Microsoft Community Insights Podcast

Episode 39 Security Copilot - Sentence Syntax with Mona Ghadiri

Episode 39

Syntax in security might sound technical and dry, but as Mona Ghadiri reveals, it is actually the secret sauce that determines whether your AI security tools deliver inconsistent results or game-changing efficiency.

This eye-opening conversation explores how treating Security Copilot prompts as code transforms security operations. Mona, a Microsoft MVP in Security Copilot and Vice President at Capgemini, introduces her "Mad Lib Method": creating templated prompts with specific variables that security analysts can populate. This approach addresses a fundamental challenge: not everyone using these tools is a native English speaker, and subtle differences in syntax dramatically impact AI outputs.


Speaker 1:

Hello everyone, welcome to the Microsoft Community Insights Podcast, where we share insights from community experts to save the day in Microsoft. I'm Nicholas. I'll be your host today. In this podcast we'll dive into storytelling, but with syntax in different structures. Before we get started, follow us on social media so you never miss an episode. Today we have a special guest called Mona Ghadiri. Sorry, I couldn't pronounce her surname. No, it's okay. Mona Ghadiri, could you introduce yourself, please?

Speaker 2:

Yeah, absolutely. Thank you so much for having me, Nicholas. My name is Mona Ghadiri. I'm a Microsoft MVP in SIEM and XDR and Security Copilot, as of our recent renewals, and congrats on your renewal as well.

Speaker 2:

Nicholas, I know it's not a small amount of effort. I'm also a vice president at Capgemini, where I work in our cloud and infrastructure services team, working specifically on security operations and incident response. I'm excited to be here today to talk about some syntactical overlays with cost and service design, and to talk about the intersections of all of them in ways that help inform where pragmatic AI choices exist with Security Copilot.

Speaker 1:

Okay. So before we get started, what does your title, Syntax in Security Copilot, mean? Just in case everyone's wondering. Yeah, yeah, absolutely.

Speaker 2:

One of the things I realized is that not everyone who uses Security Copilot is a native English speaker, and a lot of times small nuances in sentence structure or in syntactical choices end up making significant differences in the way that AI will give you outputs. And so what I have designed, and what I want to share with you, is a design I created that allows folks to take advantage of things like Security Copilot, but without the way of thinking about it as sitting in with a chatbot, typing natural language and hoping that something works out. Because if you're not a writer and you're usually used to reading books, you know those are not the same skills. So why would we ask someone who's generally been a reader to all of a sudden become an author? Some people will become an author, but very, very rarely is the ratio of readers to authors actually one to one.

Speaker 2:

So we're trying to take the ideas of DevOps and DevOps principles, and repositories and shared services and those types of things, from enterprise cloud. We're trying to take security operations modernization and design with when and where to use AI and where to use hyperautomation. And we're also trying to solve for this problem that, even if all of us aren't the same readers and writers, the ability to recall or run the exact prompt that you ran before two weeks later is a very, very useful and efficient thing. And if we're not storing those prompts and we're not treating them like they're code, and we're not thinking about Security Copilot implementation as code, we're going to have a much harder time trying to bring things like security operations along for the ride with our AI transformations.

Speaker 1:

Okay. So it's like in DevOps you secure a code base, but in AI you'd be securing the prompt itself for a security component.

Speaker 2:

Part of it is securing the prompt, and part of it is how we write detections, right? So the same way we write detections with KQL and store the KQL as code, we're thinking about these detections almost like, instead of writing detections, we're writing these prompts. And we are the best at writing prompts for security, because we're replacing some of that KQL with natural language. We're replacing some of that KQL with different calls to other connectors and other places. But our job is to try to make the investigation process more repeatable and more standardized and more scalable, which is why we're trying to bring those DevOps practices in. So we should be securing the code base, we should be securing the way we write the code, we should be securing the way that people interact with the application, right? And we should be monitoring it during runtime. So, in our same model here, from a Security Copilot perspective, deploying Security Copilot is one thing, and all the security tools you need alongside it to monitor how people are using Security Copilot are important. But in this specific instance, what I'm trying to tease out is: if I didn't have every security analyst typing things into a box, what is the right level of how much needs to be pre-written for them, versus how much of it actually needs to be written by them?

Speaker 2:

And what you realize, even with a lot of writing, let's stick with this writing analogy, is that where people usually fall is in a Mad Lib. And for those of you who don't know what a Mad Lib is, that's having a sentence that's missing something. It has blanks in it. So: my dog jumped over the blank. Okay, well, is it a dog jumping over a bone? Is it a human? Is it: my dog, Joey, jumped over a bush?

Speaker 1:

Right, is it like a template? It is. Exactly.

Speaker 2:

And they fill in the blanks, right. And so what we find is that good Security Copilot use cases and prompts are almost all written in this templated version where, you know, Nicholas, you give me a noun, you give me a verb. But instead of nouns and verbs there are IP addresses or IP ranges, or maybe instead of a verb it's something like SIDs: give me the SIDs for these six users, and with those SIDs, track the token exchange that goes between Microsoft Graph and the sign-in logs for Active Directory, right? It's those types of fill-in-the-blanks where folks like you and I, when we're investigating security incidents, need the most help. And what we want from the template is the right syntax and the right sentences, because saying "Mona and Nicholas jumped happily", or "Mona jumped and Nicholas jumped happily", or "happily, Mona and Nicholas jumped", you start to see that the same problem exists.

Speaker 1:

Oh yeah, yeah, right.

Speaker 2:

So, you know, if I wanted the sentence to always say "Mona and Nicholas jumped happily" versus "Mona jumped and Nicholas jumped happily", the AI is actually going to give us different answers, even though you and I know that the same things are happening. Both Mona and Nicholas jumped, right? But you can even see it just in the tense: Mona and Nicholas are jumping. Mona and Nicholas jumped. Mona and Nicholas sat. Maybe it wasn't even Mona and Nicholas, maybe it was two other people. But knowing where to do those interchanges has almost become the new art.

Speaker 2:

So when we do something like figuring out how much something is going to cost in Security Copilot, there are a couple of different ways to think about cost or cost implications. One is: I have no idea how many questions someone's going to ask. I have no idea what the sentence length is. How could I ever predict how much implementing any of these things will be? And my model is, if we have the template, the template controls for token length, it controls for repeatability, and if it's just different IP addresses or just different device names, it's much easier to change those two or three or five things than it is to hard-code the same question without variables and hope that Mona and Nicholas, seeing the same picture of these two little kids jumping over a log, would actually write the sentence the same way. And the reality is that that's not going to happen.

Speaker 1:

Yeah, but the template is like a log. Like in activity logs, you get to see the name, everything. Yeah, so I don't have to go and search for those anymore, right?

Speaker 2:

So instead of doing a KQL query where I'm doing a threat hunt and I'm looking in these specific tables or looking at this specific thing, I could say, well, I have all this automation that does a phishing investigation or does a user investigation, whatever generic thing you have to do, but the two or five or six things about the user that I want to investigate are going to be slightly different each time. If it's an unfamiliar sign-in versus a brute-force attack, I'm not going to ask for the same investigation about the user either, right? So what I want to be able to do is have as much templated as possible, and then solve for that problem by keeping these prompts in a repository and having a merge process for changes to those sentences, and having a QA process for those sentences that mirrors exactly the kinds of things you would do if you were building an application.

Speaker 1:

Okay, that might be one of the good ways for someone to learn Security Copilot, because they get the templates. And, yes, think about the templates. A hundred percent.

Speaker 2:

There are some built-in templates in Security Copilot that are already written, sentences, the whole thing, and they just ask for things like: put in the incident ID. But what I'm pushing for, Nicholas, is this idea that you could go even one step further than the out-of-the-box templates and write your own templates for your own SOC. And in managing and creating those templates, not only do you get control of cost in terms of how many times it's run, but then, Nicholas, you could attach that AI runbook to some other automation, to another logic app, to a different Azure Function, and then have the Azure Function do something and hand that off to a Security Copilot agent, or a different runbook in Security Copilot, to go and do that thing for you. So then you can say, oh well, if I have 200 phishing investigations a day and this template costs me three cents to run, then I can figure out how much it's going to cost me. Because right now it's a little bit harder to understand the pricing for Security Copilot, because they have essentially two different flavors.

Speaker 2:

There's the provisioned SCU and then there's the overage SCU, and those are just like dollar amounts, but there isn't a translation that says how many sentences or what questions can I ask for four dollars. Like when you go into an arcade and you ask your grown-up for money and you're like, okay, I want to go play games, and they're like, okay, I'll give you $20 worth of tokens. That would be the equivalent of this provisioned SCU, right? My mom or dad gave me $4, and I can play 10 games that are each 40 cents apiece, or I could play one $4 game, or I could play four $1 games. But it's up to me to decide which games I want, because it's an arcade, and I could be dumb and spend it all on one $4 game and be done, and that could happen in a month with your Security Copilot. Unless you're thinking about it the way I'm explaining it and you're saying, okay, well, I'm not going to let anybody play whatever arcade game they want.

Speaker 2:

I think that the best bang for my buck for this arcade is to split this $4 across 10 games, in which case I'm going to play a lot more games and I'm going to have a lot more fun. But you could have a scenario where, man, I only have two minutes to play my game, and if I only have two minutes there's no way I could ever get to 10 games. If I really want to have fun, it may make sense sometimes to play that $4 game. But again, a client should be able to make that decision themselves, and they should be able to decide: this query for me to go and threat hunt for this user is going to take me a week, or take me 10 hours, and I could get it with Security Copilot in 12 minutes or 15 minutes or even 20 minutes. Is it worth it? For me, $4 is worth it. It's absolutely worth it. But again, it's all about when you're trying to use it.

Speaker 2:

So I would never recommend anybody put every single incident through Security Copilot. It's not designed to be an ingestion thing. It's meant to be used once you've used automation to sift through the things that you can and you've narrowed that down, and that's still too big of a pile. Twenty phishing investigations for one analyst in a day is not feasible, if they've all already been through automation and there's a suspicion that they're true positives, whether they're benign or not. So yeah, an easy way for somebody to start working on these things would be to start with the Microsoft promptbooks and start looking at the sentences and saying: what are the things that should be variables instead of being hard-coded?

Speaker 1:

I guess if someone keeps using it as the only tool, it will run out of instances and usage.

Speaker 2:

Oh my gosh, you can run over.

Speaker 1:

Yeah, combine it with another tool and use it as a secondary.

Speaker 2:

A third, just like checking over everything.

Speaker 1:

Yeah, yeah, that's another great use case.

Speaker 2:

Yeah, if you really have two or five or 15 where you're like, I really don't know, they're phishy enough that I don't feel comfortable, I mean, it's just another great use case. The analogy I like to use is: you don't always go and buy a car every time something that you want to put in your car doesn't fit. You go and you rent a car.

Speaker 2:

Yeah, Copilot is really like that, right? My main daily driver vehicle is a 2015 Subaru Legacy. But if I want to build myself a new deck, well, the boards that I need, the wood that I would buy, would never fit in my Subaru. Does that mean I should go and sell my Subaru and buy a whole new car just so I can fit wood in it? I'm not a carpenter, so it doesn't really make sense for me. It makes way more sense to go and rent a truck to get the material home, or pay somebody to bring that to me, than it would be for me to go and buy that car. And so in a lot of scenarios, in a lot of cases, I like to think about Security Copilot like that. Unless you really know what you're doing, driving a big truck that has these big logs on the back of it and you want to cut all those logs up, you really probably should let someone else do it. Get it?

Speaker 2:

Logs, logs, carpentry. Okay, anyway, that's a bad joke. But yeah, keep going.

Speaker 1:

So, before we get started, can you explain what you do on a day-to-day basis with Security Copilot? Yeah, absolutely. And how you got the idea of interacting with it like this, and how you figured it out?

Speaker 2:

Yeah, yeah, absolutely. So when I first sat down and I started using Security Copilot, I was one of the first early adopters. Security Copilot came out about two years ago, not this past April but the April before that. And when Security Copilot first came out, it was very much about how do you know how to ask it the right questions. And I realized it isn't actually about how do you know what questions to ask, it's how do you know in what way to ask the questions, because it's almost like talking to a sphinx or something that you have to talk to with riddles. It's like, well, if you don't actually ask it in this exact way... And so that became this obsession of mine: how do you figure out how this thing is ever going to be repeatable? I can't get it to tell me the same answer twice. And then I started realizing that the way in which I was asking the questions was different, and who was asking them, at what time of day, with what data. All of those started making all of these different levers that you could pull about when and how you start using Security Copilot. And I quickly realized, because of this running-out-of-money-at-the-arcade problem, that sitting there and just asking questions was a terrible use of my time and of how much it costs to run these things. And I realized that a lot of the things that we had solved for in security operations around detections, and the way that we write detections and SIEM as code, could all be translated into Security Copilot the same way as into KQL. So I could reference this or that or whatever other variable I was trying to reference in the detection logic, and I could do the same thing with sentences, whether it's a Mad Lib over here or a Mad Lib over there. I kept seeing all of these parallels. Security Copilot has this idea of connectors. Sentinel has this idea of connectors. Security Copilot has this concept of content. So does Sentinel.

Speaker 2:

When you think about integrations with other third-party things, well, you can integrate those with other SOAR tools. Well, that's the same thing that you can do with Security Copilot. And a lot of those escalation management or report writing or threat intelligence use cases that are auxiliary to the SOC, that take time away from the SOC doing its own thing, actually are all the things that Security Copilot ends up being better at than the SOC. So, instead of focusing on solving for how we use AI to do incident triage, I flipped the script and I said: what if we use AI to do the things that take time away from the SOC actually doing the alert investigation stuff? What are all the things that people get pulled off of in the SOC to go and do other things for?

Speaker 2:

Well, if something's broken or if it's not working correctly, if a customer wants additional investigation beyond what we had for them in their first investigation, these incident reports, or concepts like: how am I going to fix this next time? Any sort of lessons learned, documentation, things like that. How does a SOC actually investigate all of that stuff?

Speaker 2:

I was like, oh my gosh, if we just had other tools that helped us with things like knowledge management and content design.

Speaker 2:

Things that help us scale, like these templates. Maybe that's the better use and the better pragmatic AI approach than having an AI-powered SOC that is trying to put AI everywhere. And that's kind of how we ended up here today: that idea of taking runbooks, or things that the SOC was doing that take time away from the SOC, end up being the things that are the most valuable. So that's why I think if you look at things like the conditional access agent, or you look at some of the out-of-the-box agents for threat intelligence or DLP investigations, they all have the same mission. They're all the things in the SOC that are really hard to do if it's not your day job. So making it something else's job, in this case AI, means that it's been transformative in the way the SOC has gotten time back to do the things that they really care about.

Speaker 1:

Wouldn't that be more expensive, if you get the AI to do other things that it's not primarily meant to do?

Speaker 2:

Well, so this is the thing, right? If you think about today in SOC operations and what the SOC is being asked to do, they're asked to do things like breach and attack simulation. They're asked to do things like pen testing, vulnerability management. Oftentimes non-SOC-investigation-relevant things in endpoint management end up being part of the SOC's remit. So it really depends. If you just do all of this SOC investigation stuff, it's going to be insanely expensive, because we're still seeing on the order of trillions of alert signals a day. Let Microsoft do that. Microsoft already put AI in their own detection engines in the unified SecOps portal. We don't need to be doing that, but we need to be focusing our efforts on all the things that are kind of auxiliary but still necessary to do a good job in the SOC, and that's where I think Security Copilot ends up being the most beneficial.

Speaker 1:

Okay, so that's why you just focus on the client and your infrastructure, whether it's code-based secrets or anything, to carry that out using the Security Copilot prompt.

Speaker 2:

You can.

Speaker 2:

Yeah, I mean, if I was trying to develop a better key vault or secrets or rotating secrets, or I had some issue where I was trying to develop or design other things for my security operations team, you absolutely can. Whether you're securing the AI infrastructure or you're using AI to do the investigations, things start to get mushy there in the middle. And so you just have to be really careful about where you're trying to use Security Copilot to help with infrastructure or policies or fixing things that are broken, versus this triage, investigation and escalation problem more specific to the SOC, because Security Copilot can be used for both. And in fact, if you look at a lot of the other work that some other folks have been doing around Security Copilot, they have been more focused on IT help desk or IT pros rather than security pros. I just happen to be one of the security pros who's more on the SOC side using Security Copilot.

Speaker 1:

I think your camera is a bit fuzzy. I don't know if it's you. Let's see. I don't know if it's my camera. Okay, sorry, let's just continue. So what does your day-to-day job comprise, Mona?

Speaker 2:

Oh, man. So I work in the global solutions team at Capgemini, where our job is to create and design the offers that are available to all of our solutioners, in order to reduce complexity in design and reduce duplication of effort when it comes to solutioning.

Speaker 2:

What we've realized is that, especially for things like SOC transformation or managed detection and response or IT operations, there is a best-practice way to do these things, and whether it's customer 200 or customer 2000, we're applying those same learnings and methodologies to a larger program that we are in, in every single deployment that we're doing. So you take something like secure remote access, or security operations centers, and we transform those into reference architectures and other means of assisting different functions, to again get to these more repeatable, scalable, well-designed portfolio offers. So within Capgemini, which is where I work right now, we have somewhere north of, I think it's 34, different categories of offers across the board.

Speaker 2:

IT professional, digital worker, digital experience types of things; cloud infrastructure, database migration types of things; identity transformations and identity fabric, or identity-first, zero trust.

Speaker 2:

Those types of infrastructures, and we bring those to life for our clients in ways that help them transform and scale their business. So my day-to-day is made up of working with clients, working on materials that help our solutioners succeed, doing thought leadership and participating in the community, whether it's things like the Microsoft community or The Open Group or other international organizations. And then, certainly, we have an overlay with not only geographies but also different business functions. So whether it's manufacturing or health and life sciences or financial services, each of those different industries also has its own unique hot takes on things like cybersecurity, and so our jobs are even more exciting and complex, and we try to apply that industry overlay to some of the things that we're doing. I also work with R&D teams, all of our teams that are building new things or testing new things. So some of that is things like Security Copilot's new agents or other sorts of R&D features, like the Sentinel data lake that just came out yesterday.

Speaker 2:

A big portion of my job is also working with our R&D teams to make sure that the new things that are coming out are in line with the portfolio and service offerings that we have available for our solutioners today. And then, in between, I get to mentor people and work with other people.

Speaker 1:

Okay, so you're like a high level with the service, working with the client, and you create the service offering and how you can embed security in it, but you're not actually hands-on doing it?

Speaker 2:

Oh, so when things go super duper wrong, or if something's complex, or when they need a senior architect to come in and talk about strategy and stuff like that. But yeah, I would say it's probably like 20 or 30 percent hands-on and more than 70 or 80 percent focused on strategy, architecture, design and scalability for our business.

Speaker 1:

Okay, so you can work with numerous clients at once and just create things like offerings for them, whether it's documentation, built-in, or anything like that?

Speaker 2:

Yeah, it could be. Usually, when people are purchasing IT solutions, they are also looking for cybersecurity at the same time, and so the idea is, if you're going to do a transformation in any other part of your business, cybersecurity needs to be part of the DNA of that transformation, right?

Speaker 1:

So it needs to be in at the root. Otherwise, if it's added at the bottom, there's no way it's going to take.

Speaker 2:

Exactly. So I work with our different portfolio teams that also interact with other parts of our business. Like, we have a ServiceNow practice. We have cloud practices. We have partnerships with AWS and Google, as well as other types of firms.

Speaker 2:

So the intersection where we sit is fun, because I do the tactical things and I get to do the strategic things. But I would say that it's rather rare, because I kind of have half of a brain that's a product manager, and I've been a cybersecurity product manager for over 10 years, and half that's an architect and practitioner, and I've been doing Microsoft cybersecurity deployments and implementations and testing of new features for Microsoft for probably over five years at this point. And so it's kind of unique in the career path, because usually someone stays on one side or the other. They don't usually straddle both, or usually it's very hard to find people who are capable of doing the client-side types of go-to-market engagements as well as troubleshooting and building technical reference architectures. Okay.

Speaker 1:

So do you not miss being hands-on, like 50 percent, like troubleshooting? Or do you just prefer a bit, like 50/50? This is a good question.

Speaker 2:

I think that when I think about my own abilities and my scale, certainly I'm valuable and could do a deployment, but I think I'm better off trying to help the next 50 deployments go better than the one that I'm working on, than I am necessarily doing the one thing. I also think I'm at a point in my career where I want to empower others to start learning and growing and be those practitioners. And if I am a practitioner until I have even more gray hair than I have, then I've failed the next generation of people who are also trying to work their way up.

Speaker 1:

You can still lead a team of engineers and still do that hands-on as well. You can.

Speaker 2:

Yeah, I think when you get to bigger organizations.

Speaker 2:

You know, when I was working at startups, which is what I was doing for the last five years, I got to do everything, just because, by the nature of being a startup, you just don't have a lot of people, and there's plenty to do and plenty of opportunities. But as I've grown in my career, and I've grown through my own experience, what I realized is that I am such a systems thinker that fixing the system that the individuals are working in, and being so frustrated that the screws are not next to the screwdrivers... Ultimately, I'd rather fix the screws being closer to the screwdrivers than showing up to my job cell and looking down and saying, okay, I guess I got these screwdrivers and the screw here, and I guess the way I'm going to do it is going to be the way that it is. So I think that's always kind of been this continuous improvement part of me. I'm never satisfied just working with one client or doing one thing. I'd much rather learn from doing multiples of these deployments, and really encourage others in their career to continue to grow and build themselves.

Speaker 2:

One of the things, and you know this, about being an MVP is that our job is to bring others along with us along the way, and especially in cybersecurity, there just are not enough people. So me gatekeeping, or being the only one who can do the deployments, or keeping that knowledge to myself, it just doesn't do it for me. I just don't think that there are going to be enough people, and so my job is to say, oh yeah, no, you look like you could do this, and you could even be the one to say that the screws and screwdrivers should go in a different place.

Speaker 2:

Yeah, I mean, there's a world where I'd much rather be like a tier three support person to those engineers than being the hands-on engineer, though I do think everybody in their life should have to do some level of client deployment, client engagement, hands-on types of work, whether it's design or implementation, to really feel the love of why there needs to be other people.

Speaker 1:

Yeah, it's the same. Like, you need to start as that engineer to see what it's like before you go to your chair, like 100 percent client-facing. Otherwise you're not sure what it's like. You don't know.

Speaker 2:

You might like it. Yeah, I think that's the other thing. Like, we talk about there being this growth trajectory of just becoming a principal, just being a cyber expert in your field. And for all of the youths who are looking for other careers out there, I do think that pivoting to product or sales engineering or solutioning may be another place to look. And vice versa, if you're coming in and you want to get into cyber and your background is in sales or marketing or those types of things, oftentimes product is a hard place to jump to. But jumping in and starting as a delivery engineer, even if you came in from something like sales, is going to make you a way better delivery engineer than some other folks who've never had client-facing experience. So I think there are wins for everybody.

Speaker 2:

And Nicholas, like my undergraduate degree is in anthropology and history, like I don't have a cybersecurity degree. So how did you get into cybersecurity? It's a great story. So I was working as a manufacturing engineer in plastics, plastics injection molding, yeah, and after about four or five years of doing that, I decided to go back to school and get my MBA. So I was still working and I did my MBA at night. I was working as a plant engineer, and the plant ran 24-7.

Speaker 2:

And it turns out that manufacturing, with its supply chain and its multiple layers of people and process and technology that all come together to try to make something, actually gave me an awesome reference point for how cybersecurity works and happens too, because cybersecurity is kind of like applied supply chain, right, when you think about it.

Speaker 2:

I have resources, I have raw goods. I take those raw goods and I make them into something else, and that something else maybe is an application running in Azure, you know, and then that application gets shipped, you know, to some distributor or some other place where then that app, you know, if I'm a software development house, right, that app then gets shipped to customers all over the globe and whatever clouds, you know, they happen to be in. And when I was doing my MBA, I realized that there were some people who didn't wait to the end of their MBA to switch careers. They started switching like a year or two in and I was like, man, I should do that. Like what am I waiting for? The end of this? Like I know that I could do something better than manufacturing and I would have more fun. So I was like, ah, I wonder what's going on in like software development, like I hear that they treat women better, like.

Speaker 1:

I hear that. It's like, yes, that is the goal. You switch, you know, before you graduate.

Speaker 2:

Then I switched before I graduated and I got a job working at, so in the United States a lot of research universities have what they call research parks where they have like little startup companies.

Speaker 2:

That are either funded by the university or funded by big companies, and it's this idea of getting, you know, kind of this farm system of university graduates into workforces doing whatever. So there was a startup, I'd never heard of it before. They had an opening actually for a project manager, software project manager, and so I went after that opportunity saying, you know, I had done project engineering, which is basically the equivalent of project management in manufacturing, and I knew all this stuff about how to build and launch products. And they were like, okay, we'll basically take a bet on you.

Speaker 2:

And because the software they were working on was Linux operating system stuff for the government, like there just really weren't that many applicants and a lot of the stuff they were like, we're going to have to teach somebody, even if they came in with a software background. Like it's very rare that people have Linux operating system background in any capacity. Really, still, it's even sort of rare unless you're, you know, really in the world of, you know, open source software. But anyways, I digress. My point is that because there were really no other candidates and I was excited and interested in a lot of stuff, they gave me a chance and I got the best opportunity to learn about cybersecurity by building cybersecurity software, basically.

Speaker 1:

It was the most meta experience ever.

Speaker 2:

At the time when I was learning about cybersecurity, I was a product person. I did project management for about the first six or eight months I was there and then I got promoted to being the product manager, and product management ended up being my first love. It's the thing that I really, you know, gravitated to in my career, and so once I realized that cybersecurity software was never going to be easy enough for anybody who wasn't an expert to be able to run successfully or engage with it, I started saying, well, I think that's what I want to dedicate my life to. Is this like, okay, we're never going to have enough people to deploy this stuff or run it.

Speaker 2:

So how can we make the running and deployment of these things easier so that the few people we do have aren't just trying to get the dang thing to start, the engine to start, you know, or worried about where the screwdrivers and the screws are? Like, let's focus on, you know, if the screwdrivers and the screws were all in the right place, how could we make this into a gigafactory? How does software development and how does security, you know, operations become more like a Toyota, you know, manufacturing plant? And that's where I've been for the last, you know, probably almost seven or eight years is, I'm in pursuit of creating the Toyota factory equivalent for security operations. I think it's that kind of simplicity in design and operations that will bring security operations centers from where they are now to where I think they should be.

Speaker 1:

What made you think of the research? How did you get to do security research? Were you told that you need to do some research on security?

Speaker 2:

No, I just started learning and poking around in the community.

Speaker 2:

And it was right around when the CCP started, the Customer Connection Program for Microsoft started for security, that I started getting engaged in it. And before I knew it, I was one of the top, you know, contributors, top 10 contributors to the CCP program. And as I started, you know, testing this stuff, what I realized I was doing is white hat hacking. I was testing these things before they were in production and finding problems. I just, instead of waiting for the bug bounties and waiting for the point to submit it to MSRC, I would do it before it even got out.

Speaker 2:

And I realized that testing all this new stuff gave me the best advantage as a product manager too, because I knew what to put on the roadmap, because I knew what Microsoft was doing, and it made my IT roadmap or my roadmap for my software design or for my services designs infinitely easier, because I knew what was coming next, instead of just having to try to design something myself, because none of us work on things that we could just design in a vacuum and hope Microsoft doesn't change any of it. That's just not how it works, right? If you don't always have like one eye on whatever's coming out next on what you're building, you may find that something in your code got deprecated. You may find that this service isn't available or is being replaced by this new thing or this other thing. Yeah, everything's changing a lot and it will change all the time.

Speaker 2:

Right, and that's really what led me down this R&D path is I don't want to get surprised. There have to be people who know what's going on before it comes out, and there's no reason I shouldn't be that person. And when I realized that Microsoft really appreciated the PG teams, like they appreciate the feedback, they want to work with people who care deeply about the success of the products, you know, it kind of felt like an insider, yeah, like not a QA person, but really somebody who was... I used that to make a name for myself within the Microsoft community, and it's a lot about the intersection, like I said, of design before it comes out versus white hat hacking before it comes out, and I feel like it's really been my passion that I found doing all of this.

Speaker 1:

Oh yeah, that's interesting. It sparked after you took part in the open source community with the security program. I thought it got started after you did some research into security.

Speaker 2:

No, I mean, I learned about security research when I was at Trustwave. They had a security research team and that's when I kind of learned that like, even if we implemented this perfectly and there were people who knew how to run it, the bad guys are changing stuff all the time.

Speaker 1:

And so it's not even enough that I... Exactly right.

Speaker 2:

It's not even that I can just run what I have really, really well, it's that I have to know that, you know, there's some, you know, 14-year-old trying to jigger their way out of the house in the middle of the night at any given moment, right? So it's not just about how well I built the windows or how good a lock I put on the door, right, it's about who's going to try to get out through the chimney, and I never thought anybody would go out the chimney but Santa Claus.

Speaker 2:

And suddenly, here I have my 14-year-old trying to scurry their way out. But right, we never think about people using things for other things than the way they were designed. As a designer, I know that I never thought someone would use a screwdriver to, you know, steal a car. Yeah, if I would have known somebody would have done that with a screwdriver, would I ever have created a screwdriver?

Speaker 1:

No, I never thought about that, because I only thought about all the great, wonderful ways someone could use a screwdriver. Everything in your environment, like Azure stuff, it's vulnerable, so think of everything everyone uses and stuff. That's how you have to think of it. Otherwise, you won't be able to find vulnerabilities and things.

Speaker 2:

Well, and it's always like, well, the vulnerabilities that you thought wouldn't ever be the ones that are found, right? So in my analogy of, like, I can use a screwdriver to steal a car, right, I could use that Azure storage blob to infect your entire organization and you never, maybe, even thought of that storage blob being used for something bad. You put the storage blob there for something good, right? So I think that's why we always need two different mindsets, the builders and the breakers. And the good people are both builders and breakers.

Speaker 2:

If you're ever just a builder or just a breaker, I really don't think that you're doing anybody truly a good service. And so if you're ever just a researcher, you're not a builder. If you're a builder, you're not also playing with the research. That's actually how I think security vulnerabilities end up happening the most commonly. But we really have this, it's a loop, right? They should all be informing each other, and if everyone's talking to each other, then theoretically, the builders and the breakers will develop the best things together rather than... Yeah, it's like, in terms of security, all the departments would have to speak, to communicate with each other, whether it's alerts or anything.

Speaker 2:

Yeah, we have that problem a ton, yeah, where it's like a game of hot potato every time there's a zero day. Well, no, you're supposed to patch this. Well, I told you that it was exploitable. Well, now it's exploited. What do we do? Well, I told you that it was, right, and that's like ultimately not useful. What's more useful is, when is the patch coming out? How do we measure whether we're patched? How do we know if our third parties are patched? Like, let's get out of the he said, she said, they said, whatever. Right, it's really about not just us here today, but everyone else who's connected to us. And sometimes we just get myopic about the way we think about this stuff and they're like, oh, I contained it, my problem's done, it's somebody else's problem now, and it's just like, that's not.

Speaker 1:

That doesn't scale and it's not the way that security operations is ever going to succeed. Yeah, so you'll just have to think about how you can stop it, like how you can protect something if, for example, it's something where you leak, for example, a code, like one of your DA account credentials in code, for example. You have to figure out how you can stop that using the best practice and things. It's the same mindset, so you have to have an engineer mindset and an architect mindset, as well as a security mindset. 100%.

Speaker 2:

I think that you can't spell security without U and I. It's the same kind of problem statement.

Speaker 2:

I think that we go through security awareness training, don't click the phishing link, don't do this, but then, when it comes to architecture and design, we say things like, oh yeah, just give that SPN global admin access. You're like, ah please, one, don't use SPNs anymore and two, don't grant it global admin access. But you know, those types of, you know, translating best practices in the way we live our lives to best practices in code or any of those kinds of things are also, you know, places where I think there's a huge opportunity for organizations to step back and say, oh yeah, actually there's a better way to do that.

Speaker 1:

Okay, so aside from your work in security, let's dive into some amazing community stuff you did, aside from like the CCP, the Customer Connection Program. I see you've been doing quite a lot of community stuff, so you've been taking part in feedback as well, giving feedback to the product team, and I saw that you're quite active and stuff. Do you want to tell us more about what you do in the community?

Speaker 2:

Sure, yeah, absolutely. I think being part of the security community, like I mentioned, there just aren't enough people, so I picked a couple of different avenues to invest in. One is called Azure Zero to Hero, or the Zero to Hero Community, and that's really geared at new learners and people who are trying to get into either Azure or into cybersecurity. The Azure Zero to Hero community has weekly sessions where we bring speakers to teach people about new things. We have a learning community as part of Microsoft Learn and we have a massive YouTube following. In terms of just getting people access to good new content from talented speakers, that has been a really big point of what we've been trying to do. And for Zero to Hero, my big thing has been bringing more women and more diversified speakers to want to come and participate, to help bring up the number of minority individuals who are participating in things like cybersecurity.

Speaker 2:

The second group that I am part of is something called the MS Farsi Learn Community. So, for our Persian language speakers, you know, out there, and non-Persian language speakers out there, I just said hello to everybody and said thank you. I'm excited that you're tuning in. What that community is focused around is bringing Persian language speakers to the world of Azure, to Microsoft. You know, Persian language speakers are part of one of the largest diaspora populations in the world, both due to geopolitical issues and religious tensions. We have found Persian language speakers scattered all over the globe and in a lot of cases, you know, where they have been professionals in their field.

Speaker 2:

At home, it's not possible for them to do that in the place they've relocated, and a lot of them have had to kind of re-skill or re-engineer.

Speaker 2:

It's the problem of every family who's ever immigrated anywhere, right?

Speaker 2:

A lot of times you have to start over, and so what we've tried to do is create a community of other Persian language speakers who can help and build a community and a learning journey for those Persian language speakers, knowing that there really isn't very much, if any, content that's in their native language, and a lot of times that first step is finding community and finding people who have shared values and shared language. And so MS4C has been another investment of mine, and then the last one that I've been invested in is something called Rockstars, Women Rockstars in AI and Cybersecurity, and that's an initiative that's been part of Team Copilot.

Speaker 2:

So Team Copilot, as well as the Rockstars for AI and Women in Security, have both been female-focused leadership and guidance around building your AI network of other AI professionals and also finding community in other successful women who are in leadership positions around AI or cybersecurity, and what we've been doing with those communities is largely, again, trying to focus on visibility and education and showing that the barrier to entry and the types of people who are working on AI and cybersecurity are the same kind of people that they see in the mirror. And so, you know, just trying to grow, again, different ways of thinking about community and different ways of thinking about education across those three different, you know, refugees and other language speakers and also women in AI and cybersecurity, have been places that I've really people's experiences in both cybersecurity and AI, and definitely kudos to all of the people who have been investing and participating in those types of growth opportunities as well. It's definitely not just a me thing. There are so many other people who I've been working with along the way.

Speaker 1:

Nice. Yeah, it's like what you said, flying in your community. Whether it's cybersecurity, it will be different, but it's good that you're doing the different language, I can't remember what's it called, the Nauru language.

Speaker 2:

Parsi yeah.

Speaker 1:

I guess you know Saeed, right? Yes, Saeed is one of the others.

Speaker 2:

Yeah, shout out to.

Speaker 2:

Saeed Dahl. He's another Microsoft MVP. He has been one of the leaders. Yeah, Hamid Sadiripour. Saleh is another one. Mohsen Ekhh is another one, Mohsen Echavan is another one. Shahab, shout out to all of them, Pouya. We really tried to do a good job of getting native or, in my case, my dad's Persian, my mom's American, Parsi speakers from the entire world. So we have representation in Canada, United States, Australia, Sweden, the Netherlands, and it's truly been an amazing experience connecting with the Persian diaspora of Azure and even cybersecurity experts. Actually, there's quite a few of us, so it's been a really exciting thing for me being part of the community. I've found so many other people who are looking for other people just like themselves, who really do feel like this place is so big and the world is so small.

Speaker 1:

We really should find each other and help each other. Sometimes people might be nervous of reaching out to the... You just need to reach out to the individuals that need help.

Speaker 2:

Yeah, sometimes it's all just about, like I said, seeing somebody who looks like you in the mirror to make you feel comfortable and feel like you have a place, and that's always been, you know, my thesis statement in any community stuff I do: there's always somewhere for you to sit next to me. You always have somebody to say hi to in the halls at a conference. I want everyone to feel that this is some place where they feel like they belong, and not somewhere where they have to prove to other people that they belong.

Speaker 2:

Okay, yeah, because I think normally in DevOps when people sit down and stand up together, it's like an open floor so that someone can come and speak to the space.

Speaker 2:

There's a movie, uh huh. If you build it, they will come. If you give people the space to make them feel like there is room for them to come to a stand-up and speak openly, they will. If you don't have a stand-up, you're going to have the same kind of nonsense that was happening the week before, because nobody changed anything, because nobody said anything to anybody else. So you're exactly right, the concept of, you know, there being stand-ups or there being places where, you know, people will always be is a tremendous differentiator. Yeah, plus you're part of Experts Live.

Speaker 1:

You say so, you think, oh yeah, that's another one. Yeah, I mean that's.

Speaker 2:

Yeah, in terms of conferences, you know, everything I talked about, those were all like online communities. Yeah, I've also definitely, over the last year, taken another step into not just being a conference participant but also being a conference organizer. And yeah, Experts Live US, October 10th. So buy your tickets. Call for papers is closed, but we're very excited to bring Experts Live to the United States. Similarly, Workplace Ninjas, which is one of John's projects on top of the pool. Yeah, he's been working on, again, bringing the same kind of concept.

Speaker 2:

We have a really strong European presence, but not really much in the Americas. That's going to be in December, I believe on the 10th as well, or right around the 10th, in Dallas, and we're trying to bring US speakers. We're trying to bring the same kind of user group, user community that we have seen in Europe be so successful to the United States. We have the right practitioners. We just don't have a place for them to all go and talk to each other, and I think what we're trying to do is really create those same types of communities and opportunities for people to learn and grow from each other in the United States that exist pretty strongly within the UK or North and Central Europe.

Speaker 1:

Yeah, because I know there's quite a few developer communities, like conferences, in America, but not a lot of security ones as well.

Speaker 2:

No, it's a lot of SharePoint, a lot of M365. Yeah, yeah, yeah, not a lot of Azure, and there's a couple of good user groups. Shout out to the Boston user group, those great ones that are happening in the Twin Cities, but they're kind of scattered all over the place.

Speaker 1:

But yeah, I think definitely. The only one that I recommend is KCDC, that's the developer one, but it's not really in security. It's like DevOps or developer. You probably will go to that.

Speaker 2:

Yeah, it's not really that DevSecOps security type of thing. Security folks, we have our generic conferences like Black Hat, the Gartner conferences, RSA, those types of things, right, but they're not Microsoft cyber specific and they're not even specific even to just like one part of security. Right, it's all security, all vendors, and so I think the other kind of interesting thing, if you're thinking about getting into security, is that we need all types. We need folks with development backgrounds, folks with identity backgrounds, folks with DevOps experience or application testing or GRC. We need all types, right. But when you start thinking about the intersection of, where do you find community? It's very difficult. It's either generic cyber or it's Microsoft specific but not security. So I think that there's a huge opportunity for us in the United States to really build that, and I want to be one of the people who helps build it.

Speaker 1:

Nice. That's one of the ambitions for the future.

Speaker 2:

Absolutely.

Speaker 1:

Accelerate more people in cybersecurity.

Speaker 2:

I mean, so there were 26 Security Copilot MVPs this year and I'm the only woman. I would like for that to be different next year.

Speaker 1:

What? The only woman in the program, or the only woman in America?

Speaker 2:

Both. In Security Copilot, all up globally, and also in the United States. Wow. So the United States has five, but I'm the only woman of the five, and then of the 26 of us, I'm the only woman in the world.

Speaker 1:

Yeah, but I think there's more women in security, like more women in security. So, women in security for...

Speaker 2:

MVPs. Yeah, I will give shout outs to Sucheta Gawade, who's amazing, she's SIEM and XDR and Intune. And then Santa, who's, I think her last name is Tom Run or something like that. She's out of Sweden. She's another XDR lady. I mean, they do exist, but they're all generally at the intersection of SIEM and XDR and something else. So, like SIEM and XDR and Identity, SIEM and XDR and Intune, or things like that. Mine is SIEM and XDR and Security Copilot.

Speaker 1:

Oh okay, so instead of Security Copilot it's focused.

Speaker 2:

That's new for me this year. I used to be cloud security and SIEM and XDR. So, you know, I too came from a different part of the world, from cloud security, kind of more into Security Copilot. But you know, I think that's all to say that, you know, this world of ours is rapidly consolidating and, to your point, I hope that there will be more women, more women in XDR and SIEM and SOC operations, but then also, you know, in Security Copilot and AI and other AI applications. I really do think that, you know, we just need more people and we need more places that want to encourage and empower women to be successful at work too.

Speaker 1:

Yeah, it could be like, for example, you can build something locally, like a local community nearby where you live, and stuff like, whether it's a place that has local women. Yeah, it doesn't take very much, whether it's doing hackathons and stuff, or teaching them security. It could be those things, simple things.

Speaker 2:

Oh, it takes very little. I find that security is such a hot topic these days that even at a wedding, I was talking to a guy and he was like, oh, I really would love to learn more about how this security stuff works in Microsoft. And I was like, well, let me teach you. But you never know where you might find your next group of people to collaborate on or work on stuff with, and those types of communities are really great. I'll give another shout out to Esan Eskandari. He does a fantastic user group up in Toronto, where it's mostly focused on .NET, but he does security stuff too, and I've had the luxury of speaking to his user groups too.

Speaker 2:

So there are some really, really talented MVPs and other folks that are doing this, but that's not to say that there are enough. Even if you're not an MVP or you're somebody who just wants to connect with other people, BSides are always really good for cyber. And then, yeah, there are Microsoft-specific user groups. There's a Sentinel user group that's based out of Europe. There's, you know, ones, like I said, in Boston and Toronto and Twin Cities. Dallas has a really great community. But here's your call to action: go find them, go meet some people, if you have the opportunity.

Speaker 1:

So what kind of tools can people use to go find them? You can choose, again, like Meetup or anything.

Speaker 2:

I use, yeah, so communitydays.org, Microsoft Community Days, is a really, really great one where they list, shout out to Tom Daly who runs that page, but it's a great place from a centralization perspective to just see what's out there and available. Sessionize is another good one. Sessionize will show you who has calls for papers, and even if you don't want to be a presenter, you could still reach out to the person who's in charge of that group and say, hey, I want to get involved, or I don't know how to get involved, or I'd like to, you know, participate, you know, just as a listener, or I want to give my first conference talk. Those are all really good places to get started too. And if you're in the Microsoft MVP program, there are specific opportunities and ways to engage as well as part of Microsoft Reactor. If you want to participate in one of Microsoft's ways of bringing in people to connect, that's another way to engage beyond the user groups themselves.

Speaker 1:

It makes me curious whether there's any student ambassador that's really into security, that just came from university, those things, aside from being a professional.

Speaker 2:

Well, if there are any student ambassadors out there that want to hang out with some security people, call me. Find me on LinkedIn. I don't know of any security student ambassadors yet. That's not to say that they don't exist, but I definitely think that there is a huge opportunity and some folks have started doing this. They've got like student-staffed SOC operations now, where it's like a student job that you can have on campus. You work on the help desk, you work in the SOC, which I thought was kind of also an interesting way of getting more people introduced into cybersecurity, is having it as your campus job.

Speaker 1:

Okay, yeah, so I guess that's probably one of the ways to get experience, like someone could get an internship in security, yeah, or looking at colleges that have...

Speaker 2:

Yeah, look for a college that has a college job listed as sitting in the SOC. There are a couple out there that I think, honestly, you'll get a better take and more industry experience working in a SOC than you would in some other places. And, you know, if you have the chance to choose between a college job working in the help desk or working in the SOC, I would choose the SOC any day of the week over dealing with whatever people poured into their computers or whatever doesn't work with their phones. As in SOC,

Speaker 1:

do you mean security operations? Yes, security operations.

Speaker 2:

Yes, exactly, exactly. I would say, if you're earlier in your career, you're trying to pick a college, or security operations is something that isn't on your radar, it's a great way to also try it. Try it for a semester. Yeah, if you hate it, then at least you know you don't want to go and get a job working in the SOC, but even that semester of time will help you with way more practical applications of how to use what you may have learned in school.

Speaker 2:

And then the other thing is, like, you know, these Microsoft certifications will count for college credit. So, you know, if you're somebody who dropped out of college or maybe is trying to get back into it or just has a couple of credits left to finish, you know, other than getting a campus job and getting exposure that way, you can always also go in and get Microsoft certifications and, you know, they could be worth three or four credits a pop.

Speaker 1:

Okay, yeah, that's another way to see if you can gain experience, like apprenticeships as well, so it's actually a good way. Yeah, absolutely, yeah.

Speaker 2:

So you can do apprenticeships, you can do certifications and you can do these user groups, and all of those are going to be like new career ways of breaking into the Microsoft ecosystem, for sure. Yeah, they'll do a bit of everything, but not too much, like you. Yeah, well, I don't think.

Speaker 2:

Well, hey, I said I definitely do too much, but I think I've always suffered from wanting to do and help out as much as I can in any way wherever I can. But yeah, Nicholas, thank you so much for having me.

Speaker 2:

I had a chance to talk to you guys, you and your audience, and if anyone wants to reach out or connect with me on LinkedIn, you can find me, Mona Ghadiri, and I would, yeah, love to continue any of the conversations that we've had here with any of our listeners, if they're interested.

Speaker 1:

Yeah, so if there's any questions, you can just direct message Mona.

Speaker 2:

Anything regarding security, community, or, yeah, if you want to get involved in this community. Yeah, for sure. I never really, yeah, absolutely, I'm a friendly face.

Speaker 1:

Thank you so much. Thank you for joining. Bye, bye.
