Microsoft CyberFirst 2023: Empowering young security professionals

The CyberFirst Bursary Scheme is widely known in the UK as a leading way to encourage young minds from all backgrounds into cybersecurity. Students are given an opportunity to work with a company or organisation in eight-week summer placements based around cybersecurity.

At Microsoft, we strive to empower every person and every organisation on the planet to achieve more - securely! So naturally we, alongside other companies involved in the scheme, are keen to offer CyberFirst students the opportunity to place with us over the summer and to gain first-hand industry experience.

We expanded our catalogue of placements this year but were unable to offer last year’s roles due to uncertainty of teams and the hard year the economy has had. That being said, we offered two positions this year:

Microsoft Security Cloud Solutions Architect – Architect and provide best security practices of cloud workloads whilst assessing them for both technical and strategic security weaknesses, providing detailed recommendations on how to improve security posture.

Microsoft Cyber Security Data Scientist/Security Researcher – Work within Microsoft’s world-leading threat intelligence organisation on an end-to-end project, using AI/ML and/or technical security expertise to research and develop innovative new ways of detecting and tracking the most sophisticated threat actor behaviours and activity. Microsoft Security has unique optics into end-to-end attacks and how different stages manifest across our telemetry; we join the dots and show the art of the possible, protecting millions of customers around the world.

All these roles are supported by CyberFirst alumni working at Microsoft. As a result, the placements are shaped by a community built by CyberFirst and the growth mindset culture here at Microsoft. In the coming years, we aim to expand these offerings even further. We want to help support and grow young minds into cybersecurity and reduce the security skills gap.

Students can delve into a project that has real value to Microsoft, building on their own skills. They also have the opportunity to present to the wider Microsoft ecosystem in the CyberFirst office hours event, where they highlight what they’ve been working on.

Students this year come from a wide range of academic years, universities, and courses. 50 percent of students attended the CyberFirst Academy in their first year on the scheme, and for 75 percent of students this placement was their first industry placement.

So, what have this year’s students been doing over their placement and what have they learnt? Well, that is best said in their words so I will pass the mic over to them!

James: Tell us about your experience as a CyberFirst Bursary Student?

Edward P

“I got onto the CyberFirst scheme two years ago when I already had a passion for computer science. Each summer you are expected to attend a cybersecurity related placement to further your industry and academic experience. Last year, I attended the CyberFirst Academy, which provides fundamental knowledge for cybersecurity. It was during this time that I became interested in cloud computing and took full advantage of the CyberFirst Cloud Academy subscription to gain practical cloud computing skills. Due to the opportunities provided by CyberFirst, I was able to apply for Microsoft as a Security Cloud Solutions Architect this summer which suited my interests gained from the academy perfectly.”

Finn C

“My first encounter with CyberFirst was applying for the Bursary. I hadn’t heard of the scheme before then and I stumbled across it while looking for something I could apply for as a 2nd year student at university. This is my first summer on the scheme, as I did not go to the academy. Coming from a maths background and being told to skip the academy was daunting but I felt very supported by CyberFirst and the extensive community of alumni as I made my first step into working in security.”

Oliver L

“I have had a really positive experience so far. This is my first industry summer placement as last year I attended the CyberFirst Academy, and I have been able to draw immense value from both. The academy was much more learning based, and being able to apply some of that knowledge in the workplace has been very rewarding.”

Ethan S

“Being on the CyberFirst Bursary has been an incredible experience for me. When I first received the offer, it was too good to be true. An opportunity to attend University, study a subject I have a passion for and gain knowledge from industry leaders. Too good of an offer to turn down and I still have no regrets. Coming to an end of my second placement, the value I have gained has been second to none and I have made many industry connections I can take into my career moving forward. This alongside first-hand insight into what my future career could look like has made CyberFirst invaluable to me. The CyberFirst Bursary is a wonderful experience, and I would highly recommend it to anyone looking for a career in cyber, or maybe those still unsure.”

James: What have you been doing over the last eight weeks?

Edward P

“In the first few weeks at Microsoft, we attended several business and technical introduction sessions covering XDR, compliance, zero trust, and security architecture, all whilst building connections with different roles including Customer Success Account Managers, Technical Specialists, Specialists, and fellow Cloud Solutions Architects.

My project whilst at Microsoft covered the merging of Defender for Containers and Microsoft Purview. Utilising the facilities and people at Microsoft, I discovered common attacks that happen in Kubernetes environments and how to mitigate them. I reflected on the different challenges of implementing on-premise and cloud environments.

During my project, I considered the impact of governing Kubernetes environments. I used tools such as Azure Container Registry and Azure Policy to provide guardrails and secure a cluster. One of the things I discovered was that compliance should not have to apply directly to most AKS situations as best practices are to not use any state with the containers and use read-only filesystems. Nearing the end of this placement, Ethan and I joined together to do a Well Architected Security Assessment for a mock company to demonstrate the skills that we’ve learnt and provide architectural best practice recommendations for a company to implement and improve their security posture.”

Finn C

“I have been working as a Security Researcher within MSTIC (Microsoft Threat Intelligence Centre). The first couple of weeks were mainly training and a plethora of meetings with people from across MSTIC and wider Microsoft Security. This included experts in reverse engineering, Cloud Solution Architects, threat analysts, deception experts, security data scientists, and much more! This quickly gave me an idea of how MSTIC functioned and the sheer number of roles on offer in Microsoft Security.

I have mainly been working on a couple of projects. One is leveraging LLMs in order to automatically tag threat intelligence, saving time which analysts can use to hunt threat actors. My main project has been investigating a new technique of linking files together, allowing Microsoft to identify more possible malware files given a single, confirmed malware file.”

Oliver L

“I have been working as a student security data scientist for Microsoft Threat Intelligence Centre on various projects. My main project was led by the App Governance team in India, who focus on researching, tracking and mitigating malicious activity that involves Azure Cloud apps. Specifically, my project has been based around developing a custom dynamic graph exploration tool for analysts, which enables them to hunt for connections between cloud apps, by making direct and indirect links between them, and locate malicious campaigns. This allows them to explore malicious attack campaigns that use Open Authentication Apps to gain illegitimate access to customer data. Ultimately, this contributes to an increase in the speed and comprehensiveness with which analysts can discover and block these sorts of attacks.

In the background I have been working on clearing work items in the team’s internal ‘analyst backlog’. This involved both fixing, and developing from scratch, custom tooling - which threat intelligence analysts have requested - that automates queries and pivots based on collected data. For example, I wrote some code that monitors for a specific type of network scanning being performed by known actors. This then generates daily insights for analysts so they can be automatically alerted of this activity.”

Ethan S

“During my last eight weeks at Microsoft, I have gained valuable experience as a Security Cloud Solution Architect. To begin our time, I was exposed to the cyber security giant that is Microsoft and their suite of industry leading products, many of which I was not familiar with but as we progressed through the placement, I gained a real understanding of where they all fit within Microsoft’s portfolio.

Coinciding with the sessions we had across the Microsoft toolset, I took a primary interest in Microsoft Sentinel and its threat intelligence platform. For the following weeks I tailored my research and focus to Sentinel and how it can positively impact a customer’s experience and approach to security operations. I learnt an incredible amount in such a brief time and was able to gain hands-on experience with Sentinel’s security analytics, threat intelligence, visualisation, proactive hunting and response capabilities.

Reflecting on my learnings I was able to apply my knowledge to a customer architecture highlighting core security considerations and ways to optimise a Sentinel deployment. I was also able to deliver a mock Azure Well-Architected Security Assessment for a customer providing detailed guidance on how to improve their security operations and incident response.”

James: What is one thing you found particularly interesting?

Edward P

“I particularly enjoyed learning about privilege escalation and escaping virtualisation during my project. It was an area which I had learnt about but never performed myself. I was surprised about how easily this type of attack can be performed in a poorly configured environment.”

Finn C

“Microsoft has the extreme benefit of its data and telemetry which MSTIC can filter through to track threat actors and protect Microsoft customers. Only two weeks into the internship I had the opportunity to write automation which used known threat intelligence in a novel way to identify new IOCs that can be used to discover and track threat actor activity. The intel that it generates was immediately being used to protect millions of customers around the world through Microsoft Defender. I found that whole process fascinating, and the opportunity to build something straight into production so early was amazing!”

Oliver L

“It has been really interesting working with people with such a breadth of knowledge and roles. I’ve been fortunate enough to have several discussions with people across the organisation to get an insight into various types of work at Microsoft which has really expanded my internship past just the team I am working with.”

Ethan S

“One aspect that truly captivated my interest during my stint at Microsoft was the deep dive into Microsoft Sentinel and its capabilities in the realm of threat intelligence. I was intrigued by how Sentinel’s security analytics could offer real-time insights into potential threats across a company. The concept of visualizing attack detection, proactive hunting, and instantaneous threat response was not just a theoretical understanding for me, but I had the chance to apply it hands-on.” 

James: What has been the highlight of your placement?

Edward P

“I really enjoyed visiting the other CyberFirst students in Cheltenham. It was interesting to see the ways in which they handled big data analysis to combat malicious threats. This highlighted the scale of Microsoft and the different roles that you can adopt within the company.”

Finn C

“The advice and insight from so many experts in the world of security has been invaluable, and having the opportunity to assist in running a session for the CyberFirst Academy was really satisfying. The highlight would have to be conducting my own research, and developing a new technique which will continue to be built upon and used in new ways once my internship is over. The knowledge that my work will be extended to further protect Microsoft and its customers is extremely exciting!”

Oliver L

“Being able to directly contribute to in-production Microsoft code bases after such a short time working here has been incredibly rewarding. It’s very cool to see threat intelligence being generated directly because of work that I’ve done.”

Ethan S

“The highlight of my placement at Microsoft is twofold. Firstly, achieving my SC-900 Microsoft Security, Compliance, and Identity Exam qualification was a tremendous accomplishment. The journey to that achievement had numerous challenges. Overcoming these obstacles and passing on my first attempt was an indelible testament to my resilience, adaptability, and the speed I have been able to learn at whilst at Microsoft.

Secondly, the sheer awe of my first day at the Microsoft Office in Reading is a moment etched into my memory. As I walked in, I was star-struck by not just the name, but the magnitude that Microsoft holds. Being in those surroundings gave me a sense of accomplishment and aspiration.”

James: What is one thing you are taking away from this placement?

Edward P

“One of the things that I will take away from this placement is the passion that I have gained for Kubernetes and container orchestration in general. Before this placement, I didn’t know much about Kubernetes; I didn’t think that I would be working with it during my placement. Now, I am glad that I had the opportunity to work on systems like AKS where I was able to explore this topic area.”

Finn C

“The value of collaboration and seeking knowledge, feedback, suggestions and more from the experts around you. Microsoft is full of passionate individuals which creates an environment where seeking that advice is not only possible but encouraged. I was able to contact people from a completely different part of the organisation for help with my project and was given help and encouragement!”

Oliver L

“Always have a learning mindset and try to talk to as many people around you as possible. Being able to learn as you work and implement that knowledge directly is a really good skill to develop. And not being afraid to ask for help from those around you; everyone has different expertise, and a project can only be strengthened by utilising this.”

Ethan S

“From my placement at Microsoft, I have gained a profound appreciation for the real-world application of cybersecurity tools, especially through my in-depth work with Microsoft Sentinel. Simultaneously, I have been deeply impacted by the company culture. Despite its global stature and the hectic pace, the readiness of employees to collaborate, share knowledge, and support one another is truly remarkable. This experience taught me the importance of hands-on technical proficiency coupled with a collaborative mindset, both of which are essential for personal and professional growth.”

At Microsoft we received incredibly positive feedback from all CyberFirst students with 100 percent of the students wanting to come back to Microsoft if they are offered a graduate role. These students have shown in just eight weeks it is possible to absorb a vast amount of information and teach security experts new tricks. These students are truly the future of cybersecurity.

It's been great for us to have the CyberFirst students this year all working on valuable projects that will create a lasting impact and for them to meet so many fantastic people who helped to create and shape the placements.

Thank you to Lesley K., Mark Hawkins, Kenny S. Kamal, André Worwood, Emma Fang, Amritpal Singh, Anil Abraham, Ed Harrison, CISM, Rob Mead, Tim Burrell, Liam Kirton, Rituraj Jodha, Emil Biju and so many more!

From all of us at Microsoft we wish them well in all future endeavours and cannot wait to welcome our next cohort of CyberFirst students, bring on 2024!

#microsoft #cybersecurity #security #CyberFirst #azure #microsoftdefender

Chris Howett

Security and Compliance Technical Specialist: It's not just about best of breed, it's best of suite. Integration is key!

1y

All very impressive students. Incredibly bright, capable, passionate and well spoken. They will be a credit to the security industry. Great work by all of them. Brilliant work James D. to bring it all together!

André Worwood

Modern Work & Security Lead, Customer Success, Microsoft UK

1y

What a fantastic initiative James and with some very talented people! Thank you for your leadership here!

Mark Hawkins

Senior Manager - Cyber Security - Customer Success

1y

Wonderful to read, and an amazing outcome. Great leadership on this one as always James D. - brilliant work!

Ed Harrison, CISM

Cybersecurity and IT leader | Managing Director of Quilcroft Consulting | Educational board trustee

1y

Great job James - I hope the students enjoyed the summer and found it useful. Sorry I wasn't around to help out!
