John Lambert
Redmond, Washington, United States
12K followers
500+ connections
About
John Lambert, Corporate Vice President, Security Fellow, Microsoft Security…
Articles by John
- 25 years of security at Microsoft: Five key transformations that are still changing the world
  #Microsoft50 This year Microsoft is celebrating 50 years as a company. I got into security quite by accident.
  487 · 13 Comments
- Successful Defenders are Re-writing InfoSec Wisdom (Feb 29, 2016)
  I gave the keynote at the Kaspersky SAS conference in Tenerife, Spain. I talked about how despite the bleak headlines…
  60 · 3 Comments
- Beware the Attack Surface of InfoSec (Feb 27, 2016)
  The RSA Conference is upon us. Amid all the vendors selling their security solutions it is wise to keep in mind that…
  40 · 3 Comments
Activity
-
John Lambert reposted this:

A month ago, Saar Ron, John Lambert, and I shared a set of Kusto functions for building graphs in Kusto Explorer (Lift_To_Graph, Graph_Fold_By_Property, etc.). Today we're sharing IRQL — a dialect of tabular query primitives that sits on top of KQL and:
• hides cluster/database locations behind named sources
• normalizes schema drift so ipAddress / IPAddress / ClientIp / cip all read as one column
• codifies regular data transformation logic into functions
• names operators by intent — Get_Event_Authentication, Enrich_Ip_Employee, Extract_Email_Sender_Domain — so a hunt reads as steps instead of a wall of joins
• makes queries easier for people and AI to understand
Many of the tabular primitives have graph equivalents, so they compose directly with Lift_To_Graph for investigation workflows. This enables more operators to be applied to make sense of your lifted graph data.
Functions + examples on KC7: https://lnkd.in/gHwMY597
#Kusto #LiftToGraph #KnowledgeGraphs #KQL #Security
-
John Lambert reposted this:

I've been posting examples on Twitter of Lift_To_Graph - open-source KQL functions (built with Saar Ron and John Lambert) that turn tabular security logs into interactive graph visualizations directly in Kusto Explorer. I've been making good use of the KC7: The Cyber Detective Game for open-source security datasets to lift. Wanted to share some of the learnings on LinkedIn as well.

🔹 Process events graph with three lines of Kusto
Process events in a graph: (cmd)-[SpawnedBy]->(ps)-[RanOn]->(host) ✨

    ProcessEvents
    | invoke Lift_To_Graph(Process_Mapping())
    | invoke Graph_Render_View()

Three lines of KQL. No ETL. 🚀

🔹 Graphs aren't just pictures. They're queryable data structures. 🔍

    G
    | graph-match (cmd)-[e1]-(ps)-[e2]-(host)
        where e1.type == "SpawnedBy" and e2.type == "RanOn"
          and cmd.id contains "cmd.exe" and ps.id contains "powershell.exe"

In AzureCrest, this surfaced the same cmd.exe spawning the same powershell.exe across 50 hosts in ~31 hours — -ExecutionPolicy bypass -enc [base64]. Decoded: Invoke-WmiMethod against CCM_SoftwareUpdatesManager. Legit SCCM, or something hiding behind it?

🔹 Folding turns a hairball into patterns 🧶
Graph_Fold_By_Property collapses common property values into clustered nodes. Fold authentication requests by IP address carrier and immediately notice outliers from regular behavior. In KC7, folding on domains and links in the network event logs surfaces overarching patterns of behavior.

🔹 Long paths are where attack chains can live ⛓️
Lift SecurityAlerts by shared indicators (hostnames, hashes, usernames) and hone in on not just the nodes, but the chains.

    graph-match (a)-[e*5..6]-(b)

surfaces chains 5-6 hops deep, where alerts link together through shared indicators across hosts. That's the attack chain emerging from the noise.

🔹 The full kill chain in one graph. ⛓️
I graphed the SharkBoyz chain from KC7's Castle & Sand with Lift_To_Graph: phish → host → ransom drop, and separately host → C2 domain → actor IP → successful login against the phished user. The C2 IPs come back around as the src_ip on successful logins against the phished users. I also had fun futzing with the icons and edge colors on this one to make it clearer what the graph represents. https://lnkd.in/gR3PiBg7

🔹 The functions are open source. 🛠️
Lift_To_Graph(), Graph_Render_View(), Graph_Fold_By_Property(): drop them into Kusto Explorer against your own data or the KC7 dataset. 🔗 https://lnkd.in/gEXPbnr9
If you've been using these, send examples my way. 👋
#KQL #LiftToGraph #Kusto #KnowledgeGraphs #Security
-
John Lambert shared this:
If you hunt in KQL, you need to learn the lift operator. ⬇️⬇️⬇️

New Blog: Unlock Different Security Perspectives with Kusto Graph Functions 🔗 https://lnkd.in/eNw8b3sT
Last week, Microsoft announced new Kusto Graph Functions for Cybersecurity Investigations. These functions transform flat tables into graphs, changing the perspective of the data. This blog explores how the Lift_To_Graph() and Graph_Render_View() functions make graph based detection, response and hunting scenarios easier. The blog shares two practical use cases:
🔹 Clustering suspicious process executions
🔹 Monitoring Service Principals for anomalous sign-in patterns
Thanks Saar Ron, John Lambert & Diana Damenova for delivering these new functions!
-
John Lambert reposted this:
Diana is coming from the Microsoft CISO office with John Lambert ("attackers think in graphs, defenders in lists") where they are doing amazing things. Worth catching and meeting in general, and doubly so if you spend time looking at graphs or Azure data! See folks there on Monday, online + in SF!

GraphThePlanet is excited to announce another featured speaker for 2026: Diana Damenova, Security Researcher at Microsoft
Talk Topic: Lifting Knowledge Graphs from Security Logs (Without ETL)
Diana will show how to turn raw security logs into usable knowledge graphs without heavy ETL pipelines, enabling faster investigation workflows and more flexible analysis across large-scale data. Join executives, senior practitioners, researchers, and startup founders for discussions on AI, graph intelligence, and data-driven investigations.
🔴 Watch live on YouTube and LinkedIn during #RSAC2026 week
Event Details:
• Date: March 23, 2026 (RSAC Week 2026)
• Location: San Francisco, CA
• Registration & More Info: www.graphtheplanet.com
Happy graphing,
— The Graphistry Team
#GraphThePlanet #GTP2026 #RSAC2026 #KnowledgeGraphs #CyberSecurity #SecurityAnalytics #GraphIntelligence #DataEngineering #AIforSecurity
-
John Lambert shared this:
One of the best ways for defenders to start analyzing with graphs is to use the logs they already know. Every log has multiple entities, relations, and properties in its columns. Or as I say, every table has a graph waiting to be born. But how do you transform that relational data structure to a graph? And how to make it easy and repeatable? We have published some KQL functions to make it easy to “lift” a graph from a table in one line of KQL. Define a JSON mapping the columns to nodes, edges, and properties and use Kusto Explorer to visualize and analyze them. A joint project with Diana Damenova and Saar Ron. 🙏

Security data is inherently graph-shaped in nature: IPs connect to domains, users authenticate to devices, processes spawn other processes. Tabular views flatten these relationships, making it harder to spot patterns. Saar Ron, John Lambert, and I put together some Kusto functions to easily turn KQL query results into explorable graphs. With a KQL query and a simple JSON mapping, you can explore those relationships as a graph in Kusto Explorer. Functions and details here: https://lnkd.in/gEXPbnr9
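The posts above describe the three moves of the Lift_To_Graph workflow: lift a table into nodes and edges through a column mapping, run a graph pattern match over the result (the cmd.exe → powershell.exe → host chain), and fold matched nodes by a shared property to see one encoded command recurring across hosts. The following is an added example in plain Python, not the published KQL functions and not code from the posts' authors; the JSON mapping keys, the function names and the sample process rows are all this example's own constructions, chosen only to mirror the idea. Node identity is a modelling decision made in the mapping: here a process node is keyed by host and process name, so the fold step is what reveals the cross-host pattern.

```python
import base64
import json
import re
from collections import defaultdict

# Constructed sample payload and rows (not real telemetry). The encoded
# PowerShell argument is generated here so the example is self-contained.
_PAYLOAD = ("Invoke-WmiMethod -Namespace root/ccm "
            "-Class CCM_SoftwareUpdatesManager -Name InstallUpdates")
ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()

PROCESS_EVENTS = [
    {"hostname": "WS-01", "site": "HQ", "username": "alice",
     "parent_process_name": "cmd.exe", "process_name": "powershell.exe",
     "process_commandline": f"powershell.exe -ExecutionPolicy bypass -enc {ENC}"},
    {"hostname": "WS-02", "site": "HQ", "username": "bob",
     "parent_process_name": "cmd.exe", "process_name": "powershell.exe",
     "process_commandline": f"powershell.exe -ExecutionPolicy bypass -enc {ENC}"},
    {"hostname": "WS-03", "site": "BRANCH", "username": "carol",
     "parent_process_name": "explorer.exe", "process_name": "powershell.exe",
     "process_commandline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"hostname": "WS-01", "site": "HQ", "username": "SYSTEM",
     "parent_process_name": "services.exe", "process_name": "svchost.exe",
     "process_commandline": "svchost.exe -k netsvcs"},
]

# Hypothetical mapping: columns -> node ids, node properties and edges.
# The key names are this example's own, not the published mapping format.
PROCESS_MAPPING = json.loads("""
{
  "nodes": [
    {"label": "process", "id": ["hostname", "process_name"],
     "properties": {"name": "process_name", "commandline": "process_commandline",
                    "user": "username"}},
    {"label": "process", "id": ["hostname", "parent_process_name"],
     "properties": {"name": "parent_process_name"}},
    {"label": "host", "id": ["hostname"], "properties": {"site": "site"}}
  ],
  "edges": [
    {"type": "SpawnedBy", "from": ["hostname", "process_name"],
     "to": ["hostname", "parent_process_name"]},
    {"type": "RanOn", "from": ["hostname", "process_name"], "to": ["hostname"]}
  ]
}
""")


def _node_id(row, cols):
    return "|".join(str(row[c]) for c in cols)


def lift_to_graph(rows, mapping):
    """Lift flat rows into {'nodes': {id: props}, 'edges': [(src, type, dst)]}.
    Rows sharing the same id columns collapse into one node; duplicate edges
    collapse too, so the graph is a set of relations, not a row list."""
    nodes, edges = {}, set()
    for row in rows:
        for spec in mapping["nodes"]:
            node = nodes.setdefault(_node_id(row, spec["id"]), {"label": spec["label"]})
            for prop, col in spec.get("properties", {}).items():
                node[prop] = row[col]
        for spec in mapping["edges"]:
            edges.add((_node_id(row, spec["from"]), spec["type"], _node_id(row, spec["to"])))
    return {"nodes": nodes, "edges": sorted(edges)}


def graph_match(graph, chain):
    """Match a linear path [filter0, type0, filter1, type1, filter2, ...].
    Each filter is a callable over a node's property dict; edges are walked in
    either direction, like an undirected (a)-[e]-(b) graph-match."""
    nodes, adj = graph["nodes"], defaultdict(list)
    for src, etype, dst in graph["edges"]:
        adj[src].append((etype, dst))
        adj[dst].append((etype, src))
    filters, types, results = chain[0::2], chain[1::2], []

    def walk(path):
        depth = len(path) - 1
        if depth == len(types):
            results.append(tuple(path))
            return
        for etype, nxt in adj[path[-1]]:
            if etype == types[depth] and nxt not in path and filters[depth + 1](nodes[nxt]):
                walk(path + [nxt])

    for nid, props in nodes.items():
        if filters[0](props):
            walk([nid])
    return results


def fold_by_property(graph, node_ids, prop):
    """Group node ids by the value of one property (the Graph_Fold_By_Property idea)."""
    folded = defaultdict(list)
    for nid in node_ids:
        folded[graph["nodes"][nid].get(prop)].append(nid)
    return dict(folded)


def decode_encoded_command(cmdline):
    """Decode a PowerShell -enc / -EncodedCommand argument (base64 of UTF-16LE).
    Returns None when the command line has no such argument."""
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    return base64.b64decode(m.group(1)).decode("utf-16le") if m else None


def hunt(rows=PROCESS_EVENTS):
    """(cmd)-[SpawnedBy]-(ps)-[RanOn]-(host), then fold the matched PowerShell
    nodes by command line to see which command recurs on which hosts."""
    g = lift_to_graph(rows, PROCESS_MAPPING)
    matches = graph_match(g, [
        lambda n: n.get("name") == "cmd.exe", "SpawnedBy",
        lambda n: n.get("name") == "powershell.exe", "RanOn",
        lambda n: n["label"] == "host",
    ])
    clusters = fold_by_property(g, {ps for _, ps, _ in matches}, "commandline")
    return {cmdline: {"hosts": sorted(host for _, ps, host in matches if ps in ids),
                      "decoded": decode_encoded_command(cmdline)}
            for cmdline, ids in clusters.items()}


if __name__ == "__main__":
    for cmdline, info in hunt().items():
        print(info["hosts"], "->", info["decoded"] or cmdline)
```

Running it prints the two HQ hosts and the decoded Invoke-WmiMethod call; the explorer.exe-spawned PowerShell on WS-03 is excluded by the pattern, and the svchost.exe row never matches. The decoder only handles the standard base64 form of -enc; a real hunt would also normalise -e and -ec abbreviations before clustering.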
-
John Lambert reposted this:
🚨 We’re hiring a Senior Security Researcher to help detect and disrupt real-world threats at cloud scale. If you love security + AI/ML/LLMs and graph-based reasoning, take a look:
-
John Lambert shared this:
Moved buildings today and it brought me closer to this piece of #Microsoft history. In the courtyard of Building 16, every time a product shipped, a bronze plaque was installed. Each year, a denser plaque commemorated the growing list of products. Some were celebrated and live on today in modern form. Some came and went quickly. Some were ridiculed as wrong turns. The weathering on the plaques is a reminder of the tremendous change in 50 years of Microsoft.
-
John Lambert posted this:
This post is on readiness and where it can come from. In 2000 I started in Windows security as a program manager on CryptoAPI. Microsoft was celebrating 15 years of operating in Ireland. The plan was to digitally sign a contract representing investment into the country. This would be the first digitally signed contract in Ireland's history—because the Prime Minister was going to sign the bill into law the day before the event. It would involve smart cards and had to go right. The Prime Minister would be on stage to witness it. They chose me, the most junior member of the team, to do this. An eight-year veteran from Microsoft’s IT security department would accompany me. He was a few years older but still young. The morning of the ceremony found me practicing the demo in my hotel room. The phone rang at 7 a.m., and it was my colleague. Could I come help him with something? When I got to his room, he explained he didn’t know how to tie a tie. Tying a tie is 90% muscle memory and 100% something I could only do from my perspective. So I did what my dad had always done and turned him around and, hands over shoulders, tied his tie. He nodded, and off we went. The digital signing event went fine later that day. Looking back on this now, I see I didn’t get him ready. I got me ready. This tiny act of mastery—feeling my father’s presence—a transference happened. Jitters were eased, and a feeling of calm took over. Thanks Dad #EarlyMicrosoftMemories
-
John Lambert posted this:
"It's always a no if you don't ask." Bill Gates used to have Think Weeks. He would take a stack of papers and go to a cabin and read. It was a time for deep concentration and immersion. Any employee could submit papers and maybe he would pick it and read it. My colleague, Matt Thomlinson, and I wrote a paper on attack graphs and submitted it. Bill read it and sent us comments back. That was thrilling so early in career. Bill's technical assistant called me because he wanted to see a demo of our tool. The TA gave us "20 minutes". I said Bill would love it and asked for 40 minutes. We got 30 minutes. #EarlyMicrosoftMemories
-
John Lambert reacted on this:

What if every KQL hunt you wrote read like a sentence instead of a wall of joins? Saar Ron, John Lambert and Diana Damenova published 👉🏻 IRQL, a collection of Kusto functions that wrap security telemetry behind a consistent, analyst friendly dialect.
The same concept that shows up as ipAddress, IPAddress, IpAddress, ClientIp and callerIpAddress across different tables becomes one field: 👉🏻 ClientIp.
Timestamps that appear as Timestamp, TIMESTAMP, ReportTime, env_time and EventTime all become: 👉🏻 EnvTime.
The function catalog has five groups.
- Selectors (Get_*) return projected views of source tables using the unified schema.
- Extractors (Extract_*) derive new columns from existing ones.
- Enrichers (Enrich_*) left join context from related primitives.
- Graph lifted variants compose with Lift_To_Graph so the same logic drives both tabular hunts and visual investigations.
- External enrichment wraps VirusTotal and CISA KEV as callable functions.
A phishing triage query that would normally span 30+ lines of raw KQL with manual joins and project renames becomes:

    Get_Email
    | invoke Extract_Email_Sender_Domain()
    | invoke Enrich_Username_Employee()
    | summarize by Domain

Function names describe intent, not mechanics. Enrich_Ip_Employee, Extract_Email_Sender_Domain, Get_Event_Authentication. A pipeline reads as a sequence of meaningful operations. This matters for humans and for AI assisted query authoring equally. An LLM composing IRQL is dramatically less likely to hallucinate column names or join keys than one writing raw telemetry queries.
The functions are published against KC7 open datasets so you can test them immediately. The pattern generalizes to any telemetry estate by swapping cluster references and reconciling column names to your own schema.
This pairs directly with the Lift_To_Graph and Graph_Render_View work from earlier this year. Same team, same design philosophy: make KQL compose like building blocks instead of copy pasted walls of text. 👏🏻 https://lnkd.in/gH6YnT6t
#KQL #DetectionEngineering #ThreatHunting #MicrosoftSentinel #DefenderXDR #IRQL #SecOps
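Both IRQL posts on this page make the same design point: put schema normalisation (ipAddress / IPAddress / cip → ClientIp, EventTime / TIMESTAMP → EnvTime) and the routine joins behind named selectors, extractors and enrichers, so a triage query composes from intent-named steps. The following is an added example in plain Python, not the published IRQL functions and not code from the posts' authors; the alias table, the Get_/Extract_/Enrich_ function names and the three constructed source tables are this example's own, modelled on the naming convention the post describes. It carries the phishing triage one step further than the post's snippet by also left-joining successful sign-ins that came from the sender's IP.

```python
from collections import defaultdict

# Constructed sources whose column names drift, even within one table
# (not real telemetry).
SOURCES = {
    "EmailEvents": [
        {"TIMESTAMP": "2024-05-01T08:02:00Z", "sender": "it-support@contoso-login.example",
         "recipient": "alice@contoso.example", "cip": "203.0.113.10"},
        {"TIMESTAMP": "2024-05-01T08:05:00Z", "sender": "news@vendor.example",
         "recipient": "bob@contoso.example", "cip": "198.51.100.7"},
        {"TIMESTAMP": "2024-05-01T08:09:00Z", "sender": "hr@Contoso-Login.example",
         "recipient": "carol@contoso.example", "cip": "203.0.113.10"},
    ],
    "AuthenticationEvents": [
        {"EventTime": "2024-05-01T09:40:00Z", "username": "alice",
         "IpAddress": "203.0.113.10", "result": "Success"},
        {"EventTime": "2024-05-01T09:41:00Z", "username": "bob",
         "ipAddress": "192.0.2.5", "result": "Success"},
        {"EventTime": "2024-05-01T09:55:00Z", "username": "dave",
         "callerIpAddress": "203.0.113.10", "result": "Failure"},
    ],
    "Employees": [
        {"name": "alice", "role": "Finance"},
        {"name": "bob", "role": "Engineering"},
        {"name": "carol", "role": "Finance"},
    ],
}

# Canonical column name -> aliases seen across sources. An assumed table for
# this example; a real estate reconciles this list against its own schema.
ALIASES = {
    "ClientIp": ["ipAddress", "IPAddress", "IpAddress", "ClientIp", "callerIpAddress", "cip"],
    "EnvTime": ["Timestamp", "TIMESTAMP", "ReportTime", "env_time", "EventTime"],
    "Username": ["username", "UserName", "AccountName", "name"],
    "Sender": ["sender", "SenderFromAddress"],
    "Recipient": ["recipient", "RecipientEmailAddress"],
    "Result": ["result", "ResultType"],
    "Department": ["department", "role"],
}
_TO_CANONICAL = {alias: canon for canon, names in ALIASES.items() for alias in names}


def _normalize(rows):
    """Rename every aliased column to its canonical name; unknown columns pass through."""
    return [{_TO_CANONICAL.get(col, col): val for col, val in row.items()} for row in rows]


# Selectors (Get_*): the only place that knows where a table lives and how
# its columns are spelled.
def get_email(sources=SOURCES):
    return _normalize(sources["EmailEvents"])


def get_event_authentication(sources=SOURCES):
    return _normalize(sources["AuthenticationEvents"])


def get_employee(sources=SOURCES):
    return _normalize(sources["Employees"])


# Extractors (Extract_*): derive new columns from existing ones.
def extract_email_sender_domain(rows):
    return [{**r, "SenderDomain": r["Sender"].rsplit("@", 1)[-1].lower()} for r in rows]


def extract_email_recipient_username(rows):
    return [{**r, "Username": r["Recipient"].split("@", 1)[0].lower()} for r in rows]


# Enrichers (Enrich_*): left-join context from another primitive.
def enrich_username_employee(rows, employees):
    by_user = {e["Username"]: e for e in employees}
    return [{**r, "Department": by_user.get(r["Username"], {}).get("Department")} for r in rows]


def enrich_ip_authentication(rows, auth_rows):
    """Attach the users who signed in successfully from the row's ClientIp."""
    by_ip = defaultdict(list)
    for a in auth_rows:
        if a["Result"] == "Success":
            by_ip[a["ClientIp"]].append(a["Username"])
    return [{**r, "LoginsFromClientIp": by_ip.get(r["ClientIp"], [])} for r in rows]


def phishing_triage(sources=SOURCES):
    """Get_Email | Extract sender domain | Extract recipient user | Enrich employee
    | Enrich sign-ins from sender IP | summarize by SenderDomain."""
    rows = get_email(sources)
    rows = extract_email_sender_domain(rows)
    rows = extract_email_recipient_username(rows)
    rows = enrich_username_employee(rows, get_employee(sources))
    rows = enrich_ip_authentication(rows, get_event_authentication(sources))
    summary = {}
    for r in rows:
        s = summary.setdefault(r["SenderDomain"], {"Messages": 0, "Departments": set(),
                                                   "LoginsFromSenderIp": set()})
        s["Messages"] += 1
        if r["Department"]:
            s["Departments"].add(r["Department"])
        s["LoginsFromSenderIp"].update(r["LoginsFromClientIp"])
    return {d: {"Messages": s["Messages"], "Departments": sorted(s["Departments"]),
                "LoginsFromSenderIp": sorted(s["LoginsFromSenderIp"])}
            for d, s in summary.items()}


if __name__ == "__main__":
    for domain, info in phishing_triage().items():
        print(domain, info)
```

The lookalike domain surfaces with two messages, both to Finance, and a successful sign-in from the same source IP as the mail; the vendor newsletter has none. Each step only reads canonical column names, so swapping a source whose IP column is spelled differently changes the alias table, not the hunt.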
-
John Lambert liked this:
There’s nothing quite like holding your newly published book in your hands for the first time after months of research, writing, long nights, and sacrifices. That moment never gets old. Today, I’m excited to share that my new book, Cybersecurity Strategy for the AI‑Driven Era, is officially live. I wrote this edition for CISOs, CSOs, security leaders, architects, and practitioners who are responsible for strategy, risk reduction, and compliance in complex enterprise environments. At nearly 800 pages, it’s much larger than the first two editions — because the threat landscape has expanded, and the strategic demands on security leaders have grown with it. This edition includes major new chapters on:
• Artificial Intelligence — securing AI systems and using AI to strengthen cybersecurity
• API Security — a rapidly growing attack surface
• Mitigating Living‑Off‑the‑Land Techniques — one of the most persistent challenges in modern intrusions
I also updated and expanded the threat intelligence chapters with fresh data on vulnerabilities, malware evolution, phishing, drive‑by downloads, DDoS, API attacks, and nation‑state activity. Across the book you’ll find 68 tables and 79 figures to ground strategy in real‑world data. At its core, this book is about helping enterprises build cybersecurity strategies that reflect the threats they actually face — and the risks that matter most. A project of this scale is never a solo effort. I’m grateful to the outstanding team at Packt for their partnership throughout the process. Special thanks to Karen Kent, whose depth of experience as Technical Editor made this a stronger book, and to Jeff Jones, Senior Director at Microsoft, for contributing the foreword. I’ve learned a great deal from both of them over the years. If you work in cybersecurity leadership — or aspire to — I hope this edition becomes a valuable resource in your journey.
#Cybersecurity #AI #CISO #CyberStrategy #AIinCybersecurity
-
John Lambert liked this:
🎉 Announcing MSTICPy 3.0 🚀 (although, it is older than it looks)
Excited to share the release of MSTICPy 3.0 — a major step forward for our security investigation and threat hunting Python library. As well as reaching a major version milestone, we also passed the 1 million downloads mark late last year! 🍾
This release is mainly focused on house-cleaning: deprecating old APIs, Python versions and dependencies and bringing support for Python 3.13. (It's amazing how much junk you accumulate over the years!)
Highlights:
- Support OAuth2 in Defender XDR data provider
- Certificate-based authentication support for Microsoft Sentinel provider
- New/updated providers for @OpenObserve and CyberReason
- Overhaul of APIs and documentation
- This release also reflects growing integration with AI-assisted development workflows, including the use of coding agents to accelerate innovation and maintenance.
Release notes: https://lnkd.in/gkt3zfex
From investigation notebooks to detection engineering, MSTICPy remains a powerful toolkit for analyzing security data and building advanced analytics. Huge thanks to everyone who contributed code, reviews, feedback, and ideas to make this release possible. We’re excited to see what the future has in store with MSTICPy 3.0. 🚀
#Security #ThreatHunting #Python #OpenSource #MSTICPy #CyberSecurity