Evan Wimpey: Hello, and welcome to the mining your own business podcast. I’m your host, Evan Wimpey. Today, super excited to introduce our guest, who is Nirmal Budhathoki. Nirmal is a senior data scientist at a company called Microsoft that I think most of our listeners might’ve heard of before. And he works on cloud security, which is new to the show.
So super excited to learn a little bit about Nirmal and his role there. Nirmal, thanks so much for coming on the show today.
Nirmal Budhathoki: Yeah, thank you for having me today. And thank you to every listener and audience member. We will try to cover cloud security. I think I always feel like security and data science have a good intersection.
Even if it is a real intersection, it is interesting in itself. So I’m glad to be here and excited to explore more.
Evan Wimpey: Awesome. Yeah. Looking forward to digging in there. Maybe to get started. Can you just give us a little bit about your own personal background and how you got into the space?
Nirmal Budhathoki: Absolutely. Yeah, so I actually started my data science career, not that I intended to if I look back. So I did always have an interest or fascination towards data. However, the career path itself was not as linear as I thought it would be. I came to the US in 2007 to do my master’s.
2009 I graduated, obviously everyone remembers, a big recession year in the US. It was kind of hard for me to find the tech roles that I wanted. Then, you know, I joined the US Army, which was completely orthogonal to my career plan. But at that point, I think that was the best decision that I saw.
And then, weighing in all the factors, I went in to join the US Army. Served for four years, you know. But if I look back, that was actually one of my best decisions in my career, and that has kind of pivoted many decisions after that. I got my first data analyst job in cyber after the military career with the US federal government. So I was working for their cyber defense command. So I would say that was my real first data analytics role, when I started playing with the tools, you know, like analytics tools, and then digging into the data. So, cyber data was interesting in itself because obviously it’s messy.
Even at that point of time, when the big data tools were not much popular, it was somewhere around 2014, but I think it was getting popular. Hadoop and everything was getting popular, but not too common as today. But I think trying to figure out ways of how to analyze the data in the available tools like Excel or any other, you know, simple pandas packages, was challenging, but I learned a lot during those five years of career with the government. Then I did my master’s in data science during that time.
And then that opened up more doors for me. I picked up my first data scientist title with Wells Fargo after that. And then that actually began my data scientist career officially. Working in FinTech was interesting, but I always wanted to go back to cyber. And that’s when I got an offer from Microsoft, you know, to work in the security products.
And then here I am today.
Evan Wimpey: We’ve met outside the show. We’ve spoken a little bit before, and I never put together how our timelines were. I graduated in 2008, struggled, floated around, joined the Marine Corps and then studied analytics after I got out of the Marine Corps, always sort of with a hint of data in there.
It seemed very, very similar. East coast, west coast. Yeah, that’s great. And you speak about security data and it almost seems intuitive, but maybe it’s a sort of a rare thing. I think it’s a less common focus area for a data scientist. So maybe, can you give us just sort of a brief overview of how data science supports security?
And if you’ve got like an example that you could talk about, that’d be great.
Nirmal Budhathoki: Yeah, yeah, sure. So I would definitely agree with your point that it’s not as commonly spoken or talked about a field, you know. One of the major reasons is it’s hard to find the data to just even do my own self-learning, you know. So if I just go around right now in any Kaggle or any other publicly available data set, it’s much easier to find any other data, sales data, e-commerce data.
You think about it, but cyber-related data, it’s hard. One of the main reasons is nobody wants to obviously give away their network information, right? So it’s kind of challenging when someone wants to kind of like build up skills or, you know, get into this cyber data science side. However, it has improved a lot.
So I think, how data science actually supports cloud security. There are many ways, I think, if I have to just remember a few of the main ones. Anomaly detection is one of the common ones, you know, where you maybe build your baseline based on the regular traffic or behavior of the users or devices, and then you’re going to start tracking what is an anomaly versus not. Then there are use cases like alert classification. Obviously, the security operations center, or SOC, they are always overflooded with alerts.
You know, there are so many endpoint security products. They’re going to keep firing the alerts. One percent of them are genuine alerts, but most of the times, you know, it could be false positives. It could be just benign positives. However, their queue, we cannot just overflow the queue, right? So ultimately, there is a very good scope for machine learning.
And today, I think a lot of startups are even working in that direction, on how do you effectively and efficiently classify these alerts into different categories, right? So maybe the machine learning will be very helpful there—that’s one thing. Same thing when I mentioned about alerts, there could be a lot of false positives.
So, you know, like, can you fine-tune your models to reduce the false positives, right? So false positive reduction is also very interesting. Then there’s another thing that’s popping up lately, you know, it’s been a while, but more common these days because of something called users. We work from different hybrid locations these days, right?
So user behavior, or something called user entity behavior analysis, UEBA. Right. So it’s very popular. So UEBA is getting, because of these large language models or anything, right, like deep learning models, it’s getting popular. The size or amount of data to process that, you know, I could be logging in from my home.
But if in maybe like 20 minutes I logged in from some IP address from New York City, I think that should be a little bit uncommon, right? So that’s just a very straight simple example, but there could be more complicated scenarios where they have to track the user’s behavior based on the activities, and then they can create a good baseline to say something—true positive versus false positive, right? So those are some examples. Yeah. And I think there are many coming up, obviously these are some of the top ones that I think of, you know, and yeah, I think these are some of the use cases that always make this really interesting, at least for me, you know, just always doing it.
Evan Wimpey: Yeah, awesome. It’s very exciting. And, you know, I think of like common front-of-mind use cases in marketing or in sales. And you often think about the end user as, you know, the marketing person. And there’s oftentimes some felt or real tension between, well, here’s what sort of analytics shows.
And here’s what, you know, the business intuition, knowledge, historical practices say. In my mind, my perception is that a security and IT department, maybe if you clarify sort of who your business stakeholders are, it seems like a sort of a technology-driven end user that would be more receptive, that would be more open to advanced analytics, to machine learning, trying to help out.
Nirmal Budhathoki: Yeah, so yeah, you got it right. So basically when we, you know, like do the projects, especially the customer. Some of it could be based on the company size and how it operates, right? So it could be internal customers. Most of the products. Sometimes we build for our internal customers too, and then if you are building something as a SaaS product that, you know, like you can probably sell off to third-party customers as well.
Like at Microsoft scale, we’re talking about products like Sentinel, which is obviously available to all the users. Where they can log into the portal—the MS cloud portal—and then in the cloud portal, they can see all the devices or everything within their subscription. What is the health monitoring?
Right? So a security health monitoring system kind of thing. But yeah, I think there are different models, like using, okay, just by internal teams, right? So then you have more leverage of how to handle the data security compliance. For third-party customers, you have to go with a little bit more rigorous process, right,
than what you go through for your internal customers, things like that. So.
Evan Wimpey: Certainly. Yeah. One of the things you mentioned: getting the data and getting access to data is challenging, and I’m curious. And maybe, you know, maybe this is from our military background as well. I think in security always, ideally, you want to be proactive and see the new things.
But with like traditional machine learning, we usually think you’re learning from known historical cases, you’re learning from labeled data in the past. Is there an opportunity? You did mention anomaly detection too. So maybe that’s it. But are there opportunities to try to be proactive and be ahead of whatever the potential security threats are?
Nirmal Budhathoki: Yeah, I think this is a very good topic. I think historically or traditionally, most of the security tools or security companies have been, and we still do, every company still does it, the reactive approach, right? Especially for your training data, or even to learn what’s going on with your network or, you know, kind of learn from that, correct that, rectify that.
However, I think one of the main challenges of doing it the reactive way is it’s not going to scale. I mean, if we keep doing reactive mode, I think it’s not going to work. I mean, the defender side, you know, like it’s always going to be on that resource crunch, time crunch, you know, because the hackers or offenders, they’re going to come up with new techniques, new technologies. You know, all of these LLMs and everything that we are seeing, they already have their hands on, they’re already using it, you know, they’re already figuring out new ways to create the attack vectors.
So with these kinds of things, I think defenders can never catch up if we only stay in the reactive mode. And that is why I think the industry is shifting, the security industry is shifting to proactive or predictive mode. And this is where we can use the power of ML, right?
So basically, even if we are doing the analysis of historical data or cases that happened, you know, how can we leverage or learn something, right? So establish a pattern or something so we can understand what is coming or what’s going to happen, right? I think this is where the power of these advanced models can also help us, like there could be some patterns which traditional ML is not picking up, you know, because traditional ML is only feature based, on the features that we created, and most of the times we don’t know what attribute matters versus not, right?
We want the models to learn these features automatically. So the deep learning will bring the auto feature engineering capability. So I think that’s where it’s probably going to help us to do a little bit better on doing the proactive way of defense, right? So yeah, I think this is definitely the direction we should go.
And we are already, like many of the projects that I’m also involved in, you know, so we are thinking about like, hey, how do we put the predictive model in place? And, you know, this is where I think we have to be very cautious about evaluating our models also, that we build something and then it is producing too many false positives.
Then are we kind of like making the problem better or making the problem worse? Yeah, so it’s a challenge, but yeah, I think we definitely have to be in proactive mode, because if not, then we will never catch up.
Evan Wimpey: Yeah, that seems spot on. And you’ve mentioned a lot of false positives multiple times.
And I think at least for me, my intuition is you want to make sure you identify the threats. But like earlier, you spoke about the alerting system: if you alert on everything, then, right, it’s useless. Yeah. So trying to cut down on all of the false positives. Yes. It’s a tough challenge for sure.
You also mentioned LLMs, and Microsoft has obviously been one of, or the biggest, player in the last year or so as they’ve gotten so popular. Have those worked their way into your work at all? Either, yeah, as a tool that you can use, or as a tool that Microsoft has where you need to be able to identify security threats that are associated with the LLM platforms that they have?
Nirmal Budhathoki: Yeah. So I think one of the best things about Microsoft is we do adopt the tools at a faster pace, but at the same time, we want to make sure that we adopt in the right way as well, unless and until we figure out, you know, the process in place is accounted for the compliance, you know, how the LLM models are behaving.
Is there a proper evaluation technique in place? Do we even do all the meta prompts or those kinds of validation? You know, how is it behaving with the data that we are giving to it? Are we using a fine-tuned version, or are we using the RAG, or retrieval-augmented, version? You know, so there are so many things they want us to do, a lot of due diligence or, you know, the compliance checks beforehand, which is good.
I think we want to do the fail first more. But at the same time, you don’t want to fail on both product and security, right? So security is never a compromise, especially in Microsoft, which is what I always admire about it. And then today, like LLM models, I think, if you look at it, as you mentioned, Microsoft is at the forefront.
We have the capability or access to use all the OpenAI models, but at the same time, they are also putting enough guardrails on us that you use it properly. So I have come across, we are currently exploring a few models for building the proof of concept. And again, just meeting all these guardrails is like, once you build a proof of concept, then you can do some testing with some sample data. And then you can evaluate your models before these models even go into production, things like that.
You want to make sure that you are doing it more securely. Your data is not being locked for external third parties to rely on and train on, because you may have sensitive data. So how are you isolating everything and still getting the full-fledged capability of LLMs, right? So those are a few things that we are figuring out and working on.
However, I can see there are a lot of potential use cases and opportunities, even the use cases we talked about before, you know, because LLMs can be fine-tuned for classification, right? LLMs can be fine-tuned for summarization. LLMs can be fine-tuned to go through all the historical documents and all the TSGs or SOPs, you know, every notebook that has been created, you know, if they have all the artifacts or facts, whatever there is, right.
So we can kind of, it’s easy these days to build up a chat or conversational tool on top of that, you know, so the security analysts don’t have to spend too much time finding the document. They can just, you know, do the Q and A session with the LLM agent, right? So there are a lot of potential use cases, but obviously you have to take it with a grain of salt, right?
As they say, so we are evaluating and making sure all this, you know, the i’s are dotted and the t’s are crossed, right? So we want to make sure we do it the right way.
Evan Wimpey: I mean, I think that’s super exciting, and I doubt that Microsoft ever has a hard time attracting talent to the space, but I would think in a world that’s moved so quickly in large language models, it seems hard pressed to find a better place to attract talent right now, because you’ve got access to everything.
And as you just spoke about, you’re doing things the right way. You’re being careful in the way things are monitored, the way things are implemented. So, I suspect that it’s not too hard for you to attract talent, to get some job applicants.
Nirmal Budhathoki: Oh, yeah, yeah, definitely. We are seeing a big influx in some of the job titles being posted by Microsoft around this area.
I actually love seeing the jobs even on the responsible AI side. We do see a lot in Microsoft, you know, so I think, yeah, the privacy side, data privacy side, which are important because we’re going to have to do it not only from the technical aspect, but also from the process or policy aspect, right?
Compliance aspect. Yeah, as an engineer or technical person, sometimes you feel like it could be, you know, like process heavy or time consuming, but you have to make sure you evaluate both sides, right? So I see a lot of startups these days. Yeah, like they are trying to jump in the LLM seat too fast to drive, you know, sure, but you have to make sure you are considering all these factors, you know.
Evan Wimpey: Maybe in sort of a similar vein to job applicants, there are a lot of people in the space that are looking for jobs.
Nirmal, we’ve been connected in some community-based events before this. I know that you’re super active. I see you on LinkedIn pretty often. Can you talk about some of your involvement in either security or just data science generally outside of Microsoft? Sort of just being part of the community.
Nirmal Budhathoki: Yeah. Thanks for including that aspect in the conversation. Yeah, I think I am fairly active on LinkedIn. I do like to share knowledge back to the community. I’m a firm believer that we can learn, because I myself learned quite a bit from the other folks who have been sharing content, very relevant content, you know, so I try my best to do that on data science, sometimes with the topic being security, most of the times like ML-related content, and then I also do my own analysis.
Being a data person, obviously I analyze my own audience demographics, and I realized most of my audience is the new grads or the early career data scientists. So, the way I write content is kind of targeting that majority of the population of my audience, and I have been getting positive feedback that it has helped them somewhere in their career, you know, to build up the skills or whatever way it is.
I welcome everyone to connect with me, and if there are any questions or anything, you know, we can do a mentoring session. I also offer mentoring sessions for free. I’ve done more than 700 mentoring sessions so far …
Evan Wimpey: Wow.
Nirmal Budhathoki: … which is, if I look back, it’s crazy. I’m like, wow, how did I manage to do that, you know.
Evan Wimpey: Wow, that is incredible. Over what roughly timeframe is that 700 sessions on average?
Nirmal Budhathoki: I was doing the math the other day. I was like, some of the calls were 15 to 20 minute calls. Some of them were like 30 to 40 minute calls. So on average, if I took 30 minutes per session, you know, it’s roughly 350 hours, right, of commitment. And I mean, I really feel good that, I mean, not only that, I feel good because I spent that much time, but like the impact of that, I always measure the impact, right?
So I started getting people’s responses that, hey, some folks have just, you know, like, I helped them to get a job, you know, with their resume reviews, or even to have a short conversation about the interview, how to prep for a particular company or particular role, right? So, and it’s very fascinating.
And it’s motivating, especially when I hear from those folks, and I will continue this path. You know.
Evan Wimpey: That’s incredible. What a positive impact for the community and helping the community grow. And if you’re listening to this, don’t try it if you’re driving, you know, don’t try to click around, but we’ll definitely include a link in the show notes. Is LinkedIn the best place for folks who are interested in mentoring or having one of those discussions with you?
Nirmal Budhathoki: LinkedIn is the best place, and I will be looking forward to connecting, you know.
Evan Wimpey: We will definitely put it in there. I’ll try to get you 700 more. Thank you. I can help out. I do want to ask you one more question. There’s a lot going on at Microsoft. There’s a lot of products coming out. There’s a lot of advancements in both analytics. There’s a lot to try to do to catch up on in the security world. As always, if everybody at Microsoft was behind your vision and you got to put the resources towards whatever project, whatever product, whatever thing you wanted to, where would you point your efforts?
Where would you try to go?
Nirmal Budhathoki: Oh, yeah. So interesting. So I would probably put a lot of effort on the optimization of workflows. You know, so I mean, there’s a lot of work going on as well, regardless of what model we use or, you know, like, how do we solve the problem? The main thing is to identify what is the problem, right?
So for me, if I have to put time and effort, and if I had the opportunity to do it, I would probably, you know, like pull all the workflows, especially what are the workflows in security, right? Look, alert processing is one, right? So there could be many, right? So like if someone got some submission of a case or vulnerability report, how are they processing it, how are they triaging it?
So basically the goal is to pull all these workflows and then look into these workflows. Where are the bottlenecks? Right. So basically, if you want to impact with this technology or the ML system, then one of the major impacts will be time savings. You know, we don’t always, especially in security, we don’t always generate the straightforward otherwise, right?
So it’s just the revenues are, I mean, time is money, right? We have to think that way. So how many folks are you putting in the security operations center right now? And then if you build something, how much cost reduction can you make, and that obviously, cost saving, is your impact. So I would probably pull up all the workflows and see where the bottlenecks are, and then if there’s a feasible ML problem, then try to tackle it that way. I think just the automation of the workflow is going to be the best bang for the buck, you know, so awesome.
Evan Wimpey: I think that’s a really telling answer. I think a lot of folks probably, you know, that are as familiar as I am with Microsoft, where it’s a big brand name and they’re high tech and they’re great, you think, oh, all their workflows must be perfectly optimized and streamlined to be able to scale and do the things they do.
So I think it’s an encouraging answer that you would say something like that. So to listeners and other organizations that maybe feel like they’re behind, well, everybody’s trying to optimize workflows. So I think that’s a great answer.
Nirmal Budhathoki: Also, to add a little bit, sometimes we think of solving the problem a hundred percent at a time.
And in my own experience, if I’m looking back, you know, there could be many low-hanging fruits, right? So there could be many things that you can take care of right away, right, with a simple process in place or building a simple model in place. You don’t really have to build a complex model to solve everything a hundred percent, right?
So you need to do a lot of data analysis ahead of time. So that’s why I say that for the data analysis, you have to spend a lot of time in the exploration stage, because there could be like 80/20 rules you can apply, right? Like 80 percent of your things you can solve with 20 percent of the resources or something you can build.
So always focus on that, because even solving those most common problems is already helping your customers or making your system better, you know, think in that way as well.
Evan Wimpey: Awesome. Thank you so much for coming on the show and sharing your insights with us today. Ladies and gentlemen, our guest, Nirmal Budhathoki from Microsoft.
Thanks so much for coming on.
Nirmal Budhathoki: Yeah, thank you. Thank you for having me.