Interview: How Organizations Can Combine Prevention And Detection To Harden Their Microsoft 365 Environments

Aaron Turner is the CTO of the new Protect business unit at Vectra. With almost three decades of experience in the industry, Turner is a cybersecurity veteran and active member of the InfoSec community. In 2020, as adversaries began increasingly targeting Microsoft cloud environments, Turner founded Siriux, a SaaS vulnerability assessment too for Microsoft 365. Earlier this year, Siriux was acquired by Vectra and rebranded as Vectra Protect.  Under the leadership of Turner, Vectra Protect now enables the platform to prevent cyberthreats, as well as detect and respond to them.

At RSAC 2022, we spoke to Turner to discuss the reasons behind his founding of Siriux and the company’s acquisition by Vectra, how Vectra Protect helps organizations identify vulnerabilities in their Microsoft cloud environments, and the importance of unified, holistic security in the fight against today’s unknown and zero day threats. 

Could you introduce yourself and tell us how you got into the cybersecurity industry?

I was one of those kids who grew up watching a movie called Wargames, about a computer that has thermonuclear wargame capabilities, and I was just fascinated. And my father would bring home a computer from work—he had a small, portable computer—and one night, I ended up breaking it! I don’t know how; I just pressed the wrong button or something. So, I spent the night rebuilding the computer’s operating system, and that was when I fell in love with technology. Luckily, I was able to fix it and he never knew!

Fast forward, I started dabbling in the hacking scene in high school. I would hang out on the bulletin boards; these were basically modems you would dial up to connect to and get information. And I was fairly active in a couple of those. Then later, in college, I set up a server that would allow people to communicate.

My formal education was in Spanish Linguistics, and I lived in worked in Mexico, so I set up a server that would allow people to collaborate about dialectal differences in Spanish. This was before I met one of my friends, who invented the firewall. So, I just plugged this server into the internet and let it go. Of course, within a few weeks, someone had put inappropriate content on my server. I tried to clean it up, and then they came back. So, I was basically in a chess game with someone doing bad things on my server!

So, I taught myself how to hack servers, so I could protect my own server. This was in 1994, and over the last 20 years I’ve just been inside the security community. I’ve been seeing the things that are happening and trying to make a difference. My lucky break came in ’99 when I went to work for Microsoft. 

Can you tell us more about your role at Microsoft and your other security experience? 

I was on the team that would do testing for things like Active Directory, and other foundational security technologies at Microsoft. I worked with Microsoft for eight years, it was an awesome ride. I got to participate in a lot of fundamental changes in the way the internet works. 

Later, in 2006, I was asked to join a US Government project where we essentially tried to see if we could hack into things like the electrical power grid or cellular telephone networks. I did two years of research for the Department of Homeland Security there. In 2008, I left and started a cybersecurity company focused on payments. I did that for a couple of years. And then since 2008, I’ve just been doing the things that I think are important: inventing technologies, being a consultant, helping people make a difference. 

In April of 2020—concurrent with the pandemic, as everything was getting locked down—I saw the world changing from the primary attack point being an on-premises server, to people focusing on the cloud. And I wasn’t alone. The Russians launched a cyber campaign against the US government that focused on Microsoft 365 as the primary attack vector. So, instead of hacking on-premises Active Directory, they were hacking the Azure Active Directory, under the Microsoft Cloud. By the end of 2020, because of the Russian activity, I got brought into a lot of really interesting situations, where the tooling that I was developing was helping to harden Microsoft 365, to prevent those kinds of attacks.

Can you tell us about Siriux, your current role in Vectra and the solutions you offer?

During 2021, I ran a company called Siriux. We went out and we closed fifty enterprise customers in a year with just eight people! We were just the little company that could, we bootstrapped, going out and helping people. And I knew that I had to decide whether I was going to go raise some venture capital or become part of a bigger company. 

Vectra and I had a common customer. And that common customer said: “You guys are like peanut butter and jelly. You should hook up.” By November of last year, we started that process, and then in January this year, we finalized the acquisition of Siriux, which is now part of Vectra. 

So now, I’m the Chief Technology Officer for a new product line that Vectra is releasing, based upon the technology that I invented. And that’s called Vectra Protect. The mission of Vectra Protect is to help organizations protect their Microsoft cloud investment. So, you’ve invested in Exchange Online for mailboxes, Teams for collaboration, OneDrive for sharing documents. But what have you done to harden this environment?

Yesterday, I did a session on stage, and I asked: “How many people in here feel like they had a proactive security plan of about their migration into the Microsoft Cloud?” 

There was silence. Security teams just got dragged along for the ride because it was a very reactionary thing. Whether it was moving to Exchange Online because they wanted to reduce the cost the operational cost of Exchange On-Premises, or turning on Teams because of the pandemic, or using Azure Active Directory for Single Sign-On (SSO) because a lot of Single Sign On technologies are very expensive. 

Most companies moving to Microsoft 365 come through one of those three paths: email, Teams and SSO. But they all get into a situation where they ask, “Okay we’re here, what are we going to do about security?” There’s not very good governance, not very good policies, and not very good controls. 

With Vectra Protect, we’ve essentially created a robot that goes through and checks all of the doors and windows in your environment as if it were a penetration tester or a red team. And out of that vulnerability scan inside of the Microsoft cloud, we create a report. The report has very detailed guidance about what you should do. For example: “Turn on this feature in Exchange. Turn off this feature in Teams. Make sure this setting is on inside of OneDrive.” It’s very, very detailed guidance about to harden things. 

Vectra traditionally has been about detection and response. If you think about the NIST cybersecurity framework—identify, protect, detect, respond, recover—we’re in the identification and protection phase, we look at the bad things before they happen. So, my mission now as CTO of Vectra Protect is to help people to harden their Microsoft cloud environments in meaningful ways to prevent problems down the road. 

How can harnessing artificial intelligence and machine learning help organizations help improve automation and security for organizations using Microsoft cloud?

The way that we’ve done automation and machine learning is that we’ve been able to participate in a lot of really bad incidents. We’ve been brought in where organizations have had an intrusion; they knew there were bad guys on the network, and they’ve asked us to do a forensic analysis to find the root cause of how this happened. 

We went and did that analysis, and of course the bad guys had got in because they didn’t have certain settings configured correctly. So, then we went and built an automated engine for people to discover these root causes of bad things. So now, people can fix those issues, before the bad things actually happen. 

So, we’re about automation and using our machine learning to essentially detect improperly configured settings, poorly configured settings, bad default settings, and any errors that have been created by administrators in that environment. We detect that with our automated systems, and then we provide the fix. So, our reports say: “You need to harden this thing, to prevent that problem down the road.” 

With the Vectra acquisition of Siriux, you now have a comprehensive platform for Microsoft cloud security. How important is it for organizations to consolidate their security tools rather than using disparate systems? 

I’ve been in this industry a long time—28 years. And throughout the three decades that I’ve been doing this, the commonality has been vendor fatigue. A CISO might have fifteen different things that they have to use to do just one thing. 

One of the reasons why I brought Siriux to Vectra—where it’s now Vectra Protect—is because I believe that it’s really important for an organization to have a holistic identify, protect, detect and respond capability. 

So, you may have endpoint detection response or network detection response; that’s great. But with Vectra, you now have a platform that really brings it all together. And today, we’re looking at a situation where we have to have SaaS detection response, and that’s sort of mind blowing for a lot of people. People are saying, “Wait a second, I thought that Microsoft responsible for the security stuff there.”

But actually, it’s a shared security model. So yes, Microsoft will do things like patch for zero days on the technology, but you’ve got to actually configure the settings to make sure it’s optimal to protect your data and protect your identities. And so, I think it’s really important for organizations to understand that they should be focusing on partnering with organizations that are trying to reduce the vendor spread. 

You don’t need to use fourteen things to do one thing, you just need one. And in our case, that’s where the Microsoft platform comes in. It depends on who you read, but roughly 90% of organizations rely on Microsoft cloud for something, whether that’s for email, Teams or Azure Active Directory. And so really, 90% of businesses out there can solve a lot of their security problems through our platform, using that NIST cybersecurity framework.

What is your advice to organizations struggling to protect themselves against sophisticated attacks such as ransomware and zero-day malware?

Simplify, simplify, simplify. Security is about simplicity right now. So, if an organization is using Microsoft for their collaboration and messaging, then should consider using Microsoft for some of their security. 

But then, you do need to have someone who can and be your partner to make sense of all the telemetry that’s coming in from Microsoft. Because the telemetry coming off of services can be really difficult, especially for small and medium-sized businesses. And that’s where Vectra comes in. We can be that trusted partner where, if you’ve consolidated on Microsoft for your messaging and collaboration, Vectra can help you for both your on-premises detection response and for your cloud detection response. And we’re the protection piece to make sure you have optimal outcomes.

Thank you to Aaron Turner for taking part in this interview. You can find out more Vectra’s AI-powered threat detection and response solutions via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.