1
00:00:00,000 --> 00:00:08,640
Welcome to the Talking Security podcast.

2
00:00:08,640 --> 00:00:12,720
We will talk about items related to Microsoft's security.

3
00:00:12,720 --> 00:00:25,440
So, we are back with a new recording of the Talking Security podcast.

4
00:00:25,440 --> 00:00:30,920
This time about Defender for Servers in the Defender for Cloud series.

5
00:00:30,920 --> 00:00:34,120
What I'm doing together with Pouyan.

6
00:00:34,120 --> 00:00:35,120
We're back.

7
00:00:35,120 --> 00:00:36,120
Definitely.

8
00:00:36,120 --> 00:00:37,320
Good to be back here, Frans.

9
00:00:37,320 --> 00:00:38,120
Yeah.

10
00:00:38,120 --> 00:00:40,960
In the meantime, you visited America?

11
00:00:40,960 --> 00:00:45,960
Yes, I was there two weeks ago for the MVP summit.

12
00:00:45,960 --> 00:00:46,960
So, how was that?

13
00:00:46,960 --> 00:00:47,960
First time.

14
00:00:47,960 --> 00:00:50,480
It was my first physical summit.

15
00:00:50,480 --> 00:00:52,760
It was great to be there.

16
00:00:52,760 --> 00:01:01,320
We interacted with the PMs, sharing knowledge, getting back some feedback.

17
00:01:01,320 --> 00:01:04,280
So, it was a really awesome experience.

18
00:01:04,280 --> 00:01:05,280
Yeah, great.

19
00:01:05,280 --> 00:01:11,400
Today's guest, Tom Janetscheck, previous MVP.

20
00:01:11,400 --> 00:01:16,360
But nowadays working in the Defender for Cloud team, and especially Defender for Servers,

21
00:01:16,360 --> 00:01:23,040
a short introduction, maybe, because you're already a friend of the show.

22
00:01:23,040 --> 00:01:26,520
You were here in previous recordings as well.

23
00:01:26,520 --> 00:01:30,160
But maybe it's good to inform the people who you are.

24
00:01:30,160 --> 00:01:31,160
Yeah, absolutely.

25
00:01:31,160 --> 00:01:33,680
First of all, thanks for having me here today.

26
00:01:33,680 --> 00:01:38,120
So, as you said, my name is Tom, and I'm a product manager on Defender for Cloud.

27
00:01:38,120 --> 00:01:41,440
In my role, I'm especially focusing on Defender for Servers.

28
00:01:41,440 --> 00:01:47,240
And we are helping our customers not only to deploy the product in the environment, but also

29
00:01:47,240 --> 00:01:54,080
to remove blockers, take feature requests, have very deep conversations with MVPs like you.

30
00:01:54,080 --> 00:01:58,000
So it's quite an interesting role, and happy to be here today.

31
00:01:58,000 --> 00:02:01,320
Yeah, thank you for joining as well.

32
00:02:01,320 --> 00:02:08,120
Last recording, we did a recording with Rod about Defender for Cloud in general.

33
00:02:08,120 --> 00:02:15,520
And in the talk, we mentioned a few Defender products.

34
00:02:15,520 --> 00:02:21,120
In the onboarding, we already talked about a few.

35
00:02:21,120 --> 00:02:30,120
One of the numbers that I named was 127, but I don't know how many Defenders are in Defender

36
00:02:30,120 --> 00:02:34,000
for Cloud, but there are a few of them, aren't there?

37
00:02:34,000 --> 00:02:35,000
That's correct.

38
00:02:35,000 --> 00:02:38,280
Well, it's not 127, obviously.

39
00:02:38,280 --> 00:02:42,000
But I think it's like a number of around 15 different plans.

40
00:02:42,000 --> 00:02:46,680
Now, in Defender for Cloud, they're not separate products, but capabilities that you

41
00:02:46,680 --> 00:02:50,280
can enable or disable depending on your needs.

42
00:02:50,280 --> 00:02:53,400
For example, for Defender for Servers, we have two different plans.

43
00:02:53,400 --> 00:02:55,920
Defender for Servers plan 1 and plan 2.

44
00:02:55,920 --> 00:03:01,360
And yeah, it really depends on what you're looking for to protect your environment with.

45
00:03:01,360 --> 00:03:06,640
You can select any combination of these plans, basically, on your subscriptions.

46
00:03:06,640 --> 00:03:13,880
And if looking at Defender for Cloud, one of the biggest Defenders in Defender for Cloud

47
00:03:13,880 --> 00:03:19,560
is Defender for Servers, in my opinion, because a lot of VMs are running in Azure,

48
00:03:19,560 --> 00:03:25,920
but also in other places, like locally, or in other cloud solutions, and it can be used

49
00:03:25,920 --> 00:03:29,520
within Defender for Servers.

50
00:03:29,520 --> 00:03:37,480
What is Defender for Servers basically doing in general within Defender for Cloud?

51
00:03:37,480 --> 00:03:39,320
Can you highlight a few of them?

52
00:03:39,320 --> 00:03:44,960
Yeah, so Defender for Servers, basically, is the server protection capability within

53
00:03:44,960 --> 00:03:47,080
the scope of Defender for Cloud.

54
00:03:47,080 --> 00:03:52,120
That means that we are not only looking into the operating system to protect it from threats

55
00:03:52,120 --> 00:03:57,960
like malware, but also from real-time attacks.

56
00:03:57,960 --> 00:04:02,040
And we also look at the network layer and also give you additional capabilities like

57
00:04:02,040 --> 00:04:05,880
just-in-time VM access, a capability that was introduced a few years back, but it's

58
00:04:05,880 --> 00:04:10,680
still very relevant, because you do not want to have a virtual machine that has its management

59
00:04:10,680 --> 00:04:13,560
ports open to the internet.

60
00:04:13,560 --> 00:04:17,880
And if so, if you need to do it, you want to block them and only open them according to

61
00:04:17,880 --> 00:04:18,880
your needs.

62
00:04:18,880 --> 00:04:20,840
So, when you need it and if you need it.

63
00:04:20,840 --> 00:04:24,640
And this is where just-in-time VM access comes into play. Then there are other additional

64
00:04:24,640 --> 00:04:29,880
capabilities and cloud native tools like adaptive application controls, adaptive network

65
00:04:29,880 --> 00:04:32,480
hardening and network layer threat detection.

66
00:04:32,480 --> 00:04:37,600
So, it's not similar to Microsoft Defender for Endpoint, and this is, by the way, often

67
00:04:37,600 --> 00:04:42,120
the question we are getting, like, hey Tom, why do I need to use Defender for

68
00:04:42,120 --> 00:04:44,120
Servers when I can use Defender for Endpoint?

69
00:04:44,120 --> 00:04:46,560
And the answer is it's better together.

70
00:04:46,560 --> 00:04:53,200
So, we are using Defender for Endpoint as part of Defender for Servers, but it's not a replacement

71
00:04:53,200 --> 00:04:55,920
for Defender for Endpoint, and the other way around.

72
00:04:55,920 --> 00:05:01,840
Defender for Endpoint is not enough to protect cloud servers if they are running in any cloud,

73
00:05:01,840 --> 00:05:05,200
virtual or hybrid cloud environment.

74
00:05:05,200 --> 00:05:10,640
Also, I think you indeed mentioned some big differences between the products, because

75
00:05:10,640 --> 00:05:14,160
that was also one of the questions we get a lot like what's the difference between Defender

76
00:05:14,160 --> 00:05:16,400
for Endpoint and Defender for Servers.

77
00:05:16,400 --> 00:05:21,200
You also touched on technologies like just-in-time.

78
00:05:21,200 --> 00:05:27,920
What's, in your opinion, one of the most important enrichments of Defender for

79
00:05:27,920 --> 00:05:33,280
Servers when it comes to Defender for Cloud integration?

80
00:05:33,280 --> 00:05:38,920
We have just-in-time, for example, but we also have things like the vulnerability

81
00:05:38,920 --> 00:05:46,000
assessment. What would be the most important for you, in your opinion?

82
00:05:46,000 --> 00:05:52,480
I think it's a combination of all of them.

83
00:05:52,480 --> 00:05:55,280
First of all, and this is in both of our plans, I want to mention the MDE integration, the integration

84
00:05:55,280 --> 00:05:58,320
with Microsoft Defender for Endpoint.

85
00:05:58,320 --> 00:06:02,080
In Defender for Cloud, we are trying not to reinvent the wheel, so that means that if we

86
00:06:02,080 --> 00:06:07,200
have a great solution in-house, then we are trying to leverage that solution as part of our

87
00:06:07,200 --> 00:06:08,200
product.

88
00:06:08,200 --> 00:06:14,080
And this is why we decided to use Microsoft Defender for Endpoint, as the market leader in the

89
00:06:14,080 --> 00:06:22,640
EDR space, which means that by using Defender for Servers, you are eligible to leverage

90
00:06:22,640 --> 00:06:25,000
Microsoft Defender for Endpoint on these servers.

91
00:06:25,000 --> 00:06:28,680
That's a great solution for protecting your operating system.

92
00:06:28,680 --> 00:06:35,040
You will get the capability to leverage Microsoft Defender Antivirus as a

93
00:06:35,040 --> 00:06:38,200
next-generation anti-malware solution.

94
00:06:38,200 --> 00:06:42,280
You can use Microsoft Defender Vulnerability Management to see vulnerabilities on your actual

95
00:06:42,280 --> 00:06:43,280
machine.

96
00:06:43,280 --> 00:06:49,720
So this is a huge combination that is available in Defender for Servers plan 1 already.

97
00:06:49,720 --> 00:06:53,360
Then when it comes to plan 2, these are more the enhanced capabilities, like you mentioned,

98
00:06:53,360 --> 00:06:56,600
the just-in-time VM access.

99
00:06:56,600 --> 00:07:02,080
And this is by the way one of the reasons why we do not allow customers to pick and

100
00:07:02,080 --> 00:07:06,560
choose separate capabilities as part of Defender for Servers to be used.

101
00:07:06,560 --> 00:07:10,640
If you are using Defender for Servers plan 2, you will have the whole toolbox.

102
00:07:10,640 --> 00:07:12,240
You can use all of it.

103
00:07:12,240 --> 00:07:15,680
And this is what we actually want to encourage our customers to do.

104
00:07:15,680 --> 00:07:18,920
Just-in-time VM access is great to block management ports.

105
00:07:18,920 --> 00:07:22,920
Adaptive network hardening is great to analyze your network traffic and to give you

106
00:07:22,920 --> 00:07:27,400
an indication of whether you should block communications to your servers because there is a machine

107
00:07:27,400 --> 00:07:30,560
or an endpoint communicating to these machines.

108
00:07:30,560 --> 00:07:36,560
Adaptive network layer threat detection will give you insights into what is actually happening

109
00:07:36,560 --> 00:07:38,360
on the network layer.

110
00:07:38,360 --> 00:07:42,320
Before you will get a security alert created by Microsoft Defender for Endpoint, which is

111
00:07:42,320 --> 00:07:45,040
looking at the operating system level only.

112
00:07:45,040 --> 00:07:47,360
So it's that big combination of all of it.

113
00:07:47,360 --> 00:07:52,760
And I'm sure that Rod last time was talking about Defender CSPM, which is a different

114
00:07:52,760 --> 00:07:55,200
plan in Defender for Cloud.

115
00:07:55,200 --> 00:07:59,240
We have that very close integration with the Agentless Scanning platform.

116
00:07:59,240 --> 00:08:03,400
Now the Agentless Scanning platform is part of both Defender CSPM and Defender for Servers

117
00:08:03,400 --> 00:08:09,680
plan 2, and it allows you to use Microsoft Defender Vulnerability Management as a vulnerability

118
00:08:09,680 --> 00:08:13,520
assessment solution in both worlds.

119
00:08:13,520 --> 00:08:17,520
The reason why we're doing it is because we want to give customers that are looking

120
00:08:17,520 --> 00:08:22,920
for in-depth knowledge when it comes to protecting the environment using the security

121
00:08:22,920 --> 00:08:27,600
posture management approach to see the vulnerabilities without actually having to deploy

122
00:08:27,600 --> 00:08:29,640
an agent to these machines.

123
00:08:29,640 --> 00:08:33,480
So this is why Agentless Scanning is so big.

124
00:08:33,480 --> 00:08:35,800
It will create a snapshot of your machine.

125
00:08:35,800 --> 00:08:39,840
We will be scanning that snapshot using the Microsoft Defender Vulnerability Management backend

126
00:08:39,840 --> 00:08:44,200
and submit the results back to Defender for Cloud's portal.

127
00:08:44,200 --> 00:08:50,120
Now in the enhanced version with Defender for Endpoint integration, you can use that agent on top

128
00:08:50,120 --> 00:08:55,360
to get similar insights but you will not have to wait for 24 hours.

129
00:08:55,360 --> 00:09:00,320
You will get it quicker, but just to get the vulnerability assessment results, we do not want

130
00:09:00,320 --> 00:09:05,600
to force customers to use an agent and this is why Agentless Scanning is so important.

131
00:09:05,600 --> 00:09:11,240
So yeah, it's a very long answer to a short question, but it's not like we can say

132
00:09:11,240 --> 00:09:16,160
you just want one capability or the other; it's a combination of all of them, which makes Defender

133
00:09:16,160 --> 00:09:20,560
for Servers a great toolbox for protecting your server environments in the cloud.

134
00:09:20,560 --> 00:09:23,160
It triggers me a little bit.

135
00:09:23,160 --> 00:09:26,840
We have Defender for Cloud's security posture management.

136
00:09:26,840 --> 00:09:29,840
We have vulnerability management within Defender for Servers.

137
00:09:29,840 --> 00:09:35,160
We have vulnerability management within Defender for Endpoint, within Defender for Endpoint.

138
00:09:35,160 --> 00:09:41,040
We have already a premium add-on for vulnerability management.

139
00:09:41,040 --> 00:09:47,680
Can you probably highlight a little bit what are the differences?

140
00:09:47,680 --> 00:09:48,680
Is it integrating?

141
00:09:48,680 --> 00:09:55,680
You already said that it's integrated, but what should I use?

142
00:09:55,680 --> 00:09:57,320
It's a little bit confusing.

143
00:09:57,320 --> 00:10:02,400
There is so much in the world regarding vulnerability management.

144
00:10:02,400 --> 00:10:03,400
Right.

145
00:10:03,400 --> 00:10:07,440
So let's first look at Defender for Endpoint.

146
00:10:07,440 --> 00:10:09,880
Now I'm not an expert on Defender for Endpoint.

147
00:10:09,880 --> 00:10:13,360
I can talk about the integration and the capabilities that we are leveraging.

148
00:10:13,360 --> 00:10:19,120
But the main idea of Defender for Endpoint is to get that whole suite that we've been talking about.

149
00:10:19,120 --> 00:10:23,040
EDR, anti-malware, Microsoft Defender Vulnerability Management,

150
00:10:23,040 --> 00:10:26,160
Microsoft Defender Vulnerability Management add-on.

151
00:10:26,160 --> 00:10:32,480
For all your operating systems, no matter if that is a smartphone, a notebook, a server or whatever.

152
00:10:32,480 --> 00:10:36,040
Defender for Servers has a slight overlap when it comes to servers.

153
00:10:36,040 --> 00:10:37,480
But we are just looking at servers.

154
00:10:37,480 --> 00:10:39,600
We are not looking at smartphones or notebooks.

155
00:10:39,600 --> 00:10:43,760
Because we are not interested in protecting endpoints, we are interested in protecting

156
00:10:43,760 --> 00:10:47,840
hybrid and multi-cloud environments including their servers.

157
00:10:47,840 --> 00:10:52,720
Now as I said before we are not trying to reinvent the wheel which is why we decided

158
00:10:52,720 --> 00:10:56,280
to have that tight integration with Microsoft Defender for Endpoint.

159
00:10:56,280 --> 00:11:00,800
What we do is, in Defender for Servers plan 1, you will have the capability to leverage

160
00:11:00,800 --> 00:11:06,360
Microsoft Defender for Endpoint's EDR, anti-malware, and MDVM, Microsoft Defender Vulnerability

161
00:11:06,360 --> 00:11:08,320
Management, capability.

162
00:11:08,320 --> 00:11:14,520
In plan 2 we add the Agentless Scanning and the Microsoft Defender Vulnerability Management

163
00:11:14,520 --> 00:11:16,040
add-on.

164
00:11:16,040 --> 00:11:24,280
So everything that you can get from the MDVM perspective for operating systems is integrated

165
00:11:24,280 --> 00:11:28,840
in Defender for Servers plan 1 or plan 2 for servers.

166
00:11:28,840 --> 00:11:35,600
So you actually do not have to buy a license for Defender for Endpoint for these server

167
00:11:35,600 --> 00:11:40,200
operating systems. We can detect the server, and if you enable Defender for Servers plan 1

168
00:11:40,200 --> 00:11:45,640
or plan 2 we will offer the automated deployment, the integration and our come to the

169
00:11:45,640 --> 00:11:48,800
integration in the bit and the license coverage for these machines.

170
00:11:48,800 --> 00:11:54,080
So you will automatically be paying for Defender for Servers, and that includes a license

171
00:11:54,080 --> 00:11:58,120
or eligibility to use that license for Microsoft Defender for Endpoint.

172
00:11:58,120 --> 00:12:03,000
Now you also mentioned the integration and what actually is integrated.

173
00:12:03,000 --> 00:12:07,400
There are several things. The first thing, obviously, is the threat detection part, which means

174
00:12:07,400 --> 00:12:12,760
that if Microsoft Defender for Endpoint creates a security alert for a server that is covered

175
00:12:12,760 --> 00:12:17,600
by Defender for Servers, this Microsoft Defender for Endpoint alert will be shown in the

176
00:12:17,600 --> 00:12:19,960
Defender for Servers alert portal.

177
00:12:19,960 --> 00:12:23,920
And then in that portal you can click a link and you will be redirected to the Microsoft Defender

178
00:12:23,920 --> 00:12:29,400
for Endpoint security center, where you can then go threat hunting and use advanced

179
00:12:29,400 --> 00:12:34,040
hunting queries and find out more about what is actually happening on that machine.

180
00:12:34,040 --> 00:12:38,520
The second aspect is the software inventory. The software inventory is created by Microsoft

181
00:12:38,520 --> 00:12:42,080
Defender Vulnerability Management, and using the MDE integration,

182
00:12:42,080 --> 00:12:46,840
we are showing these vulnerability findings in Defender for Cloud.

183
00:12:46,840 --> 00:12:52,280
And the third aspect actually is the vulnerability assessment capability.

184
00:12:52,280 --> 00:12:58,520
So we will have security alerts, vulnerability findings and software inventory which is

185
00:12:58,520 --> 00:13:03,920
created by Microsoft Defender for Endpoint and highlighted in the Defender for Cloud portal.

186
00:13:03,920 --> 00:13:13,320
So Tom, all these awesome features and, I think, output that customers can use to see

187
00:13:13,320 --> 00:13:17,760
how their security posture is. Where can they find all this information?

188
00:13:17,760 --> 00:13:20,320
Where is it in the security that Microsoft?

189
00:13:20,320 --> 00:13:21,920
Is it in Azure portal?

190
00:13:21,920 --> 00:13:28,640
Okay, explain a little on where they need to start with configuring all this, and

191
00:13:28,640 --> 00:13:35,160
what can they expect, and where can they expect the output of this security investigation?

192
00:13:35,160 --> 00:13:40,600
So as I said, the security alerts, vulnerability findings and the software inventory will be

193
00:13:40,600 --> 00:13:42,800
shown on both sides.

194
00:13:42,800 --> 00:13:48,800
In Defender for Cloud we do not show, or we do not give you the capability to actually configure,

195
00:13:48,800 --> 00:13:54,920
anti-malware exclusions, for example. That is something that is done on the M365 side of the house.

196
00:13:54,920 --> 00:14:00,320
In Defender for Cloud, and especially in the Defender for Servers plan, we will offer the automated

197
00:14:00,320 --> 00:14:02,480
deployment and integration.

198
00:14:02,480 --> 00:14:09,040
And we will just show you the information, where we do not let you, let's say, go

199
00:14:09,040 --> 00:14:12,760
threat hunting, because that is something that is then done in the other portal.

200
00:14:12,760 --> 00:14:17,720
When we take a look at the persona using the different capabilities then oftentimes,

201
00:14:17,720 --> 00:14:21,400
the Microsoft Defender for Cloud portal is being used by resource owners.

202
00:14:21,400 --> 00:14:26,120
So the team that owns the actual server, and they might not be security specialists.

203
00:14:26,120 --> 00:14:30,520
So they might not even know what to actually do with the information that is being shown

204
00:14:30,520 --> 00:14:37,160
as part of a security alert, while the Microsoft 365 Defender security portal, and also Microsoft

205
00:14:37,160 --> 00:14:42,680
Sentinel by the way, oftentimes are being used by the security operations center, like security

206
00:14:42,680 --> 00:14:46,160
specialists that really know what they are doing and what they are looking for.

207
00:14:46,160 --> 00:14:51,240
So it's two different teams looking at two different sets of information.

208
00:14:51,240 --> 00:14:55,400
And in Defender for Cloud we are trying to give resource owners at least a good indication

209
00:14:55,400 --> 00:15:00,480
that there is something suspicious or malicious happening on a machine.

210
00:15:00,480 --> 00:15:03,320
And then we also give you some information about what you should do.

211
00:15:03,320 --> 00:15:07,720
Like for example, if there is a brute force attack alert that is being created for a server,

212
00:15:07,720 --> 00:15:11,920
you will see information that you could either block the management port for a particular

213
00:15:11,920 --> 00:15:14,600
server or particular endpoint.

214
00:15:14,600 --> 00:15:19,000
You should always raise a ticket with your security operations center, your security specialists

215
00:15:19,000 --> 00:15:22,880
in house, maybe patch the machine and so on.

216
00:15:22,880 --> 00:15:26,840
So there is some information for the resource owner themselves.

217
00:15:26,840 --> 00:15:31,880
But when it comes to really going deep into the weeds, into understanding what is happening

218
00:15:31,880 --> 00:15:35,600
on the machine and why is it happening, then this is something a different team is looking

219
00:15:35,600 --> 00:15:39,160
into and this is why we have a different portal there.

220
00:15:39,160 --> 00:15:47,040
Also, this is I think a clear explanation also on different roles I think, what you touch

221
00:15:47,040 --> 00:15:49,880
on the term.

222
00:15:49,880 --> 00:15:57,120
Now we are talking about Defender for Servers, Defender for Cloud; a lot of it sounds like it is for

223
00:15:57,120 --> 00:15:59,120
Azure.

224
00:15:59,120 --> 00:16:04,880
Can you elaborate on: is it also, for example, can we install it in our data center, can

225
00:16:04,880 --> 00:16:08,120
we do it in our multi-cloud environment?

226
00:16:08,120 --> 00:16:12,920
What about things like Linux distribution systems?

227
00:16:12,920 --> 00:16:21,280
Can we also use the same capabilities for all the platforms?

228
00:16:21,280 --> 00:16:29,280
Well, the short answer is mainly yes, the longer answer is it depends.

229
00:16:29,280 --> 00:16:34,240
So first of all, yes, Microsoft Defender for Cloud is a multi-cloud and hybrid cloud security

230
00:16:34,240 --> 00:16:35,560
platform.

231
00:16:35,560 --> 00:16:39,720
So this is, by the way, one of the reasons why we changed the name from Azure Security

232
00:16:39,720 --> 00:16:42,520
Center into Microsoft Defender for Cloud.

233
00:16:42,520 --> 00:16:48,240
Because we offer coverage for AWS, for GCP, but also for on-prem.

234
00:16:48,240 --> 00:16:53,600
And we offer the most important plans for these environments, which includes Defender CSPM,

235
00:16:53,600 --> 00:16:57,440
Defender for servers and also Defender for containers.

236
00:16:57,440 --> 00:17:03,760
When it comes to non-Azure machines, you see that there is a slight shift in naming,

237
00:17:03,760 --> 00:17:10,080
because back in the days we've been talking about, I cannot even remember what we've been

238
00:17:10,080 --> 00:17:14,360
talking about, but today we are talking about Azure VMs and non-Azure machines that are connected

239
00:17:14,360 --> 00:17:16,200
via Azure Arc.

240
00:17:16,200 --> 00:17:21,080
Azure Arc is an additional agent, and in Defender for Cloud we treat it as the vehicle

241
00:17:21,080 --> 00:17:24,520
that we can use to integrate non-Azure machines.

242
00:17:24,520 --> 00:17:31,160
So that means that once you have Azure Arc deployed to an AWS EC2, GCP compute instance,

243
00:17:31,160 --> 00:17:36,720
or even your on-prem server and connect that machine to the Azure subscription, we can

244
00:17:36,720 --> 00:17:45,240
manage it similarly to an Azure virtual machine, including policy capabilities, guest configuration,

245
00:17:45,240 --> 00:17:49,680
but also deployment mechanisms, which includes extensions.

246
00:17:49,680 --> 00:17:55,480
Now there's oftentimes a little misunderstanding of what an extension actually is, and

247
00:17:55,480 --> 00:17:59,960
to be fair, it depends on the actual, well, extension.

248
00:17:59,960 --> 00:18:05,200
In the scope of Microsoft Defender for Endpoint, we are using an MDE.Linux or MDE.Windows

249
00:18:05,200 --> 00:18:08,640
extension and this is just the management interface.

250
00:18:08,640 --> 00:18:14,200
You can see it similarly to a custom script extension that you might know for Azure virtual

251
00:18:14,200 --> 00:18:15,200
machines.

252
00:18:15,200 --> 00:18:19,720
So this extension can now automatically be deployed to an Azure Arc machine, and then inside

253
00:18:19,720 --> 00:18:26,480
the operating system, there's an onboarding script that will run, check some prerequisites

254
00:18:26,480 --> 00:18:30,640
and then deploy Microsoft Defender for Endpoint into that machine's operating system.

255
00:18:30,640 --> 00:18:35,160
Then it is connected to the MDE backend and by connecting it, we will detect that machine

256
00:18:35,160 --> 00:18:41,440
and we can see that there is a machine that has Microsoft Defender for Endpoint coverage

257
00:18:41,440 --> 00:18:47,000
and also then have that alert, vulnerability assessment and software inventory integration

258
00:18:47,000 --> 00:18:48,000
there.

259
00:18:48,000 --> 00:18:53,560
So Azure Arc is the main vehicle that we use, but not only for Microsoft Defender for Endpoint,

260
00:18:53,560 --> 00:18:56,120
but also, for example, for the Azure Monitor agent.

261
00:18:56,120 --> 00:19:03,120
So with Azure Arc, there are a lot of additional capabilities that are coming for agent deployment,

262
00:19:03,120 --> 00:19:07,480
for agent integration, the guest configuration.

263
00:19:07,480 --> 00:19:12,600
So there's quite a lot of capabilities that come with Azure Arc and this is why we decided

264
00:19:12,600 --> 00:19:18,120
to use that as a vehicle for us to deploy additional capabilities to these machines.

265
00:19:18,120 --> 00:19:25,360
So Azure Arc for our hybrid environment, if we have on-prem stuff, we can use Azure Arc

266
00:19:25,360 --> 00:19:30,480
to leverage Defender for Cloud and Defender for Servers capabilities.

267
00:19:30,480 --> 00:19:37,440
What about other cloud platforms like Amazon, because Defender for Cloud also integrates

268
00:19:37,440 --> 00:19:40,320
with Amazon, Google and so on.

269
00:19:40,320 --> 00:19:43,800
What about Defender for Servers in that part?

270
00:19:43,800 --> 00:19:48,320
So it's a little bit different, but still relying on Azure Arc.

271
00:19:48,320 --> 00:19:53,800
What we're doing there is you can deploy a multi-cloud connector to your AWS account

272
00:19:53,800 --> 00:20:00,760
or your GCP project or the management account or the, I think it's called Master Project on GCP.

273
00:20:00,760 --> 00:20:06,260
The idea is to first create the connector and then we will provide you foundational CSPM

274
00:20:06,260 --> 00:20:07,360
at no additional cost.

275
00:20:07,360 --> 00:20:11,920
That means that as soon as the connector is created and we are able to retrieve the information

276
00:20:11,920 --> 00:20:17,880
from the third-party Cloud platform, you will get security recommendations for all resources

277
00:20:17,880 --> 00:20:19,800
that we can detect in there.

278
00:20:19,800 --> 00:20:25,460
So the security recommendations part of Defender for Cloud is what we refer to as foundational

279
00:20:25,460 --> 00:20:30,240
CSPM and this is coming at no additional cost as soon as you create the connector.

280
00:20:30,240 --> 00:20:34,560
On top of the connector, you can enable Defender for Servers, Defender for Containers, Defender

281
00:20:34,560 --> 00:20:37,680
for, I'm sorry, Defender CSPM.

282
00:20:37,680 --> 00:20:39,120
I think Defender for SQL.

283
00:20:39,120 --> 00:20:46,040
So there are quite a lot of additional plans that you can enable on top of the

284
00:20:46,040 --> 00:20:52,040
connector, and if you enable Defender for Servers, for example, what happens is you are asked

285
00:20:52,040 --> 00:20:57,440
to also enable Azure Arc auto-provisioning and Microsoft Defender for Endpoint auto-provisioning.

286
00:20:57,440 --> 00:21:03,200
What we will then do is we will deploy the Azure Arc component onto these machines and as soon

287
00:21:03,200 --> 00:21:08,520
as the machine shows up as an Arc resource, we can then deploy the MDE.Linux or MDE.Windows

288
00:21:08,520 --> 00:21:13,120
extension on top of the Azure Arc resource and then again have the onboarding script running

289
00:21:13,120 --> 00:21:20,120
in the operating system, which will then onboard Defender for Endpoint and also use, or allow,

290
00:21:20,120 --> 00:21:23,120
us to integrate it into Defender for Cloud.

291
00:21:23,120 --> 00:21:26,800
You're mentioning Linux distributions as well.

292
00:21:26,800 --> 00:21:34,360
In one of your last sentences. Are there the same limitations for Linux distributions

293
00:21:34,360 --> 00:21:37,720
as for Defender for Endpoint?

294
00:21:37,720 --> 00:21:47,200
Not all distributions are supported, in my opinion, but probably with vulnerability scanning

295
00:21:47,200 --> 00:21:52,600
you get some information. Can you highlight something about it?

296
00:21:52,600 --> 00:22:00,400
So in general, we rely on the other teams' supportability matrices, which means that if the Defender

297
00:22:00,400 --> 00:22:05,400
for Endpoint team says there is a Linux distribution that they are not supporting, then

298
00:22:05,400 --> 00:22:10,400
we are not supporting it as well, because in the end, what we are running on the operating

299
00:22:10,400 --> 00:22:15,400
system basically is very similar to the onboarding script that you know from the Microsoft 365

300
00:22:15,400 --> 00:22:21,400
security portal, that you can run as a manual script on the operating system.

301
00:22:21,400 --> 00:22:26,400
So if they do not support it, we cannot support it, because it's not our solution, it's just

302
00:22:26,400 --> 00:22:33,400
MDE, Defender for Endpoint, that we have to rely on.

303
00:22:33,400 --> 00:22:39,400
So when it comes to agentless scanning, it might be a little bit different.

304
00:22:39,400 --> 00:22:44,400
So this is then something to really look into, depending on the operating system, because

305
00:22:44,400 --> 00:22:50,400
what agentless scanning will do is, and this is not only true for Azure but also for AWS,

306
00:22:50,400 --> 00:22:56,400
we will create, or we will leverage the platform to create, a disk snapshot from each of the

307
00:22:56,400 --> 00:23:03,400
EC2 instances, and this snapshot is then being scanned. So what happens is that we are sending the

308
00:23:03,400 --> 00:23:08,400
telemetry to the MDVM backend. We will use the Defender Vulnerability Management backend to scan that image.

309
00:23:08,400 --> 00:23:14,400
And if we have vulnerability findings, they will be reported back into the Defender for Cloud portal.

310
00:23:14,400 --> 00:23:19,400
So there might be additional operating systems that might not be supported by the

311
00:23:19,400 --> 00:23:26,400
agent itself, but it's something we would have to take a closer look into, depending on the use case.

312
00:23:26,400 --> 00:23:32,400
Yeah. So in terms of onboarding, it sounds incredibly easy.

313
00:23:32,400 --> 00:23:39,400
Easy sounds too good. And we have of course the experience; it is also really good.

314
00:23:39,400 --> 00:23:47,400
But what do customers that already have different solutions running need to take into consideration?

315
00:23:47,400 --> 00:23:55,400
What would your recommendations be for customers that are already running other platforms or systems?

316
00:23:55,400 --> 00:24:01,400
So when it comes to Microsoft Defender for Endpoint deployment, and this is not unique to

317
00:24:01,400 --> 00:24:07,400
Defender for Servers or Defender for Cloud but is basically for Defender for Endpoint itself,

318
00:24:07,400 --> 00:24:10,400
there are different scenarios.

319
00:24:10,400 --> 00:24:17,400
And basically it's for the unified solution, which is for Defender for, I'm sorry, for Windows Server 2012

320
00:24:17,400 --> 00:24:20,400
R2 and 2016 and for Linux.

321
00:24:20,400 --> 00:24:28,400
When we take a look at what happens by using the MDE extensions as part of Defender for Servers,

322
00:24:28,400 --> 00:24:35,400
then on Linux we will deploy the Defender antivirus component in passive mode.

323
00:24:35,400 --> 00:24:42,400
This is to avoid some accidents and the machine going down just because of the MDE deployment.

324
00:24:42,400 --> 00:24:52,400
When it comes to Windows, there are simply prerequisites on Windows Server 2012 R2 and 2016; especially, this is for the MDE unified solution.

325
00:24:52,400 --> 00:24:58,400
On 2016 you need to make sure that the antivirus component is running in active mode.

326
00:24:58,400 --> 00:25:07,400
So if there is a third-party antivirus there, you should remove it before actually trying to deploy MDE using the MDE extension as part of Defender for Servers.

327
00:25:07,400 --> 00:25:14,400
And on Windows Server 2012 R2 we will deploy the Defender antivirus component to this operating system, because it's not built in.

328
00:25:14,400 --> 00:25:21,400
It's something that has to be installed on top of it, and then it's also being installed in active mode.

329
00:25:21,400 --> 00:25:33,400
So if you want to avoid any issues, you should basically remove the third-party anti-malware component on these machines, just to make sure that everything is working as expected.

330
00:25:33,400 --> 00:25:49,400
What you can do is, if you are using an alternate onboarding mechanism, there might be a solution to deploy the antivirus component besides Defender for Endpoint.

331
00:25:49,400 --> 00:25:56,400
But this is something I'm not totally aware of, and then you could set the antivirus component into passive mode.

332
00:25:56,400 --> 00:25:59,400
But this is not something that is done as part of Defender for Servers.

333
00:25:59,400 --> 00:26:08,400
So if you're using our deployment capability for 2012 R2, we will deploy the antivirus component in active mode.

334
00:26:08,400 --> 00:26:21,400
And if you're using the antivirus component in active mode, you need to make sure that it is running on the machine in active mode.

335
00:26:21,400 --> 00:26:24,400
And on Linux we will deploy it in passive mode next to any other antivirus component there.

336
00:26:24,400 --> 00:26:30,400
Most of the onboarding, if you have configured it in portal.azure.com, if you configure the subscription in the

337
00:26:30,400 --> 00:26:43,400
new way, all new VMs and servers that are onboarded in Azure as well as in Amazon will be automatically onboarded in Defender for Cloud and Defender for Servers as well.

338
00:26:43,400 --> 00:26:59,400
So that, right, I think that is great, because then no server is unprotected if you are spinning up new stuff in your environment. That's probably really great, because in the past,

339
00:26:59,400 --> 00:27:03,400
back in the days, in my own on-prem environment,

340
00:27:03,400 --> 00:27:05,400
we forgot something.

341
00:27:05,400 --> 00:27:07,400
They call it secure by this.

342
00:27:07,400 --> 00:27:14,400
Yeah, it's robust, all that kind of terms are being used, but

343
00:27:14,400 --> 00:27:20,400
basically Defender for Servers, the whole infrastructure, the whole part, is based on zero trust.

344
00:27:20,400 --> 00:27:23,400
We don't trust anything.

345
00:27:23,400 --> 00:27:32,400
So right upfront we're realizing all the security stuff as well, so you are protected from the beginning.

346
00:27:32,400 --> 00:27:36,400
Yeah, so I think that is one of the big advantages.

347
00:27:36,400 --> 00:27:41,400
But it is something you need to consider when it comes to, for example, migrating machines.

348
00:27:41,400 --> 00:27:45,400
So if you have an on-prem data center and you're migrating it to Azure,

349
00:27:45,400 --> 00:27:52,400
you have several ways of doing it, but in the end what you should do is always enable Defender for Servers as a plan on top of your subscription,

350
00:27:52,400 --> 00:27:54,400
however you want to have it.

351
00:27:54,400 --> 00:28:00,400
If you are using a third-party EDR component and you are using another anti-malware component,

352
00:28:00,400 --> 00:28:08,400
maybe you can disable the integration with Microsoft Defender for Endpoint but still leverage Defender for Servers Plan 2 because of the agentless vulnerability assessment capability

353
00:28:08,400 --> 00:28:14,400
and the other enhanced capabilities, the cloud native actions and so on.

354
00:28:14,400 --> 00:28:21,400
For other customers it might make sense to just focus on the integration with Microsoft Defender for Endpoint, so Defender for Servers Plan 1 might be their choice

355
00:28:21,400 --> 00:28:29,400
for the first step after migrating, and then to upgrade it to Defender for Servers P2, because it's just one click away.

356
00:28:29,400 --> 00:28:37,400
Or one REST API call away, because it's just a different setting that you need to do on the subscription; then you will automatically enable the plan.

357
00:28:37,400 --> 00:28:42,400
And as you said, it's an auto-deployment and auto-availability capability, so

358
00:28:42,400 --> 00:28:49,400
if you enable Defender for Servers, it is there, and you can use it to deploy any extension, any agent that is relevant.

359
00:28:49,400 --> 00:28:57,400
Or you can disable the integration and just rely on non-agent-based capabilities. So whatever you choose, it is something you should

360
00:28:57,400 --> 00:29:00,400
make available for all your subscriptions.

361
00:29:00,400 --> 00:29:13,400
Yeah, but definitely upfront, if you want to start or migrate into Azure or another solution and you want to protect it with Defender for Cloud, you need to consider

362
00:29:13,400 --> 00:29:27,400
that you do things and make some choices upfront on the configuration before you onboard your whole stuff into Defender for Servers, because

363
00:29:27,400 --> 00:29:31,400
if you are running another EDR solution it can be,

364
00:29:31,400 --> 00:29:39,400
it can be a challenge, so you need to consider a few things. So, right, probably not every customer can do that,

365
00:29:39,400 --> 00:29:45,400
but there are a lot of professionals in the world that can help customers in that way.

366
00:29:45,400 --> 00:29:49,400
Maybe one sentence to that.

367
00:29:49,400 --> 00:29:57,400
That's why I said you can disable the integration with Microsoft Defender for Endpoint. And what happens by enabling that integration:

368
00:29:57,400 --> 00:30:08,400
we will basically enable a backend process in Defender for Cloud, and that process will run REST API calls against the compute or hybrid compute instance to deploy the extension.

369
00:30:08,400 --> 00:30:26,400
Now this is something you can do on your own. So if you wish to not deploy MDE directly to all your machines but you want to do it in a staged deployment, you can use REST API calls for that, and I have written a blog post about half a year, maybe nine months ago,

370
00:30:26,400 --> 00:30:35,400
when we introduced the integration with the Microsoft Defender for Endpoint unified solution in Defender for Servers Plan 2.

371
00:30:35,400 --> 00:30:44,400
In this blog post there is the REST API call that you need to do, and then you can use that call; well, it's two calls:

372
00:30:44,400 --> 00:30:50,400
first of all to retrieve the onboarding package, secondly to deploy the extension with the onboarding package.

373
00:30:50,400 --> 00:30:58,400
But you can use these calls to define the machines that will now get the integration enabled.

374
00:30:58,400 --> 00:31:06,400
Once you've done that for all, then you can switch the whole integration on on the subscription to cover all future machines as well.

375
00:31:06,400 --> 00:31:08,400
So you have that.

376
00:31:08,400 --> 00:31:24,400
I will look into that blog and I will post it in the show notes as well, so if you want to know more about the REST API call for Defender for Servers and Defender for Endpoint, please have a look in the show notes; the link will be there.

377
00:31:24,400 --> 00:31:28,400
Do you have other questions? I think we covered most of them.

378
00:31:28,400 --> 00:31:33,400
I think we did cover a lot of them.

379
00:31:33,400 --> 00:31:36,400
Maybe to look a little bit into the future.

380
00:31:36,400 --> 00:31:43,400
Other things that you are publicly able to share, that we can expect from Defender for Servers,

381
00:31:43,400 --> 00:31:48,400
that you can share with us, Tom?

382
00:31:48,400 --> 00:31:58,400
Well, as always, we cannot disclose our roadmap in public, which we know a podcast is, but what we can say is that,

383
00:31:58,400 --> 00:32:06,400
if you take a look at all the information that we shared since the last Ignite, when we introduced agentless scanning for example,

384
00:32:06,400 --> 00:32:17,400
you will see that agentless scanning is a platform, so it doesn't stop with vulnerability assessments, and there's a lot to expect for the next couple of months.

385
00:32:17,400 --> 00:32:28,400
And in general I think it totally would make sense for us to sit together in a few months, because there's quite a lot of work going on within the scope of Defender for Servers at the moment.

386
00:32:28,400 --> 00:32:38,400
And I'm pretty sure there will be some very exciting news for your audience, so maybe we can use the after-summer time frame to have another chat.

387
00:32:38,400 --> 00:32:46,400
We will accept that challenge, Tom, so I will schedule a new recording after the holidays to look back

388
00:32:46,400 --> 00:32:56,400
and see if there is new stuff, because we all know that the teams within Microsoft, and not only in Defender for Servers, all work quite hard

389
00:32:56,400 --> 00:33:00,400
on the challenges that we are facing, because

390
00:33:00,400 --> 00:33:15,400
all the bad guys are working hard, so on the good side we need to do that as well, and we all know that that is done on your side. So we will accept that challenge and have a recording

391
00:33:15,400 --> 00:33:18,400
after the summer and publish that as well.

392
00:33:18,400 --> 00:33:22,400
I think we can close it out.

393
00:33:22,400 --> 00:33:31,400
Or are there any other topics that you want to cover that we forgot from our side?

394
00:33:31,400 --> 00:33:40,400
You know, I think we covered it pretty well, but one thing that might come to your audience's attention is that

395
00:33:40,400 --> 00:33:53,400
it might seem a little bit complex. So there are a lot of Defenders: in Defender for Cloud we have Defender for Servers, we have Microsoft Defender for Endpoint, which also might be referred to as

396
00:33:53,400 --> 00:34:00,400
Defender for Servers when we are talking about Microsoft Defender for Endpoint on server operating systems. So I think

397
00:34:00,400 --> 00:34:09,400
there are two things. First of all, I would wish for us to really be precise when we are talking about Microsoft Defender capabilities: so either it is Microsoft Defender,

398
00:34:09,400 --> 00:34:19,400
it is Microsoft Defender for Endpoint for server operating systems probably, or it is Microsoft Defender for Servers as a capability in Defender for Cloud.

399
00:34:19,400 --> 00:34:27,400
But the other thing is that I, in my role, am trying to understand what the challenges are that our customers are currently facing.

400
00:34:27,400 --> 00:34:39,400
What we want to do is improve the acceptance and also the understanding of, you know, how easy it actually is to enable Defender for Servers and to deploy capabilities, to leverage capabilities in that scope.

401
00:34:39,400 --> 00:34:44,400
So if there's anything that, you know, you are hearing from your audience, from your customers,

402
00:34:44,400 --> 00:34:50,400
please feel free to reach out, and I'll be happy to take that feedback and see what we can do in order to improve the product.

403
00:34:50,400 --> 00:35:02,400
And if you don't know the email address of Tom: Tom is quite active on social media as well, so please reach out and see if you can help the customers.

404
00:35:02,400 --> 00:35:07,400
We are both, all of us are, willing to help people on that.

405
00:35:07,400 --> 00:35:11,400
So many thanks for joining this recording, Tom.

406
00:35:11,400 --> 00:35:13,400
Thank you very much for having me.

407
00:35:13,400 --> 00:35:20,400
Yeah, definitely from our side as well, and for our listeners, thank you for listening to or viewing this podcast.

408
00:35:20,400 --> 00:35:26,400
Hopefully we will be back next time with another quite interesting topic of Defender for Cloud.

409
00:35:26,400 --> 00:35:27,400
Are we?

410
00:35:27,400 --> 00:35:29,400
Do we know that already?

411
00:35:29,400 --> 00:35:32,400
We have some recordings scheduled already.

412
00:35:32,400 --> 00:35:39,400
Some of them we can't share yet, but expect a lot of new episodes.

413
00:35:39,400 --> 00:35:46,400
Yeah, in the past we talked about Defender for Containers, all that kind of stuff that will come in the next period.

414
00:35:46,400 --> 00:35:51,400
We don't know at the moment when, but stay tuned for that sort of recording.

415
00:35:51,400 --> 00:35:53,400
So thank you for listening now.

416
00:35:53,400 --> 00:36:14,400
Thank you.

