9 episodes

Welcome to Uncovering Hidden Risks, a broader set of podcasts focused on identifying the various risks organizations face as they navigate the internal and external requirements they must comply with.
 
We’ll take you through a journey on insider risks to uncover some of the hidden security threats that Microsoft and organizations across the world are facing.  We will bring to surface some best-in-class technology and processes to help you protect your organization and employees from risks from trusted insiders.  All in an open discussion with topnotch industry experts!

Uncovering Hidden Risks Raman Kalyan, Talhah Mir


    Episode 8: Class is in session

    When Professor Kathleen Carley of Carnegie Mellon University agreed to talk with us about network analysis and its impact on insider risks, we scooched our chairs a little closer to our screens and leaned right in.

    In this episode of Uncovering Hidden Risks, Liz Willets and Christophe Fiessinger get schooled by Professor Carley about the history of Network Analysis and how social and dynamic networks affect the way that people interact with each other, exchange information and even manage social discord.


    0:00
    Welcome and recap of  
    1:30
    Meet our guest: Kathleen Carley, Professor at Carnegie Mellon University; Director of Computational Analysis & Social and Organizational Systems; and Director of Ideas for Informed Democracy and Social Cybersecurity
    3:00
    Setting the story: Understanding Network Analysis and its impact on company silos, insider threats, counter terrorism and social media.
    5:00
    The science of social networks: how formal and informal relationships contribute to the spread of information and insider risks
    7:00
    The influence of dynamic networks: how locations, people and beliefs impact behavior and shape predictive analytics
    13:30
    Feelings vs Facts: Using sentiment analysis to identify positive or negative sentiments via text
    19:41
    Calming the crowd: How social networks and secondary actors can stave off social unrest
    22:00
    Building a sentiment model from scratch: understanding the challenges and ethics of identifying offensive language and insider threats
    26:00
    Getting granular: how to differentiate between more subtle sentiments such as anger, disgust and disappointment
    28:15
    Staying Relevant: the challenge of building training sets and ML models that stay current with social and language trends.
     
    Liz Willets:
    Well, hi, everyone. Uh, welcome back to our podcast series Uncovering Hidden Risks, um, our podcast where we uncover insights from the latest trends, um, in the news and in research through conversations with some of the experts in the insider risk space. Um, so, my name's Liz Willets, and I'm here with my cohost, Christophe Fiessinger, to dis- just discuss and deep dive on some interesting topics.
                Um, so, Christophe, can you believe we're already on Episode 3? (laughs)
    Christophe Fiessinger:
    No, and so much to talk about, and I'm just super excited about this episode today and, and our guest.
    Liz Willets:
    Awesome. Yeah, no. I'm super excited. Um, quickly though, let's recap last week. Um, you know, we spoke with Christian Rudnick. He's from our Data Science, um, and Research team at Microsoft and really got his perspective, uh, a little bit more on the machining learning side of things. Um, so, you know, we talked about all the various signals, languages, um, content types, whether that's image, text that we're really using ML to intelligently detect inappropriate communications. You know, we talked about how the keyword and lexicon approach just won't cut it, um, and, and kind of the value of machine learning there. Um, and then, ultimately, you know, just how to get a signal out of all of the noise, um, so super interesting, um, topic.
                And I think today, we're gonna kind of change gears a bit. I'm really excited to have Kathleen Carley here. Uh, she's a professor across many disciplines at Carnigen Melligan, Carnegie Mellon University, um, you know, focused with your research around network analysis and computational social theory. Um, so, so, welcome, uh, Kathleen. Uh, we're super excited to have you here and, and would love to just hear a little bit about your background and really how you got into this space.
    Professor Kathleen Carley:
    So, um, hello, Liz and Christophe, and I'm, I'm really thrilled to be here and excited to talk to you. So, I'm a professor at Carnegie Mellon, and I'm also the director there of two different, uh, centers. One is Co

    • 32 min
    Episode 7: Say what you mean!

    Oh my gosh
    Oh my gosh, I’m dying.
    Oh my gosh, I’m dying.  That’s so funny!

    And in just three short lines our emotions boomeranged from intrigue, to panic, to intrigue again…and that illustrates the all-important concept of context!
    In this episode of Uncovering Hidden Risks, Liz Willets and Christophe Fiessinger sit down with Senior Data Scientist, Christian Rudnick to discuss how Machine Learning and sentiment analysis are helping to unearth the newest variants of insider risks across peer networks, pictures and even global languages.


    0:00
    Welcome and recap of
    1:25
    Meet our guest: Christian Rudnick, Senior Data Scientist, Microsoft Data Science and Research Team
    2:00
    Setting the story: Unpacking Machine Learning, sentiment analysis and the evolution of each
    4:50
    The canary in the coal mine: how machine learning detects unknown insider risks
    9:35
    Establishing intent: creating a machine learning model that understands the sentiment and intent of words
    13:30
    Steadying a moving target: how to improve your models and outcomes via feedback loops
    19:00
    A picture is worth a thousand words: how to prevent users from bypassing risk detection via Giphy’s and memes
    23:30
    Training for the future: the next big thing in machine learning, sentiment analysis and multi-language models
     
    Liz Willets:
    Hi everyone. Welcome back to our podcast series, Uncovering Hidden Risks. Um, our podcasts, where we cover insights from the latest in news and research through conversations with thought leaders in the insider risk space. My name is Liz Willets and I'm joined here today by my cohost Christophe Fiessinger, um, to discuss some really interesting topics in the insider risks space. Um, so Christophe, um, you know, I know we spoke last week with Raman Kalyan and Talhah Mir, um, our crew from the insider risk space, just around, you know, insider risks that pose a threat to organizations, um, you know, all the various platforms, um, that bring in signals and indicators, um, and really what corporations need to think about when triaging or remediating some of those risks in their workflow. So I don't know about you, but I thought that was a pretty fascinating conversation.
    Christophe Fiessinger:
    No, that was definitely top of mine and, and definitely an exciting topic to talk about that's rapidly evolving. So definitely something we're pretty passionate to talk about.
    Liz Willets:
    Awesome. And yeah, I, I know today I'm, I'm super excited, uh, about today's guests and just kind of uncovering, uh, more about insider risk from a machine learning and data science perspective. Um, so joining us is [Christian Rudnick 00:01:24], uh, senior data scientist on our security, uh, compliance and identity research team. So Christian welcome. Uh, why don't you-
    Christian Rudnick:
    Thank you.
    Liz Willets:
    ... uh, just tell us a little bit about yourself and how you came into your role at Microsoft?
    Christian Rudnick:
    Uh, yeah. Hey, I'm Christian. Uh, I work in a compliance research team and while I just kinda slipped into it, uh, we used to be the compliance research and email security team, and then even security moved to another team. So we were all forced to the complaints role, uh, but at the end of the day, you know, it's just machine learning. So it's not much of a difference.
    Liz Willets:
    Awesome. And yeah, um, you know, I know machine learning and and sentiment analysis are big topics to unpack. Um, why don't you just tell us a little bit since you've worked so long in kinda the machine learning space around, you know, how, how that has changed over the years, um, as well as some of the newer trends that you're seeing related to machine learning and sentiment analysis?
    Christian Rudnick:
    Yeah. In, in our space, the most significant progress that we've seen in the past year, was as moving towards more complex models. The more complex models and also more c

    • 28 min
    Episode 6: Cracking down on communication risks

    Words matter. Intent matters. And yes, most certainly, punctuation matters. Don’t believe us? Just ask the person who spent the past five minutes eating a sleeve of cookies reflecting on which emotion “Sarah” was trying to convey when she ended her email with, “Thanks.”

    In this episode of Uncovering Hidden Risks, Raman Kalyan, Talhah Mir and new hosts Liz Willets and Christophe Fiessinger come together to examine the awesomely complex and cutting-edge world of sentiment analysis and insider risks. From work comm to school chatter to social memes, our clever experts reveal how the manifestation of “risky” behavior can be detected.


     
    0:00
    Hello!: Meet your new Uncovering Hidden Risks hosts
    2:00
    Setting the story: The types and underlying risks of company communication
    6:50
    The trouble with identifying troublemakers: the link between code of conduct violations, sentiment analysis and risky behavior
    10:00
    Getting the full context: The importance of identifying questionable behavior across multiple platforms using language detection, pattern matching and AI
    16:30
    Illustrating your point: how memes and Giphy’s contribute to the conversation
    19:30
    Kids say the darndest things: the complexity of language choices within the education system
    22:00
    Words hurt: how toxic language erodes company culture
    26:45
    From their lips to our ears: customers stories about how communications have impacted culture, policy and perception
    Raman Kalyan:
    Hi everyone. My name is Raman Kalyan, I'm on the Microsoft 365 product marketing team, and I focus on insider risk management from Microsoft. I'm here today, joined by my colleagues, Talhah Mir, Liz Willets, and Christophe Fiessinger. And we are excited to talk to you about hidden risks within your organization. Hello? We're back, man.
    Talhah Mir:
    Yeah, we're back, man. It was super exciting, we got through a series of a, a couple of different podcasts, three great interviews, uh, span over multiple podcasts and just an amazing, amazing reaction to that, amazing conversations. I think we certainly learned a lot.
    Raman Kalyan:
    Mm-hmm (affirmative). I, I learned a lot. I mean, having Dawn Cappelli on the podcast was awesome, talked about different types of insider risks, and what I'm most excited about today, Talhah, is to have Liz and Christophe on the, on the show with us 'cause we're gonna talk about communication risk.
    Talhah Mir:
    Yeah, super exciting. It's a key piece for us to better understand sort of sentiment of a customer, but I think it's important to kind of understand that on its own, there's a lot of interesting risks that you can identify, uh, that are completely sort of outside of the purview of typical solutions that customers think about. So really excited about this conversation today.
    Raman Kalyan:
    Absolutely. Liz, Christophe, welcome. We'd love to take an opportunity to have you guys, uh, introduce yourselves.
    Liz Willets:
    Awesome, yeah, thanks for having us. We're excited to kind of take the reins from you all and, and kick off our own, uh, version of our podcast, but yeah, I'm, I'm Liz Willets. I am the product marketing manager on our compliance marketing team and work closely with y'all as well as Christophe on the PM side.
    Christophe Fiessinger:
    Awesome. Christophe. Hello everyone, I'm, uh, Christophe Fiessinger and similar to Carla, I'm on the engineering team focusing on our insider risk, um, solution stack.
    Raman Kalyan:
    Cool. So there's a, there's a ton, breadth of communications out there. Liz, can you expand upon the different types of communications that organizations are using within their, uh, company to, to communicate?
    Liz Willets:
    Yeah, definitely. Um, and you know kind of as we typically think about insider risks, you know, there's a perception around the fact that it's used, um, and related to things like stealing information or, um, you know, IP, sharing co

    • 32 min
    Episode 5: Practitioners guide to effectively managing insider risks

    In this podcast we explore steps to take to set up and run an insider risk management program.  We talk about specific organizations to collaborate with, and top risks to address first.  We hear directly from an expert with three decades of experience setting up impactful insider risk management programs in government and private sector.
    Episode Transcript:
    Introduction:
    Welcome to Uncovering Hidden Risks.
    Raman Kalyan:
    Hi, I'm Raman Kalyan, I'm with Microsoft 365 Product Marketing Team.
    Talhah Mir:
    And I'm Talhah Mir, Principal Program Manager on the Security Compliance Team.
    Raman:
    Talhah, episode five, more time with Dawn Cappelli, CISO of Rockwell Automation. Today, we're gonna talk to her about, you know, how to set up an effective insider risk management program in your organization.
    Talhah:
    That's right. Getting a holistic view of what it takes to actually properly identify and manage that risk and do it in a way so that it's aligned with your corporate culture and your corporate privacy requirements and legal requirements. Really looking forward to this, Raman. Let's just jump right into it.
    Talhah:
    Raman and I talk to a lot of customers now and it's humbling to see how front and center insider risk, insider threat management, has become, but at the same time, customers are still asking, "How do I get started?" So what do you tell those customers, those peers of yours in the industry today, with the kind of landscape and the kind of technologies and processes and understanding we have about the space, what kind of guidance would you give them in terms of how to get started building out an effective program?
    Dawn:
    So first of all you need to get HR on board. I mean, that's essential. We have insider risk training that is specifically for HR. They have to take it every single year. So we have our security awareness training that every employee in the company has to take every year, HR in addition has to take specific insider risk training. So in that way we know that globally we're covered. So that's where I started, was by training HR, and that way the serious behavioral issues, I mean, IP theft is easier to detect, but sabotage is a serious issue, and it does happen.
    Dawn:
    I'm not going to say it happens in every company, but when you read about an insider cyber sabotage case, it's really scary, because this is where you have your very technical users who are very upset about something, they are angry with the company, and they have what the psychologists called personal predispositions that make them prone to actually take action. Because most people, no matter how angry you are, most people are not going to actually try to cause harm, it's just not in our human nature.
    Dawn:
    But like I said, I worked with psychologists from day one, and they said, "The people that commit sabotage, they have these personal predispositions. They don't get along with people well, they feel like they're above the rules, they don't take criticism well, you kind of feel like you have to walk on eggshells around them." And so I think a good place to start is by educating HR so that if they see that, they see someone who has that personality and they are very angry, very upset, and their behaviors are bad enough that someone came to HR to report it, HR needs to contact, even if you don't have an insider risk team, contact your IT security team and get legal involved, because you could have a serious issue on your hand. And so I think educating HR is a good place to start.
    Dawn:
    Of course, technical controls are a good place to start. Think about how you can prevent insider threats. That's the best thing to do is lock things down so that, first of all, people can only access what they need to, and secondly, they can only move it where they need to be able to move information. So really think about those proactive technical controls.
    Dawn:
    And then third, take that look back, like we talked about Talhah, take that look bac

    • 23 min
    Episode 4: Insider risk programs have come a long way

    In this podcast we discover the history of the practice of insider threat management; the role of technology, psychology, people, and cross-organizational collaboration to drive an effective insider risk program today; and things to consider as we look ahead and across an ever-changing risk landscape.
    Episode Transcript:
    Introduction:
    Welcome to Uncovering Hidden Risks.
    Raman Kalyan:
    Hi, I'm Raman Kalyan, I'm with Microsoft 365 Product Marketing Team.
    Talhah Mir:
    And I'm Talhah Mir, Principal Program Manager on the Security Compliance Team.
    Raman:
    Talhah, this is episode four where we're gonna talk about putting insider risk management into practice.
    Talhah:
    That's right, with Dawn Cappelli, somebody who's been a personal inspiration for me, especially as I undertook the effort to build the insider risk program in Microsoft. Somebody who I've admired very much for what she's done in this space, an amazing storyteller, and how she lands the value and importance of insider risk. Super excited to have her here with us today to share some of that with our customers abroad. So really looking forward to this conversation.
    Raman:
    Yeah and Dawn is the CISO of Rockwell Automation, and know that this is gonna be great. So let's do it, man.
    Talhah:
    Let's do it.
    Raman:
    So thank you Dawn for being on our podcast. Talhah and I started this about two years ago at Microsoft, where we started looking at insider risk management in Microsoft 365. Of course had been doing it a lot longer for Microsoft as part of our insider threat group and he talked a lot about you and so we're really excited to have you on the podcast. And the interesting thing is is that everyone that we've actually had a conversation with thus far actually knows you. So I'm excited to finally meet you virtually. We met once before, but thank you again and very much appreciate it.
    Dawn:
    You're welcome, thank you for the invitation.
    Raman:
    Yeah, absolutely. Just for people listening, would be great to get your background, what is it that you do now, how did you get into insider threats, all that sort of stuff?
    Dawn:
    Okay, so right now I am the VP of Global Security and the Chief Information Security Officer for Rockwell Automation. We make industrial control system products. I came to Rockwell in 2013 as the Insider Risk Director. So I came to Rockwell to build our Insider Risk Program and at that time not many companies in the private sector had Insider Risk Programs. Financial did, Defense Sector of course, they counterintelligence, but not many other companies had Insider Risk Programs. I came here from Carnegie Mellon, the [CERT] program, which for those that don't know, CERT was the very first cyber security organization in the world. It was formed in 1988 when the first internet worm hit and no one knew what it was or what to do about it and Carnegie Mellon helped the Department of Defense to respond. So going back, I actually started my career as a software engineer, programming nuclear power plants for Westinghouse.
    From there, I went to Carnegie Mellon again as a software engineer, but I became interested in security and CERT was right there at Carnegie Mellon, so I tried to get a job there. Fortunately, they hired me. I didn't know anything about security, but I got a job there as a technical project manager so that I could get my foot in the door and learn security. So I was hired by CERT, CERT is a federally funded research and development center. So it's primarily federally funded. They had funding from the United States Secret Service to help them figure out how to incorporate cyber into their protective mission. So at this point, this was August 1st, 2001 when I started, the Secret Service, their protective mission was gates, guards, guns. It was physical and they knew they needed to incorporate cyber. So my job was to run this program and the first thing that we had to do was protect the Salt Lake City Olympics, which were in February

    • 30 min
    Episode 3: Insider risks aren’t just a security problem

    In this podcast we explore how partnering with Human Resources can create a strong insider risk management program, a better workplace and more secure organization.  We uncover the types of HR data that can be added to an insider risk management system, using artificial intelligence to contextualize the data, all while respecting privacy and keeping in line with applicable policies.
    Episode Transcript:
    Introduction:
    Welcome to Uncovering Hidden Risks.
    Raman Kalyan:
    Hi, I'm Raman Kalyan, I'm with Microsoft 365 Product Marketing Team.
    Talhah Mir:
    And I'm Talhah Mir, Principal Program Manager on the Security Compliance Team.
    Raman:
    And this is an episode three with Dan Costa, talking about how do you bring in HR, legal, privacy, and compliance into building an effective insider risk management program.
    Talhah:
    Yeah, super important. This is not like security where you can just take care of this in your SOC alone, you need collaboration, and he's gonna tell us more on why that's critical.
    Raman:
    Yeah, it was awesome talking to Dan last week. So I'm, let's do it.
    Talhah:
    .... when you talk about these predispositions, these stressors. You gave a great example of a organizational stressor, like somebody being demoted or somebody being put on a performance improvement plan. You can also have personal stressors outside of work that you guys have talked about openly in a lot of your guidance and whatnot. When you look at these, at least the organizational stressors, that a lot of times they reside with your human resources department, right? So this is a place where you have to negotiate with them to be able to bring this data in. So talk to me about that. How do you guide the teams that are looking to establish these connections with their human resources department, the HR department, and negotiate this kind of data so that it's not just for... It's for insider risk management purposes. So talk about that and also talk about, are there opportunities that you see where you could potentially infer sentiment by looking at, let's say, communication patterns or physical movement patterns or digital log-in patterns and things like that? So how can you help to identify these early indicators, if you will?
    Dan:
    Yeah. So let's start with how we bridge the gap between the insider threat program and stakeholders like human resources, because Talhah, you're spot on. They're one of the key stakeholders for an insider threat program, really in two respects. One is they own a lot of the data that will allow us to gather the context that we can use to augment or supplement what we're seeing from our technical detection capabilities, to figure out was that activity appropriate for the job role, the responsibility of the individual associated with the activity. How can we pull left relative to an incident progression and find folks that might be experiencing these organizational stressors, right? That's data that our human resources stakeholders have and hold. We've seen insider threat programs over the years struggle with building the relationships between stakeholders like human resource management. A lot of the challenges there, from what we've seen, come down to a lack of understanding of what it is that the insider threat program is actually trying to do.
    In many cases, the insider threat program isn't necessarily without fault in making that impression stick in the minds of human resources. So this goes back to the insider threat program's not trying to be duplicative or boil the ocean, or carve off too big of a part of this broader enterprise-wide activity that needs to happen to manage insider risk. In that early relationship building and establishment, there's an education piece that has to happen. Human resources folks aren't spending all day every day thinking about how insiders can misuse their access like we are, right? So much of it is these are the threats that our critical assets are subject to, by the nature of o

    • 31 min
