1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,380
where we discuss topics relating to security, privacy,

3
00:00:09,380 --> 00:00:13,280
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,280 --> 00:00:16,640
Hey everybody, welcome to episode number 20.

5
00:00:16,640 --> 00:00:19,800
We have Sarah, Mark, and myself.

6
00:00:19,800 --> 00:00:21,120
Gladys is away this week.

7
00:00:21,120 --> 00:00:23,680
She's actually doing some training for her new position.

8
00:00:23,680 --> 00:00:25,680
We also have a special guest,

9
00:00:25,680 --> 00:00:28,680
Alex Dodonka, who works on the Azure Security team.

10
00:00:28,680 --> 00:00:30,680
But before we get to Alex,

11
00:00:30,680 --> 00:00:31,920
let's take a look at the news.

12
00:00:31,920 --> 00:00:33,720
Sarah, why don't you kick us off?

13
00:00:33,720 --> 00:00:38,560
Couple of cool things that took my fancy in the news recently,

14
00:00:38,560 --> 00:00:41,840
so much stuff, even though we're just in the new year.

15
00:00:41,840 --> 00:00:44,000
To start with,

16
00:00:44,000 --> 00:00:47,920
application change analysis has got a new UI,

17
00:00:47,920 --> 00:00:51,280
which shows changes in all the Azure resources

18
00:00:51,280 --> 00:00:53,920
under the subscriptions that you've got up at the moment.

19
00:00:53,920 --> 00:00:55,800
If you're not familiar with this UI,

20
00:00:55,800 --> 00:00:59,600
the last one only showed a limited number of changes,

21
00:00:59,600 --> 00:01:01,280
and you couldn't filter them out.

22
00:01:01,280 --> 00:01:04,480
If you had noisy changes that weren't being made regularly,

23
00:01:04,480 --> 00:01:05,800
you wouldn't be able to see

24
00:01:05,800 --> 00:01:09,080
the actual changes you were interested in.

25
00:01:09,080 --> 00:01:11,920
Definitely go and have a look at that because now,

26
00:01:11,920 --> 00:01:16,440
it's in a public preview and it's much, much nicer.

27
00:01:16,440 --> 00:01:19,000
It obviously would never be a news segment without me

28
00:01:19,000 --> 00:01:22,000
talking about something to do with Azure Monitor.

29
00:01:22,000 --> 00:01:25,560
The next one is that in public preview,

30
00:01:25,560 --> 00:01:27,880
you're now able to use

31
00:01:27,880 --> 00:01:32,760
Azure Data Explorer clusters and monitor it with Azure Monitor.

32
00:01:32,760 --> 00:01:36,000
Lots of things that sound familiar here.

33
00:01:36,000 --> 00:01:37,680
If you're not familiar with these products,

34
00:01:37,680 --> 00:01:42,080
Azure Data Explorer is like a big data lake where you can

35
00:01:42,080 --> 00:01:47,160
chuck all your data in and query it and do whatever you want to there.

36
00:01:47,160 --> 00:01:50,440
Azure Monitor, of course, is our entire monitoring platform,

37
00:01:50,440 --> 00:01:55,480
and now you can get some stats from your ADX cluster.

38
00:01:55,480 --> 00:01:59,600
It can be looking back what's been queried,

39
00:01:59,600 --> 00:02:03,960
who's been using the most CPU in your ADX cluster,

40
00:02:03,960 --> 00:02:06,160
see who's been running all the queries.

41
00:02:06,160 --> 00:02:08,280
Essentially, you can get some operational stuff,

42
00:02:08,280 --> 00:02:11,880
which is good to understand who's using your ADX,

43
00:02:11,880 --> 00:02:14,520
maybe abusing it as well, hopefully not.

44
00:02:14,520 --> 00:02:16,920
But yeah, that's now in public preview.

45
00:02:16,920 --> 00:02:20,200
We've now got built-in Azure Policy support for

46
00:02:20,200 --> 00:02:23,800
NSG Flow Logs, which is lovely,

47
00:02:23,800 --> 00:02:27,680
which means now you can actually force

48
00:02:27,680 --> 00:02:30,920
NSG Flow Logs being turned on or being turned off in

49
00:02:30,920 --> 00:02:35,280
Azure Policy as part of your security baseline, which is sweet.

50
00:02:35,280 --> 00:02:38,760
Last but not least, we have ASC,

51
00:02:38,760 --> 00:02:42,000
Azure Security Center updates for January 2021.

52
00:02:42,000 --> 00:02:44,840
There's only two updates this month.

53
00:02:44,840 --> 00:02:48,760
We've got the CSV export of recommendations.

54
00:02:48,760 --> 00:02:51,800
Security Center gives you hygiene recommendations

55
00:02:51,800 --> 00:02:55,240
based on the CIS benchmark and best practices.

56
00:02:55,240 --> 00:03:00,720
You can see them in the UI and you can also export them via Event Hub.

57
00:03:00,720 --> 00:03:04,200
But now you can also get them through a CSV file,

58
00:03:04,200 --> 00:03:07,680
which I have had some customers ask for.

59
00:03:07,680 --> 00:03:11,400
The other thing that's exciting that's happened this month is

60
00:03:11,400 --> 00:03:13,480
that the vulnerability assessment,

61
00:03:13,480 --> 00:03:16,040
which uses Qualys in the background for

62
00:03:16,040 --> 00:03:19,880
on-premise and machines in other clouds has now gone GA,

63
00:03:19,880 --> 00:03:21,960
which is great because it means that you can

64
00:03:21,960 --> 00:03:25,200
vulnerability scan everything because it's in GA.

65
00:03:25,200 --> 00:03:27,760
Some customers of course won't use things or

66
00:03:27,760 --> 00:03:29,840
can't use things until they're in GA when they have

67
00:03:29,840 --> 00:03:32,080
an SLA and the support for them.

68
00:03:32,080 --> 00:03:34,640
If you've been waiting for that one, it's here.

69
00:03:34,640 --> 00:03:37,520
Hooray. That's all my news for this time.

70
00:03:37,520 --> 00:03:41,120
Quite a few things to pique my interest over the last few weeks.

71
00:03:41,120 --> 00:03:45,600
As you said, it's actually been pretty busy even though it's still only January.

72
00:03:45,600 --> 00:03:47,080
The first one is there's now

73
00:03:47,080 --> 00:03:49,160
support for backup on Azure Managed Disks.

74
00:03:49,160 --> 00:03:51,440
My guess is, prior to this,

75
00:03:51,440 --> 00:03:53,560
there was no backup for Azure Managed Disks.

76
00:03:53,560 --> 00:03:57,680
But now there is, which is fantastic because it's a totally agentless backup.

77
00:03:57,680 --> 00:03:59,400
You can just set the policy and

78
00:03:59,400 --> 00:04:01,640
essentially Azure goes ahead and does all the work,

79
00:04:01,640 --> 00:04:03,880
which is absolutely fantastic.

80
00:04:03,880 --> 00:04:07,040
The next one talking about Azure backup is that we now have

81
00:04:07,040 --> 00:04:10,040
support for encryption at rest using customer managed keys.

82
00:04:10,040 --> 00:04:14,120
This is something that I think just about every customer I have

83
00:04:14,120 --> 00:04:17,760
worked with over the last 24 months has said they wanted

84
00:04:17,760 --> 00:04:21,160
to use customer managed key support because backups often

85
00:04:21,160 --> 00:04:22,720
contain sensitive information.

86
00:04:22,720 --> 00:04:24,680
Obviously, you could encrypt the data itself,

87
00:04:24,680 --> 00:04:27,120
so the backup will automatically take the encrypted data.

88
00:04:27,120 --> 00:04:30,560
But in this case, you can actually encrypt the actual backup itself.

89
00:04:30,560 --> 00:04:34,600
That's, I know of at least two or three customers that immediately come to mind,

90
00:04:34,600 --> 00:04:37,920
but are very happy that that's now finally available.

91
00:04:37,920 --> 00:04:41,160
The next one is Azure Defender for SQL,

92
00:04:41,160 --> 00:04:43,160
there's some updates that came out.

93
00:04:43,160 --> 00:04:46,120
The first one is that it's now generally available for

94
00:04:46,120 --> 00:04:51,120
SQL servers inside of a VM or on machines, I should say.

95
00:04:51,120 --> 00:04:55,200
This is really important because I know a lot of customers who,

96
00:04:55,200 --> 00:04:57,160
for specific reasons, want to run,

97
00:04:57,160 --> 00:05:03,920
say a SQL server in a VM rather than as a PaaS platform as a service offering.

98
00:05:03,920 --> 00:05:05,800
Perhaps they're just doing a lift and shift,

99
00:05:05,800 --> 00:05:09,000
and so they wanted to do with the least amount of friction as possible.

100
00:05:09,000 --> 00:05:11,520
Well, Azure Defender for SQL servers

101
00:05:11,520 --> 00:05:13,080
will now look inside,

102
00:05:13,080 --> 00:05:17,880
actually look inside that particular VM and do things like baseline configuration analysis.

103
00:05:17,880 --> 00:05:19,120
This is actually pretty cool.

104
00:05:19,120 --> 00:05:23,360
You can set a baseline for security in the SQL database.

105
00:05:23,360 --> 00:05:26,120
There's actually a PowerShell script that you can also run.

106
00:05:26,120 --> 00:05:28,680
I'll put a link to that in the show notes.

107
00:05:28,680 --> 00:05:32,800
The PowerShell script is outside of this Azure Defender aspect,

108
00:05:32,800 --> 00:05:37,480
but it's useful to understand this SQL baselining.

109
00:05:37,480 --> 00:05:39,680
We can measure against that baselining,

110
00:05:39,680 --> 00:05:42,400
there's detailed benchmarking information.

111
00:05:42,400 --> 00:05:46,080
There's also much better integration with Azure Security Center.

112
00:05:46,080 --> 00:05:47,840
It just looks a lot nicer.

113
00:05:47,840 --> 00:05:53,680
It also, the update includes Azure Defender for SQL includes support for

114
00:05:53,680 --> 00:05:59,520
Azure Synapse Analytics, a dedicated SQL pool that's also generally available.

115
00:05:59,520 --> 00:06:04,880
Yeah, so just all around fit and finish and making

116
00:06:04,880 --> 00:06:08,760
the Azure Defender for SQL support look a lot more complete.

117
00:06:08,760 --> 00:06:09,920
It's fantastic work.

118
00:06:09,920 --> 00:06:13,520
Next one is Azure HealthBot is now generally available.

119
00:06:13,520 --> 00:06:16,600
I want to point out this has got nothing to do with security whatsoever,

120
00:06:16,600 --> 00:06:17,760
at least not directly.

121
00:06:17,760 --> 00:06:21,160
The only reason I brought this up is just in light of the fact that I've been working a lot

122
00:06:21,160 --> 00:06:23,200
with healthcare organizations of late.

123
00:06:23,200 --> 00:06:25,000
Also with COVID-19,

124
00:06:25,000 --> 00:06:28,400
obviously being front and center with everybody on the planet today.

125
00:06:28,400 --> 00:06:30,880
We now have this Azure HealthBot.

126
00:06:30,880 --> 00:06:32,160
This is actually pretty cool.

127
00:06:32,160 --> 00:06:38,520
This allows developers in healthcare organizations to build and deploy AI-powered

128
00:06:38,520 --> 00:06:43,600
and compliant conversational healthcare experiences at scale.

129
00:06:43,600 --> 00:06:45,960
Again, it's not a direct security thing,

130
00:06:45,960 --> 00:06:50,800
but I thought I would put this out there because it's pretty topical these days.

131
00:06:50,800 --> 00:06:55,680
Next one is Private Link Support for Azure Automation is now generally available.

132
00:06:55,680 --> 00:06:57,520
As I've mentioned many times,

133
00:06:57,520 --> 00:06:59,400
you're probably sick of hearing me say this,

134
00:06:59,400 --> 00:07:07,920
but we've seen over the last few years a bunch of trends inside of Azure,

135
00:07:07,920 --> 00:07:10,280
especially for platform as a service offerings,

136
00:07:10,280 --> 00:07:13,640
things like customer managed key support for encryption of data at rest,

137
00:07:13,640 --> 00:07:15,680
but the other one is Private Link Support.

138
00:07:15,680 --> 00:07:19,560
This is where you can have a PaaS offering in this case Azure Automation,

139
00:07:19,560 --> 00:07:25,320
and essentially have it as an extension of your on-prem network.

140
00:07:25,320 --> 00:07:27,280
That's really great to see as well.

141
00:07:27,280 --> 00:07:33,520
The second to last one is Public IPs can now be upgraded.

142
00:07:33,520 --> 00:07:34,960
Not a lot of people know this,

143
00:07:34,960 --> 00:07:39,520
but an IP address is actually a service in Azure.

144
00:07:39,520 --> 00:07:41,040
It's actually a feature in service.

145
00:07:41,040 --> 00:07:43,160
You can create these public IP addresses,

146
00:07:43,160 --> 00:07:46,720
and there's two versions, basic and standard.

147
00:07:46,720 --> 00:07:49,880
Historically, if you said I want to use a basic IP address,

148
00:07:49,880 --> 00:07:52,440
you are basically stuck with the basic IP address.

149
00:07:52,440 --> 00:07:56,200
Well, the standard IP address includes lots of other offerings,

150
00:07:56,200 --> 00:07:58,600
other capabilities that are not there in basic,

151
00:07:58,600 --> 00:07:59,960
and you couldn't upgrade.

152
00:07:59,960 --> 00:08:01,200
Well, now you can,

153
00:08:01,200 --> 00:08:06,280
and that's another great usability feature that I think a lot of customers will be happy to see.

154
00:08:06,280 --> 00:08:12,720
The last one, one of my favorite topics as he looks across at his Azure Sphere SDK,

155
00:08:12,720 --> 00:08:16,880
my Azure SDK board in my hands right now.

156
00:08:16,880 --> 00:08:22,680
Operating System OS version 21.01 is now available for evaluation.

157
00:08:22,680 --> 00:08:26,600
There's some new features in there most notably around wolfSSL.

158
00:08:26,600 --> 00:08:28,160
If you're familiar with wolfSSL,

159
00:08:28,160 --> 00:08:35,520
it's a very small library that does SSL and TLS designed for small IoT devices.

160
00:08:35,520 --> 00:08:38,240
I actually have it running on a little Arduino,

161
00:08:38,240 --> 00:08:41,480
Arduino Uno works nicely.

162
00:08:41,480 --> 00:08:43,200
Yeah, that's my last topic there.

163
00:08:43,200 --> 00:08:48,080
Azure Sphere OS 21.01 is now available for evaluation.

164
00:08:48,080 --> 00:08:49,920
Over to you, Mark.

165
00:08:49,920 --> 00:08:51,920
News in my space.

166
00:08:51,920 --> 00:08:54,040
We'll start with the human operated ransomware.

167
00:08:54,040 --> 00:08:57,440
We've been talking about this over the last couple of episodes,

168
00:08:57,440 --> 00:09:02,360
and finally we do have a landing site and the mitigation plan has been released.

169
00:09:02,360 --> 00:09:04,120
It's in the form of a PowerPoint deck.

170
00:09:04,120 --> 00:09:06,840
I like PowerPoint for those out there that don't know that.

171
00:09:06,840 --> 00:09:08,640
We did get that one out there.

172
00:09:08,640 --> 00:09:14,640
It has a very prescriptive plan for addressing the human operated ransomware,

173
00:09:14,640 --> 00:09:19,640
which honestly given the flexibility of these attackers and

174
00:09:19,640 --> 00:09:23,840
their willingness to profit using pretty much any technique,

175
00:09:23,840 --> 00:09:25,560
it tends to be a very broad one.

176
00:09:25,560 --> 00:09:28,440
It could also be used as a general security template plan,

177
00:09:28,440 --> 00:09:33,000
like what should I be doing and how to protect myself against any threat,

178
00:09:33,000 --> 00:09:35,480
but ransomware is just the top one at the moment.

179
00:09:35,480 --> 00:09:37,360
That is out there.

180
00:09:37,360 --> 00:09:40,200
It's just aka.ms/humanoperated.

181
00:09:40,200 --> 00:09:42,480
We'll send you that link and put in the show notes.

182
00:09:42,480 --> 00:09:50,600
We are expecting that trend to continue and grow and continue to impact our customers significantly.

183
00:09:50,600 --> 00:09:54,240
The next thing that some of you folks in

184
00:09:54,240 --> 00:09:57,920
cybersecurity may have heard of is this Solorigate or Sunburst attack.

185
00:09:57,920 --> 00:10:00,880
We have continued to release information on that.

186
00:10:00,880 --> 00:10:06,560
We actually have kept adding to our existing resource center, aka.ms/solorigate.

187
00:10:06,560 --> 00:10:08,560
That will also be in the show notes.

188
00:10:08,560 --> 00:10:10,880
Couple of notable new blogs.

189
00:10:10,880 --> 00:10:16,880
We did talk about Zero Trust and Solorigate in a really nice blog by Alex Weinert,

190
00:10:16,880 --> 00:10:20,160
and how did zero trust principles stand up to it.

191
00:10:20,160 --> 00:10:24,440
Fairly well, is my estimation of it there.

192
00:10:24,440 --> 00:10:31,480
Then there's also for the more technical and threat hunter deep dive into the forensics folks.

193
00:10:31,480 --> 00:10:34,400
There is a blog that just released as well on

194
00:10:34,400 --> 00:10:40,760
the second stage activation of how these different pieces that you've seen technically connect together.

195
00:10:40,760 --> 00:10:43,000
Very, very interesting read.

196
00:10:43,000 --> 00:10:46,040
A lot of it honestly went over my head in terms of technical detail,

197
00:10:46,040 --> 00:10:53,120
but I was quite impressed by the sophistication of these attackers as I read through it.

198
00:10:53,120 --> 00:10:56,560
Because there was a lot of pains that were taken,

199
00:10:56,560 --> 00:10:58,520
a lot of effort was taken to stay

200
00:10:58,520 --> 00:11:01,280
stealthy for these particular attackers.

201
00:11:01,280 --> 00:11:04,880
Because of all the questions that we've been getting lately around,

202
00:11:04,880 --> 00:11:08,640
how does Microsoft secure our environment?

203
00:11:08,640 --> 00:11:14,920
We thought we would get a number of guests on the podcast to share how

204
00:11:14,920 --> 00:11:19,560
Microsoft is securing our code and our infrastructure and lessons

205
00:11:19,560 --> 00:11:21,840
learned and best practices from there.

206
00:11:21,840 --> 00:11:27,080
Our first guest in this informal series is Alex to Docker.

207
00:11:27,080 --> 00:11:29,000
Alex, would you like to introduce yourself?

208
00:11:29,000 --> 00:11:31,800
Yeah, thanks Mark. Like you said,

209
00:11:31,800 --> 00:11:35,720
I'm Alex, a program manager within Cloud Security here at Microsoft.

210
00:11:35,720 --> 00:11:41,320
I work on a team within Azure called Strike and have been a part of the team for close to two years now.

211
00:11:41,320 --> 00:11:45,840
Strike is an internal security education and compliance program that provides

212
00:11:45,840 --> 00:11:51,800
employees with actionable knowledge and resources to support our all up security strategy.

213
00:11:51,800 --> 00:11:55,240
We're most known for our ability to create and deliver

214
00:11:55,240 --> 00:11:58,800
quality learning experiences on those strong security principles

215
00:11:58,800 --> 00:12:01,720
based on current and real-world threats.

216
00:12:01,720 --> 00:12:06,720
Essentially, Strike is a platform for community engagement,

217
00:12:06,720 --> 00:12:11,040
knowledge sharing and broad collaboration promoting on-the-job learning.

218
00:12:11,040 --> 00:12:14,880
While empowering our engineers and participants to raise the bar,

219
00:12:14,880 --> 00:12:17,200
building a healthy security culture.

220
00:12:17,200 --> 00:12:21,880
We do this by offering a variety of trainings and hands-on experiences that

221
00:12:21,880 --> 00:12:27,560
motivate and ready participants to securely design and build and operate services.

222
00:12:27,560 --> 00:12:30,800
So Alex, so if I'm an Azure developer,

223
00:12:30,800 --> 00:12:35,680
say all of the security education,

224
00:12:35,680 --> 00:12:40,360
the mandatory stuff, the cool courses that I would want to take to learn more about security,

225
00:12:40,360 --> 00:12:42,480
that comes from your organization, right?

226
00:12:42,480 --> 00:12:44,680
Most definitely. At the moment,

227
00:12:44,680 --> 00:12:47,800
Strike offers close to 100 online courses,

228
00:12:47,800 --> 00:12:51,240
not only for those developing our services on Azure,

229
00:12:51,240 --> 00:12:53,360
but also for those interacting with them,

230
00:12:53,360 --> 00:12:54,960
maybe even for the first time,

231
00:12:54,960 --> 00:13:00,600
both how to build securely with additional offerings that focus on the user and or customer.

232
00:13:00,600 --> 00:13:04,400
So for example, we have a course that covers best practices to keep

233
00:13:04,400 --> 00:13:07,040
your Cloud applications and infrastructure secure,

234
00:13:07,040 --> 00:13:10,840
but also a far less technical course named how to explain

235
00:13:10,840 --> 00:13:14,400
Cloud security basics to anyone just to give you the gist of it.

236
00:13:14,400 --> 00:13:16,880
Because I know Azure,

237
00:13:16,880 --> 00:13:21,360
developing Azure has a lot of different roles in it with people,

238
00:13:21,360 --> 00:13:24,000
different skill sets, different responsibilities.

239
00:13:24,000 --> 00:13:26,800
Now, if I understand correctly,

240
00:13:26,800 --> 00:13:32,920
Azure is effectively there's a core-based set of services that are out there for everyone.

241
00:13:32,920 --> 00:13:38,000
Then Azure is really a set of different individual feature teams that

242
00:13:38,000 --> 00:13:41,080
develop these individual capabilities and services.

243
00:13:41,080 --> 00:13:43,440
That's your customer.

244
00:13:43,440 --> 00:13:48,680
Those are the folks that you educate is those two constituencies. Is that right?

245
00:13:48,680 --> 00:13:53,120
Correct, Mark. These individuals are within engineering.

246
00:13:53,120 --> 00:13:55,160
That's the common theme.

247
00:13:55,160 --> 00:13:57,160
But as you know,

248
00:13:57,160 --> 00:14:00,300
engineering is broad and covers a ton of backgrounds,

249
00:14:00,300 --> 00:14:03,920
including but not limited to obviously software engineering,

250
00:14:03,920 --> 00:14:07,760
program management, design, data science, hardware engineering.

251
00:14:07,760 --> 00:14:12,880
Basically anyone that has the engineering discipline,

252
00:14:12,880 --> 00:14:14,880
they are most certainly within scope.

253
00:14:14,880 --> 00:14:20,640
So we do try and provide a diverse set of courses and trainings to meet

254
00:14:20,640 --> 00:14:23,880
all of the different players inside of our company.

255
00:14:23,880 --> 00:14:28,440
Now, if I was in a customer organization and I wanted to set up

256
00:14:28,440 --> 00:14:33,240
my own education program to educate my own developers and

257
00:14:33,240 --> 00:14:36,680
application teams and application security teams,

258
00:14:36,680 --> 00:14:45,360
what would be the things that would be most important to set up and to build into that program?

259
00:14:45,360 --> 00:14:52,000
First and foremost, I think understanding holistically of your goals and

260
00:14:52,000 --> 00:14:54,600
knowing the big picture of your product.

261
00:14:54,600 --> 00:14:57,680
I think the best way to go through this is threat modeling.

262
00:14:57,680 --> 00:15:06,400
Threat modeling is an extremely valuable exercise that our team does a ton of workshops and gets behind

263
00:15:06,400 --> 00:15:08,400
acquisitions, for example,

264
00:15:08,400 --> 00:15:11,560
will always offer a security basic session,

265
00:15:11,560 --> 00:15:12,960
a threat awareness session,

266
00:15:12,960 --> 00:15:16,280
as well as threat modeling and then a threat modeling lab.

267
00:15:16,280 --> 00:15:18,640
It's not going to cover all grounds,

268
00:15:18,640 --> 00:15:23,400
but as either a new company or someone trying to get started in that space,

269
00:15:23,400 --> 00:15:26,720
you'll have to go through all the security concepts,

270
00:15:26,720 --> 00:15:28,680
understand what threat modeling is,

271
00:15:28,680 --> 00:15:32,280
and you'll have to know your product inside out.

272
00:15:32,280 --> 00:15:35,440
Find people with pen testing experience,

273
00:15:35,440 --> 00:15:37,560
people that have threat modeled in the past,

274
00:15:37,560 --> 00:15:46,040
and almost build a V team or a team that can go through everything holistically,

275
00:15:46,040 --> 00:15:49,000
but make sure there's security experts in there.

276
00:15:49,000 --> 00:15:51,760
That's where I'd start and where, say,

277
00:15:51,760 --> 00:15:55,920
if an acquisition comes on board where my team will typically get involved.

278
00:15:55,920 --> 00:16:03,160
Very cool. Michael, I first learned about threat modeling from some of your work in the early days of Microsoft some 15,

279
00:16:03,160 --> 00:16:04,440
20 years ago.

280
00:16:04,440 --> 00:16:08,600
Is that similar recommendations as you would have given back then?

281
00:16:08,600 --> 00:16:10,920
Yeah, nothing's changed, I think.

282
00:16:10,920 --> 00:16:14,360
We've always found threat modeling to be a really useful tool.

283
00:16:14,360 --> 00:16:18,120
By tool, I just mean technique, not necessarily a tool per se,

284
00:16:18,120 --> 00:16:24,680
but just a very useful technique for understanding how an attacker may try to compromise the system,

285
00:16:24,680 --> 00:16:27,520
and also making sure you have the appropriate mitigations in place.

286
00:16:27,520 --> 00:16:32,240
We have plenty of knowledge and technology around code level issues,

287
00:16:32,240 --> 00:16:34,720
static analysis, dynamic analysis, and so on.

288
00:16:34,720 --> 00:16:37,280
But in the area of secure design,

289
00:16:37,280 --> 00:16:40,640
threat modeling seems to be the most common by far,

290
00:16:40,640 --> 00:16:43,840
and it's certainly grown a lot in the last 20 or so years.

291
00:16:43,840 --> 00:16:46,840
If I look at the material that we created 20 years ago,

292
00:16:46,840 --> 00:16:51,480
it's nowhere near as slick and as efficient as it is today.

293
00:16:51,480 --> 00:16:55,880
Yeah, I always think of threat modeling as the design part of the process,

294
00:16:55,880 --> 00:17:02,600
whereas all the SAST and DAST and those kind of things are much more of the implementation part.

295
00:17:02,600 --> 00:17:04,920
But of course, it's a creative process,

296
00:17:04,920 --> 00:17:08,720
so design isn't always completely separate from implementation.

297
00:17:08,720 --> 00:17:15,320
So Alex, one of the things I was very interested in digging into is,

298
00:17:15,320 --> 00:17:17,160
the relationship with the red team,

299
00:17:17,160 --> 00:17:24,160
like how involved is the red team in the various different aspects of

300
00:17:24,160 --> 00:17:27,440
the Strike program and the education components?

301
00:17:27,440 --> 00:17:30,800
Now, they're very much involved and the red team

302
00:17:30,800 --> 00:17:34,880
actually provides some of the more popular content of ours.

303
00:17:34,880 --> 00:17:39,760
I'll give you an example of what that partnership has looked like in the past.

304
00:17:39,760 --> 00:17:45,160
So we'll take lessons learned from previous Azure red team operations,

305
00:17:45,160 --> 00:17:48,800
where we have actual pen testers present on their tactics,

306
00:17:48,800 --> 00:17:51,880
findings and insecure practices, and we just don't leave it there.

307
00:17:51,880 --> 00:17:55,360
We highlight the remediation steps taken and how best to work with

308
00:17:55,360 --> 00:17:58,520
the Azure red team after the operation is carried out.

309
00:17:58,520 --> 00:18:03,160
We typically have the impacted team even co-present on the matter at hand,

310
00:18:03,160 --> 00:18:06,160
and everything that went into securing the service after the fact.

311
00:18:06,160 --> 00:18:11,160
Beyond that, we actually have a really exciting product that we built with

312
00:18:11,160 --> 00:18:15,160
the Azure red team called Cloud Capture the Flag.

313
00:18:15,160 --> 00:18:20,080
I know Capture the Flags are big time in cybersecurity,

314
00:18:20,080 --> 00:18:21,880
but ours is super unique.

315
00:18:21,880 --> 00:18:25,760
This partnership consisted of a lot of huddle ups,

316
00:18:25,760 --> 00:18:31,320
a lot of time with the red team determining what challenges and

317
00:18:31,320 --> 00:18:34,760
what vulnerabilities we should highlight in this experience.

318
00:18:34,760 --> 00:18:36,800
If you've never heard of a Capture the Flag,

319
00:18:36,800 --> 00:18:40,800
basically it's a series of challenges that vary in degree of difficulty,

320
00:18:40,800 --> 00:18:46,160
and the participants are required to exercise different skill sets,

321
00:18:46,160 --> 00:18:50,120
that hacker mindset, and once a challenge is solved,

322
00:18:50,120 --> 00:18:53,520
a flag is given out that is usually tied to points,

323
00:18:53,520 --> 00:18:56,960
and you submit these to a CTF Capture the Flag server.

324
00:18:56,960 --> 00:19:03,200
Typically, the highest earning participants will indeed get a bunch of prizes,

325
00:19:03,200 --> 00:19:05,280
and accolades, bragging rights,

326
00:19:05,280 --> 00:19:09,480
but our version and what's unique and why we needed to partner with

327
00:19:09,480 --> 00:19:13,680
the Azure red team is because this is in the Azure hosted environment.

328
00:19:13,680 --> 00:19:16,960
You actually get to fiddle around with our services,

329
00:19:16,960 --> 00:19:19,920
attack them in a real-world setting,

330
00:19:19,920 --> 00:19:25,440
and the different vulnerabilities and procedures were identified as

331
00:19:25,440 --> 00:19:30,800
current and valuable threats to go through these different challenges,

332
00:19:30,800 --> 00:19:33,280
including the MITRE ATT&CK Matrix,

333
00:19:33,280 --> 00:19:38,600
which is super hot right now and something everyone should understand.

334
00:19:38,600 --> 00:19:40,040
But by the end of the day,

335
00:19:40,040 --> 00:19:44,040
people unlock new knowledge for improving security in

336
00:19:44,040 --> 00:19:46,640
their Azure environment just by hacking it.

337
00:19:46,640 --> 00:19:49,960
Now I'm going to step into a little bit more of a manager hack question.

338
00:19:49,960 --> 00:19:52,200
How do you measure success?

339
00:19:52,200 --> 00:19:55,920
I mean, is it all subjective and highlighting key wins and

340
00:19:55,920 --> 00:19:59,280
key impacts in an anecdotal way,

341
00:19:59,280 --> 00:20:06,400
or are there some concrete metrics of what good looks like or what success looks like?

342
00:20:06,400 --> 00:20:09,880
That's the million-dollar question I must admit.

343
00:20:09,880 --> 00:20:12,240
Aside from staying out of the news,

344
00:20:12,240 --> 00:20:14,320
I can share a few examples.

345
00:20:14,320 --> 00:20:18,200
My first would be some of our more targeted efforts.

346
00:20:18,200 --> 00:20:22,320
For example, we have a training series in itself called

347
00:20:22,320 --> 00:20:26,480
an Introduction to Social Engineering and Security Risk for Data Centers.

348
00:20:26,480 --> 00:20:28,440
The title probably gives it away,

349
00:20:28,440 --> 00:20:33,000
but this is specifically for data center employees onboarding and

350
00:20:33,000 --> 00:20:34,880
maybe starting their careers in that space.

351
00:20:34,880 --> 00:20:36,960
But due to the nature of their work,

352
00:20:36,960 --> 00:20:41,480
it's been key to put policy and processes that are unique to them in the forefront.

353
00:20:41,480 --> 00:20:45,960
When you can be intentional and not generic with security training, it pays off.

354
00:20:45,960 --> 00:20:50,480
Additionally, our team will support service adoption and onboarding,

355
00:20:50,480 --> 00:20:53,840
which is very much measurable and monitored by our team.

356
00:20:53,840 --> 00:20:58,640
Since you've had the Azure Security Benchmark team on previously,

357
00:20:58,640 --> 00:21:00,600
I'll share an example of how we got behind

358
00:21:00,600 --> 00:21:03,120
their efforts and demonstrate impact with them.

359
00:21:03,120 --> 00:21:05,840
Essentially, there are processes to establish

360
00:21:05,840 --> 00:21:08,120
security benchmarks by selecting

361
00:21:08,120 --> 00:21:12,120
specific security configuration settings to secure Cloud deployments.

362
00:21:12,120 --> 00:21:16,880
We'll pinpoint service owners who are either new to Azure or

363
00:21:16,880 --> 00:21:20,640
needing to improve their security posture of existing deployments.

364
00:21:20,640 --> 00:21:23,120
What my involvement looks like is

365
00:21:23,120 --> 00:21:25,560
the coordination and execution of a workshop,

366
00:21:25,560 --> 00:21:29,000
where here we provide hands-on assistance while developing

367
00:21:29,000 --> 00:21:31,880
the security baseline for their Azure offers.

368
00:21:31,880 --> 00:21:35,880
Setting a security baseline and

369
00:21:35,880 --> 00:21:37,680
containing recommendations to help

370
00:21:37,680 --> 00:21:40,200
our customers meet their security controls in the Cloud.

371
00:21:40,200 --> 00:21:42,680
Basically, this reviewed baseline gets published on

372
00:21:42,680 --> 00:21:45,200
Azure Docs and this whole process

373
00:21:45,200 --> 00:21:48,920
offers the consistency and the security guidance to our customers.

374
00:21:48,920 --> 00:21:52,080
This is a prime example of measured success because

375
00:21:52,080 --> 00:21:53,840
demonstrating their configuration of

376
00:21:53,840 --> 00:21:56,320
Azure meeting security capabilities,

377
00:21:56,320 --> 00:21:59,120
it's premapped to the industry benchmark.

378
00:21:59,120 --> 00:22:04,680
Once it's complete, these pre-identified teams

379
00:22:04,680 --> 00:22:07,800
are meeting the predetermined needs.

380
00:22:07,800 --> 00:22:12,360
The tangible shift of the needle is indeed a measurement of success.

381
00:22:12,360 --> 00:22:15,240
Someone who's been actively involved for many years,

382
00:22:15,240 --> 00:22:17,480
training software developers, I have to ask,

383
00:22:17,480 --> 00:22:19,720
which classes seem to be the most popular?

384
00:22:19,720 --> 00:22:23,840
There are so many, but quickly let me talk through a few.

385
00:22:23,840 --> 00:22:27,920
One's called what 99 pentests against Azure have taught us.

386
00:22:27,920 --> 00:22:31,520
I can't say much, but it's as good as it sounds.

387
00:22:31,520 --> 00:22:35,840
Another would be security concepts and threat modeling overview.

388
00:22:35,840 --> 00:22:38,120
Threat modeling is one of our favorite topics.

389
00:22:38,120 --> 00:22:39,320
I think we've gone there,

390
00:22:39,320 --> 00:22:44,080
but there's a sneaky fun course called a journey from engineer to hacker,

391
00:22:44,080 --> 00:22:45,720
where a colleague of ours takes you through

392
00:22:45,720 --> 00:22:48,960
staging a safe and controlled environment to, well, hack.

393
00:22:48,960 --> 00:22:50,680
The underlying message is,

394
00:22:50,680 --> 00:22:52,480
when you understand who your threats are,

395
00:22:52,480 --> 00:22:53,840
where they're coming from,

396
00:22:53,840 --> 00:22:56,560
and their motivations, you're in a much better position

397
00:22:56,560 --> 00:22:58,680
to defend against them.

398
00:22:58,680 --> 00:23:03,000
But the last few, I'll quickly cover these.

399
00:23:03,000 --> 00:23:07,600
They've actually already been presented to external audiences,

400
00:23:07,600 --> 00:23:11,840
or we plan to bring these to our external communities.

401
00:23:11,840 --> 00:23:16,200
We're doing that through the security community team and their webinar series.

402
00:23:16,200 --> 00:23:18,640
We'll make sure you all get the link,

403
00:23:18,640 --> 00:23:21,120
and I think Michael will make sure to publish that.

404
00:23:21,120 --> 00:23:24,920
But the first one that's already available is called securing you,

405
00:23:24,920 --> 00:23:26,040
basics and beyond.

406
00:23:26,040 --> 00:23:29,160
It's an extremely valuable message about the current threats,

407
00:23:29,160 --> 00:23:33,880
protecting your accounts and staying secure at work, but also at home.

408
00:23:33,880 --> 00:23:35,600
Additionally, in February,

409
00:23:35,600 --> 00:23:40,200
the next one you'll be able to catch is called the billion dollar central bank heist,

410
00:23:40,200 --> 00:23:42,800
costly lessons and cybersecurity.

411
00:23:42,800 --> 00:23:45,640
Basically, this was a riveting case study of

412
00:23:45,640 --> 00:23:49,760
the largest to-date financial cross-border cybercrime.

413
00:23:49,760 --> 00:23:53,200
What we'll do is we'll talk about

414
00:23:53,200 --> 00:23:56,240
the Azure offerings to prevent such attacks.

415
00:23:56,240 --> 00:23:57,880
Beyond the February plans,

416
00:23:57,880 --> 00:24:01,640
be on the lookout because we're going to be doing these all the way throughout summer,

417
00:24:01,640 --> 00:24:03,240
I think we end in June.

418
00:24:03,240 --> 00:24:06,760
We have a talk on authentication and authorization,

419
00:24:06,760 --> 00:24:10,280
one on Azure Security Center and Cloud App Security,

420
00:24:10,280 --> 00:24:13,760
and then I believe one about open source.

421
00:24:13,760 --> 00:24:18,480
Check us out. We'll be offering these throughout June,

422
00:24:18,480 --> 00:24:22,160
and you can catch our next one in February.

423
00:24:22,160 --> 00:24:25,840
Yeah, Alex, I've got a question for you.

424
00:24:25,840 --> 00:24:32,280
What resources are available to get started with a program like this?

425
00:24:32,280 --> 00:24:36,520
What I'm going to do is actually shift the tone and share some advice,

426
00:24:36,520 --> 00:24:39,840
because our program is actually only five years old.

427
00:24:39,840 --> 00:24:43,240
A lot of the things maybe going through your mind were

428
00:24:43,240 --> 00:24:48,960
tactical and thought out based on our recent growth as a team.

429
00:24:48,960 --> 00:24:56,640
What I think was most evident in our success was how we were positioned to be alongside

430
00:24:56,640 --> 00:24:58,560
these teams, the red teams,

431
00:24:58,560 --> 00:25:01,520
the blue teams, the purple teams.

432
00:25:01,520 --> 00:25:04,000
To not be detached,

433
00:25:04,000 --> 00:25:06,840
you see a lot of companies that will put

434
00:25:06,840 --> 00:25:11,960
their security training and group it into HR bundle that is

435
00:25:11,960 --> 00:25:16,640
a generic requirement for everyone at the company to meet

436
00:25:16,640 --> 00:25:20,240
this security compliance checkbox,

437
00:25:20,240 --> 00:25:24,440
aka maybe it's phishing or something you'd see on a day-to-day basis.

438
00:25:24,440 --> 00:25:28,400
If you are building as much as a company like Microsoft,

439
00:25:28,400 --> 00:25:32,440
that generic training is not going to even scrape the surface.

440
00:25:32,440 --> 00:25:38,520
That'll leave the doors wide open for unsecure coding practices.

441
00:25:38,520 --> 00:25:41,400
But where we invest all,

442
00:25:41,400 --> 00:25:44,400
a lot of our time and energy is to

443
00:25:44,400 --> 00:25:49,280
bolster that generic training with other opportunities to deep dive.

444
00:25:49,280 --> 00:25:52,680
You'll need to understand who everyone is,

445
00:25:52,680 --> 00:25:54,120
like who's building,

446
00:25:54,120 --> 00:25:55,760
what their needs are,

447
00:25:55,760 --> 00:26:01,080
and to put together different experiences and either hands-on or

448
00:26:01,080 --> 00:26:10,320
just diverse sets of trainings that are almost going beyond what you'd need to even know.

449
00:26:10,320 --> 00:26:13,200
Our team is so unique that we're putting out

450
00:26:13,200 --> 00:26:15,760
content that's 300, 400,

451
00:26:15,760 --> 00:26:21,280
500 level for people that want to become their team security expert.

452
00:26:21,280 --> 00:26:27,160
Not every team has a tried-and-true security champ or even security engineer.

453
00:26:27,160 --> 00:26:33,400
So it's essential to equip some of the other folks to be that lead.

454
00:26:33,400 --> 00:26:35,840
A lot of our efforts are that community building,

455
00:26:35,840 --> 00:26:38,280
getting people in touch with the right folks.

456
00:26:38,280 --> 00:26:40,600
So if you don't know who's who or what's what,

457
00:26:40,600 --> 00:26:43,200
I think you should do a little bit of a self-audit,

458
00:26:43,200 --> 00:26:48,680
but know that the generic run-of-the-mill training is not going to be a catch-all.

459
00:26:48,680 --> 00:26:52,640
You got to offer some more robust content and cover more grounds.

460
00:26:52,640 --> 00:26:54,560
There's so much that goes into this.

461
00:26:54,560 --> 00:27:01,760
So Mike, I'd be interested to hear what Alex has been describing

462
00:27:01,760 --> 00:27:05,440
compares to how we started doing this like 15,

463
00:27:05,440 --> 00:27:09,000
20 years ago. Is it a lot different, a little different?

464
00:27:09,000 --> 00:27:10,800
We're talking about the threat modeling piece,

465
00:27:10,800 --> 00:27:13,560
and I'm just curious from an all-out program and advice perspective,

466
00:27:13,560 --> 00:27:15,960
how much has really changed over that time?

467
00:27:15,960 --> 00:27:18,760
From a 50,000-foot view, nothing's really changed.

468
00:27:18,760 --> 00:27:23,960
It's the same concepts that we laid out in the early 2000s.

469
00:27:23,960 --> 00:27:28,040
Some of the major differences would be the development processes

470
00:27:28,040 --> 00:27:30,360
are significantly different.

471
00:27:30,360 --> 00:27:34,120
Back then, it was mainly waterfall models,

472
00:27:34,120 --> 00:27:36,320
C, C++ stuff.

473
00:27:36,320 --> 00:27:39,760
We had classes of vulnerabilities that we still have to care about today,

474
00:27:39,760 --> 00:27:44,040
obviously, because C and C++, especially old C and C++,

475
00:27:44,040 --> 00:27:48,400
or people who write C++ code as basically glorified C,

476
00:27:48,400 --> 00:27:50,960
those issues are really of concern,

477
00:27:50,960 --> 00:27:53,120
especially memory safety issues.

478
00:27:53,120 --> 00:27:56,000
But now we're talking about different types of issues,

479
00:27:56,000 --> 00:28:00,360
persistent store of credentials in configuration files,

480
00:28:00,360 --> 00:28:02,000
or cross-site scripting,

481
00:28:02,000 --> 00:28:03,440
or cross-site request forgery,

482
00:28:03,440 --> 00:28:08,400
or poor cryptography, poor random number generation used for keys,

483
00:28:08,400 --> 00:28:09,920
those kinds of things.

484
00:28:09,920 --> 00:28:13,920
Memory corruption issues are not front and center

485
00:28:13,920 --> 00:28:15,280
like they were back in the day.

486
00:28:15,280 --> 00:28:17,120
Obviously, they still exist,

487
00:28:17,120 --> 00:28:20,640
but for the average developer developing on a cloud platform,

488
00:28:20,640 --> 00:28:22,480
a modern cloud platform today,

489
00:28:22,480 --> 00:28:25,360
they generally tend to be using higher-level languages,

490
00:28:25,360 --> 00:28:28,400
C#, Java, Go, Python, PHP,

491
00:28:28,400 --> 00:28:31,120
languages that abstract you away

492
00:28:31,120 --> 00:28:34,240
from the low-level machinations of the machine.

493
00:28:34,240 --> 00:28:37,200
In terms of process, very similar.

494
00:28:37,200 --> 00:28:39,360
I mean, the software,

495
00:28:39,360 --> 00:28:40,640
the way we develop the software

496
00:28:40,640 --> 00:28:43,040
using the security development lifecycle,

497
00:28:43,040 --> 00:28:45,680
a lot of that is still very similar.

498
00:28:45,680 --> 00:28:48,160
Again, some of the nuances have changed,

499
00:28:48,160 --> 00:28:49,920
but from a 50,000-foot perspective,

500
00:28:49,920 --> 00:28:54,960
it's good to see that what we started doing 20 years ago

501
00:28:54,960 --> 00:28:57,200
is not just still being used,

502
00:28:57,200 --> 00:28:59,520
but has also been modified and updated

503
00:28:59,520 --> 00:29:01,760
and modernized to adapt

504
00:29:01,760 --> 00:29:04,400
to a rapidly evolving cloud platform.

505
00:29:04,400 --> 00:29:06,560
Alex, I had one last question for you.

506
00:29:08,080 --> 00:29:10,080
Bug bounties, how do we approach that?

507
00:29:10,080 --> 00:29:12,640
What's our philosophy and our thought process

508
00:29:12,640 --> 00:29:13,520
and how do we use them?

509
00:29:14,800 --> 00:29:18,480
Yeah, bug bounties are most certainly a huge priority for us,

510
00:29:18,480 --> 00:29:20,480
and I'm in a unique spot

511
00:29:20,480 --> 00:29:22,560
where some of our partner teams

512
00:29:23,200 --> 00:29:26,080
are the ones going through the different reports

513
00:29:26,080 --> 00:29:27,840
and things that get sent in,

514
00:29:27,840 --> 00:29:31,520
and we're taking a lot of those findings, obviously,

515
00:29:31,520 --> 00:29:35,040
and working through the remediation steps there,

516
00:29:35,040 --> 00:29:37,680
but we also take those messages

517
00:29:37,680 --> 00:29:39,040
and can put them in the forefront

518
00:29:39,040 --> 00:29:40,400
of the people building the products

519
00:29:40,400 --> 00:29:42,720
that may have released something that was found.

520
00:29:42,720 --> 00:29:44,480
That was a bit insecure,

521
00:29:44,480 --> 00:29:46,720
but I think what's most important

522
00:29:46,720 --> 00:29:50,560
is to kind of drill into the bounty programs specifically

523
00:29:50,560 --> 00:29:52,960
because I know a lot of the people out there are doing the work.

524
00:29:54,480 --> 00:29:57,680
We want to support you however we can

525
00:29:57,680 --> 00:30:00,160
and ensure you're kind of set up for success.

526
00:30:00,160 --> 00:30:04,080
So I'd say before you just go poke around anywhere,

527
00:30:04,080 --> 00:30:04,960
make sure you understand

528
00:30:04,960 --> 00:30:07,520
what the actual ongoing programs are.

529
00:30:07,520 --> 00:30:10,800
We have a ton focused on Azure at the moment.

530
00:30:10,800 --> 00:30:13,920
There's even some on Windows and other products,

531
00:30:13,920 --> 00:30:15,360
but a lot of these campaigns

532
00:30:15,920 --> 00:30:17,840
are happening from the product teams.

533
00:30:17,840 --> 00:30:21,200
So they're kind of specific

534
00:30:21,200 --> 00:30:23,040
in terms of what they're looking for.

535
00:30:23,040 --> 00:30:27,600
So be proactive in not wasting your time

536
00:30:27,600 --> 00:30:28,960
just finding anything random,

537
00:30:28,960 --> 00:30:30,960
but really looking at what Microsoft

538
00:30:30,960 --> 00:30:34,080
and what our teams are wanting you to focus on

539
00:30:34,080 --> 00:30:36,880
as we hopefully can pay you out

540
00:30:36,880 --> 00:30:41,760
and work with you to solve some of our security issues.

541
00:30:41,760 --> 00:30:45,360
We definitely want you all to be trying Azure

542
00:30:45,360 --> 00:30:46,640
and seeing what you can find,

543
00:30:46,640 --> 00:30:49,040
but we don't want you to get caught off guard.

544
00:30:49,040 --> 00:30:51,520
And if you're going down a path

545
00:30:51,520 --> 00:30:53,840
that's not part of a tried and true bounty program.

546
00:30:53,840 --> 00:30:55,920
So learn about the bounty programs.

547
00:30:55,920 --> 00:30:58,080
We'll be sure to provide a link

548
00:30:58,080 --> 00:31:00,400
of the current ongoing programs

549
00:31:00,400 --> 00:31:02,400
and make sure to read through it

550
00:31:02,400 --> 00:31:05,440
because often you may find something

551
00:31:05,440 --> 00:31:07,440
and we want you to report it 100%,

552
00:31:07,440 --> 00:31:10,240
but it may not be a part of the current ongoing bounties.

553
00:31:10,960 --> 00:31:13,280
Alex, one thing we always ask our guests

554
00:31:13,280 --> 00:31:17,280
is if you had just one thought to leave listeners,

555
00:31:17,280 --> 00:31:18,000
what would it be?

556
00:31:19,200 --> 00:31:20,160
Be authentic.

557
00:31:20,160 --> 00:31:23,680
And have your message come straight from the source.

558
00:31:23,680 --> 00:31:26,720
Where we really are excelling

559
00:31:26,720 --> 00:31:29,600
is when we partner with the security teams,

560
00:31:29,600 --> 00:31:31,760
they're essential to our success

561
00:31:31,760 --> 00:31:34,480
and a lot of the priorities and messaging we distribute

562
00:31:34,480 --> 00:31:36,800
is in coordination with those teams,

563
00:31:36,800 --> 00:31:39,200
but we happen to be in the same organization

564
00:31:39,200 --> 00:31:40,560
which I've kind of shared

565
00:31:40,560 --> 00:31:43,360
and that direct alignment with those setting

566
00:31:43,360 --> 00:31:46,720
that security strategy is what's unique about us.

567
00:31:46,720 --> 00:31:49,440
Our involvement, it's not just amplification

568
00:31:49,440 --> 00:31:52,240
of these messages, but rather a true partnership

569
00:31:52,240 --> 00:31:54,720
with the individual subject matter experts.

570
00:31:54,720 --> 00:31:56,960
We're not paying actors to carry out trainings.

571
00:31:56,960 --> 00:31:59,040
Instead, we're grooming individuals

572
00:31:59,040 --> 00:32:01,200
to present on the matter themselves.

573
00:32:01,200 --> 00:32:02,960
Like I mentioned earlier,

574
00:32:02,960 --> 00:32:04,960
we'll take the pen tester and we'll put them

575
00:32:04,960 --> 00:32:07,120
in front of an audience.

576
00:32:07,120 --> 00:32:10,560
These experts, we support them in various ways.

577
00:32:10,560 --> 00:32:15,760
So it actually comes across as a professional quality training

578
00:32:15,760 --> 00:32:18,480
and our process requires them

579
00:32:18,480 --> 00:32:22,000
full intake, content reviews, rehearsals,

580
00:32:22,000 --> 00:32:24,480
presenter coaching, design support.

581
00:32:24,480 --> 00:32:26,960
And we're there to moderate and produce the trainings

582
00:32:26,960 --> 00:32:29,040
real time as well as post-production.

583
00:32:29,040 --> 00:32:33,040
So to sum it up, partner closely with those experts.

584
00:32:33,040 --> 00:32:34,880
We couldn't do it without them,

585
00:32:34,880 --> 00:32:37,280
but make sure you're doing enough

586
00:32:37,280 --> 00:32:39,920
where they know they couldn't do it without you.

587
00:32:39,920 --> 00:32:42,640
If a lot of security teams will kind of flounder

588
00:32:42,640 --> 00:32:44,480
as they try and put their own messages out,

589
00:32:45,280 --> 00:32:47,840
get a team that does this day in and day out,

590
00:32:47,840 --> 00:32:50,560
put together and those messages will come together

591
00:32:50,560 --> 00:32:52,320
a lot crisper and a lot cleaner.

592
00:32:52,320 --> 00:32:55,680
And I know you'll start seeing security results

593
00:32:55,680 --> 00:32:57,920
and improvement in your security posture.

594
00:32:59,200 --> 00:33:01,360
So with that, let's bring this to an end.

595
00:33:01,360 --> 00:33:04,240
Alex, thanks so much for coming on this week.

596
00:33:04,240 --> 00:33:05,360
We really appreciate it.

597
00:33:05,360 --> 00:33:07,040
And I learned a few things.

598
00:33:07,040 --> 00:33:08,640
It's kind of been a bit of a blast from the past,

599
00:33:08,640 --> 00:33:09,600
to be honest with you.

600
00:33:09,600 --> 00:33:11,440
It's a modern spin on something

601
00:33:11,440 --> 00:33:14,240
that we frankly started doing 20 years ago,

602
00:33:14,240 --> 00:33:16,160
especially in Windows, Office,

603
00:33:16,160 --> 00:33:20,240
SQL Server and Exchange and Visual Studio back in the day.

604
00:33:20,880 --> 00:33:23,840
With that, I'd like to thank all of you for listening as well.

605
00:33:23,840 --> 00:33:26,160
So stay safe out there and we'll see you next time.

606
00:33:26,160 --> 00:33:29,120
Thanks for listening to the Azure Security Podcast.

607
00:33:29,120 --> 00:33:32,880
You can find show notes and other resources at our website,

608
00:33:32,880 --> 00:33:34,880
azsecuritypodcast.net.

609
00:33:35,920 --> 00:33:37,440
If you have any questions,

610
00:33:37,440 --> 00:33:39,680
please find us on Twitter at azuresecpod.

611
00:33:40,720 --> 00:33:43,600
Background music is from ccmixter.com

612
00:33:43,600 --> 00:33:46,640
and licensed under the Creative Commons license.

