1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,380
where we discuss topics relating to security, privacy,

3
00:00:09,380 --> 00:00:13,040
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,040 --> 00:00:15,220
Hey everybody, welcome to Episode 23.

5
00:00:15,220 --> 00:00:16,640
We have a full house this week.

6
00:00:16,640 --> 00:00:18,880
We also have a special guest,

7
00:00:18,880 --> 00:00:21,000
Anthony Roman, who is here to talk to us about

8
00:00:21,000 --> 00:00:22,680
Azure Network Security.

9
00:00:22,680 --> 00:00:23,960
Before we get to Anthony,

10
00:00:23,960 --> 00:00:26,320
let's take a quick run around the news.

11
00:00:26,320 --> 00:00:29,440
Mark, I believe you have a public service announcement for us.

12
00:00:29,440 --> 00:00:33,160
Yes, indeed. Very simple.

13
00:00:33,160 --> 00:00:36,400
Please patch your Exchange servers.

14
00:00:36,400 --> 00:00:38,160
This is the on-prem Exchange servers.

15
00:00:38,160 --> 00:00:40,080
Exchange Online does not require this.

16
00:00:40,080 --> 00:00:42,440
But for those of you that are still running Exchange servers,

17
00:00:42,440 --> 00:00:44,160
whether it's in hybrid mode or

18
00:00:44,160 --> 00:00:47,320
still dedicated on-premise Exchange instance,

19
00:00:47,320 --> 00:00:49,440
please apply the latest update.

20
00:00:49,440 --> 00:00:51,800
A couple of key points about this.

21
00:00:51,800 --> 00:00:53,120
Impact is very high.

22
00:00:53,120 --> 00:00:55,160
If an attacker is able to compromise it,

23
00:00:55,160 --> 00:00:57,200
we have seen active exploits in the wild.

24
00:00:57,200 --> 00:01:00,480
The permissions that someone could get from this are right

25
00:01:00,480 --> 00:01:02,320
around that domain admin level

26
00:01:02,320 --> 00:01:04,280
in most configurations of Exchange.

27
00:01:04,280 --> 00:01:06,840
There's some different optional configurations you can do,

28
00:01:06,840 --> 00:01:08,160
but for the most part,

29
00:01:08,160 --> 00:01:10,800
Exchange typically has roughly domain admin equivalent.

30
00:01:10,800 --> 00:01:13,400
So very, very important to patch this.

31
00:01:13,400 --> 00:01:15,640
All the supported Exchange releases,

32
00:01:15,640 --> 00:01:17,480
the patch is available and released,

33
00:01:17,480 --> 00:01:21,280
including one out-of-support version, Exchange 2010,

34
00:01:21,280 --> 00:01:23,800
which also has a patch available.

35
00:01:23,800 --> 00:01:26,960
So a defense in depth assist there.

36
00:01:26,960 --> 00:01:30,200
One other quick note is that the cumulative updates

37
00:01:30,200 --> 00:01:32,520
for Exchange do have to be kept,

38
00:01:32,520 --> 00:01:34,760
do have to be at the current rev.

39
00:01:34,760 --> 00:01:38,040
So if you're a cumulative update behind or two,

40
00:01:38,040 --> 00:01:40,520
you will have to apply that before the patch.

41
00:01:40,520 --> 00:01:44,240
But again, please patch this as fast as possible.

42
00:01:44,240 --> 00:01:46,800
Start with the Internet-facing ones that have

43
00:01:46,800 --> 00:01:51,080
Outlook Web Access and the other internet-exposed elements.

44
00:01:51,080 --> 00:01:54,240
Start with that first and get

45
00:01:54,240 --> 00:01:56,960
all on-prem Exchange servers that you have patched

46
00:01:56,960 --> 00:01:58,240
as soon as you can.

47
00:01:58,240 --> 00:02:01,480
That concludes a public service announcement.

48
00:02:01,480 --> 00:02:04,720
Okay. So my news this week.

49
00:02:04,720 --> 00:02:08,880
Big surprise, I'm talking about Sentinel.

50
00:02:08,880 --> 00:02:13,840
But this time, I wanted to talk about UEBA or

51
00:02:13,840 --> 00:02:18,600
user and entity behavior analytics insights in the entity page.

52
00:02:18,600 --> 00:02:22,480
So we've had the entity pages for a little while now,

53
00:02:22,480 --> 00:02:27,440
but we're having more insights there.

54
00:02:27,440 --> 00:02:31,080
So what we're having is general UEBA insights,

55
00:02:31,080 --> 00:02:34,360
which is summarizing anomalous user activities

56
00:02:34,360 --> 00:02:36,680
across geographic locations,

57
00:02:36,680 --> 00:02:41,200
devices, the frequency horizon.

58
00:02:41,200 --> 00:02:44,760
So what I mean by that is basically,

59
00:02:44,760 --> 00:02:47,960
compared to the user's previous history,

60
00:02:47,960 --> 00:02:50,160
does it match up?

61
00:02:50,160 --> 00:02:53,040
And it also will compare with the peer's behavior

62
00:02:53,040 --> 00:02:55,280
and the organization's behavior.

63
00:02:55,280 --> 00:02:59,880
We also can do insight based on security group membership.

64
00:02:59,880 --> 00:03:04,400
So we can see your SOC analyst is able to see

65
00:03:04,400 --> 00:03:08,640
what other users have similar position, permission, sorry.

66
00:03:08,640 --> 00:03:12,600
And there's the threat indicators related to the user.

67
00:03:12,600 --> 00:03:15,360
This one I think is pretty cool because it shows

68
00:03:15,360 --> 00:03:17,640
any threat indicator matches.

69
00:03:17,640 --> 00:03:19,840
So if you're not familiar with threat indicators,

70
00:03:19,840 --> 00:03:22,320
they can be IP addresses,

71
00:03:22,320 --> 00:03:26,200
they can be URLs, they could be file hashes.

72
00:03:26,200 --> 00:03:29,320
And if any of those indicators are related

73
00:03:29,320 --> 00:03:31,800
to this user account, so for example,

74
00:03:31,800 --> 00:03:35,560
we see this user logging in from what is known

75
00:03:35,560 --> 00:03:38,640
to be a known malicious IP address,

76
00:03:38,640 --> 00:03:40,280
that's gonna turn up too.

77
00:03:40,280 --> 00:03:43,000
So personal UEBA is very cool.

78
00:03:43,000 --> 00:03:45,480
You do need to go and turn it on in Sentinel,

79
00:03:45,480 --> 00:03:48,400
so and you need to give it about four days

80
00:03:48,400 --> 00:03:52,360
before it will actually be able to give you some insights,

81
00:03:52,360 --> 00:03:54,800
the engine, but go check it out.

82
00:03:54,800 --> 00:03:58,360
And then one of our colleagues over in the developer

83
00:03:58,360 --> 00:04:01,160
advocate operations team has written a really cool blog

84
00:04:01,160 --> 00:04:04,840
about, and that's Sonia Cuff, has written a really cool blog

85
00:04:04,840 --> 00:04:06,840
about what's the difference between Security Center,

86
00:04:06,840 --> 00:04:08,480
Defender and Sentinel?

87
00:04:08,480 --> 00:04:10,280
Cause I don't know about the rest of you folks,

88
00:04:10,280 --> 00:04:12,160
I get asked this question a lot.

89
00:04:12,160 --> 00:04:16,120
And it's a really nice article that explains

90
00:04:16,120 --> 00:04:18,920
what Azure Defender is used for,

91
00:04:18,920 --> 00:04:21,160
what Security Center is used for,

92
00:04:21,160 --> 00:04:23,040
and what Sentinel is used for.

93
00:04:23,040 --> 00:04:28,040
Because to the uninitiated, they can be pretty similar.

94
00:04:29,480 --> 00:04:30,640
Yeah, so I got a bunch of things

95
00:04:30,640 --> 00:04:32,280
that really took my interest this week.

96
00:04:32,280 --> 00:04:35,880
One of the first ones, we now have an SDK,

97
00:04:35,880 --> 00:04:38,040
an encryption SDK available.

98
00:04:38,040 --> 00:04:40,200
I was kind of joking at the beginning of the podcast

99
00:04:40,200 --> 00:04:41,200
when we're discussing this,

100
00:04:41,200 --> 00:04:43,200
that I could probably take up the entire podcast

101
00:04:43,200 --> 00:04:45,320
just talking about this subject.

102
00:04:45,320 --> 00:04:46,440
So for those of you who are familiar,

103
00:04:46,440 --> 00:04:48,720
there's a technology in SQL server called Always Encrypted.

104
00:04:48,720 --> 00:04:53,720
And it allows you to do queries over ciphertext,

105
00:04:53,960 --> 00:04:55,600
some kinds of queries over ciphertext.

106
00:04:55,600 --> 00:04:57,160
I'm not gonna go into all the nuances of it.

107
00:04:57,160 --> 00:05:01,400
Well, that technology and the crypto that's used

108
00:05:01,400 --> 00:05:05,280
is now available in preview in an SDK.

109
00:05:05,280 --> 00:05:07,560
We'll have the links in the show notes

110
00:05:07,560 --> 00:05:09,000
that explain how you can use it

111
00:05:09,000 --> 00:05:10,600
and some sample applications that you can

112
00:05:10,600 --> 00:05:12,040
sort of experiment with.

113
00:05:12,040 --> 00:05:14,120
But this is really, really cool because,

114
00:05:14,120 --> 00:05:16,600
in theory anyway, and probably in practice,

115
00:05:16,600 --> 00:05:18,400
you could take some data,

116
00:05:18,400 --> 00:05:20,480
you could pass it through this SDK

117
00:05:20,480 --> 00:05:24,680
and crypto store that information in say Cosmos DB,

118
00:05:24,680 --> 00:05:27,240
and then you could take the data out of Cosmos DB

119
00:05:27,240 --> 00:05:30,920
and you could put it into SQL server and do queries over it.

120
00:05:30,920 --> 00:05:32,920
So this is a really cool technology.

121
00:05:32,920 --> 00:05:35,560
I've used a pre-production version of this

122
00:05:35,560 --> 00:05:39,480
with some customers and they like it, it's fast,

123
00:05:39,480 --> 00:05:42,800
it's well designed and it's well worth,

124
00:05:42,800 --> 00:05:44,120
you know, sort of experimenting with

125
00:05:44,120 --> 00:05:46,440
if you're interested in cryptography.

126
00:05:46,440 --> 00:05:48,880
Another thing that took my interest this week

127
00:05:48,880 --> 00:05:52,120
was TypeScript notebooks are now available.

128
00:05:52,120 --> 00:05:53,600
Now you may be thinking, well, hang on a minute,

129
00:05:53,600 --> 00:05:56,280
you know, what's TypeScript got to do with security?

130
00:05:56,280 --> 00:05:57,760
Nothing whatsoever.

131
00:05:57,760 --> 00:05:59,600
The reason why I want to add it

132
00:05:59,600 --> 00:06:01,320
is because I just want more and more people

133
00:06:01,320 --> 00:06:03,640
using TypeScript over JavaScript

134
00:06:03,640 --> 00:06:05,880
because JavaScript just helps you write,

135
00:06:05,880 --> 00:06:08,560
you know, insecure and incorrect code.

136
00:06:08,560 --> 00:06:09,840
I just don't like JavaScript.

137
00:06:09,840 --> 00:06:11,760
I made that obvious last week.

138
00:06:11,760 --> 00:06:15,160
So anyway, TypeScript for Jupyter notebooks are now available

139
00:06:15,160 --> 00:06:16,840
and there'll be a link to that as well.

140
00:06:16,840 --> 00:06:19,160
So you can install it, say in Visual Studio Code

141
00:06:19,160 --> 00:06:21,760
and experiment with it as you want.

142
00:06:21,760 --> 00:06:23,400
And the last thing I want to bring up,

143
00:06:23,400 --> 00:06:25,120
this is really cool too,

144
00:06:25,120 --> 00:06:29,840
is there is now support for customer managed encryption keys

145
00:06:29,840 --> 00:06:33,400
for Azure storage tables and queues.

146
00:06:33,400 --> 00:06:35,960
Historically, you could use customer managed keys

147
00:06:35,960 --> 00:06:40,960
but only for say blob storage, not for tables and queues.

148
00:06:40,960 --> 00:06:44,400
So that's available in preview today.

149
00:06:44,400 --> 00:06:47,760
It is only available in a small number of regions,

150
00:06:47,760 --> 00:06:51,120
East US, South Central US and West US 2.

151
00:06:51,120 --> 00:06:52,360
But obviously like everything else,

152
00:06:52,360 --> 00:06:54,560
and as we will eventually, you know,

153
00:06:54,560 --> 00:06:57,800
open that up to more regions.

154
00:06:57,800 --> 00:06:59,400
Hi everyone.

155
00:06:59,400 --> 00:07:04,200
Last podcast, I mentioned that Microsoft had released

156
00:07:04,200 --> 00:07:10,000
Azure Synapse, which is an integration of SQL data warehouse

157
00:07:10,000 --> 00:07:13,200
with these lots of cool machine learning

158
00:07:13,200 --> 00:07:15,640
and cognitive services.

159
00:07:15,640 --> 00:07:20,520
And it's used to provide analytical and predictive capability.

160
00:07:20,520 --> 00:07:25,080
It works with Cosmos DB, SQL, MySQL.

161
00:07:25,080 --> 00:07:29,160
I got to play with it and it was so easy to bring data sources

162
00:07:29,160 --> 00:07:34,160
and then using either Python, Scala, Spark SQL,

163
00:07:34,920 --> 00:07:39,400
actually even C# to query the different data sources

164
00:07:39,400 --> 00:07:43,960
and then have basic visualizations in the tool set

165
00:07:43,960 --> 00:07:46,360
or if you wanted something more advanced,

166
00:07:46,360 --> 00:07:50,280
use Power BI for more powerful insights.

167
00:07:50,280 --> 00:07:55,160
Well, this week I want to talk about another analytical solution

168
00:07:55,160 --> 00:07:57,440
named Azure Databricks,

169
00:07:57,440 --> 00:08:02,000
which is an Apache Spark Big Data Analytics,

170
00:08:02,000 --> 00:08:03,680
an AI platform.

171
00:08:03,680 --> 00:08:06,600
It can be used with Synapse as well.

172
00:08:06,600 --> 00:08:11,480
So this solution just received a provisional authorization

173
00:08:11,480 --> 00:08:14,200
for the DoD Impact Level 5.

174
00:08:14,200 --> 00:08:18,440
With these, federal agencies and contractors can use

175
00:08:18,440 --> 00:08:22,680
Azure Databricks to process the most sensitive

176
00:08:22,680 --> 00:08:27,680
and classified mission critical and national security data

177
00:08:27,680 --> 00:08:31,000
in cloud computing environments.

178
00:08:31,000 --> 00:08:36,160
In addition to playing with analytical and predictive

179
00:08:36,160 --> 00:08:41,160
capabilities, another thing that I spent some time on

180
00:08:41,160 --> 00:08:45,920
the last few weeks is reviewing identity related content.

181
00:08:45,920 --> 00:08:50,400
Lately I've been reviewing YouTube videos,

182
00:08:50,400 --> 00:08:55,160
Stuart Kwan recorded these videos, awesome videos

183
00:08:55,160 --> 00:08:57,160
in December 2019.

184
00:08:57,160 --> 00:08:58,640
You could search for them,

185
00:08:58,640 --> 00:09:01,400
they're called Authentication Fundamentals

186
00:09:01,400 --> 00:09:03,800
and he has like six or seven videos.

187
00:09:03,800 --> 00:09:05,800
One is about the basics,

188
00:09:05,800 --> 00:09:09,800
another one is about native client application.

189
00:09:09,800 --> 00:09:11,800
I think that one has two parts.

190
00:09:11,800 --> 00:09:14,800
They have one for federation,

191
00:09:14,800 --> 00:09:18,800
one for web application, single sign-on.

192
00:09:18,800 --> 00:09:21,800
So they're awesome, so I recommend it.

193
00:09:21,800 --> 00:09:26,800
But I've also been researching these other blogs,

194
00:09:26,800 --> 00:09:30,800
the one that I thought it was awesome is this means

195
00:09:30,800 --> 00:09:35,800
fine security principal and managed identities.

196
00:09:35,800 --> 00:09:38,800
And basically it's because I've been reading

197
00:09:38,800 --> 00:09:41,800
all these SolarWinds documentation

198
00:09:41,800 --> 00:09:45,800
and I have realized that if you don't understand the basics,

199
00:09:45,800 --> 00:09:51,800
sometimes you cannot realize whether the information provided

200
00:09:51,800 --> 00:09:53,800
is the correct, right?

201
00:09:53,800 --> 00:09:57,800
You know that certain people that are writing these articles

202
00:09:57,800 --> 00:10:00,800
are not familiar with the subject,

203
00:10:00,800 --> 00:10:03,800
so sometimes they use incorrect wording

204
00:10:03,800 --> 00:10:06,800
which leads to wrong assumptions.

205
00:10:06,800 --> 00:10:10,800
So I've been reading a lot so I can inform myself better.

206
00:10:10,800 --> 00:10:13,800
And of course, like everyone else,

207
00:10:13,800 --> 00:10:17,800
I have been watching some of the information from Ignite

208
00:10:17,800 --> 00:10:21,800
including Sentinel, Microsoft Mesh.

209
00:10:21,800 --> 00:10:24,800
Anyway, those are the news for me.

210
00:10:24,800 --> 00:10:26,800
Alright, thanks for the news everyone.

211
00:10:26,800 --> 00:10:29,800
I'll switch to text now and let's introduce our guest.

212
00:10:29,800 --> 00:10:31,800
Our guest this week is Anthony Roman

213
00:10:31,800 --> 00:10:34,800
who's going to talk to us about Azure Network Security.

214
00:10:34,800 --> 00:10:36,800
Anthony, first of all, welcome to the podcast

215
00:10:36,800 --> 00:10:38,800
and we'd like to spend a couple moments

216
00:10:38,800 --> 00:10:40,800
and introduce yourself, what you do at Microsoft.

217
00:10:40,800 --> 00:10:42,800
Thanks very much for having me.

218
00:10:42,800 --> 00:10:45,800
I am admittedly a listener to the podcast, so this is cool.

219
00:10:45,800 --> 00:10:49,800
So I came to Microsoft, I think about two years ago now,

220
00:10:49,800 --> 00:10:52,800
and I originally came here to work on Sentinel

221
00:10:52,800 --> 00:10:57,800
and Azure Security Center, but once the team that I was part of

222
00:10:57,800 --> 00:11:00,800
decided that we were going to take on some more products,

223
00:11:00,800 --> 00:11:02,800
namely the network security stack,

224
00:11:02,800 --> 00:11:06,800
I jumped over onto that bandwagon and now I lead a team

225
00:11:06,800 --> 00:11:09,800
that focuses all on Azure network security.

226
00:11:09,800 --> 00:11:14,800
Primarily we look after Azure Firewall, Firewall Manager,

227
00:11:14,800 --> 00:11:18,800
WAF and DDoS protection, but as we're talking to customers,

228
00:11:18,800 --> 00:11:22,800
of course the broader concepts of network security in Azure

229
00:11:22,800 --> 00:11:27,800
come up and so we're well familiar with all of that.

230
00:11:27,800 --> 00:11:30,800
So we're pretty cognizant that network security in Azure

231
00:11:30,800 --> 00:11:35,800
isn't just a set of products, it's a mindset, a methodology,

232
00:11:35,800 --> 00:11:40,800
a set of disciplines that represent network security.

233
00:11:40,800 --> 00:11:44,800
Yeah, it's interesting you should bring up a topic of networking

234
00:11:44,800 --> 00:11:47,800
general and the disciplines that come with networking security

235
00:11:47,800 --> 00:11:50,800
there's a comment that I made some years ago

236
00:11:50,800 --> 00:11:53,800
and it's something I stand behind 100%.

237
00:11:53,800 --> 00:11:57,800
I would like to know if you agree or disagree or have some more finesse

238
00:11:57,800 --> 00:12:01,800
around the comment and the comment is in a cloud-first world,

239
00:12:01,800 --> 00:12:05,800
you can't escape networking, it doesn't matter if you're a developer,

240
00:12:05,800 --> 00:12:07,800
it doesn't matter what you are, you really can't escape

241
00:12:07,800 --> 00:12:09,800
some of the fundamentals of networking.

242
00:12:09,800 --> 00:12:11,800
At least I'm not saying you should be an expert in them

243
00:12:11,800 --> 00:12:13,800
but you should at least understand some of the basics

244
00:12:13,800 --> 00:12:15,800
and I really want to stress this,

245
00:12:15,800 --> 00:12:19,800
cloud environments are quite different.

246
00:12:19,800 --> 00:12:23,800
If you're a developer you really need to understand basic networking

247
00:12:23,800 --> 00:12:26,800
and if you're in sort of ops slash networking

248
00:12:26,800 --> 00:12:29,800
you really need to understand how to use some of these developer tools

249
00:12:29,800 --> 00:12:32,800
Visual Studio Code, editor of choice,

250
00:12:32,800 --> 00:12:35,800
GitHub, version control, pipelines,

251
00:12:35,800 --> 00:12:39,800
these are all things that developers have been using for many years

252
00:12:39,800 --> 00:12:43,800
if not decades and historically those tools

253
00:12:43,800 --> 00:12:46,800
have not been really used by networking folks.

254
00:12:46,800 --> 00:12:52,800
In my opinion, if you're networking you've got to understand basic development,

255
00:12:52,800 --> 00:12:54,800
at least development tools and if you're in development

256
00:12:54,800 --> 00:12:56,800
you really have to understand basic networking

257
00:12:56,800 --> 00:12:59,800
and certainly the implications of network security.

258
00:12:59,800 --> 00:13:01,800
Is that a fair comment?

259
00:13:01,800 --> 00:13:03,800
Yeah, I agree completely.

260
00:13:03,800 --> 00:13:07,800
I think there's two important things that you touched on there.

261
00:13:07,800 --> 00:13:09,800
We can look at it from both directions.

262
00:13:09,800 --> 00:13:15,800
One, developers and just everybody that touches an Azure environment

263
00:13:15,800 --> 00:13:17,800
needs to know at least the basics of networking.

264
00:13:17,800 --> 00:13:19,800
At least as it applies to their discipline.

265
00:13:19,800 --> 00:13:25,800
But we're seeing as companies adopt more kind of cloud native

266
00:13:25,800 --> 00:13:30,800
mentalities and the roles blur between disciplines

267
00:13:30,800 --> 00:13:36,800
and you have democratized ownership of different larger areas

268
00:13:36,800 --> 00:13:42,800
of the environment then you do see people needing to have multiple skill sets.

269
00:13:42,800 --> 00:13:46,800
You need to be at least proficient in networking

270
00:13:46,800 --> 00:13:49,800
and in application design and architecture

271
00:13:49,800 --> 00:13:51,800
and then you can write your code.

272
00:13:51,800 --> 00:13:58,800
It's not as rigidly segmented as it once was.

273
00:13:58,800 --> 00:14:00,800
And on the other side of things,

274
00:14:00,800 --> 00:14:07,800
if you are primarily a cloud administrator or network security architect

275
00:14:07,800 --> 00:14:13,800
something like that then with cloud computing as you're specifically

276
00:14:13,800 --> 00:14:18,800
you really have to start understanding those principles of code

277
00:14:18,800 --> 00:14:20,800
because now that's your infrastructure.

278
00:14:20,800 --> 00:14:24,800
Now you can manage your entire environment with a single ARM template

279
00:14:24,800 --> 00:14:26,800
or a collection of them.

280
00:14:26,800 --> 00:14:31,800
It definitely goes both ways and it kind of brings in a good point

281
00:14:31,800 --> 00:14:36,800
of the blurring of the line between even network security

282
00:14:36,800 --> 00:14:41,800
and let's say application security because when I introduced the products

283
00:14:41,800 --> 00:14:48,800
that I tend to focus on some of those can be thought of as application

284
00:14:48,800 --> 00:14:51,800
security tools over network security tools.

285
00:14:51,800 --> 00:14:56,800
And thinking about that kind of blending together of disciplines

286
00:14:56,800 --> 00:15:02,800
within security and within just cloud operations and development in general

287
00:15:02,800 --> 00:15:07,800
you think about what is it that you're building on Azure?

288
00:15:07,800 --> 00:15:11,800
Most of the time you're building some sort of app.

289
00:15:11,800 --> 00:15:16,800
It's an application delivery mechanism whether that's an internal line of business app

290
00:15:16,800 --> 00:15:21,800
or whether that's something that is internet facing, public facing.

291
00:15:21,800 --> 00:15:25,800
You have to write application code that gets delivered somewhere

292
00:15:25,800 --> 00:15:27,800
and it's delivered over the network.

293
00:15:27,800 --> 00:15:30,800
And so you kind of have those two disciplines,

294
00:15:30,800 --> 00:15:34,800
app sec and net sec coming together.

295
00:15:34,800 --> 00:15:38,800
What would you say the building blocks of secure networks then?

296
00:15:38,800 --> 00:15:42,800
As you said Anthony, you cannot get away from,

297
00:15:42,800 --> 00:15:44,800
no one gets away from networking.

298
00:15:44,800 --> 00:15:50,800
So where would you say people need to start to secure their network?

299
00:15:50,800 --> 00:15:52,800
That's a good way to start.

300
00:15:52,800 --> 00:15:57,800
I'll bring in a buzzword into the conversation.

301
00:15:57,800 --> 00:16:03,800
People talk a lot about zero trust lately and zero trust in the conversations

302
00:16:03,800 --> 00:16:07,800
tend to involve identity primarily and I guess rightfully so.

303
00:16:07,800 --> 00:16:08,800
Identity is huge.

304
00:16:08,800 --> 00:16:15,800
It's probably the primary component of the zero trust model depending on how you formulate that model.

305
00:16:15,800 --> 00:16:19,800
But if you look at some of the pillars of zero trust,

306
00:16:19,800 --> 00:16:23,800
at least as I guess Microsoft has written about it,

307
00:16:23,800 --> 00:16:29,800
some of the components that you find within that are just old fashioned,

308
00:16:29,800 --> 00:16:32,800
tried and true, good security practices.

309
00:16:32,800 --> 00:16:37,800
Things like defense in depth, assume breach,

310
00:16:37,800 --> 00:16:39,800
least privilege.

311
00:16:39,800 --> 00:16:45,800
You can translate all of those things into networking concepts

312
00:16:45,800 --> 00:16:48,800
and we'll kind of go into how to achieve those.

313
00:16:48,800 --> 00:16:52,800
So if you wanted to adapt the principle of least privilege,

314
00:16:52,800 --> 00:16:55,800
let's say, which is primarily that's an identity concept,

315
00:16:55,800 --> 00:16:57,800
but you can translate something very similar,

316
00:16:57,800 --> 00:17:01,800
which kind of goes hand in hand with assume breach into networking,

317
00:17:01,800 --> 00:17:04,800
which is the concept of micro segmentation.

318
00:17:04,800 --> 00:17:09,800
It's basically least privilege access when it comes to what on the network

319
00:17:09,800 --> 00:17:11,800
can talk to what else on the network.

320
00:17:11,800 --> 00:17:16,800
And so to achieve that end, there's a bunch of different building blocks

321
00:17:16,800 --> 00:17:22,800
and there's learning modules out there on Microsoft Docs and everything

322
00:17:22,800 --> 00:17:24,800
that you can go through these basic concepts.

323
00:17:24,800 --> 00:17:31,800
But some of the things that to keep in mind would be thinking about a virtual network

324
00:17:31,800 --> 00:17:34,800
as its own isolation barrier.

325
00:17:34,800 --> 00:17:40,800
So when you create a virtual network or a VNet, you give it an IP address space

326
00:17:40,800 --> 00:17:45,800
unless you explicitly do something extra, like peer it to another one

327
00:17:45,800 --> 00:17:50,800
or connect it to a VPN or something like that, that VNet is its own boundary.

328
00:17:50,800 --> 00:17:55,800
It is one barrier of isolation and segmentation.

329
00:17:55,800 --> 00:17:58,800
Then you can go steps further.

330
00:17:58,800 --> 00:18:05,800
Once you have that VNet isolation, you can choose whether to expand that to other VNets.

331
00:18:05,800 --> 00:18:07,800
So you can, there's the concept of VNet peering.

332
00:18:07,800 --> 00:18:10,800
So one network attached to the next network.

333
00:18:10,800 --> 00:18:13,800
And then you can within that peering arrangement,

334
00:18:13,800 --> 00:18:18,800
you can say whether the traffic is allowed to go one way, both ways, etc.

335
00:18:18,800 --> 00:18:24,800
And then within each VNet, you have the concept of you can segment it further

336
00:18:24,800 --> 00:18:29,800
because by default, if you're in the same VNet, you can talk, you know,

337
00:18:29,800 --> 00:18:35,800
if one VNet or one VM lives on the same VNet as the other, it's going to be able to talk.

338
00:18:35,800 --> 00:18:42,800
And so you can get a little bit more segmented by using network security groups or NSGs

339
00:18:42,800 --> 00:18:45,800
that will further lock down that communication.

340
00:18:45,800 --> 00:18:49,800
So if you don't want a particular subnet to talk to another subnet,

341
00:18:49,800 --> 00:18:53,800
you can make that arrangement or you can go even more granular

342
00:18:53,800 --> 00:18:57,800
and say I don't want this machine to talk to that machine even within the same subnet.

343
00:18:57,800 --> 00:19:00,800
So it's, there's a lot of different layers.

344
00:19:00,800 --> 00:19:02,800
And so those are, those are kind of the basics.

345
00:19:02,800 --> 00:19:05,800
Once you start getting a little bit more advanced, because we're talking about,

346
00:19:05,800 --> 00:19:11,800
like, I guess we can frame the conversation in, I'm a developer, I have an application that I've written.

347
00:19:11,800 --> 00:19:16,800
Let's say the application code is running on a VM.

348
00:19:16,800 --> 00:19:22,800
And it could be a PaaS service as well, because a lot of our PaaS services, like, let's say, a web app,

349
00:19:22,800 --> 00:19:25,800
can be given a private link.

350
00:19:25,800 --> 00:19:31,800
And so you can only access it on a private network, which you could integrate into your VM.

351
00:19:31,800 --> 00:19:34,800
So it could be either a virtual machine running on the network,

352
00:19:34,800 --> 00:19:36,800
or it could be a web application running on the network.

353
00:19:36,800 --> 00:19:41,800
But how do you get that piece of your network available to where it needs to go?

354
00:19:41,800 --> 00:19:45,800
You know, whether it's the public internet, whether it's some other spot on your network,

355
00:19:45,800 --> 00:19:51,800
maybe you have a hybrid network where your on-premise network is connected to Azure

356
00:19:51,800 --> 00:19:56,800
and you need to access that application from your on-premise workloads.

357
00:19:56,800 --> 00:20:00,800
The way that you can start doing that and putting all these pieces together is by,

358
00:20:00,800 --> 00:20:07,800
what we normally recommend, what we see the most often in the wild, is using a hub and spoke topology.

359
00:20:07,800 --> 00:20:12,800
So that's, it's fairly common now, I think, and if you're not familiar with it,

360
00:20:12,800 --> 00:20:16,800
the concept is you have one virtual network that acts as your hub.

361
00:20:16,800 --> 00:20:21,800
It could be just any virtual network that you designate as the hub,

362
00:20:21,800 --> 00:20:25,800
or it could be, we have a service called Virtual WAN,

363
00:20:25,800 --> 00:20:33,800
and Virtual WAN could basically automate some of the components of connecting your networks together in a secure manner.

364
00:20:33,800 --> 00:20:37,800
We'll keep it simple and we'll talk about it in the virtual network context.

365
00:20:37,800 --> 00:20:43,800
And so in a hub and spoke topology, you'll have one virtual network that is acting as your hub,

366
00:20:43,800 --> 00:20:50,800
and via peering relationships to other spoke networks, you connect multiple spokes to that hub.

367
00:20:50,800 --> 00:20:53,800
And so each of those spokes could represent different workloads.

368
00:20:53,800 --> 00:21:03,800
A lot of times we see customers that have, you know, I talked about kind of the democratization of control over pieces of Azure.

369
00:21:03,800 --> 00:21:14,800
Sometimes one application team, the development team, will have complete ownership over their own subscription that has their own virtual network in it,

370
00:21:14,800 --> 00:21:23,800
and they just peer that to the hub, and it makes it so that that area of control they have now can talk to the central place.

371
00:21:23,800 --> 00:21:26,800
And your spokes could be all kinds of different things.

372
00:21:26,800 --> 00:21:29,800
You could have a Windows Virtual Desktop environment as one of your spokes.

373
00:21:29,800 --> 00:21:37,800
You could have an on-premise network segment connected by either ExpressRoute or VPN as one of your spokes,

374
00:21:37,800 --> 00:21:41,800
and that would turn you into a hybrid topology.

375
00:21:41,800 --> 00:21:48,800
And what do you put in that hub to control the traffic, because that hub becomes your center of control,

376
00:21:48,800 --> 00:21:55,800
and most times we see security teams have a lot of visibility into the hub and control over what happens there.

377
00:21:55,800 --> 00:22:00,800
And this is the place where kind of everything comes together, so it's really important.

378
00:22:00,800 --> 00:22:06,800
The hub can usually either contain a network virtual appliance, what we usually abbreviate as an NVA.

379
00:22:06,800 --> 00:22:11,800
And these are the familiar appliances that people might be used to running on-prem.

380
00:22:11,800 --> 00:22:18,800
So it could be a Palo Alto, a Check Point, something like that, that sits in the hub and controls the traffic.

381
00:22:18,800 --> 00:22:26,800
We also have, I mentioned that my team works a lot with Azure Firewall; Azure Firewall is the cloud native way to achieve traffic filtering

382
00:22:26,800 --> 00:22:30,800
and direction in a hub network.

383
00:22:30,800 --> 00:22:36,800
And so you can have different things performing different functions in that hub,

384
00:22:36,800 --> 00:22:43,800
but what it amounts to is it's the central control point of the micro-segmentation of all those other networks.

385
00:22:43,800 --> 00:22:49,800
So it's kind of a harmony between network security groups controlling local traffic,

386
00:22:49,800 --> 00:22:57,800
peering relationships, allowing traffic to go from hub to spoke, and not from spoke to other spoke without going through the hub.

387
00:22:57,800 --> 00:23:02,800
You have user defined routes which control how traffic is allowed to move,

388
00:23:02,800 --> 00:23:11,800
whether it's forcing traffic to that hub from the spokes or forcing traffic even from the hub to some other filtering destination.

389
00:23:11,800 --> 00:23:17,800
Sometimes customers have an on-premise inspection pipeline or something like that,

390
00:23:17,800 --> 00:23:20,800
that they need to force all traffic from Azure back to.

391
00:23:20,800 --> 00:23:23,800
That tends to be kind of a legacy arrangement, but it's possible.

392
00:23:23,800 --> 00:23:30,800
So there's a lot of moving pieces, but if you can understand the general pattern of hub and spoke,

393
00:23:30,800 --> 00:23:39,800
of segmenting different workloads from other workloads, you're going to achieve those basic security principles that we know are a good idea.

394
00:23:39,800 --> 00:23:47,800
You're assuming breach by performing inspection on all the traffic, forcing it through that central location,

395
00:23:47,800 --> 00:23:52,800
not letting traffic get to where it doesn't absolutely need to go.

396
00:23:52,800 --> 00:24:02,800
You're doing, again, least privilege translated into the network level by creating allow rules rather than deny rules.

397
00:24:02,800 --> 00:24:06,800
What that means is kind of we start with Azure Firewall specifically.

398
00:24:06,800 --> 00:24:14,800
It's a default deny. And so once you route traffic to it, nothing passes unless you say it can.

399
00:24:14,800 --> 00:24:22,800
And as long as you're making very deliberate choices on what to allow through, then you're going to achieve those good security principles.

400
00:24:22,800 --> 00:24:28,800
You're going to have a segmented network that only what needs to talk can talk.

401
00:24:28,800 --> 00:24:33,800
So that was a really long-winded explanation of the building blocks.

402
00:24:33,800 --> 00:24:38,800
And I think it really only scratched the surface anyway, but hopefully that's instructive.

403
00:24:38,800 --> 00:24:43,800
Yeah, that makes sense. But yeah, you're right. There's a lot of things to talk about, right?

404
00:24:43,800 --> 00:24:46,800
That's just how it is.

405
00:24:46,800 --> 00:24:53,800
So, Anthony, my question for you is really around traffic inspection and monitoring.

406
00:24:53,800 --> 00:25:00,800
And what is it that we can do with the traffic that goes through and over Azure Firewall?

407
00:25:00,800 --> 00:25:05,800
With Azure Firewall standard, I'll start with standard and then I'll go into premium shortly after.

408
00:25:05,800 --> 00:25:13,800
But with standard, there's always been the capability of matching traffic that passes through Azure Firewall,

409
00:25:13,800 --> 00:25:21,800
whether it's internal traffic or inbound, outbound, whatever, against our internal threat Intel feed.

410
00:25:21,800 --> 00:25:29,800
And so there's always been that capability and that remains in premium and will remain a piece of firewall standard.

411
00:25:29,800 --> 00:25:34,800
But that can be set into alert or alert and deny mode.

412
00:25:34,800 --> 00:25:41,800
So if there's a known malicious FQDN, let's say that one of your VMs is trying to communicate with, we can knock that traffic down.

413
00:25:41,800 --> 00:25:49,800
Same with if there is inbound traffic coming from an IP address that is known malicious, that will also be knocked down.

414
00:25:49,800 --> 00:25:59,800
Threat Intel is kind of the most basic piece, but with Firewall premium, we start getting into some more advanced capabilities.

415
00:25:59,800 --> 00:26:07,800
And you can even argue whether this first one is advanced or not, but it's something that's new to us and required by a lot of customers.

416
00:26:07,800 --> 00:26:11,800
And so the first one is IDS/IPS inspection.

417
00:26:11,800 --> 00:26:13,800
So intrusion detection and prevention.

418
00:26:13,800 --> 00:26:24,800
What this is is basically just a signature-based IDS system that will match traffic against known malicious patterns.

419
00:26:24,800 --> 00:26:34,800
And it's using a subscription based feed that we manage for the customer, which makes it so that you don't really have to go in and fine tune the engine.

420
00:26:34,800 --> 00:26:38,800
We give you all the tools to fine tune the IDS engine, but you don't really have to.

421
00:26:38,800 --> 00:26:51,800
We offer a curated set of rules so you can just kind of turn it on in that either detect or detect and prevent mode and have that extra layer of security.

422
00:26:51,800 --> 00:27:05,800
Beyond that, and I guess complementing that as well, we now have the ability to terminate TLS connections at Firewall, which gives us a better ability to see the entire packet to apply those IDS/IPS signatures to.

423
00:27:05,800 --> 00:27:17,800
This is done for both outbound traffic and also east-west traffic, traffic that's going, let's say, from one VNet in your network, crossing the hub where the firewall is, into the next VNet.

424
00:27:17,800 --> 00:27:34,800
If it's going to a web application in that, which hopefully is all encrypted with HTTPS, we can have that connection terminate at Firewall so that we can look at the decrypted payload, which really adds to our ability to inspect that traffic.

425
00:27:34,800 --> 00:27:47,800
When we've done all this inspection, you know, IDS, we've looked at the IDS, it's had a look at things, we've broken up the TLS, etc. Then what should we be doing with that data? Where should it go?

426
00:27:47,800 --> 00:27:53,800
If you guessed Sentinel, you'd be correct. And I'm guessing that you guessed that.

427
00:27:53,800 --> 00:28:07,800
Maybe I did just a little bit, but I suppose, to be fair, to have a well-rounded conversation, you know, it could go to another SIEM if you're using something else, but ideally Sentinel would be good.

428
00:28:07,800 --> 00:28:21,800
Yeah, and that's a good point, is that all of the tools that encompass kind of the network security stack, they all work on... They're all Azure services, and so they all use the concept of Azure diagnostic logs.

429
00:28:21,800 --> 00:28:37,800
And this is kind of just a general point to make. I'm sure that you guys have talked about this before, but the difference between Azure Activity Log and Azure diagnostic logs, meaning Activity Log records all the control plane stuff, but the data plane,

430
00:28:37,800 --> 00:28:46,800
what happens inside your resources? You have to take an extra step to enable the diagnostic logs and put them somewhere. And these resources are no different.

431
00:28:46,800 --> 00:29:01,800
So Azure Firewall and WAF and DDoS Protection all work on diagnostic logs, and you can send those logs to storage for archiving. A lot of times we recommend that for things like NSG flow logs.

432
00:29:01,800 --> 00:29:18,800
And in fact, that's currently the only place that you can put them. You can put your log data in Log Analytics, and that's how you would pull it into Sentinel, and then Event Hub, which, like you mentioned, you can pull into an external SIEM.

433
00:29:18,800 --> 00:29:24,800
Anthony, I mean a lot of these tools people are familiar with on prem.

434
00:29:24,800 --> 00:29:37,800
Even though we are talking about the cloud versions, can you give the listeners sort of an overview, kind of comparing and contrasting the on-prem mindset of these tools versus the cloud mindset for using these tools?

435
00:29:37,800 --> 00:29:55,800
Yeah, I think that some of these things can translate directly. And I mentioned before that one easy way to keep your cloud environment looking a lot like your on-prem environment is to just use the virtual version of whatever appliance you're used to using on-prem.

436
00:29:55,800 --> 00:30:10,800
And that does work. It's a perfectly valid way to look at things, but then we have customers that do want to embrace the cloud concepts like infrastructure as code and things like that.

437
00:30:10,800 --> 00:30:25,800
And then you can manage their infrastructure as part of a pipeline, and so that's one thing that, you know, people tend to like about the services like Azure Firewall, you know, App Gateway and WAF and all these things.

438
00:30:25,800 --> 00:30:46,800
And that's part of the rest of your Azure environment, and so doing something like creating a firewall rule, or updating some setting on your WAF config, those things can be done in the same system, in the same template even, as you're updating, you know, the number of

439
00:30:46,800 --> 00:31:00,800
devices that are in your scale set. You know, all the things that go into your Azure environment can be done all in the same pipeline, and so that's an advantage to a lot of customers. It doesn't work for everybody, but it is an advantage.

440
00:31:00,800 --> 00:31:16,800
Another big difference in the thinking of on-prem versus cloud is kind of the centralization of a bunch of capabilities into one thing, into one box. That's kind of the appliance mindset, which again, it works.

441
00:31:16,800 --> 00:31:32,800
But when you have the cloud native tools, it enables you to think a little bit differently about that. You know, so the example that I can give is, maybe your on-premise firewall, you're used to it being the central point for everything that happens on your network, so

442
00:31:32,800 --> 00:31:44,800
it's where you terminate all your VPN connections, it's where you allow all your web application traffic in, it's where you inspect all the traffic going out. It's where all the east-west traffic goes in between.

443
00:31:44,800 --> 00:32:05,800
And that's fine, and that does work in Azure too. But when you're using the cloud native components, you can pick and choose which service does what. It's a bit more of a modular approach. So you can have Azure Firewall doing the outbound inspection, you can have Azure WAF on Application Gateway or

444
00:32:05,800 --> 00:32:19,800
Front Door doing the inbound inspection, you can have different services altogether like VPN Gateway doing your VPN termination. It's more of a kind of, you check the boxes that you need and not the ones that you don't.

445
00:32:19,800 --> 00:32:29,800
So it's not like you have to put in one monolithic appliance to do all the things; you provision just the resources that you need and not those that you don't.

446
00:32:29,800 --> 00:32:40,800
So we've sort of touched on various technologies that we have in the stack, one of which is Front Door. Some of our listeners may not know what Azure Front Door is.

447
00:32:40,800 --> 00:32:51,800
Could you just spend a brief moment explaining kind of what Front Door is, how it works, how it sort of fits in the overall scheme of things when we're talking about network security, and also, while I've got you, what's new coming down the pike?

448
00:32:51,800 --> 00:33:08,800
So starting with Front Door, I guess that's more of a conversation on the application security or secure application delivery side of things, and so Front Door is one of the two services that you can currently attach an Azure WAF to, so

449
00:33:08,800 --> 00:33:25,800
inspecting inbound traffic with the web application firewall to detect and prevent known malicious web application traffic. So things like SQL injection and cross-site scripting and remote code execution and things like that that you tend to read about in headlines.

450
00:33:25,800 --> 00:33:51,800
So Front Door and Application Gateway are the two attachment points for WAF. They are both layer seven load balancers, which do application delivery specifically on the application layer, and so how that differentiates from, let's say, Azure Load Balancer or Traffic Manager is that Load Balancer and Traffic Manager just work on, you know, the network layer.

451
00:33:51,800 --> 00:34:03,800
And so they do pretty basic load balancing, DNS-based, send traffic arbitrarily to different back end nodes. That's a fine way to do things if that's your use case.

452
00:34:03,800 --> 00:34:20,800
But if you have more advanced requirements, like routing the same application traffic, let's say traffic to the same application but two different paths, to different back ends that correspond to those different paths, which is path-based routing,

453
00:34:20,800 --> 00:34:33,800
you can use Front Door or Application Gateway. The big thing that sets these things apart, and the reason that we attach WAF to them, is that they terminate TLS inbound. So there's always a

454
00:34:33,800 --> 00:34:50,800
TLS termination that happens on them, which enables us to see the entire packet and make either routing decisions based on that or do security inspection. And so that's why they're very relevant to us, and so differentiating Front Door and Application Gateway:

455
00:34:50,800 --> 00:35:06,800
App Gateway is the regional service and Front Door is the global service, and so App Gateway lives inside your VNet. It owns a subnet that's inside your VNet. So back to our secure app design, it would live in one of those peered networks.

456
00:35:06,800 --> 00:35:11,800
Maybe one of your spoke networks or maybe in the hub itself.

457
00:35:11,800 --> 00:35:27,800
There's different designs possible, but App Gateway sits inside your network, and so it's kind of closer to home, and it works very well for publishing internal-only applications, and it can also serve applications that are

458
00:35:27,800 --> 00:35:29,800
Internet accessible.

459
00:35:29,800 --> 00:35:33,800
But keeping in mind that it is served from a specific region.

460
00:35:33,800 --> 00:35:45,800
Front Door, being a global service, is pretty much, we say it's global, it's not attached to any specific region. But what is probably more accurate is that it is attached to all the regions.

461
00:35:45,800 --> 00:35:48,800
When you host a web application on Front Door,

462
00:35:48,800 --> 00:35:55,800
it's simultaneously available at every one of our data centers throughout the world. And so

463
00:35:55,800 --> 00:36:03,800
it has an application acceleration.

464
00:36:03,800 --> 00:36:11,800
Azure WAF on either of these services to do your web application security inspection.

465
00:36:11,800 --> 00:36:14,800
And again, WAF, Firewall, all these things,

466
00:36:14,800 --> 00:36:17,800
you know, feed the security data that everybody,

467
00:36:17,800 --> 00:36:25,800
everybody loves. You also asked what's new, so there's new things that came out very recently, a couple of weeks ago.

468
00:36:25,800 --> 00:36:36,800
Both, you know, we touched on Azure Firewall Premium, so that's kind of the big new thing in firewall land, which again gives you TLS inspection.

469
00:36:36,800 --> 00:36:51,800
And then IDS/IPS, web categories were another piece of that that got released, and then Azure Front Door also has a couple of new SKUs that enhance the security of the application delivery it is capable of.

470
00:36:51,800 --> 00:36:53,800
Which.

471
00:36:53,800 --> 00:36:58,800
One of those things, I mean, there's going to be some great improvements on what we're doing with WAF.

472
00:36:58,800 --> 00:37:11,800
For the time being, the biggest thing I think that's notable is that Front Door can now handle Private Link, and so you can have basically a private connection from Front Door to your back ends. It used to be that you

473
00:37:11,800 --> 00:37:19,800
would have to have a public-facing endpoint that would sit behind Front Door, which is not insecure, there's ways that you can lock that down.

474
00:37:19,800 --> 00:37:30,800
But putting it on a Private Link and having nothing on the public Internet is something that a lot of customers have been wanting, so some good stuff that has been released, and definitely

475
00:37:30,800 --> 00:37:40,800
keep an eye out for future releases, because now that we're in the realm of being able to decrypt traffic on Firewall, I think you'll see

476
00:37:40,800 --> 00:37:55,800
more and more capabilities piled on. We've got customers that have other requirements that we're looking into developing, nothing I can get into specifically now, but it's definitely a space to keep an eye on.

477
00:37:55,800 --> 00:38:08,800
We always ask all our guests this, Anthony, at the end of the podcast, but if you wanted to leave our listeners with a final thought or something they should do,

478
00:38:08,800 --> 00:38:10,800
What would it be?

479
00:38:10,800 --> 00:38:19,800
I would say just don't forget about the network. It's funny that the network layers tend to be

480
00:38:19,800 --> 00:38:27,800
the easily forgotten-about ones, the ones that people want to move beyond and say this is an identity-first security world and things like that.

481
00:38:27,800 --> 00:38:40,800
But don't forget about the fundamentals, and network security is one of those fundamentals, and so I would just say don't forget about those fundamental building blocks to security.

482
00:38:40,800 --> 00:38:53,800
You need to have defense in depth, and so even if you are doing all the right things on, you know, the higher levels, and verifying identity every step of the way, and doing,

483
00:38:53,800 --> 00:39:01,800
you know, behavioral analytics and all the fun newer and, I guess, more modern security inspections,

484
00:39:01,800 --> 00:39:09,800
there's a lot to be said about continuing to do the right thing on the fundamentals. The comparison I make is,

485
00:39:09,800 --> 00:39:24,800
you know, IDS is, you know, maybe thought of as something that's been out there for a long time. It's not the most advanced security detection mechanism, but it is something that's useful as one component in the stack.

486
00:39:24,800 --> 00:39:26,800
It's not the end all be all.

487
00:39:26,800 --> 00:39:43,800
But the comparison is, just because you're doing, let's say, really fancy things in EDR on your endpoints, you shouldn't turn off your signature-based malware detection. It still has a role to play, and so network security and kind of the fundamental concepts,

488
00:39:43,800 --> 00:39:49,800
they still have a role to play even in, you know, an identity-first, zero trust world.

489
00:39:49,800 --> 00:39:59,800
Anthony, thank you so much for joining us this week. I really appreciate you taking the time, and I know you're busy. I know I learned a few things as well along the way. And to our listeners, thank you for listening. Stay safe out there.

490
00:39:59,800 --> 00:40:20,800
And we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website, azsecuritypodcast.net. If you have any questions, please find us on Twitter at Azure Sec Pod. Background music is from ccMixter.com and licensed under the Creative Commons license.

