Microsoft Corporation (MSFT) Earnings Call Transcript & Summary

December 12, 2024

NASDAQ US Information Technology Software conference_presentation 30 min

Earnings Call Speaker Segments

Raimo Lenschow

analyst
#1

All right. Thanks for joining us. Welcome to our next session. I'm really happy to have Charlie Bell here from Microsoft.

Raimo Lenschow

analyst
#2

Charlie, the -- one of the big questions I got from investors was like, when you moved to Microsoft a few years ago, there was obviously big news kind of way -- given the way you came from. What was like the motivation back then? And how has been your Microsoft journey so far?

Charlie Bell

executive
#3

Yes. I mean what happened was Jeff came to Andy and I and said he was retiring, which was a huge shock. Nobody thought that was going to happen. We saw that coming. I had a moment where I thought, well, okay, AWS is doing pretty well. It's going to do really well. I was having fun. But if this was -- if I was going to do anything else now is the moment because I've got probably enough time to do one more big thing. I've been 23 years at Amazon, and I just started thinking, well, if I did something else, what would it be? The thing that hit me was security because when you run a cloud, you start to see kind of where it's all going. And it didn't look good, right, things are getting worse, not better. And so I thought, well, where would I work on it. And one of the ideas I had was, well, could I do it here, and I thought now, that's not going to work because we're an infrastructure player. And a huge portion of the security problem that sits above the infrastructure. It's in end user and productivity and identity and everything else.

Raimo Lenschow

analyst
#4

Yes.

Charlie Bell

executive
#5

And in fact -- AWS saw a whole bunch of the identity being done by Microsoft. So I thought, well, I could do different thing I just start a company. I talked to my wife a little bit. She goes, "Well, you should talk to Satya." She knew Satya from back in 2008 before Satya was Satya. And she picked up the phone, called over Microsoft says, "Hey, Satya, Charlie should talk to you and say, sure, come in on a weekend, and we'll have a chat." So Saturday, I went over there. I spent a lot of time. What I loved about Satya. He's incredibly curious. He doesn't -- he wasn't selling me anything and say, hey, you need to be at Microsoft. He was just -- we were talking about security and AI and other things. And I just realized, yes, first of all, he's an engineer. He's curious. And so I said, "Yes, well, we'll talk to a few other people." So I talked to Scott Guthrie, who runs Azure and Rajesh Jha, who runs the productivity side. And what I realized a few things. One is Microsoft is an engineering company from the start. It's a place where a lot of innovation has happened and it's a place where there was going to be a lot of innovation happening going forward. And so I thought about a lot. Well, if I'm going to work on security, what better place like Microsoft has arguably the largest security business in the world. They have the biggest footprint. They have the most signal of anybody across the whole landscape. And so yes, I came over.

Raimo Lenschow

analyst
#6

And how's been your journey so far, like compared to what default you want to do, where we are now?

Charlie Bell

executive
#7

Oh, it's been a blast. I mean the 1 thing that I knew AI was going to be really important, and I thought it could be really important in security. And we started working on GPT-3.5 right away. But when -- so we had a late August, I think it was end of August, we had a dinner at Bill's house and Sam Altman was there. And we go into the study, this is Scott, Rajesh and I and Satya over there, and we go into the study. And Sam starts showing off GPT-4 and our jaws were -- Bill's jaw was on the floor. I mean to get you Bill's jaw on the floor, it's quite an effort. He's seen a lot of things. And what we realized is, okay, this is an inflection point in what AI is going to be capable of doing. And so we went back and yes, it was -- I mean, it's been a lot of fun. And also, just anticipating the change -- what, it's such a massive change on the world, what's going to happen and trying to get ahead of it and understand the problems we're about to see, that's what we do in security. That's really how you get ahead of it, you think ahead and what attackers are going to do with it. But it's been a lot of fun.

Raimo Lenschow

analyst
#8

Yes. I can imagine. And the one question I get a lot of the time is like, you obviously have the software securities companies' industry, like trying to do like endpoint, network, et cetera. How do you think about like security Microsoft versus kind of the industry obviously there -- were is still there?

Charlie Bell

executive
#9

Yes. I think 1 of the things that it stuck with me before I came to Microsoft watching the security industry. There were 2 things about it that bothered me. One is it was so fragmented. There were so many specialties. And when you see how these attacks happen, they move across those specialties. There's somebody compromises an endpoint and uses it to get some malware in place so that they can compromise the credential and identity and then use the identity to increase the privilege and go somewhere else.

Raimo Lenschow

analyst
#10

Yes.

Charlie Bell

executive
#11

Like, they move across the environment. One of the things John Lambert, who runs the Threat Intelligence organization. He's a fellow, been actually at it since around 2000. He says, the defenders think in terms of lists. They have their category, and they think in a list, and they work off their list. The attackers think in terms of a graph. They think of the connection of everything, and they move across. And so I think one of the things that's exciting about Microsoft is, it's -- we have products in these areas, but we also have a platform that we can offer to the ecosystem, because it's -- because there's going to be a lot of innovation out there. It's not all going to happen at Microsoft. A key part though is not to fragment the data in the signal and make sure we can share it. So partners can and us can share what we're seeing, and the customer doesn't have to stitch all this stuff together, which is where CISOs have been for a long time.

Raimo Lenschow

analyst
#12

Yes. And then the -- if you think about it, and almost like I feel embarrassed asking the next question because it's like -- but there has been a lot of progress in the different kind of points. Like if you think Defender on the endpoint, if you look at your SIEM offering, et cetera, can you talk a little bit about the evolution of that portfolio on the point -- kind of almost point solution side, but like how does it also fit into the bigger picture?

Charlie Bell

executive
#13

Yes. Well, the evolution of the portfolio, I think the real -- the kernel of the security business really started with the productivity side, which isn't surprising because bad actors are going after people and Defender, Intune, protecting devices. But I think what you start to realize is you have to bring it together. The Sentinel solution that we came up with was the first run at, okay, this is what a platform has to look like. You have to be able to bring anything. You have to -- customers have lots of different things in their environment, and they needed a place to bring it together. And so one of the things when I came in, those were being centered in 2 different organizations. Scott Guthrie's team was working on Sentinel and the Defender teams were all under Rajesh. And so when I took those teams, the first thing I did is I started reordering it and bringing the teams together, so that they share -- one is to share the knowledge that they have, so share the research. So we shared research across everything, share threat intelligence, share the data that we have. And then -- and also to get moving on API strategy because Microsoft is not going to do everything. There are going to be a lot of innovation out there. And then, of course, AI just puts a huge exclamation on that, because AI is going to be great at looking across the entire environment, and it doesn't have silos. We have -- in the security industry, we have a lot of specialization and skills. It's not just the product. It -- you could argue the 2 of them it's Conway's law, but 2 of them feed each other. The fact that we have fragmented security solutions, means we're going to have fragmented experts in different areas. But we do, we have experts who understand reverse engineering and understand identity and understand malware on an endpoint and phishing and all of that. Each of these is an area of expertise. 
And -- the thing about AI is it doesn't care about -- it doesn't have -- it doesn't look at its org chart. It doesn't say, "Oh, I have a report to so and so that's what I do."

Raimo Lenschow

analyst
#14

Yes.

Charlie Bell

executive
#15

It can do pretty much any of it. And now we can break down the barriers. We had the data. We couldn't really harness the data in that way. We now have the ability to get across it all. So -- so yes, that's that is where we've been able to take these products and put them together and then go after the unification.

Raimo Lenschow

analyst
#16

And if you look at AI, like -- sorry, it's like more a non-techie question. But if you think about it, like both sides will use AI, like the bad guys and the good guy. How do we should -- like how do we should be think about like what's going to come our way? Like in simple terms, we could say like, oh, yes, they kind of infiltrate through like using some LLM models, but it's kind of difficult to -- how do you think about like -- maybe you probably thought it like a lot more than when we did, but I'm having a tough time imagining.

Charlie Bell

executive
#17

Yes. They'll use it in all ways. I mean, I had a kind of a fun time with the sales team. The sales leader asked me if he could do this. He took a quick video with me on Teams. And he says, "I'm going to train up an LLM, we're going to surprise everybody at the little sales kickoff." And I hadn't seen it until he did it on stage before I walked on stage with him, and he had me telling him what a great job he was doing, and then asking him to click on a link. And I got to tell you, there's nothing more disturbing than seeing yourself trying to manipulate somebody to do something evil, like it -- it's very disturbing experience. Deepfakes are going to be a big thing. And it will be -- we've already seen them, but they'll be used in many ways, I think, voice, video, and we're doing a lot of work in Teams to prevent that. But they'll use it for -- I mean they're using it today for spear phishing, just targeted phish. I mean with an LLM, I can create e-mails that look really like they're coming from somebody you know, and they talk about things you already -- you know about. And so they'll use it on the attack side in the same specialized ways we're going to use it on the defense side. They'll also use it to as the reasoning gets better. And this is what's happening right now. The LLMs are getting much better at reasoning. They'll use it for orchestrating attacks. So today, a hands-on keyboard kind of attack, somebody works on breaking their way in and they work on -- once they're in, they work on living off the land, they call it. It's what's in this environment that I can exploit. Oh, wait a minute, it's a privileged account, okay? That says, oh, wait, this one has access to a development account in that development account, there's an application. And that application has some privilege, and that same privilege exists in a production environment. Oh, yes, they left that open. Okay, great. I'll move there. They work their way through on the keyboard.
Well, the reasoning engines within LLMs can do that automatically. So now the tremendously labor-intensive process of breaking in becomes way easier for an attacker. They'll be able to move through an environment. There are already companies out there that are doing pen test as a service kind of things with LLMs, basically running through the catalog of potential vulnerabilities and seeing what could happen. So yes, the attackers will be doing an awful lot on their side to employ the technology.

Raimo Lenschow

analyst
#18

And then from your side on the other side, then so we're using Gen AI more on the protection side. Like for us, we can get like, okay, today, a GitHub copilot or your developers are getting a little bit more productive. But like we probably have to think bigger picture here.

Charlie Bell

executive
#19

Yes. Well, I think we've known for a long time that the game of reactive defense, it's important. You have to do it because there will be constant innovation on the attacker side, but it really won't diminish the problem. The way you diminish the problem is defense in depth. The analogy I use is imagine the one advantage you have is you own the rules of the game, and you own the field. So you're -- we'll use the European football term. So I'm playing football. I have this field...

Raimo Lenschow

analyst
#20

I get that. I currently...

Charlie Bell

executive
#21

And I suddenly make it 20 miles long, and I make the goal 2 feet wide. Well, the scores are going to be pretty low in that game. And so because I own the playing field, I can change the rules, it means I can go through the environment. This is what we're doing right now. We have this thing we call the Secure Future Initiative, which having watched some of the Nation States the Storm 558 issue we had last -- summer before last, actually. And understanding what the attacker did -- they're called advanced persistent threats and the P in there is persistent. They do it over many, many years. But it helps you understand how an attacker might try to -- in the future, try to exploit an environment. And so -- so what we did is we said, okay, let's start thinking many steps ahead. Let's start thinking about all the things that we need to do in the environment to make it extremely difficult for an attacker. The term in security, as we say: assume breach. Assume somebody broke into you, you should always do that because it's probably true. There's -- I think somebody once said there's 2 kinds of companies. Those that know they've been breached and those that have been breached and don't know it. Like -- but the -- but by assuming that, then you take -- and this is the other thing that we got out of the Secure Future Initiative is the understanding that the best source of how attackers might do things is probably our own red team that's trying to break things. And they were very good. They were keeping graph of everything that existed and visible to them in the environment. And they were using that graph when they wanted to try to break things. And so what we understood is that if you can take this same approach where you look at the entire environment as a graph and you begin clipping the connections between the nodes in the graph, and just keep clipping and get down to only the minimum that you need to run the business. You make it extremely difficult for an attacker.
And that's really how we're, I think, going to turn the tables on the -- because the other thing we can do is we can employ AI in that game. So AI can assess your environment. We recently announced some things in Exposure Management, but it's still -- we're at the very beginning of what LLMs are going to be able to do on the defense side. And the reason that I'm really optimistic is if you go back to what the attackers can do, they can employ LLMs, they have access to the technology. But the one thing they don't have is they don't have full visibility of the entire environment. They get to see the surface of it. They come in at the edge of it, and they poke at it and they have to work their way and they have to learn about the environment. We know where everything is. And so we have essentially a data advantage. And one of the things I love about Microsoft is we have 2 kinds of data advantages. One is we get to see more attacks than anyone else because we're sitting on the largest cloud. So we see all these things going on. But the other thing -- and so we get a lot of, what I would call, when you're training AI, you get a lot of the -- call it, the negative examples, the terrible events, the things that the AI has to learn. And the other thing we have is a lot of the good examples. We have the day-to-day. We know what people are doing day, we know what clouds do. Clouds are executing every second. And we know what a good example -- what good behavior looks like, too. And when you -- it's -- one of the things we learned, for example, people are trying to apply LLMs to phish detection. So phishing is when somebody sends you an email, tries to get you click on a link. Well, it turns out that the LLMs are often cranking out false positives. They have a little trouble identifying what's really bad, because they've been trained on a whole bunch of just negative examples. 
All they've been trained on, if you go out in the Internet, what you find is a whole bunch of examples of terrible, but they're not trained on good examples. And so they are biased to tell you that this thing is phish. And there's lots of examples where it isn't. And that's, in fact, one of the largest problems that customers have with that particular area is false positive. Their security operations centers get overwhelmed by having to chase down all kinds of false alarms. And so by training models on good examples and bad examples you get better models.

Raimo Lenschow

analyst
#22

And then how do you bring that then? And you talked about the graph and reducing the touch points on the graph, how do you bring that whole security framework then into the whole of Microsoft? Because there's so many parts of Microsoft that impacted or could be like entrance things like how is that kind of filtering through for the organization?

Charlie Bell

executive
#23

Yes. Well, I think one of the principles of our Secure Future Initiative is standard work. And in fact, this is -- it's actually bigger than the Secure Future Initiative at Microsoft is we have a whole quality push, which is really about standardizing how we do everything because if you go back to what Toyota did, the key to Kaizen was relying on standards. They're just doing everything the same way. And so we bake it in. So a good example would be one of the things that we had that we're now pushing back through all the legacy code is a thing called Managed Identity, which is my identity team manages the identity for the application that some other team is developing, so that when they authenticate and authorize work people -- an identity coming in to do something that's handled by a section of code that's managed by the central team and monitored and logged and all the -- and the team that uses that does nothing. They basically just use Managed Identity. Up until now, if you go very deep into the past, there were many things built where they had to build their own version of it, and having many versions of it, every one of those is an opportunity to make a mistake and get something wrong. So getting everything standard is the way that we take this knowledge that we have and promulgate it into the rest of the -- and by the way, for our customers, we -- one of the things we've talked about with the Secure Future Initiative is that it's not just about us, it's about what we export through our customers. So for example, MFA, making sure that multifactor authentication is turned on for every tenant. So you light up a tenant, you have to have multifactor authentication turned on or we won't accept it. Or if you're an enterprise and you require and you have some other form of authentication, you'll have to do some work to turn it off.

Raimo Lenschow

analyst
#24

Yes, yes. Okay. And you mentioned several times now, Secure Future Initiative. If you think about it, like, I get the core idea now, but like when you started it, like, was that like a new initiative? Was it a -- Microsoft kind of top-down initiative? How do we have to think about it?

Charlie Bell

executive
#25

Microsoft always had a pretty robust focus on security. If you go back to Bill wrote a famous trusted computing note to the company. And there was -- there were basically -- there were a lot of standard -- worldwide standard security practice developed at Microsoft. But the one thing that I think we did that was different with the Secure Future Initiative is we kind of turned it into a much more rigorous cultural kind of approach. It started with Satya standing up in front of all the corporate vice presidents and saying, you're going to think of security above all else. You build a product; you're going to think about security while you're building the product. Somebody in the audience raised their hand and say, well, what about -- they raise it. He said, you're going to think about security first. Security above all else. And I think having -- and by the way, we incorporated in what we call a core priority. So when you do your performance review, you talk about your core priorities. There's now a security core priority that people talk about. If you're not -- one of the key things about security and companies is often everybody in the company, think somebody in security is going to be the protector, I'm going to make sure that you're secure. And it turns out everybody has a hand in making sure you're secure. And so having those things -- and then I think the programmatic -- the understanding that it's programmatic and it will go on forever and that we will now take some of these things that we're learning. And the thing that we were doing over time is gradually absorbing security capability as we created it into our legacy. Here, we're intentionally going back and retrofitting on everything we discover, which I think is a stronger approach. And then thinking about how we do that with the products we put out in front of customers.

Raimo Lenschow

analyst
#26

Is there -- are there a certain -- if you think about it, when you announce it, is there -- are there certain -- do you have to think about like certain components that are part of it?

Charlie Bell

executive
#27

Yes. It's broken into pillars.

Raimo Lenschow

analyst
#28

Yes.

Charlie Bell

executive
#29

So we started out with 3 pillars. And we added more after Midnight Blizzard after we learned more from that attack. But within each pillar, there's an organizational aspect to it, too, which is we have pillar owners who own each of these, like, for example, network security or monitoring. And the pillar owners are technical experts in their areas and report into business leaders. So the pillar owner for networking reports to Scott Guthrie, for example. And this gives us a kind of a deep technical grounding in all the things that have to happen across the company, as well as ownership and also flexible. We can add more pillars is if we run into something that we're not -- we don't think we're covering correctly.

Raimo Lenschow

analyst
#30

And how -- is this like a Microsoft initiative? Or I mean I could see that, that kind of could be a framework for the whole industry.

Charlie Bell

executive
#31

Yes. I do a lot of meetings with customers, and they're all thirsty for how do you tag -- this problem is very difficult because security isn't -- you have customers yelling at you every day. You really -- you have other customers out there; I call them anti-customer who are going to do terrible things to you that you don't see every day. And unless you think about them at the same time, you're thinking about your customers, and this is hard for companies. What happens typically is the CISO is out begging the business units to do something, and they're really busy and they're solving the customer problems. So they don't pay attention. So organization is really critical. In addition to the pillar owners, one of the things that Igor Tsyganskiy did, he's my CISO, he created deputy CISO who live under Rajesh and Scott and in the various parts of the Judson and various parts of the organization. And they do the risk management. Basically, they look at -- they -- because they're sitting at the staff table, and they have accountability to Igor and they meet as a team, they get to assess the risk. And by the way, they don't do it independently, they review it with at least 2 of their peers. And he's got a structure, organizational structure for making sure that -- as an organization, we're constantly thinking about security as a seat at the table. And a lot of customers are wrestling with that problem, how do you bring that into your environment?

Raimo Lenschow

analyst
#32

And are they -- does that mean also like some of the point solution providers that are you inviting them to join in? Because securities like a bigger problem is just not the point of problem. It's not a point problem. It's like you need to have almost like a framework -- how does that play out?

Charlie Bell

executive
#33

Yes. So I'm a firm believer that organization follows technology, technology follows organization. If you don't build things actually that bring people together. One of the things that we've been working on as part of all of this, is how would -- it's both for the present. So just from a data perspective, how do people connect with us? How do we share threat intelligence, for example, across providers like Cisco and OneTrust and others who see things? They see every -- it's a fragmented world, everybody has their piece of it. But if we want to get past the fragmentation, we have to be able to share. And so how do you bring partners. Netskope is another -- we work with Netskope. It's going to be an ecosystem that really gets the tables turned on the attackers here. It's not going to be 1 company. There's going to be a lot of innovation going, but I see Microsoft as being in a great position to lead just by the weight of the signal and the fact that we can provide sort of the meeting round. And then we get to AI, everybody is going to be innovating agents for us, and these agents are going to have to cooperate. So having the ability for us to come together with various -- and it will be -- look, each company, it's like customers. You go to meet the customers where they are. Each company is in a certain place in their market. They have a certain responsibility to their customers, things that they do for their customers. They're going to have a certain ability to work with us at a certain level, and we're going to meet them where they are as much as they can do or as little as they can do.

Raimo Lenschow

analyst
#34

And then I wanted to go back to -- on the Gen AI. Well, Gen AI, but then also on the cloud side, like in a way, the security landscape to some degree, is changing because like one of the classic break-ins worse. You had an on-premise solution and it's -- we're sitting on a nonpatch kind of version of some whatever, and then someone broke in. But that's not the case in cloud because like in Azure, you want to be always on the latest and greatest, so that's a different thing. Like how do you -- how is your -- the conversation with customers going around like, okay, well, here's Azure. And from the outside, we have a different and better security framework than you're doing on-premise, should you -- kind of join us more? Does that say part of the conversation as well?

Charlie Bell

executive
#35

Yes. I mean, look, I've always been a cloud optimist, obviously. It's because, it's just -- it gets harder and harder to solve the problems of not just security, availability, how do I make things work? How do you manage costs? Like we have deflating world in technology. How do I take advantage of that and refresh. The ability to refresh your organization on the things that actually don't matter to your customers. Your customers don't care what data centers you run and what servers you have, what operating system you're running, they have no idea. And so the ability to move faster refresh and stay current. And in security, it becomes acute. Because we saw that with Hafnium, which was a Chinese threat [ actor ] that was going after on-premise exchange and they were exploiting a bug. And in the cloud, you can patch that in hours. The Storm 558 attack, we patch within hours. If you're on-premise, some customers can't patch because they're sitting on old hardware that can't run the new things. So they literally can't. They're trapped. And so the way that you defend is much more difficult in that world. And so being able to -- there's a tough game in the vulnerability world where we have to publish vulnerabilities. So a CVE, that's the prefix for vulnerability, CVE 1, 2, 3, 4, 5 will come out, and it will say this is a critical vulnerability and you need to patch it immediately. Well, guess who gets to see that. And they're immediately saying, "Well, go to town." I see this vulnerability, where can I use it? So now there's a foot race that goes off. Now the world has to patch faster than the attackers can find it and do something with it, and it's just long. Like the cloud, you just patch it immediately. In fact, you can patch it simultaneously by telling people that there's -- by the way, we've also, I think, innovated here, cloud providers tend to be a little bit secretive on these things. We've been really transparent. We copublished with researchers. 
We've created these cloud vulnerability things where we talk about the vulnerabilities that discovered in the cloud. But the thing is we can do it immediately. We don't have to wait. And for some of these things, it can take months. And in the meantime, companies are vulnerable.

Raimo Lenschow

analyst
#36

Yes. Yes. I see our time is up. But I could talk for hours. It's like -- it's so interesting chatting with you and it's like it's such a great new world out there or like it's not all great, but it's an amazing world out there. So thanks for joining us here. Very insightful. Thank you.

Charlie Bell

executive
#37

Thank you for having me.
