulnerabilities and protect customer data stored in the cloud. He emphasizes the importance of these simulated attacks in preparing for real threats and describes the collaborative efforts with other security teams at Microsoft, such as the Azure penetration testing team and the Microsoft Security Response Center. Craig shares his personal journey into cybersecurity, highlighting his early fascination with cryptography and computer security. He also discusses the unique challenges and strategies of Red Teaming at Microsoft, including the need to influence engineering teams and the importance of systemic thinking to create durable security solutions.
    In This Episode You Will Learn:
      • The need for early detection of vulnerabilities during the development lifecycle
      • Why a mix of technical and persuasive skills builds successful red teams
      • The significance of internal security education and training initiatives
    Some Questions We Ask:
      • What projects are you pursuing in AI and security?
      • How do you have conversations with engineers to influence their security decisions?
      • What skills are important for someone aspiring to join the Red Team?
    Resources:
      • View Craig Nelson on LinkedIn
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn
    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks
    Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    38 mins
  • Unlocking Backdoor AI Poisoning with Dmitrijs Trizna
    Jul 10 2024
    Dmitrijs Trizna, Security Researcher at Microsoft, joins Nic Fillingham on this week's episode of The BlueHat Podcast. Dmitrijs explains his role at Microsoft, focusing on AI-based cyber threat detection for Kubernetes and Linux platforms. Dmitrijs explores the complex landscape of securing AI systems, focusing on the emerging challenges of Trustworthy AI. He delves into how threat actors exploit vulnerabilities through techniques like backdoor poisoning, using gradual benign inputs to deceive AI models. Dmitrijs highlights the multidisciplinary approach required for effective AI security, combining AI expertise with rigorous security practices. He also discusses the resilience of gradient-boosted decision trees against such attacks and shares insights from his recent presentation at Blue Hat India, where he noted a strong interest in AI security.
    In This Episode You Will Learn:
      • The concept of Trustworthy AI and its importance in today's technology landscape
      • How threat actors exploit AI vulnerabilities using backdoor poisoning techniques
      • The role of frequency and unusual inputs in compromising AI model integrity
    Some Questions We Ask:
      • Could you elaborate on the resilience of gradient-boosted decision trees in AI security?
      • What interdisciplinary approaches are necessary for effective AI security?
      • How do we determine acceptable thresholds for AI model degradation in security contexts?
    Resources:
      • View Dmitrijs Trizna on LinkedIn
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn
    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks
    Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    The BlueHat Podcast is produced by Microsoft and distributed as part of the N2K media network.
    47 mins