1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,360
where we discuss topics relating to security, privacy,

3
00:00:09,360 --> 00:00:13,240
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,240 --> 00:00:15,520
Hey everybody, welcome to Episode 21.

5
00:00:15,520 --> 00:00:16,720
This week we have a full house,

6
00:00:16,720 --> 00:00:19,040
we have myself, Gladys, Sarah, and Mark.

7
00:00:19,040 --> 00:00:20,800
We also have a special guest,

8
00:00:20,800 --> 00:00:23,040
Arthur Shezaf from the Azure Sentinel team.

9
00:00:23,040 --> 00:00:24,000
But before we get to it,

10
00:00:24,000 --> 00:00:26,000
Arthur, let's take a look at the news.

11
00:00:26,000 --> 00:00:27,080
I'll kick things off.

12
00:00:27,080 --> 00:00:29,960
A few things really piqued my interest this week.

13
00:00:29,960 --> 00:00:34,600
The first one was the general availability of Azure Attestation.

14
00:00:34,600 --> 00:00:37,320
This allows you to essentially vouch for

15
00:00:37,320 --> 00:00:40,600
the integrity and trustworthiness of a running process.

16
00:00:40,600 --> 00:00:45,040
Probably the most common example of that today would be,

17
00:00:45,040 --> 00:00:47,320
say SQL Server with secure enclaves,

18
00:00:47,320 --> 00:00:50,400
where you have to verify that the enclave is

19
00:00:50,400 --> 00:00:52,960
the correct enclave, and not a rogue enclave.

20
00:00:52,960 --> 00:00:56,640
Talking of which, we've now made available in public preview,

21
00:00:56,640 --> 00:01:01,400
confidential computing using Always Encrypted with secure enclaves.

22
00:01:01,400 --> 00:01:03,360
Let me just spell this out.

23
00:01:03,360 --> 00:01:08,960
We've historically had SQL Server with secure enclaves on-prem.

24
00:01:08,960 --> 00:01:13,240
We also have confidential computing virtual machines,

25
00:01:13,240 --> 00:01:15,840
the DC series that support

26
00:01:15,840 --> 00:01:20,720
the appropriate CPU architectures to support secure enclaves.

27
00:01:20,720 --> 00:01:25,760
Well, now we have support for virtual machines running

28
00:01:25,760 --> 00:01:31,320
SQL Server with Always Encrypted using secure enclaves.

29
00:01:31,320 --> 00:01:33,520
That's now in public preview.

30
00:01:33,520 --> 00:01:37,240
I've been using it for a few months now in private preview.

31
00:01:37,240 --> 00:01:38,920
It's pretty cool stuff.

32
00:01:38,920 --> 00:01:41,600
If you're a customer who has to handle

33
00:01:41,600 --> 00:01:45,040
sensitive workloads in the Cloud where the data must be encrypted,

34
00:01:45,040 --> 00:01:47,280
secure enclaves are certainly an option because you don't

35
00:01:47,280 --> 00:01:50,920
necessarily have to decrypt the data on the fly just to query it.

36
00:01:50,920 --> 00:01:52,840
But that's a discussion for another day.

37
00:01:52,840 --> 00:01:54,640
I'll provide links in the show notes.

38
00:01:54,640 --> 00:01:59,160
Another cool set of features is in our HDInsight.

39
00:01:59,160 --> 00:02:02,320
HDInsight now supports IPsec,

40
00:02:02,320 --> 00:02:03,840
which is pretty cool.

41
00:02:03,840 --> 00:02:08,440
IPsec has personally been a bit of a nightmare to configure.

42
00:02:08,440 --> 00:02:11,520
So it'd be good to see what they've done in HDInsight.

43
00:02:11,520 --> 00:02:14,600
The second one is that HDInsight now

44
00:02:14,600 --> 00:02:17,840
supports customer-managed keys for encryption of data at rest.

45
00:02:17,840 --> 00:02:20,800
So that's always good news to see.

46
00:02:20,800 --> 00:02:26,960
So I've got three items today that I wanted to make sure folks were aware of.

47
00:02:26,960 --> 00:02:32,400
The first one is that the Azure Security Benchmarks version 2 are now

48
00:02:32,400 --> 00:02:34,240
the default configuration in

49
00:02:34,240 --> 00:02:37,280
Azure Security Center or ASC as we like to call it.

50
00:02:37,280 --> 00:02:41,760
So this is pretty cool because it really takes the daylight out between

51
00:02:41,760 --> 00:02:44,560
what Azure Security Center is recommending

52
00:02:44,560 --> 00:02:47,360
and what we're recommending through Azure Security Benchmarks.

53
00:02:47,360 --> 00:02:50,760
So it just makes it that much easier to implement,

54
00:02:50,760 --> 00:02:54,240
measure against, and monitor your compliance with

55
00:02:54,240 --> 00:02:57,640
those Azure Security Benchmarks and those best practices in there.

56
00:02:57,640 --> 00:03:01,680
This is really the standard across Microsoft that we're aligning all of

57
00:03:01,680 --> 00:03:05,480
our security guidance to relative to Azure Security.

58
00:03:05,480 --> 00:03:08,880
The second one is that in Azure Sentinel,

59
00:03:08,880 --> 00:03:13,160
there's a Cybersecurity Maturity Model Certification workbook.

60
00:03:13,160 --> 00:03:17,120
This is for folks that work with the federal government.

61
00:03:17,120 --> 00:03:23,080
CMMC is a security standard that is being required for a number of

62
00:03:23,080 --> 00:03:25,800
different US federal government suppliers,

63
00:03:25,800 --> 00:03:28,240
sub-suppliers, and whatnot down the line.

64
00:03:28,240 --> 00:03:32,320
So this is a handy way to get really good visibility

65
00:03:32,320 --> 00:03:37,080
into how you're doing against that particular control set.

66
00:03:37,080 --> 00:03:41,760
Then the last one is a little bit outside of the normal Azure swim lane,

67
00:03:41,760 --> 00:03:46,480
but I thought it would be a really nice illustration of Microsoft's commitment

68
00:03:46,480 --> 00:03:49,800
to cross-platform. Microsoft Defender for Endpoint,

69
00:03:49,800 --> 00:03:54,960
our EDR, has now gone generally available for

70
00:03:54,960 --> 00:03:57,520
threat and vulnerability management for macOS.

71
00:03:57,520 --> 00:04:01,360
So if you've got Macs in your enterprise and you want to have

72
00:04:01,360 --> 00:04:05,600
those threat and vulnerability management features that are integrated with

73
00:04:05,600 --> 00:04:10,080
the EDR capabilities, they are now fully generally available on

74
00:04:10,080 --> 00:04:13,080
macOS in Microsoft Defender for Endpoint.

75
00:04:13,080 --> 00:04:15,320
So some pretty cool stuff there.

76
00:04:15,320 --> 00:04:20,040
So the things that have caught my eye this week are,

77
00:04:20,040 --> 00:04:23,000
of course, we've got some Security Center updates.

78
00:04:23,000 --> 00:04:24,280
Always one of my favorites,

79
00:04:24,280 --> 00:04:28,200
the Kubernetes Workload Protection recommendations are now GA.

80
00:04:28,200 --> 00:04:30,440
So they have been in preview for some time,

81
00:04:30,440 --> 00:04:35,120
but now if you install the Azure Policy add-on into your AKS cluster,

82
00:04:35,120 --> 00:04:39,400
ASC is going to monitor your Kubernetes API server against

83
00:04:39,400 --> 00:04:44,320
a predefined set of best practices so you can see if you are adhering to

84
00:04:44,320 --> 00:04:48,520
your best practices there as well, which is very cool.

85
00:04:48,520 --> 00:04:52,680
Also, one more thing that I thought was particularly good is

86
00:04:52,680 --> 00:04:59,200
the SQL data classification recommendation will no longer affect your secure score.

87
00:04:59,200 --> 00:05:03,800
So that control now has a secure score value of zero.

88
00:05:03,800 --> 00:05:06,240
If you're not classifying your SQL data,

89
00:05:06,240 --> 00:05:09,120
it's not going to affect your secure score anymore.

90
00:05:09,120 --> 00:05:13,640
That is something that customers definitely do come across.

91
00:05:13,640 --> 00:05:18,360
The other one I wanted to talk about was a bit of Sentinel.

92
00:05:18,360 --> 00:05:21,360
Now, we're going to talk about Sentinel quite a bit in this episode,

93
00:05:21,360 --> 00:05:27,320
but something that one of my teammates posted was a blog post about

94
00:05:27,320 --> 00:05:32,120
using Data Explorer for long-term retention of Azure Sentinel logs.

95
00:05:32,120 --> 00:05:35,880
Now, if you're not familiar with Azure Data Explorer or ADX,

96
00:05:35,880 --> 00:05:40,360
that is a tool that we've had in Azure for some time.

97
00:05:40,360 --> 00:05:45,360
It also uses KQL and it stores lots of logs, like Log Analytics,

98
00:05:45,360 --> 00:05:49,360
but the way that you pay for it and its price is slightly different,

99
00:05:49,360 --> 00:05:52,280
it's based on the retention and processing power.

100
00:05:52,280 --> 00:05:57,440
So it can be used for long-term retention of Sentinel logs.

101
00:05:57,440 --> 00:06:01,160
My colleague Javier wrote a great blog post,

102
00:06:01,160 --> 00:06:06,160
which we'll link to in the show notes about how you might want to keep everything in

103
00:06:06,160 --> 00:06:11,960
effectively your hot storage in Sentinel and Log Analytics for three months or maybe six months,

104
00:06:11,960 --> 00:06:17,440
and then you can move it to your warm storage where ADX can still have a look at it.

105
00:06:17,440 --> 00:06:21,440
Then you might want to take that one step further and then subsequently,

106
00:06:21,440 --> 00:06:23,560
perhaps after a year or something,

107
00:06:23,560 --> 00:06:27,360
move it into blob storage for archival.

108
00:06:27,360 --> 00:06:29,320
Lots of different things you can do there.

109
00:06:29,320 --> 00:06:34,760
It is a very cool integration and recommended architecture practice and

110
00:06:34,760 --> 00:06:36,560
something you might be interested in.

111
00:06:36,560 --> 00:06:38,320
So go and have a look.

112
00:06:38,320 --> 00:06:43,400
The last thing, and I'm sure our friend will talk about this, is that we now have

113
00:06:43,400 --> 00:06:46,840
a what's new page for Azure Sentinel.

114
00:06:46,840 --> 00:06:50,040
Before you would have to look at our tech community blog,

115
00:06:50,040 --> 00:06:54,600
but now we do have a dedicated what's new page for Sentinel features,

116
00:06:54,600 --> 00:06:56,720
and we are adding lots all the time.

117
00:06:56,720 --> 00:07:02,240
If you go to aka.ms-as-new,

118
00:07:02,240 --> 00:07:06,640
then you can see everything that's new in Azure Sentinel.

119
00:07:06,640 --> 00:07:09,200
Last time that we were in the podcast,

120
00:07:09,200 --> 00:07:12,920
I mentioned that I was changing roles.

121
00:07:12,920 --> 00:07:16,840
So I had been basically a month in training.

122
00:07:16,840 --> 00:07:20,960
I feel like a newbie drinking from the hose.

123
00:07:20,960 --> 00:07:24,800
So I don't really have a lot of news to share,

124
00:07:24,800 --> 00:07:31,240
but I wanted to share something that I learned from this training that I have been on.

125
00:07:31,240 --> 00:07:37,360
I do not really have a need to be connected to Microsoft's critical systems.

126
00:07:37,360 --> 00:07:42,520
So even though I have helped customers to implement PAWs,

127
00:07:42,520 --> 00:07:47,360
I have never seen Microsoft using them.

128
00:07:47,360 --> 00:07:49,560
However, during this training,

129
00:07:49,560 --> 00:07:54,360
I was impressed with the process Microsoft has for PAWs.

130
00:07:54,360 --> 00:07:57,440
For those of you that are not familiar with this term,

131
00:07:57,440 --> 00:08:05,440
Privileged Access Workstation or PAW, also called Secure Access Workstation or SAW,

132
00:08:05,440 --> 00:08:09,640
is a physical device that has been hardened.

133
00:08:09,640 --> 00:08:19,760
Microsoft recommends using the latest Windows 10 version and implementing all the embedded security,

134
00:08:19,760 --> 00:08:23,560
such as Credential Guard and Exploit Guard.

135
00:08:23,560 --> 00:08:28,200
If you have Defender for Endpoint, put it there.

136
00:08:28,200 --> 00:08:30,800
But basically, you limit the amount of

137
00:08:30,800 --> 00:08:35,920
applications that are installed in the workstation itself.

138
00:08:35,920 --> 00:08:39,880
Also, configuration is put in place,

139
00:08:39,880 --> 00:08:44,960
so there's limited internet access and no email.

140
00:08:44,960 --> 00:08:47,960
You would ask yourself, why is that?

141
00:08:47,960 --> 00:08:52,600
Well, according to the Verizon Data Breach Digest report,

142
00:08:52,600 --> 00:08:58,440
email still drives 90 percent of security breaches.

143
00:08:58,440 --> 00:09:04,240
So if you force an administrator account to be used only from

144
00:09:04,240 --> 00:09:09,120
a hardened physical device where there's no access to email and

145
00:09:09,120 --> 00:09:11,280
limited access to the internet,

146
00:09:11,280 --> 00:09:15,200
think about the reduction of risk to the environment.

147
00:09:15,200 --> 00:09:22,040
I mentioned limited access to the internet because you really will need

148
00:09:22,040 --> 00:09:27,920
access to do some administration on the different cloud services.

149
00:09:27,920 --> 00:09:30,760
But by controlling access to other websites,

150
00:09:30,760 --> 00:09:35,640
then you reduce the risk of having watering hole attacks,

151
00:09:35,640 --> 00:09:42,400
which are attacks where websites are used to infect visitors with malware.

152
00:09:42,400 --> 00:09:52,000
You could also have advertisement attacks being done or other browser related attacks.

153
00:09:52,000 --> 00:09:55,200
So that gets reduced.

154
00:09:55,200 --> 00:10:00,160
Another question that often we are asked is,

155
00:10:00,160 --> 00:10:10,520
what if I use a remote desktop, or a jump server, or maybe a virtual desktop, to do the administration?

156
00:10:10,520 --> 00:10:15,520
That only works if the physical machine is still hardened with

157
00:10:15,520 --> 00:10:18,680
no access to email and limited internet.

158
00:10:18,680 --> 00:10:26,280
The reason for this is that if the physical device has access to the internet or email,

159
00:10:26,280 --> 00:10:29,840
malware can come in and infect the device.

160
00:10:29,840 --> 00:10:37,600
Now the malware has access to extract information from memory.

161
00:10:37,600 --> 00:10:40,920
There could be key loggers installed.

162
00:10:40,920 --> 00:10:52,000
Now the malware or the attacker could be monitoring remote sessions that are being performed

163
00:10:52,000 --> 00:11:01,080
and capture that information that is being sent across from the physical device to those remote sessions.

164
00:11:01,080 --> 00:11:05,440
This is why the device must be the one hardened.

165
00:11:05,440 --> 00:11:12,320
The device should not have that email access and should not have the internet connection.

166
00:11:12,320 --> 00:11:21,720
Now, if you have the physical device hardened, with no email and limited internet,

167
00:11:21,720 --> 00:11:27,760
then you could perform a remote connection to other devices that have email and internet access.

168
00:11:27,760 --> 00:11:34,600
So as an example, you may have the hardened device controlled completely,

169
00:11:34,600 --> 00:11:48,320
and then you may have a virtual desktop or VDI where you connect to do your regular day-to-day email and internet browsing.

170
00:11:48,320 --> 00:11:53,720
The one thing that you need to make sure of is that the connection is tightly secured,

171
00:11:53,720 --> 00:11:57,400
so malicious actors do not attempt to jump over.

172
00:11:57,400 --> 00:12:04,080
So I really believe in the recommendation that Microsoft has been putting out that

173
00:12:04,080 --> 00:12:08,360
every administrator, actually more than administrators, developers

174
00:12:08,360 --> 00:12:22,360
and network administrators must use a privileged access workstation in order to reduce the chance of privileged credentials being captured.

175
00:12:22,360 --> 00:12:24,280
So that's it with the news. Thanks everybody.

176
00:12:24,280 --> 00:12:27,520
Let's turn our attention now to our guest, Arthur Shezaf.

177
00:12:27,520 --> 00:12:30,800
Arthur is a principal product manager in the Azure Sentinel team.

178
00:12:30,800 --> 00:12:35,080
Welcome to the podcast, Arthur. Could you please spend a moment and introduce yourself?

179
00:12:35,080 --> 00:12:37,720
Thank you, Michael. Glad to be here today.

180
00:12:37,720 --> 00:12:39,880
So my name is Arthur Shezaf.

181
00:12:39,880 --> 00:12:41,240
Hard to pronounce.

182
00:12:41,240 --> 00:12:42,480
Forget about last name.

183
00:12:42,480 --> 00:12:43,360
Call me Arthur.

184
00:12:43,360 --> 00:12:48,800
I joined Microsoft around two years ago for an exciting project called Azure Sentinel.

185
00:12:48,800 --> 00:12:53,200
I am a SIEM guy and Azure Sentinel is Microsoft's new SIEM.

186
00:12:53,200 --> 00:13:02,360
I came from quite many years at ArcSight, which used to be the leader in the SIEM market, so I know a thing or two about SIEM.

187
00:13:02,360 --> 00:13:11,600
And I'd love to talk about SIEM, share my experience, why I like Azure Sentinel and what excites me in general.

188
00:13:11,600 --> 00:13:15,480
OK, Arthur. So let's start with the basics.

189
00:13:15,480 --> 00:13:20,320
For anyone who doesn't know, what is Azure Sentinel?

190
00:13:20,320 --> 00:13:24,800
So Azure Sentinel is Microsoft's new cloud-native SIEM.

191
00:13:24,800 --> 00:13:30,960
We launched it a bit more than a year ago, so it's really new.

192
00:13:30,960 --> 00:13:33,560
It's a first for Microsoft.

193
00:13:33,560 --> 00:13:38,040
And I think it's also a first in the SIEM world.

194
00:13:38,040 --> 00:13:42,040
Now, for those that don't know what SIEM is,

195
00:13:42,040 --> 00:13:51,400
SIEM is security information and event management, and it's essentially the nerve center of security operations.

196
00:13:51,400 --> 00:13:57,480
So it's this glue system that is there in the SOC, the Security Operations Center.

197
00:13:57,480 --> 00:14:05,600
And it serves the team in the SOC to make sure that no alert goes unnoticed.

198
00:14:05,600 --> 00:14:08,040
So what is the role of a SIEM?

199
00:14:08,040 --> 00:14:13,960
I use the term nerve center, which of course can imply so many things.

200
00:14:13,960 --> 00:14:18,840
And you're right, it requires some explanation.

201
00:14:18,840 --> 00:14:24,440
Also, I think that SIEM is sometimes something different to different people.

202
00:14:24,440 --> 00:14:27,480
So I want to share my view, my experience around that.

203
00:14:27,480 --> 00:14:37,800
So a SIEM is the system to manage incidents in the Security Operations Center.

204
00:14:37,800 --> 00:14:39,080
Now, you can't start there.

205
00:14:39,080 --> 00:14:42,440
You have to collect telemetry, you have to collect data.

206
00:14:42,440 --> 00:14:45,520
Data might be alerts from different systems.

207
00:14:45,520 --> 00:14:51,360
For example, in the Microsoft world, we know how to collect the alerts from all of the Microsoft security systems,

208
00:14:51,360 --> 00:14:54,120
but not just that, also from other systems.

209
00:14:54,120 --> 00:15:02,480
You also want to collect broad data to support those alerts and the managing of them and around them.

210
00:15:02,480 --> 00:15:11,920
Once you've collected it, once you have a big pile of information, and that's why it's security information and event management,

211
00:15:11,920 --> 00:15:19,880
the SIEM has a role in detection, in identifying threats and attacks on the organization.

212
00:15:19,880 --> 00:15:31,960
However, one of the key misunderstandings, I think, around the SIEM is that it's not the core detection platform.

213
00:15:31,960 --> 00:15:36,600
Any organization has a large number of detection systems.

214
00:15:36,600 --> 00:15:40,400
Many of them are very specialized in what they do.

215
00:15:40,400 --> 00:15:48,640
We at Microsoft provide a number of such systems, most obviously Microsoft Defender for Endpoint,

216
00:15:48,640 --> 00:15:55,600
our EDR system, Microsoft Cloud App Security to protect SaaS applications, etc.

217
00:15:55,600 --> 00:15:58,480
And detection is a shared responsibility.

218
00:15:58,480 --> 00:16:05,440
So you should really rely on your expert systems to do detection where they can,

219
00:16:05,440 --> 00:16:09,760
and augment that with the SIEM to do detection where you have none,

220
00:16:09,760 --> 00:16:17,120
or where you require custom algorithms or cross-source detection.

221
00:16:17,120 --> 00:16:23,440
Now, once you have detections, you usually want to go on, and you need to manage the incidents.

222
00:16:23,440 --> 00:16:26,520
When something triggers, when a flag goes on,

223
00:16:26,520 --> 00:16:30,800
there are too many of those, you need to triage those,

224
00:16:30,800 --> 00:16:35,120
to investigate those that were triaged as really suspicious,

225
00:16:35,120 --> 00:16:37,800
and then respond and do something about it.

226
00:16:37,800 --> 00:16:40,520
This is why I call it the nerve center.

227
00:16:40,520 --> 00:16:45,520
And the SIEM takes you from collecting the telemetry, detecting threats,

228
00:16:45,520 --> 00:16:48,640
managing the incidents and responding to them.

229
00:16:48,640 --> 00:16:51,920
Every sizable organization should have a SIEM.

230
00:16:51,920 --> 00:16:56,840
Small organizations probably, because they don't have people managing the incidents

231
00:16:56,840 --> 00:16:59,920
24 by 7 or near real time,

232
00:16:59,920 --> 00:17:02,680
may need to rely on a service provider to do the same,

233
00:17:02,680 --> 00:17:05,640
but it means the service provider will need a SIEM.

234
00:17:05,640 --> 00:17:09,200
I get asked this a lot by customers, and I'm sure you have been too,

235
00:17:09,200 --> 00:17:13,280
but is Sentinel just for Microsoft products,

236
00:17:13,280 --> 00:17:21,600
because it's built by Microsoft, or is it for other things as well?

237
00:17:21,600 --> 00:17:27,440
So we do get this question a lot, as you mentioned.

238
00:17:27,440 --> 00:17:36,080
And I think part of it is because people still don't take Microsoft to be a security vendor.

239
00:17:36,080 --> 00:17:38,720
That said, we're probably the largest security vendor out there,

240
00:17:38,720 --> 00:17:39,920
and not just because of Sentinel,

241
00:17:39,920 --> 00:17:46,120
because we just have market leaders in many of the security realms.

242
00:17:46,120 --> 00:17:53,000
And once you consider that we are a major security solutions vendor,

243
00:17:53,000 --> 00:17:59,040
we try to provide a solution for security, not just to protect Microsoft estates.

244
00:17:59,040 --> 00:18:08,400
And the same is true for Sentinel, which is a system for protecting any workload,

245
00:18:08,400 --> 00:18:12,400
or I should say the nerve center for managing incident services and any workload.

246
00:18:12,400 --> 00:18:19,880
So a SIEM for Microsoft, other clouds, as well as on-prem workloads.

247
00:18:19,880 --> 00:18:26,160
It's important to make the point; I assume that most of the listeners of this podcast

248
00:18:26,160 --> 00:18:29,480
are Microsoft users, Azure users.

249
00:18:29,480 --> 00:18:37,000
It's worth mentioning that we do work very well with Azure services and Microsoft services.

250
00:18:37,000 --> 00:18:40,640
We do have a more intimate relationship with the teams.

251
00:18:40,640 --> 00:18:47,080
So out of the box, it's very useful for Microsoft stuff.

252
00:18:47,080 --> 00:18:50,680
Why did Microsoft make the Azure Sentinel offer?

253
00:18:50,680 --> 00:18:55,560
You joined right at the beginning for an exciting project.

254
00:18:55,560 --> 00:19:02,680
Can you give us a bit more on the history on why we decided to actually make Azure Sentinel for our customers?

255
00:19:02,680 --> 00:19:07,600
Actually, it's a good story. We did it because we needed it.

256
00:19:07,600 --> 00:19:15,280
So Microsoft, we organically grew to be a 10 billion dollar security business.

257
00:19:15,280 --> 00:19:18,840
We are also one of the largest IT operators in the world.

258
00:19:18,840 --> 00:19:22,960
Azure is a major IT operation and we are a large company.

259
00:19:22,960 --> 00:19:26,400
So over the years, we had to build our own SOC.

260
00:19:26,400 --> 00:19:28,120
We have a SOC internally as well.

261
00:19:28,120 --> 00:19:30,520
And the Microsoft SOC team, there's more than one.

262
00:19:30,520 --> 00:19:33,920
There's one protecting Azure. There's one protecting internal IT.

263
00:19:33,920 --> 00:19:41,680
We've started to morph from using standard SIEM tools into using internal technology,

264
00:19:41,680 --> 00:19:47,080
so the bits and pieces that Microsoft had already developed in order to do security operations management.

265
00:19:47,080 --> 00:19:55,120
So for example, we have a very, very good event management system called Azure Data Explorer.

266
00:19:55,120 --> 00:19:58,480
That was developed internally in order to manage logs.

267
00:19:58,480 --> 00:20:01,280
We have tons of logs around our cloud services.

268
00:20:01,280 --> 00:20:05,520
And internal IT decided to start using this system

269
00:20:05,520 --> 00:20:08,960
because they thought it's the best way to manage security events.

270
00:20:08,960 --> 00:20:12,640
Essentially, the SIEM was built organically internally.

271
00:20:12,640 --> 00:20:17,680
And at one point, we thought that we just have great technology and we should make a product out of it.

272
00:20:17,680 --> 00:20:19,600
And sort of that's the story.

273
00:20:19,600 --> 00:20:23,280
There's also the other side, you know, as a very large security vendor.

274
00:20:23,280 --> 00:20:29,200
We feel we should fill all the gaps and provide an overall solution.

275
00:20:29,200 --> 00:20:34,400
If I can share what I really like about working on a SIEM at Microsoft,

276
00:20:34,400 --> 00:20:38,960
you know, when you're a hammer, everything looks like a nail.

277
00:20:38,960 --> 00:20:45,120
And when you're a SIEM vendor, you think that every problem in the world should be solved by a SIEM.

278
00:20:45,120 --> 00:20:48,080
Being part of Microsoft, I don't have to do that.

279
00:20:48,080 --> 00:20:52,560
I can focus on the added value of a SIEM on top of other products.

280
00:20:52,560 --> 00:20:56,800
I think that what I said before about the role of a SIEM is easier for me

281
00:20:56,800 --> 00:21:05,040
because as Microsoft, we have all solutions and we are in a better position to advise on how to combine them better.

282
00:21:05,040 --> 00:21:13,280
I think that we added a SIEM to make our security stack whole and provide the best security for our customers.

283
00:21:13,280 --> 00:21:19,760
It's interesting that you mentioned that because the other products are more focused,

284
00:21:19,760 --> 00:21:26,320
like Defender for Endpoint, focused on endpoint, and Defender for Identity, focused on identity.

285
00:21:26,320 --> 00:21:30,400
And now you're bringing all the telemetry together into Sentinel

286
00:21:30,400 --> 00:21:35,440
and getting more out of the data being analyzed.

287
00:21:35,440 --> 00:21:38,400
What is a cloud-native SIEM?

288
00:21:38,400 --> 00:21:41,760
Two stories around that, or one story we've broken into two.

289
00:21:41,760 --> 00:21:47,280
So I'll start elsewhere. When I joined Microsoft, Elia Levie, who hired me,

290
00:21:47,280 --> 00:21:51,360
and who also came from ArcSight a few years before me,

291
00:21:51,360 --> 00:21:53,680
told me, I know you know everything about SIEM.

292
00:21:53,680 --> 00:21:55,760
I mean, you've been doing SIEM for a decade.

293
00:21:55,760 --> 00:21:58,000
Now go and learn cloud.

294
00:21:58,000 --> 00:22:01,840
Now, I thought I knew cloud.

295
00:22:01,840 --> 00:22:03,760
A bunch of VMs there.

296
00:22:03,760 --> 00:22:08,240
It took me, I think, the better part of six months

297
00:22:08,240 --> 00:22:12,320
to understand what a real cloud infrastructure is.

298
00:22:12,320 --> 00:22:16,960
The one that maybe two or three vendors in the world actually offer.

299
00:22:16,960 --> 00:22:21,120
And it was also the time it took me to understand that cloud-native is not just marketing,

300
00:22:21,120 --> 00:22:23,760
but it's a real advantage.

301
00:22:23,760 --> 00:22:27,920
And actually, it happened to me in Brussels.

302
00:22:27,920 --> 00:22:30,320
We were still traveling.

303
00:22:30,320 --> 00:22:36,000
And there's a great thing about the Microsoft office in Brussels: it's in the airport.

304
00:22:36,000 --> 00:22:43,520
So I went there to meet a government customer.

305
00:22:43,520 --> 00:22:48,640
I landed, crossed the road, entered the building, spent a day there and came back.

306
00:22:48,640 --> 00:22:54,160
And it was one of the best trips I ever had because I was just learning.

307
00:22:54,160 --> 00:22:56,800
I wasn't too long into Microsoft.

308
00:22:56,800 --> 00:22:59,920
I was still more a SIEM guy than a cloud guy.

309
00:22:59,920 --> 00:23:02,640
And I met two people in the room.

310
00:23:02,640 --> 00:23:06,960
One of them was the previous SIEM owner.

311
00:23:06,960 --> 00:23:11,280
The one that was going to be replaced in your RFP.

312
00:23:11,280 --> 00:23:15,920
And on the other side was the cloud workloads owner.

313
00:23:15,920 --> 00:23:23,920
And I felt that the people on one side, the SIEM team, they just didn't understand

314
00:23:23,920 --> 00:23:28,480
how to protect the cloud on one side and what they can get from the cloud on the other side.

315
00:23:28,480 --> 00:23:32,240
They may have known they have a big security gap there.

316
00:23:32,240 --> 00:23:36,960
And on the other side of the table, I met the cloud security guy.

317
00:23:36,960 --> 00:23:41,360
And he knew not just what he needs to protect the cloud, what are the threats,

318
00:23:41,360 --> 00:23:46,400
what are the use cases, how it is different when you leave the physical network,

319
00:23:46,400 --> 00:23:50,960
but also why cloud is better.

320
00:23:50,960 --> 00:23:57,040
So I came back and I was convinced; it took me six months after joining.

321
00:23:57,040 --> 00:23:59,840
Before that, I just thought we had a great SIEM.

322
00:23:59,840 --> 00:24:01,680
So what is cloud-native?

323
00:24:01,680 --> 00:24:09,600
So cloud-native is a technology that fits the way that things work in the cloud.

324
00:24:09,600 --> 00:24:12,400
So the cloud is temporal.

325
00:24:12,400 --> 00:24:13,840
It's ever-changing.

326
00:24:13,840 --> 00:24:16,800
We often call it infrastructure as code.

327
00:24:16,800 --> 00:24:21,040
You start things and stop things at zero notice.

328
00:24:21,040 --> 00:24:24,320
A VM doesn't really have a lifespan.

329
00:24:25,120 --> 00:24:26,720
An IP doesn't have any meaning.

330
00:24:27,680 --> 00:24:32,080
And traditional SIEMs still cherish and glorify the IP address.

331
00:24:33,200 --> 00:24:35,760
That can't be the case anymore.

332
00:24:35,760 --> 00:24:40,320
Moreover, the promise of the cloud is elasticity.

333
00:24:40,320 --> 00:24:42,160
Go as high as you want.

334
00:24:42,880 --> 00:24:46,640
The way a traditional SIEM works is that you need to design for capacity,

335
00:24:47,520 --> 00:24:54,000
which entirely kills the notion of using cloud workloads, which can just grow very high.

336
00:24:54,640 --> 00:25:01,680
So for years, I was bringing Black Friday as an example of the challenges of scale.

337
00:25:01,680 --> 00:25:06,880
I did work at ArcSight, and when architecting systems for customers,

338
00:25:06,880 --> 00:25:09,920
I was asking them, do you have some Black Friday you have to prepare for?

339
00:25:10,560 --> 00:25:16,800
Should you design for twice the capacity just for one day?

340
00:25:18,560 --> 00:25:23,120
And the same was a story I told after joining Microsoft, understanding the cloud,

341
00:25:23,920 --> 00:25:27,440
and explaining to customers that only Sentinel can really do that.

342
00:25:27,440 --> 00:25:34,800
Last Black Friday, November 26, 27, was our first true Black Friday with a large,

343
00:25:34,800 --> 00:25:36,320
massive amount of customers.

344
00:25:36,320 --> 00:25:38,480
The previous one, we'd been a month on the road.

345
00:25:39,200 --> 00:25:41,440
And we have a lot of large retail customers.

346
00:25:41,440 --> 00:25:49,760
And it's amazing to see the peak, the traffic rising three times as much for one day,

347
00:25:50,480 --> 00:25:51,760
which is the promise of the cloud.

348
00:25:52,560 --> 00:25:56,320
And with any traditional SIEM, you'll have to design for Black Friday

349
00:25:56,320 --> 00:25:58,560
or not be protected Black Friday.

350
00:25:58,560 --> 00:26:01,360
With Sentinel, there was no meeting about that.

351
00:26:01,360 --> 00:26:02,320
It just works.

352
00:26:03,600 --> 00:26:08,720
If we sustained everybody going home during the COVID early days,

353
00:26:08,720 --> 00:26:11,440
Black Friday is really not an issue.

354
00:26:12,320 --> 00:26:17,840
So that's the elasticity, the infrastructure as code,

355
00:26:17,840 --> 00:26:21,040
the flexibility to grow as much as you need,

356
00:26:21,040 --> 00:26:27,760
as well as, if I need to add a third point, the fact that the cloud implies that IT has a lot less control.

357
00:26:27,760 --> 00:26:30,960
So you need to make sure that you actually monitor everything,

358
00:26:30,960 --> 00:26:36,160
even if every business owner has the ability to start services themselves.

359
00:26:36,160 --> 00:26:42,160
So things like policy enforcement in terms of monitoring are very important.

360
00:26:42,160 --> 00:26:47,600
So CI/CD, scaling, all those are terms of the cloud,

361
00:26:47,600 --> 00:26:53,280
which are important to maintain a SIEM in the cloud.

362
00:26:53,280 --> 00:26:57,520
Of course, they also contribute a lot to on-prem workloads,

363
00:26:57,520 --> 00:27:02,480
because I'll share with you a story about a customer complaint.

364
00:27:02,480 --> 00:27:03,520
Actually a prospect.

365
00:27:03,520 --> 00:27:05,120
I'm not sure there'll be a customer.

366
00:27:05,840 --> 00:27:07,680
They said something like that.

367
00:27:07,680 --> 00:27:11,280
With our currency, we really, really lack the flexibility,

368
00:27:11,280 --> 00:27:13,280
which we think is missing in Sentinel.

369
00:27:13,280 --> 00:27:17,600
On the other hand, we don't like the fact that Sentinel is too much DevOps,

370
00:27:17,600 --> 00:27:20,800
which is contradicting nature and means the customer.

371
00:27:20,800 --> 00:27:24,000
As I mentioned, SIEM people are not always already into the cloud.

372
00:27:24,000 --> 00:27:29,200
They don't understand that DevOps is the modern way to get flexibility, which we provide.

373
00:27:29,200 --> 00:27:31,600
So a beautiful end-fianc.

374
00:27:32,800 --> 00:27:36,480
Ofer, you talked about Sentinel and automation and SecOps

375
00:27:37,200 --> 00:27:41,600
and doing DevOps in our sort of new, new,

376
00:27:41,600 --> 00:27:44,960
hybrid environments that customers are coming across with cloud.

377
00:27:44,960 --> 00:27:50,880
But how can Sentinel help do that automation piece from the SecOps side of things?

378
00:27:50,880 --> 00:27:57,280
So first of all, a point I missed in the last topic about cloud and SIEM.

379
00:27:57,280 --> 00:27:59,920
Cloud is built very well for integrations.

380
00:27:59,920 --> 00:28:06,240
So things which on-prem, how to even get from system A to system B.

381
00:28:06,240 --> 00:28:12,160
In the cloud, it's just a rest endpoint.

382
00:28:12,160 --> 00:28:16,160
With this in mind, Sentinel excels in automating your SecOps.

383
00:28:16,160 --> 00:28:20,800
Now, a word before that, a bit of a, again, a personal view on SIEM.

384
00:28:20,800 --> 00:28:27,680
SIEM is an oxymoron because everyone will tell you that they don't have enough security people

385
00:28:27,680 --> 00:28:30,080
and they want to automate as much as possible.

386
00:28:30,080 --> 00:28:34,160
That said, the concept of the SIEM implies

387
00:28:34,160 --> 00:28:38,640
you still want a human to be there somewhere in the middle.

388
00:28:38,640 --> 00:28:44,240
So an EDR may be able to detect and protect immediately.

389
00:28:44,240 --> 00:28:46,320
So detect and block.

390
00:28:46,320 --> 00:28:52,800
A SIEM is the overlay, the system on top, that gets the EDR,

391
00:28:52,800 --> 00:28:57,280
so Microsoft Defender for Endpoint's detection, or detects itself,

392
00:28:57,280 --> 00:29:01,680
and enables a human to try and investigate and respond.

393
00:29:01,680 --> 00:29:06,800
Because it didn't work at the first expert systems level,

394
00:29:06,800 --> 00:29:10,160
because the decision was less clear.

395
00:29:10,160 --> 00:29:17,440
Now, with that in mind, still, human experts are scarce, hard to find,

396
00:29:17,440 --> 00:29:21,040
and we want to save on the time and make them more productive.

397
00:29:21,040 --> 00:29:24,320
We also don't want to scare them away and have them leave after a year

398
00:29:24,320 --> 00:29:27,120
when they do just boring stuff.

399
00:29:27,120 --> 00:29:34,480
With this in mind, one of the great things about Sentinel is that it enables you to have the human in the loop,

400
00:29:34,480 --> 00:29:37,520
but still automate as much as possible.

401
00:29:37,520 --> 00:29:42,720
We are using Logic Apps, one of the advantages of living in the Azure environment,

402
00:29:42,720 --> 00:29:45,360
as our automation mechanism.

403
00:29:45,360 --> 00:29:49,280
It's tightly integrated into the core incident management within Sentinel,

404
00:29:49,280 --> 00:29:54,880
as a model within Sentinel, and it enables essentially automating any workflow.

405
00:29:54,880 --> 00:29:58,640
You'd think that automation is usually about blocking things,

406
00:29:58,640 --> 00:30:01,280
that's what people have in mind,

407
00:30:01,280 --> 00:30:05,040
but that's something that Defender for Endpoint would do already.

408
00:30:05,040 --> 00:30:09,200
Keep in mind that I mentioned the SIEM is for a human to decide.

409
00:30:09,200 --> 00:30:14,240
So in practice, in many cases, automation is not about a shoot-up game.

410
00:30:14,240 --> 00:30:18,080
We saw a bad guy, let's shoot him and get him off the air.

411
00:30:18,080 --> 00:30:21,680
It's usually about automating the process of decision.

412
00:30:21,680 --> 00:30:25,680
So collecting more information, for example, automatically,

413
00:30:25,680 --> 00:30:31,680
getting this additional information from an Azure AD that can support the decision that you need to make.

414
00:30:31,680 --> 00:30:38,880
So in general, Sentinel is one of the only SIEMs which is tightly integrated with an automation engine.

415
00:30:38,880 --> 00:30:44,080
What I see is that in a typical environment, a typical SIEM environment,

416
00:30:44,080 --> 00:30:48,880
customers are not able to use the automation engine,

417
00:30:48,880 --> 00:30:54,880
but in a typical SIEM environment, customers implement use cases.

418
00:30:54,880 --> 00:31:02,080
Use cases is the SIEM term for a threat detection and response flow,

419
00:31:02,080 --> 00:31:08,080
and they collect the data and create a detection capability on top of that.

420
00:31:08,080 --> 00:31:12,080
With Sentinel, it's the first SIEM I've used,

421
00:31:12,080 --> 00:31:19,280
and I'm going to go and write automation to make the investigation response more efficient.

422
00:31:19,280 --> 00:31:24,480
I wanted to touch on one of the things that you mentioned early on in the description.

423
00:31:24,480 --> 00:31:30,080
The XDR, extended detection and response, versus SIEM.

424
00:31:30,080 --> 00:31:35,680
How do you think about which use cases, which detections, etc.?

425
00:31:35,680 --> 00:31:39,680
How do you think about which ones belong with an EDR

426
00:31:39,680 --> 00:31:44,080
or a Defender for Identity type of capability versus which ones would be in a SIEM?

427
00:31:44,080 --> 00:31:46,080
Where do you draw that line?

428
00:31:46,080 --> 00:31:50,880
I mentioned that and I also mentioned that I love working for Microsoft,

429
00:31:50,880 --> 00:31:53,280
because it means that I can openly talk about that.

430
00:31:53,280 --> 00:31:56,880
I don't have to pick sides, which is unique.

431
00:31:56,880 --> 00:31:58,080
With that in mind,

432
00:31:58,080 --> 00:32:02,480
There's the high-level answer and the techie answer to that.

433
00:32:02,480 --> 00:32:11,280
The high-level answer is that I believe that XDR is the expert detection system.

434
00:32:11,280 --> 00:32:17,680
The difference is that XDR and XDR stand for X detection and response.

435
00:32:17,680 --> 00:32:24,880
For those who don't know, the original system, Defender for Endpoint, is an EDR, endpoint detection and response.

436
00:32:24,880 --> 00:32:31,280
The term was extended to cover systems that cover multiple areas.

437
00:32:31,280 --> 00:32:36,480
For example, Microsoft, our XDR covers endpoint, which is Defender for Endpoint,

438
00:32:36,480 --> 00:32:43,680
identity protection, which is Defender for Identity, office protection, Defender for Office,

439
00:32:43,680 --> 00:32:48,080
and general specifications, which are cloud security.

440
00:32:48,080 --> 00:32:54,080
That's the X in detection response, those workloads.

441
00:32:54,080 --> 00:32:59,280
As a note, I believe those are the modern workloads you need to worry about,

442
00:32:59,280 --> 00:33:01,680
cloud workloads and endpoint.

443
00:33:01,680 --> 00:33:04,480
Leaving XDR aside, after I explained what that is,

444
00:33:04,480 --> 00:33:10,880
XDR has the advantage of intimate understanding of the protected workload.

445
00:33:10,880 --> 00:33:14,480
It has intimacy with the protected system.

446
00:33:14,480 --> 00:33:20,080
This enables the research team at each one of the workload protection models

447
00:33:20,080 --> 00:33:22,080
to create the best detection out there.

448
00:33:22,080 --> 00:33:26,880
It also enables a great investigation mechanism that is specifically tailored, for example,

449
00:33:26,880 --> 00:33:32,080
in endpoint for processes, process activations, etc.

450
00:33:32,080 --> 00:33:36,880
The expert system is exactly the right place to do so.

451
00:33:36,880 --> 00:33:41,680
The challenge is that there are many Xs in XDR.

452
00:33:41,680 --> 00:33:44,080
There are many different workloads.

453
00:33:44,080 --> 00:33:46,480
No XDR will cover all of them.

454
00:33:46,480 --> 00:33:49,680
Any organization would have their custom applications.

455
00:33:49,680 --> 00:33:51,680
Applications are not covered by XDR.

456
00:33:51,680 --> 00:33:54,680
Even at Microsoft, we have two defenders.

457
00:33:54,680 --> 00:33:58,880
We have the Microsoft one workplace defender,

458
00:33:58,880 --> 00:34:04,480
so Microsoft 365 Defender, and we have Azure Defender.

459
00:34:04,480 --> 00:34:07,080
There's a reason why they are still not the same.

460
00:34:07,080 --> 00:34:08,880
The other is different personas.

461
00:34:08,880 --> 00:34:11,880
Different people usually use them.

462
00:34:11,880 --> 00:34:15,880
On top of that, you may have third party firewalls from someone else

463
00:34:15,880 --> 00:34:19,080
that have their expert detection system.

464
00:34:19,080 --> 00:34:20,280
You need to consolidate it.

465
00:34:20,280 --> 00:34:25,280
You need a single system that collects first and foremost the alerts from all those,

466
00:34:25,280 --> 00:34:29,080
providing a single pane of glass across all those workloads.

467
00:34:29,080 --> 00:34:30,280
And also complement.

468
00:34:30,280 --> 00:34:33,680
That now explains better why I mentioned complement.

469
00:34:33,680 --> 00:34:35,480
Detection where it's missing.

470
00:34:35,480 --> 00:34:39,880
If it's a workload that does not have detection built into it,

471
00:34:39,880 --> 00:34:45,680
I often bring VPN as the one security system that has no security in it.

472
00:34:45,680 --> 00:34:48,680
There's no detection mechanism for VPN.

473
00:34:48,680 --> 00:34:59,280
There's also, in many cases, an advantage in doing cross-source detection,

474
00:34:59,280 --> 00:35:04,280
sort of the whole kill chain, so to speak.

475
00:35:04,280 --> 00:35:08,680
And then you have those alerts popping in from every side.

476
00:35:08,680 --> 00:35:11,080
You need a central console to manage them.

477
00:35:11,080 --> 00:35:14,280
So that's why it's probably not XDR versus SIEM,

478
00:35:14,280 --> 00:35:19,080
but XDR with SIEM, which would be my position.

479
00:35:19,080 --> 00:35:20,080
That makes sense.

480
00:35:20,080 --> 00:35:25,080
And would that also extend to, because you didn't mention it specifically,

481
00:35:25,080 --> 00:35:29,680
Azure Defender as well, which is the XDR for the various Azure services

482
00:35:29,680 --> 00:35:34,680
like Azure SQL and storage and Kubernetes and whatnot?

483
00:35:34,680 --> 00:35:35,880
Yes.

484
00:35:35,880 --> 00:35:42,880
The great thing about the letter X in this context is that it can imply any detection system.

485
00:35:42,880 --> 00:35:46,480
So, yes, Azure Defender as well.

486
00:35:46,480 --> 00:35:50,480
It's also here the relationship is if you're more intimate,

487
00:35:50,480 --> 00:35:56,080
because Azure Defender does not have its own investigation system.

488
00:35:56,080 --> 00:36:02,480
It doesn't collect the raw telemetry and enable you to further analyze and hunt through it.

489
00:36:02,480 --> 00:36:05,880
Since it shares the same environment as Azure Sentinel,

490
00:36:05,880 --> 00:36:10,280
Azure Sentinel is, by definition, the investigation platform.

491
00:36:10,280 --> 00:36:17,080
I do want to mention that Azure Defender is the detection system, and Azure Defender

492
00:36:17,080 --> 00:36:21,680
has another part to it, which is Azure Security Center,

493
00:36:21,680 --> 00:36:28,480
which focuses on a different area that has a more complex relationship with the SIEM.

494
00:36:28,480 --> 00:36:31,580
And that's security posture management.

495
00:36:31,580 --> 00:36:34,680
And Mark, you'll remember the actual acronym you often use,

496
00:36:34,680 --> 00:36:40,680
but there's a whole bunch of systems which don't specialize in detecting threats and attacks,

497
00:36:40,680 --> 00:36:44,480
but rather in checking whether your environment is secure enough.

498
00:36:44,480 --> 00:36:48,480
That's the reason you have secure score in Azure.

499
00:36:48,480 --> 00:36:51,680
That's the reason you run vulnerability scanning on your systems.

500
00:36:51,680 --> 00:36:53,480
It's not to detect an attacker coming in.

501
00:36:53,480 --> 00:36:59,680
It's to detect whether your systems are configured correctly to prevent attacks in the first place.

502
00:36:59,680 --> 00:37:06,180
Those two use cases, so threat management versus security posture management,

503
00:37:06,180 --> 00:37:13,080
they have some level of relationship, but they are two different processes within the organization.

504
00:37:13,080 --> 00:37:15,180
One is reactive, one is proactive.

505
00:37:15,180 --> 00:37:22,280
And Azure Security Center, the part which provides recommendations, for example,

506
00:37:22,280 --> 00:37:29,180
is more, or the part that runs scanning for you, is more on the security posture side of the house.

507
00:37:29,180 --> 00:37:34,180
So the way I like to think about it is potential risk, which is the posture management,

508
00:37:34,180 --> 00:37:42,180
things that could go wrong versus actual realized risk, which is, hey, there's an actual attacker that did something with that.

509
00:37:42,180 --> 00:37:43,380
That's a very good way to put it.

510
00:37:43,380 --> 00:37:47,180
The important thing is, again, the role of a SIEM.

511
00:37:47,180 --> 00:37:53,880
When you have a SIEM vendor selling a SIEM, they may suggest to you to do everything with your SIEM.

512
00:37:53,880 --> 00:38:01,880
I think, again, expertise is important here, and security posture management should be done by tools specializing in that, such as Security Center.

513
00:38:01,880 --> 00:38:06,380
So I got one last question before I turn it over to Michael.

514
00:38:06,380 --> 00:38:15,380
We kind of went from zero to SIEM pretty fast as Microsoft, and not just a SIEM, but a fairly full-featured one at hyperscale.

515
00:38:15,380 --> 00:38:18,380
How did Microsoft pull that off?

516
00:38:18,380 --> 00:38:27,780
So another thing, I mentioned that it took me six months to understand why cloud native is not a marketing term, but a real advantage.

517
00:38:27,780 --> 00:38:39,680
There's another thing I really love about talking about Sentinel, and that's that when asked whether we support something, in many cases, I can say,

518
00:38:39,680 --> 00:38:45,180
I have no clue, but I assume we do, and I'll go figure, I'll go find it for you.

519
00:38:45,180 --> 00:38:55,180
And the reason for that is that beyond the set of capabilities developed organically within one engineering team I'm a member of,

520
00:38:55,180 --> 00:39:05,180
we also enjoy the capabilities of a lot of other elements within Azure that we bundled into our SIEM.

521
00:39:05,180 --> 00:39:10,680
So I'll mention a few, and I'll go to those.

522
00:39:10,680 --> 00:39:18,180
One of them is Azure Data Explorer. Azure Data Explorer is a big data platform, especially targeted at event management.

523
00:39:18,180 --> 00:39:26,680
Everything I'm saying about scalability comes from the fact that Black Friday is not an issue for a customer.

524
00:39:26,680 --> 00:39:28,680
So that's Azure Data Explorer.

525
00:39:28,680 --> 00:39:34,680
They create things, they create new functions in their query language, and I know about it when customers tell me about it sometimes.

526
00:39:34,680 --> 00:39:46,680
I should do better, by now I do better, but sometimes we struggle with the feature, geolocation, and then they create a new function that solves the whole issue for us,

527
00:39:46,680 --> 00:39:48,680
which happened a couple of months ago.

528
00:39:48,680 --> 00:39:51,680
So that's one. We also have Log Analytics.

529
00:39:51,680 --> 00:39:55,680
Log Analytics is a log management platform built on top of Azure Data Explorer.

530
00:39:55,680 --> 00:40:01,680
It transformed ADX, which is PaaS, into more of a SaaS service.

531
00:40:01,680 --> 00:40:04,680
It includes a lot of capabilities to collect information.

532
00:40:04,680 --> 00:40:06,680
That's our starting point.

533
00:40:06,680 --> 00:40:09,680
So we started from a very solid log management platform.

534
00:40:09,680 --> 00:40:11,680
Now we wanted to add automation.

535
00:40:11,680 --> 00:40:15,680
As I mentioned, we went and we found that Logic Apps is a great automation engine.

536
00:40:15,680 --> 00:40:18,680
It's mature. It has hundreds of connectors.

537
00:40:18,680 --> 00:40:25,680
Connectors, in terms of automation, means the piece that enables you to reach out to another system and automate it.

538
00:40:25,680 --> 00:40:28,680
So we did have to implement things.

539
00:40:28,680 --> 00:40:30,680
An anecdote.

540
00:40:30,680 --> 00:40:32,680
As a SIEM, we need dashboarding.

541
00:40:32,680 --> 00:40:40,680
Dashboarding is important because one of the things you want is visibility into the status of your threat management system.

542
00:40:40,680 --> 00:40:48,680
It's also a good way to provide capabilities around investigation in certain specific areas, so a specialized investigation interface.

543
00:40:48,680 --> 00:40:55,680
We started and we used an Azure technology called Azure Dashboards, and we were in public preview.

544
00:40:55,680 --> 00:41:03,680
Public preview is there, but you always think it's just a stage, but actually it is there to get reviews, to get people to tell you what they need.

545
00:41:03,680 --> 00:41:07,680
So we got feedback on the dashboards and people told us that they're not good enough.

546
00:41:07,680 --> 00:41:11,680
Specifically, they wanted more interactive dashboards.

547
00:41:11,680 --> 00:41:18,680
They wanted to drill down and they wanted to not just have a large screen showing a large monitor in the security operation center,

548
00:41:18,680 --> 00:41:25,680
but try to be able to actually use dashboards in order to drill into data and analyze data and investigate.

549
00:41:25,680 --> 00:41:35,680
So it took us something like two and a half weeks to change all our dashboarding features from one of our Microsoft colleagues' technologies called Azure Dashboards

550
00:41:35,680 --> 00:41:37,680
into another one called Azure Workbooks.

551
00:41:37,680 --> 00:41:39,680
Both were available.

552
00:41:39,680 --> 00:41:41,680
Both are developed by teams within Microsoft.

553
00:41:41,680 --> 00:41:45,680
Both have continued to evolve since.

554
00:41:45,680 --> 00:41:52,680
And now it provides very robust dashboarding, reporting and application capabilities around that.

555
00:41:52,680 --> 00:41:56,680
Report generator, Power BI is there, works very nicely with Azure Sentinel.

556
00:41:56,680 --> 00:42:06,680
So the power of the environment ecosystem really enabled us to multiply the capabilities of our development, my development team

557
00:42:06,680 --> 00:42:12,680
to create a much more mature and robust product than you'd think is possible in, well, a year and a seven.

558
00:42:12,680 --> 00:42:18,680
So I have to ask, so what's new? What's in public preview? What's coming down the pipe?

559
00:42:18,680 --> 00:42:21,680
First of all, it's coming fast.

560
00:42:21,680 --> 00:42:25,680
So whatever I'm saying now will be different.

561
00:42:25,680 --> 00:42:30,680
We'll be released and be new stuff coming in a month, two or three.

562
00:42:30,680 --> 00:42:33,680
I do want to mention we have a very long roadmap.

563
00:42:33,680 --> 00:42:39,680
So a few areas that are, I think, of interest for Azure guys.

564
00:42:39,680 --> 00:42:42,680
First, the SIEM is all about connectors.

565
00:42:42,680 --> 00:42:45,680
You need to connect and get data from different sources.

566
00:42:45,680 --> 00:42:51,680
And to Mark's question before, one of the areas where we really had to ramp up because it's ours was,

567
00:42:51,680 --> 00:42:54,680
did we get from somewhere else in the Azure environment?

568
00:42:54,680 --> 00:42:58,680
It was sources, it was connectors to sources to collect data.

569
00:42:58,680 --> 00:43:01,680
So we're rapidly releasing those connectors.

570
00:43:01,680 --> 00:43:07,680
And I mention that because I think yesterday we released 13 new connectors.

571
00:43:07,680 --> 00:43:10,680
And the rate is accelerating.

572
00:43:10,680 --> 00:43:12,680
So that's an example.

573
00:43:12,680 --> 00:43:14,680
More to, I mentioned DevOps.

574
00:43:14,680 --> 00:43:17,680
I mentioned that we are very cloud native.

575
00:43:17,680 --> 00:43:19,680
So automation is important to us.

576
00:43:19,680 --> 00:43:22,680
We are, of course, API first.

577
00:43:22,680 --> 00:43:26,680
Incidentally, it's worth mentioning that we have a very, very active community.

578
00:43:26,680 --> 00:43:33,680
We have a lot of industry experts that specialize in Sentinel because they like it because it's exciting.

579
00:43:33,680 --> 00:43:41,680
And until recently, we actually were relying on a PowerShell module created by one of our champions,

580
00:43:41,680 --> 00:43:45,680
not from Microsoft, as our PowerShell module.

581
00:43:45,680 --> 00:43:50,680
We recently released PowerShell cmdlets for Azure Sentinel.

582
00:43:50,680 --> 00:43:53,680
So you can automate everything, do everything using PowerShell.

583
00:43:53,680 --> 00:43:58,680
Going into larger, more important areas.

584
00:43:58,680 --> 00:44:06,680
User and entity behavior analytics is sort of a premium feature area in the SIEM world.

585
00:44:06,680 --> 00:44:18,680
The idea is moving from sort of source event driven detection into focusing on identifying threats from users.

586
00:44:18,680 --> 00:44:26,680
If you think about it, especially in the cloud world, the network, you know, brute forcing is important,

587
00:44:26,680 --> 00:44:28,680
but not as much.

588
00:44:28,680 --> 00:44:34,680
On the other hand, identity based attacks are very important, whether it's malicious insider,

589
00:44:34,680 --> 00:44:38,680
whether it's an account takeover.

590
00:44:38,680 --> 00:44:43,680
So user entity behavior analytics, which tries to identify those attacks,

591
00:44:43,680 --> 00:44:49,680
not by detecting known patterns, but by doing behavioral analytics, such as peer analysis.

592
00:44:49,680 --> 00:44:53,680
Is this user doing what his peers are doing or something entirely different?

593
00:44:53,680 --> 00:44:56,680
So it is a premium feature in the SIEM world.

594
00:44:56,680 --> 00:45:01,680
And a couple of months ago, we introduced our own user entity behavior analytics.

595
00:45:01,680 --> 00:45:06,680
It's extensive, it's interesting, and we provide it as a free feature.

596
00:45:06,680 --> 00:45:08,680
Now it's part of Sentinel.

597
00:45:08,680 --> 00:45:10,680
So I think that's pretty exciting.

598
00:45:10,680 --> 00:45:22,680
So, you know, actually the most recent addition to our new stuff is finally we have a What's New page that went online today.

599
00:45:22,680 --> 00:45:30,680
And we'll of course share the link to it, and that will enable you to get to the full list, which is just getting longer every day.

600
00:45:30,680 --> 00:45:39,680
Thanks, Ofer. Every time I talk to you, I learn something new and I have learned a ton, but where can we learn more about Sentinel?

601
00:45:39,680 --> 00:45:42,680
I'll talk a bit here about my own personal project.

602
00:45:42,680 --> 00:45:51,680
I talked a lot, you thought that Sentinel is me, Sentinel is not me, Sentinel is a large number of people working hard to make the product work for customers.

603
00:45:51,680 --> 00:46:01,680
One pet project of mine is the Sentinel Ninja training, which is not an official training, but it is very effective.

604
00:46:01,680 --> 00:46:13,680
It's the place to get a very organized introduction and training on Sentinel by combining all the webinars that we did through the years,

605
00:46:13,680 --> 00:46:22,680
through the years around Azure Sentinel, and it's actually, you can read, you can select the webinars you want to watch.

606
00:46:22,680 --> 00:46:33,680
And what I did recently is move from a very feature-oriented description of the world of Azure Sentinel into a more user-centric.

607
00:46:33,680 --> 00:46:42,680
So if you are a manager, you just want to understand something about Sentinel, you will have a model for you, the first part.

608
00:46:42,680 --> 00:46:47,680
If you are an architect, there's the part for you.

609
00:46:47,680 --> 00:46:52,680
If you're an analyst, if you're there sitting in the SOC day in, day out in your shift, there's the part for you.

610
00:46:52,680 --> 00:46:54,680
So I'm pretty proud of that.

611
00:46:54,680 --> 00:47:05,680
I think that in the nine months that the training exists, I had something like 230,000 views, so it's popular, and the product is popular.

612
00:47:05,680 --> 00:47:07,680
I think that's the best starting point.

613
00:47:07,680 --> 00:47:09,680
I do want to mention one roadmap item.

614
00:47:09,680 --> 00:47:15,680
I think it's coming out in a few weeks. I'm willing to talk about it because it's certification.

615
00:47:15,680 --> 00:47:23,680
If the Ninja training was not official so far, we're going to release certification for it in the near future.

616
00:47:23,680 --> 00:47:31,680
So one thing we like to ask our guests is if you had one final thought to leave our listeners, what would it be?

617
00:47:31,680 --> 00:47:42,680
Sarah, whom I work with every day, had a discussion with her team, and I was a guest on the call, about getting security certifications,

618
00:47:42,680 --> 00:47:45,680
which is an important part of our business.

619
00:47:45,680 --> 00:47:49,680
People that's part of it just talk about training. That's how you get trained.

620
00:47:49,680 --> 00:47:57,680
And it got me thinking about the fact that I have never been certified in anything.

621
00:47:57,680 --> 00:48:00,680
So I never did any security certification.

622
00:48:00,680 --> 00:48:07,680
Maybe you wonder whether that's good or bad, and whether certifications are good for security or not.

623
00:48:07,680 --> 00:48:13,680
With Solorigate being a moment where you have to think whether the world knows how to secure itself,

624
00:48:13,680 --> 00:48:20,680
I did want to think about whether I know what's right in terms of security.

625
00:48:20,680 --> 00:48:28,680
It brought me to think about an analogy from a different, very, very, also very current topic.

626
00:48:28,680 --> 00:48:30,680
I'm from Israel.

627
00:48:30,680 --> 00:48:37,680
Israel is the world leader in COVID vaccination. We did it very fast.

628
00:48:37,680 --> 00:48:42,680
In the first few weeks, we had 20% of the population vaccinated.

629
00:48:42,680 --> 00:48:45,680
We are now at more than 50.

630
00:48:45,680 --> 00:48:50,680
The challenge is that we essentially got close to vaccinating everybody who was willing to get vaccinated.

631
00:48:50,680 --> 00:48:54,680
We are a democracy and so we can't enforce.

632
00:48:54,680 --> 00:49:02,680
On the other hand, we are also topping the charts in the pandemic rate.

633
00:49:02,680 --> 00:49:06,680
Don't get me wrong, it's not that the vaccine is not working.

634
00:49:06,680 --> 00:49:13,680
We are a very big trial space for the vaccination because so many of us were vaccinated.

635
00:49:13,680 --> 00:49:17,680
So the numbers are pretty good when you're vaccinated, but it's not total.

636
00:49:17,680 --> 00:49:22,680
It's still 50%, probably a bit less because some just now got it.

637
00:49:22,680 --> 00:49:28,680
So the question is, how did we manage to be so fast in vaccinating?

638
00:49:28,680 --> 00:49:40,680
And on the other hand, also being, you know, higher in the list of affected countries before I think every European country, including the UK.

639
00:49:40,680 --> 00:49:50,680
My take on both cases, the relevant one for certifications, is that in both cases, it's because we're not following the rules.

640
00:49:50,680 --> 00:49:53,680
It's a cultural thing.

641
00:49:53,680 --> 00:50:04,680
On the one hand, you'll understand why not following the rules would mean more people, you know, in fact, keeping their habits, you know, not social distancing.

642
00:50:04,680 --> 00:50:12,680
On the other hand, so if you stop here, then not following the rule is not good.

643
00:50:12,680 --> 00:50:19,680
On the other hand, not following the rules is also the reason that you got people vaccinated so fast.

644
00:50:19,680 --> 00:50:26,680
Because for example, we found tricks as to how to make the logistics around the vaccination easier.

645
00:50:26,680 --> 00:50:29,680
I'll give you one example.

646
00:50:29,680 --> 00:50:37,680
The vaccine is coming in sort of polyethylene boxes that hold the small bottles.

647
00:50:37,680 --> 00:50:43,680
And it's a box, it's a sizable box that has around a thousand shots each.

648
00:50:43,680 --> 00:50:55,680
A thousand shots means that you need one vaccination center, that's how you see all those big vaccination centers that need to distribute to a lot of people in a short time because once you defreeze it, it dies fast.

649
00:50:55,680 --> 00:51:07,680
What we did in Israel is we sliced the boxes into pizza size trays so we can deliver them to smaller locations.

650
00:51:07,680 --> 00:51:17,680
So I'm told we were approved by Pfizer to do that, but somebody thought about it and decided to go with it because the name is getting further.

651
00:51:17,680 --> 00:51:34,680
The other thing, even less orthodox, is that in Israel, once shots were going to be lost, actually that's the way I was vaccinated, I got a WhatsApp message from, I live in a small community, so there's somebody here in charge of COVID.

652
00:51:34,680 --> 00:51:48,680
And I sent a WhatsApp message to the community saying, if you go now to this town 20 kilometers from here, they'll vaccinate you even if you're not in the approved groups because they have shots to get rid of.

653
00:51:48,680 --> 00:51:59,680
This way, and I've heard stories about places where it was the end of the day, another hundred to get rid of, they went to the street and asked people, do you want to come in and vaccinate them?

654
00:51:59,680 --> 00:52:15,680
So that's the other side of not following the rules. Is it good or bad to follow the rules? How do we do with security? Should we just go by the book or should we do things differently?

655
00:52:15,680 --> 00:52:24,680
Think out of the box, not always follow the rules, not use our certifications to go back to where I started with Sarah.

656
00:52:24,680 --> 00:52:32,680
That's not an easy one. I personally have never done certification; I usually am, and I'm Israeli, so I probably tend to decide not to follow the rules.

657
00:52:32,680 --> 00:52:41,680
Given Solorigate, we may need to think again about the best approach at this level. So something to think about.

658
00:52:41,680 --> 00:52:47,680
Alright then, so let's bring this episode to a close. Arthur, thanks so much for joining us this week. I know you're incredibly busy.

659
00:52:47,680 --> 00:52:54,680
As someone who doesn't use Azure Sentinel on a day-to-day basis, I would like to concur with Gladys. I learned a great deal today. Thank you very much.

660
00:52:54,680 --> 00:53:21,680
We also trust that you, our listeners, found this podcast useful. Thank you so much for listening. Stay safe and we'll see you next time.
