You can’t defend something that you don’t see or understand.
Principal Group Manager, Microsoft Security Research
Justin Turner began his career building and breaking communications networks for the United States Army. This allowed him to travel the world and work in places like Iraq, Bahrain, and Kuwait. When his active-duty adventure ended, Justin transitioned to civilian life in Florida in 2006. The job was similar—building, hacking, and breaking things—but this time, he was with the MITRE Corporation.
In 2011, he got a call from a former Army commander about a role at SecureWorks exclusively focused on the commercial side of cybersecurity.
His initial role was in threat intelligence production: looking across customer data sets and answering questions about suspicious files or malware. That included analyzing and investigating active threat campaigns.
“At the time, banking Trojans were prevalent. Some might remember the Zeus banking Trojan. A lot of remote access tools really came to bear around that time. A couple years after that, I was asked to help develop a threat hunting practice for the company. This was before threat hunting existed in the market as a service like it does now.”
When Microsoft decided to launch Defender Experts for Hunting, Justin received another call from a former colleague and friend. He said, “We’re launching a new service for Microsoft Security. I can’t think of anybody better for this role.”
“Across the board, misconfigurations are a monumental challenge. Our network environment has dramatically changed. We went from server and mainframe environments, which had thin-client edges, to everyone owning a personal computer. Fast forward to today, and there are countless network-connected devices, from smart homes to manufacturing environments to personal devices. Maintaining a secure baseline across that is a challenge, and sustaining patch levels adds another layer to the problem.”
As networks grow in size and complexity, so does the number of vulnerabilities, Justin explains.
“Our customers with expanding blended environments try to keep up with patching. It’s easy for us to say, ‘just patch,’ but it’s a massively challenging problem that takes a lot of time and continued investment.”
The third challenge is visibility. Justin says many of his customer conversations center on an incident that occurred because the customer didn’t know that a vulnerable, internet-exposed system was running on their network.
“Recently, for a conference, I took an intrusion from decades ago, then looked at an intrusion from a week ago. I put the two side by side and asked, ‘Which one of these happened in 1986 and which one of these happened last week?’
“No one could tell because the two looked so similar. The attack was a software vulnerability that nobody knew existed. It was a misconfiguration of the server, poor auditing and logging, with little to no patch management. The technical details of the problems are different now, but the fundamentals are the same. You can’t defend something that you don’t see or understand.”