
A thriving community means stronger security

BLACK HAT USA – Las Vegas – Wednesday August 7 – This week at Black Hat, Ann Johnson, corporate vice president and deputy chief information security officer (CISO) at Microsoft, and Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, took the main stage for their conversation, “From the CISO’s Office: Securing Smarter, Faster, Stronger in the Age of AI.” While attendees might have expected a discussion focused on ways AI can increase the effectiveness of cybersecurity tools, you could argue that Johnson and DeGrippo decided to go off script.

“Does anyone remember a little outage a couple weeks ago?” DeGrippo asked the audience, referring to the recent global CrowdStrike outage. The question drew a laugh.

The failed sensor configuration update to CrowdStrike’s Falcon platform on July 19 caused Microsoft outages for millions and “blue screens of death” as far as the eye could see. As the days passed, the fallout continued to grow, with the estimated monetary loss at approximately $5.4 billion, excluding Microsoft’s own losses.

Johnson then gave the audience the perspective of someone who was there and saw the effects of the outage firsthand. The night before the incident, Microsoft was dealing with a limited outage in Azure in one of its US regions.

“At 11:30 that night, it was fixed, resolved, and I went to bed,” Johnson said. “I was like, ‘Okay, we’re good.’ At 1 a.m., maybe 1:15, my phone rang with a customer (who) said, ‘Hey, I’m getting this blue screen of death.'”

Other calls came in and she realized this had nothing to do with the Azure outage. Johnson explained that Microsoft then “rallied the troops” to address the problem.

“The pride that I had, not just in Microsoft, but in the people who were literally working in shifts… these people were working around the clock,” she says. “The industry was working around the clock. And even though it was the operations people who were hit the hardest, not the cyber people, the resilience, the community, the things that I saw in the industry were so powerful that it reaffirmed my belief that we can all win together.”

Johnson’s take on the event is that the response from professionals was “incredible” to see. But what is the lesson to be learned?

As DeGrippo explained, the Microsoft Threat Intelligence Center (MSTIC) focuses on working closely with customers on intelligence briefings and is “embedded” in the community of independent researchers, other vendors, and even colleagues in healthcare and other industries.

For example, Scattered Spider, a group responsible for a significant number of ransomware events over the past 18 months, is a persistent group that Microsoft is paying close attention to. DeGrippo says the Microsoft community, from MSTIC to the Digital Crimes Unit (DCU), is eager to combat the group and assist law enforcement. And it’s not just Microsoft doing this, Johnson points out: her industry colleagues are also working with the public sector to defend against the threat actor, sharing tactics and defense strategies.

“For everything you see in the news, there are thousands of (bad) things that didn’t happen because all the people in this room stopped it,” Johnson told Black Hat attendees. “Take a victory lap and give a round of applause. Yes, bad things will continue to happen. But you’re preventing thousands of other things from happening, and that’s what the community does.”

AI in the hands of threat actors and defenders

Part of improving the community in the future is embracing technologies that make life easier for defenders. For example, as GenAI becomes more popular, threat actors will use it to their advantage. According to Johnson, they’ll use it to become more effective and efficient at what they do, making them harder to counter. What should defenders do in response? Exactly the same.

“We want to use technology like AI or whatever the latest technology is to make you more effective so you can take that time off,” she said, referring to how new strategies and tools are needed to ensure cyber defenders are less likely to burn out. Events like the CrowdStrike Falcon update failure and the resulting Microsoft outage shouldn’t require people to sacrifice their health or time with their families while they “work long hours to combat the problems that we’re collectively facing,” Johnson said.

She added: “AI plays a very meaningful role in the CISO world and in the cyber defender world, but… we want to talk about the people, the community, the defenders.”