Kevin Beaumont, the UK cybersecurity expert who named the wormable Windows BlueKeep bug, is joining Microsoft Threat Protection.
Beaumont, a widely quoted security expert who’s run large security operations centers, has offered insights from the trenches into new attacks via his popular DoublePulsar blog and Twitter for the past few years, covering issues including WannaCry, NSA exploits, the rise of malicious Office macros, and BlueKeep.
The move to Microsoft Threat Protection, which is responsible for Microsoft Defender antivirus, is notable in part because Beaumont has been “largely suspect” of cybersecurity vendors and “occasionally critical of Microsoft”.
But he’s also a fairly big fan of Microsoft’s cloud-based SIEM Sentinel, which he’s used to monitor his BlueKeep honeypot. Microsoft credited Beaumont and Marcus Hutchins – the UK security researcher who halted the 2017 WannaCry outbreak and was later arrested in Las Vegas – with helping it catch the first attempts at exploiting BlueKeep, which Microsoft feared could be as bad as WannaCry.
Rather than stand on the sidelines and criticize the cybersecurity industry, Beaumont reckons it’s time to “put my career where my mouth is” by joining the Redmond company.
As he explains, the cybersecurity industry is in the “black and white era of television” at a time when organized criminal groups are using common tools and techniques to bring down large companies.
“The sad truth is that organizations are getting attacked with whatever tools the attackers can gain access to, and quite often it’s not the most sophisticated or Hollywoodesque way in – it is what works,” he notes.
He thinks Microsoft Threat Protection has the best answer for this, by helping organizations “spot commonalities between attacks, and provide top-down protection through the stack”.
According to Beaumont, his experience running a Security Operations Center with 100,000 endpoints revealed to him that “SIEM monitoring solutions suck” due to their price and complexity.
“Organizations spend big on SIEM solutions because they want to know when hackers break into their network. Quite often SIEM integration projects descend into chucking data into a hole, the hole filling, then everybody ignoring the ugly hole as nobody wants to stare into the abyss of Too Much Suck,” he wrote.
But Sentinel is different. “Azure Sentinel’s vision is pretty simple – deploy it, send your logs to Azure, and let Sentinel provide both a traditional SIEM, and machine learning and threat hunting.”