1
00:00:00,000 --> 00:00:09,600
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy,

2
00:00:09,600 --> 00:00:13,280
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:13,280 --> 00:00:17,540
Hey everybody, welcome to episode 102.

4
00:00:17,540 --> 00:00:21,440
This week we have a guest, Nestori Syynimaa, who's here to talk about purple teaming Entra

5
00:00:21,440 --> 00:00:22,440
ID.

6
00:00:22,440 --> 00:00:25,560
But before we get to our guest, let's take a little lap around the news.

7
00:00:25,560 --> 00:00:27,000
This week is just myself, Michael and Sarah.

8
00:00:27,000 --> 00:00:29,280
So Sarah, why don't you kick off the news?

9
00:00:29,280 --> 00:00:30,280
I will do.

10
00:00:30,280 --> 00:00:34,560
So I'm going to go with the first thing, because this is top of mind for me at the moment,

11
00:00:34,560 --> 00:00:36,600
which is Ignite.

12
00:00:36,600 --> 00:00:41,860
So you may know that registration for Microsoft Ignite has opened.

13
00:00:41,860 --> 00:00:47,080
It's in Chicago in November, just the week before Thanksgiving for those of you in the

14
00:00:47,080 --> 00:00:48,080
US.

15
00:00:48,080 --> 00:00:56,480
Now it is generally sold out, but a cool, cool thing is that if you are a security professional,

16
00:00:56,480 --> 00:01:03,040
there is an RSVP code to get you in as a security person, which is very cool.

17
00:01:03,040 --> 00:01:08,400
So if you're listening to this and you wanted to go to Ignite and you missed out on a ticket,

18
00:01:08,400 --> 00:01:09,640
we've got the links in the show notes.

19
00:01:09,640 --> 00:01:12,240
So you can go use the RSVP code.

20
00:01:12,240 --> 00:01:16,640
Something of note, apart from the normal Ignite things like the breakout sessions, we've also

21
00:01:16,640 --> 00:01:22,360
got the pre-day stuff, which is half a day before the main Ignite thing starts on November

22
00:01:22,360 --> 00:01:25,840
the 19th and the pre days on November the 18th.

23
00:01:25,840 --> 00:01:28,200
And there are three security pre days.

24
00:01:28,200 --> 00:01:32,600
There is the Microsoft Ignite Security Forum, which is a decision maker type thing.

25
00:01:32,600 --> 00:01:34,800
And then we also have two pre day labs.

26
00:01:34,800 --> 00:01:39,760
Now I'm biased that I'm extremely excited about these, but that might be because I'm

27
00:01:39,760 --> 00:01:43,500
running them or overall on the hook for these things.

28
00:01:43,500 --> 00:01:46,140
So the first one is AI Red teaming in practice.

29
00:01:46,140 --> 00:01:50,060
So it's a hands on workshop that's done by the AI Red team folks.

30
00:01:50,060 --> 00:01:53,160
It was also taught at Black Hat earlier this year.

31
00:01:53,160 --> 00:01:54,760
Those people are amazing.

32
00:01:54,760 --> 00:01:56,560
They really know their stuff.

33
00:01:56,560 --> 00:01:59,400
It's very different from something we've done at Ignite before, because there's actually

34
00:01:59,400 --> 00:02:01,440
no Microsoft products involved in it.

35
00:02:01,440 --> 00:02:05,880
It is just the principles and some of the open source tooling and techniques you can

36
00:02:05,880 --> 00:02:07,440
use to Red team things.

37
00:02:07,440 --> 00:02:12,240
And the second one is secure your data estate for a Copilot for M365 deployment.

38
00:02:12,240 --> 00:02:14,840
And that's going to be a lecture-based workshop.

39
00:02:14,840 --> 00:02:18,880
And of course, top of mind for a lot of people is I want to deploy a copilot.

40
00:02:18,880 --> 00:02:23,160
And unsurprisingly, a lot of people start with M365 copilot.

41
00:02:23,160 --> 00:02:27,360
So in that workshop, we're going to talk about how you can do that, how you can understand

42
00:02:27,360 --> 00:02:33,680
the state your data is in and how you can make it secure so you can let some AI and

43
00:02:33,680 --> 00:02:38,460
copilot run loose on it without the copilot accidentally sharing all the information it

44
00:02:38,460 --> 00:02:39,960
shouldn't do with the wrong people.

45
00:02:39,960 --> 00:02:40,960
So that's the first one.

46
00:02:40,960 --> 00:02:45,280
I gave far too much time to that, but that's something I'm very heavily involved in.

47
00:02:45,280 --> 00:02:47,440
But let's look around the other things.

48
00:02:47,440 --> 00:02:52,080
We've got build and secure your apps with App Service and Defender for cloud.

49
00:02:52,080 --> 00:02:57,880
So there's a new service capability for the better together stuff: if you're using

50
00:02:57,880 --> 00:03:02,520
Azure App Service, you can now use Defender for App Service, which is part of Defender

51
00:03:02,520 --> 00:03:03,520
for cloud.

52
00:03:03,520 --> 00:03:07,720
Now you may remember, we've had a good friend of the podcast, Yuri on many times to talk

53
00:03:07,720 --> 00:03:09,160
about Defender for cloud.

54
00:03:09,160 --> 00:03:12,280
So you should go and have a look at that.

55
00:03:12,280 --> 00:03:19,120
Now, a couple of episodes ago, we talked about the FIPS

56
00:03:19,120 --> 00:03:25,160
mutability support in AKS; that has now gone GA, which is very quick for something to go

57
00:03:25,160 --> 00:03:26,600
from public preview to GA.

58
00:03:26,600 --> 00:03:28,480
So well done to AKS.

59
00:03:28,480 --> 00:03:32,800
So if you need to use FIPS, the Federal Information Processing

60
00:03:32,800 --> 00:03:33,800
Standards.

61
00:03:33,800 --> 00:03:36,680
So if you're in the US and you need to use that, it's now GA.

62
00:03:36,680 --> 00:03:37,680
Hooray.

63
00:03:37,680 --> 00:03:43,560
Public preview: Azure Monitor Metrics now supports exporting metrics.

64
00:03:43,560 --> 00:03:50,920
So that means that through DCRs, data collection rules, you can now route Azure resource metrics

65
00:03:50,920 --> 00:03:55,680
out to storage accounts, event hubs, and from event hubs, you can send them elsewhere.

66
00:03:55,680 --> 00:04:00,480
So if you want to put your Azure Monitor Metrics somewhere else or do something with them,

67
00:04:00,480 --> 00:04:02,320
you can do that.

68
00:04:02,320 --> 00:04:07,320
And then a couple of big announcements that actually at the time of recording this only

69
00:04:07,320 --> 00:04:10,100
were announced a couple of days ago.

70
00:04:10,100 --> 00:04:15,120
So exciting, we're doing trustworthy AI.

71
00:04:15,120 --> 00:04:18,720
So this kind of does what it says on the tin.

72
00:04:18,720 --> 00:04:22,440
We've announced that we're doing trustworthy AI.

73
00:04:22,440 --> 00:04:28,560
So it's a number of principles that we're building our AI on.

74
00:04:28,560 --> 00:04:31,960
We'll put a link to it so you can have a look and read all about it.

75
00:04:31,960 --> 00:04:37,560
You'll be hearing quite a lot about that in the next few months for sure.

76
00:04:37,560 --> 00:04:41,600
And then last but not least for me, this has been a big news section for me.

77
00:04:41,600 --> 00:04:45,400
We have public preview of hybrid Azure AI content safety.

78
00:04:45,400 --> 00:04:49,040
Now Azure AI content safety has been around for a little bit now.

79
00:04:49,040 --> 00:04:53,920
That is essentially when we put filters in your AI.

80
00:04:53,920 --> 00:05:01,760
So it can filter for hate, violence, sexual content, etc.

81
00:05:01,760 --> 00:05:09,800
But hybrid Azure AI content safety will also help you look at stuff on-prem and in disconnected

82
00:05:09,800 --> 00:05:10,800
containers.

83
00:05:10,800 --> 00:05:12,280
So it's a little bit more flexible.

84
00:05:12,280 --> 00:05:17,600
So as always, we'll put the link in the show notes and you can go and have a look.

85
00:05:17,600 --> 00:05:19,760
And that is me for the news, Michael.

86
00:05:19,760 --> 00:05:20,760
So over to you.

87
00:05:20,760 --> 00:05:23,720
Yeah, I've got quite a few as well.

88
00:05:23,720 --> 00:05:28,800
So the first one is we've just released an update on the Secure Future Initiative.

89
00:05:28,800 --> 00:05:30,360
So it's just basically a progress update.

90
00:05:30,360 --> 00:05:34,240
It's well worth reading, giving an idea of all the things that we're working on right

91
00:05:34,240 --> 00:05:35,440
now.

92
00:05:35,440 --> 00:05:40,360
Essentially the big overarching metric, if nothing else, is that we've got the equivalent

93
00:05:40,360 --> 00:05:44,280
of about 34,000 full-time engineers working on this stuff.

94
00:05:44,280 --> 00:05:49,880
And we're starting to see a lot of the fruits of that effort, not just internally, but also

95
00:05:49,880 --> 00:05:52,560
some of the products that are getting changed as well.

96
00:05:52,560 --> 00:05:54,680
So I'll actually touch on a couple of those.

97
00:05:54,680 --> 00:05:59,440
The first one is we've just released a video on secure and scalable quickstarts for Azure

98
00:05:59,440 --> 00:06:02,040
Functions using the Azure Developer CLI.

99
00:06:02,040 --> 00:06:09,360
There's a huge focus in this video on security: best practices for securing apps, how to use VNet

100
00:06:09,360 --> 00:06:14,760
integration, how to use managed identities and so on to access things like Azure storage.

101
00:06:14,760 --> 00:06:15,760
Really good to see.

102
00:06:15,760 --> 00:06:19,140
Huge fan of managed identities.

103
00:06:19,140 --> 00:06:23,600
Next one is, so Sarah touched on this with the Microsoft Trustworthy AI.

104
00:06:23,600 --> 00:06:25,320
Definitely go and check out the video on that.

105
00:06:25,320 --> 00:06:27,840
It's well worth looking at.

106
00:06:27,840 --> 00:06:31,480
Microsoft Playwright, I don't even know what Microsoft Playwright was, to be honest with

107
00:06:31,480 --> 00:06:33,080
you, but now I do.

108
00:06:33,080 --> 00:06:35,880
It's an end-to-end web testing tool.

109
00:06:35,880 --> 00:06:42,440
And we've now added Entra ID support for Microsoft Playwright Testing.

110
00:06:42,440 --> 00:06:48,040
Very cool because if you want to test a system that's using Entra ID, then this is the way

111
00:06:48,040 --> 00:06:49,440
to go.

112
00:06:49,440 --> 00:06:56,000
Next one is managed identity support for WordPress on App Service.

113
00:06:56,000 --> 00:06:57,400
This is really cool.

114
00:06:57,400 --> 00:07:05,680
Again, I swear that every few episodes I talk about some new feature, some new product that

115
00:07:05,680 --> 00:07:09,960
is getting managed identity support; it's critically important that we remove credentials

116
00:07:09,960 --> 00:07:13,760
from the environment and managed identities are one way of doing that.

117
00:07:13,760 --> 00:07:15,880
And this is actually a big focus of SFI as well.

118
00:07:15,880 --> 00:07:19,960
So here we've got a third-party product, WordPress, and we're now supporting managed identities

119
00:07:19,960 --> 00:07:23,400
for that as well, which is great to see.

120
00:07:23,400 --> 00:07:29,480
Sort of in a similar vein, Azure Bastion now has Entra ID support for SSH connections into

121
00:07:29,480 --> 00:07:30,480
the portal.

122
00:07:30,480 --> 00:07:35,080
Again, this is really cool to see because I don't think SSH would normally have worked

123
00:07:35,080 --> 00:07:37,840
with Entra ID without some kind of extra work.

124
00:07:37,840 --> 00:07:38,840
So this is good to see as well.

125
00:07:38,840 --> 00:07:42,400
So again, removing credentials from the environment.

126
00:07:42,400 --> 00:07:47,600
Next one is managing network security groups on subnets via Azure Policy.

127
00:07:47,600 --> 00:07:48,760
This is really cool to see.

128
00:07:48,760 --> 00:07:51,200
I'm a huge fan of Azure Policy.

129
00:07:51,200 --> 00:07:55,440
I'm a huge fan of NSGs as well, but Azure Policy is just a way of deploying an environment

130
00:07:55,440 --> 00:08:00,040
or configuration in the environment so that the policies are always applied.

131
00:08:00,040 --> 00:08:03,920
So you can say that certain subnets must have certain kinds of network security group rules

132
00:08:03,920 --> 00:08:06,040
by default.

133
00:08:06,040 --> 00:08:09,920
Something from my old stomping ground, SQL Insights, which apparently never came out

134
00:08:09,920 --> 00:08:10,920
of preview.

135
00:08:10,920 --> 00:08:11,920
I didn't know that.

136
00:08:11,920 --> 00:08:19,040
But SQL Insights will be retired on December the 31st this year, 2024, and you must replace

137
00:08:19,040 --> 00:08:23,160
it with products like Database Watcher for Azure SQL or something like that.

138
00:08:23,160 --> 00:08:28,320
So again, if you're monitoring your SQL environment using SQL Insights, that thing is going to

139
00:08:28,320 --> 00:08:31,360
be retired at the end of this year.

140
00:08:31,360 --> 00:08:34,720
The last one, which I want to touch on, because I think it's incredibly important because

141
00:08:34,720 --> 00:08:38,000
no doubt by now, most of you have seen the email.

142
00:08:38,000 --> 00:08:40,680
If you haven't, you need to.

143
00:08:40,680 --> 00:08:44,880
And that is that we're announcing mandatory multi-factor authentication for Azure sign-in.

144
00:08:44,880 --> 00:08:49,160
Now, this will be a sort of slow rollout.

145
00:08:49,160 --> 00:08:52,500
And what I mean by that is we're starting with the Azure portal.

146
00:08:52,500 --> 00:08:55,600
So basically, if you're going to access the environment through the Azure portal, then

147
00:08:55,600 --> 00:09:00,160
the accounts that are doing that must have MFA support, multi-factor authentication

148
00:09:00,160 --> 00:09:01,160
support.

149
00:09:01,160 --> 00:09:05,200
This is going to come into effect towards the end of October this year.

150
00:09:05,200 --> 00:09:08,000
You can opt out of it, I believe, until about April next year.

151
00:09:08,000 --> 00:09:10,000
But if you don't, then it will come into effect in October.

152
00:09:10,000 --> 00:09:13,600
And I also want to point something else out that's really, really important here.

153
00:09:13,600 --> 00:09:15,400
This is just for the portal for the moment.

154
00:09:15,400 --> 00:09:20,760
Over time, we will change that to cover more things like API access and so on.

155
00:09:20,760 --> 00:09:23,320
But right now, it is just for the portal.

156
00:09:23,320 --> 00:09:28,480
I realize it's not a complete defense because you can still access resources, potentially

157
00:09:28,480 --> 00:09:32,480
access other resources using, say, API access.

158
00:09:32,480 --> 00:09:36,320
But this is just a starting point to sort of make sure that everyone sort of gets on

159
00:09:36,320 --> 00:09:39,840
the train at the beginning so that we can roll this out in the future.

160
00:09:39,840 --> 00:09:40,840
All right.

161
00:09:40,840 --> 00:09:43,040
That's all I have in the news department.

162
00:09:43,040 --> 00:09:45,560
So why don't we switch our attention to our guest?

163
00:09:45,560 --> 00:09:50,400
As I mentioned, our guest this week is Nestori Syynimaa, who's here to talk to us about purple

164
00:09:50,400 --> 00:09:52,440
teaming Entra ID.

165
00:09:52,440 --> 00:09:56,080
So with that, hey, Nestori, thank you so much for joining us this week.

166
00:09:56,080 --> 00:09:59,080
We'd like you to take a moment and introduce yourself to our listeners.

167
00:09:59,080 --> 00:10:01,120
Yeah, thanks for having me.

168
00:10:01,120 --> 00:10:06,320
So my name is Dr. Nestori Syynimaa, also known as Dr. AzureAD.

169
00:10:06,320 --> 00:10:10,640
And I've been working with Microsoft since January this year.

170
00:10:10,640 --> 00:10:13,720
So what is it, nine months or so?

171
00:10:13,720 --> 00:10:21,520
And I'm working now in MSTIC, which stands for Microsoft Threat Intelligence Center.

172
00:10:21,520 --> 00:10:25,920
And I'm pretty much doing the same thing I did before joining Microsoft.

173
00:10:25,920 --> 00:10:30,800
So I kind of try to break our stuff and then help to fix that and of course help to build

174
00:10:30,800 --> 00:10:33,760
detections for that.

175
00:10:33,760 --> 00:10:41,600
And those eventually become part of our tools like MDE or MDA or whatever Defender products

176
00:10:41,600 --> 00:10:43,800
we have.

177
00:10:43,800 --> 00:10:52,160
And I think people know me best from my toolkit called AADInternals, which is used quite often

178
00:10:52,160 --> 00:10:59,240
for like purple teaming Entra ID.

179
00:10:59,240 --> 00:11:01,160
So that's a very quick introduction.

180
00:11:01,160 --> 00:11:02,160
Okay, Nestori.

181
00:11:02,160 --> 00:11:08,360
I'm going to have to ask you first of all, as you said, you're known as Dr. AzureAD.

182
00:11:08,360 --> 00:11:10,520
How did you get that nickname?

183
00:11:10,520 --> 00:11:13,880
Okay, well, I am a doctor.

184
00:11:13,880 --> 00:11:17,280
So I did my doctorate in 2015.

185
00:11:17,280 --> 00:11:19,600
It wasn't about security as such.

186
00:11:19,600 --> 00:11:22,400
So it was about informatics.

187
00:11:22,400 --> 00:11:26,380
And it's from the University of Reading, England.

188
00:11:26,380 --> 00:11:29,240
So that's the doctor part.

189
00:11:29,240 --> 00:11:36,280
And because I know a little bit about Azure AD, which is now Entra ID.

190
00:11:36,280 --> 00:11:39,000
So that's why I picked the name.

191
00:11:39,000 --> 00:11:43,680
Now I warned you I was going to ask you about this when we had our little pre-record.

192
00:11:43,680 --> 00:11:47,280
But can I ask you about your car registration?

193
00:11:47,280 --> 00:11:49,960
Yeah, sure.

194
00:11:49,960 --> 00:11:53,000
So it was about 15 months ago or something like that.

195
00:11:53,000 --> 00:11:59,080
So I ordered a new car with vanity plates, of course.

196
00:11:59,080 --> 00:12:03,440
And the registration number is AAD365.

197
00:12:03,440 --> 00:12:07,440
And we were having a vacation in Spain.

198
00:12:07,440 --> 00:12:10,680
And then when we flew back, I was able to pick up the car.

199
00:12:10,680 --> 00:12:15,060
But during the vacation, Microsoft announced that, okay, we are going to change the name

200
00:12:15,060 --> 00:12:16,060
to Entra ID.

201
00:12:16,060 --> 00:12:19,760
And I was like, oh, yeah, that's the story with my car plates.

202
00:12:19,760 --> 00:12:25,120
So it's a kind of like a joke with our friends that every time Microsoft rebrands something,

203
00:12:25,120 --> 00:12:29,080
it costs me like 1000, because that's the price of the new plates.

204
00:12:29,080 --> 00:12:31,920
But I'm still not going to change the plates.

205
00:12:31,920 --> 00:12:36,320
I think I'm going to have to find a link to your socials where there's a picture of that

206
00:12:36,320 --> 00:12:44,120
to put on for the listeners because I remember seeing it and I felt so bad for you.

207
00:12:44,120 --> 00:12:51,120
But I guess I wanted to ask you, how did you decide or how did you get into doing research

208
00:12:51,120 --> 00:12:53,720
about Azure AD specifically?

209
00:12:53,720 --> 00:12:54,880
Was it an accident?

210
00:12:54,880 --> 00:12:56,440
Did you choose it?

211
00:12:56,440 --> 00:13:03,600
Because as you said, you've been looking at how we can purple team and do things to Azure

212
00:13:03,600 --> 00:13:06,440
AD or Entra ID for a long time.

213
00:13:06,440 --> 00:13:07,960
How did you get into it?

214
00:13:07,960 --> 00:13:11,020
Yeah, well, it's a kind of long story.

215
00:13:11,020 --> 00:13:21,560
So back in 2008 or something, I was CIO of the third-largest Finnish telecom operator.

216
00:13:21,560 --> 00:13:27,400
And we were building up a hosted messaging and collaboration environment, like email and

217
00:13:27,400 --> 00:13:30,080
SharePoint and that kind of things.

218
00:13:30,080 --> 00:13:32,800
So we built that environment.

219
00:13:32,800 --> 00:13:36,840
And then we quickly jump to 2013 or something like that.

220
00:13:36,840 --> 00:13:38,440
Yes, it was 2013.

221
00:13:38,440 --> 00:13:48,320
So one of my old colleagues, he was a director in a Finnish organization that provides IT training

222
00:13:48,320 --> 00:13:53,120
like for administrators and that kind of roles.

223
00:13:53,120 --> 00:13:58,040
And nobody in the company, I mean the other trainers, they didn't believe that cloud was going to

224
00:13:58,040 --> 00:14:00,300
be a big thing.

225
00:14:00,300 --> 00:14:08,280
So he asked me: since you built that hosted messaging and collaboration environment,

226
00:14:08,280 --> 00:14:12,160
could you come here and train like cloud?

227
00:14:12,160 --> 00:14:14,320
And I was okay, why not?

228
00:14:14,320 --> 00:14:20,720
And at that time it was just Office 365, which is now Microsoft 365 and so on.

229
00:14:20,720 --> 00:14:25,480
But the Entra ID was part of that since the beginning.

230
00:14:25,480 --> 00:14:32,360
And when I was doing the training, of course, you need to make sure that everything is secured

231
00:14:32,360 --> 00:14:35,260
and the environment is secure and so on.

232
00:14:35,260 --> 00:14:42,280
So I kind of accidentally went that path.

233
00:14:42,280 --> 00:14:49,880
Because in the training, you build your environment, you connect your on-prem AD to the cloud, you

234
00:14:49,880 --> 00:14:51,720
build the synchronization.

235
00:14:51,720 --> 00:14:55,240
At that time, we did a lot of ADFS also.

236
00:14:55,240 --> 00:14:59,400
So that's kind of how it started.

237
00:14:59,400 --> 00:15:03,800
And then I started to research more and more and more.

238
00:15:03,800 --> 00:15:08,800
And the first version of my tool, I think it was published in 2018.

239
00:15:08,800 --> 00:15:11,520
So yeah, that's how it started.

240
00:15:11,520 --> 00:15:16,280
Do you want to just talk about the AADInternals tool and just explain sort of what it does

241
00:15:16,280 --> 00:15:18,920
and how people sort of use it on a daily basis?

242
00:15:18,920 --> 00:15:21,360
Well, it's a PowerShell module.

243
00:15:21,360 --> 00:15:22,400
And why PowerShell?

244
00:15:22,400 --> 00:15:29,640
Because everybody who is administering Windows, they are using PowerShell, or if you are

245
00:15:29,640 --> 00:15:38,280
administering servers or cloud, Microsoft Cloud, you usually use PowerShell.

246
00:15:38,280 --> 00:15:45,200
And also like when I found something that I think that this might be a vulnerability,

247
00:15:45,200 --> 00:15:49,640
I reported that to Microsoft, to Microsoft Security Response Center.

248
00:15:49,640 --> 00:15:55,160
And they usually require that there would be a proof of concept that would be easy

249
00:15:55,160 --> 00:15:58,140
to use, so that you can replicate that.

250
00:15:58,140 --> 00:16:04,080
So I implemented that as a new feature to my tool.

251
00:16:04,080 --> 00:16:10,320
And then I was able to send that to MSRC and they were able to replicate that.

252
00:16:10,320 --> 00:16:14,800
So during the years, I have put a lot of things there.

253
00:16:14,800 --> 00:16:20,080
So I can't even remember how many different like functions there currently are, but they

254
00:16:20,080 --> 00:16:22,240
are like hundreds.

255
00:16:22,240 --> 00:16:32,260
And it is used by, well, bad guys are using that also.

256
00:16:32,260 --> 00:16:39,440
But typically it's used by administrators who want to check what the

257
00:16:39,440 --> 00:16:42,000
security posture of their environments is.

258
00:16:42,000 --> 00:16:47,740
So I have implemented the same techniques in the tool that threat actors are using.

259
00:16:47,740 --> 00:16:53,240
So now when you have the toolkit, you can run it in your own environment and you can

260
00:16:53,240 --> 00:16:58,680
test using the same methods and tactics and techniques that threat actors are using, that

261
00:16:58,680 --> 00:17:05,200
whether you can detect those attacks and then how you can prevent those after you have

262
00:17:05,200 --> 00:17:06,840
detected those.

263
00:17:06,840 --> 00:17:09,320
So that's how kind of it is used.

264
00:17:09,320 --> 00:17:11,080
Do you want to give some examples?

265
00:17:11,080 --> 00:17:12,080
I'm just curious.

266
00:17:12,080 --> 00:17:13,560
I mean, so I agree 100%.

267
00:17:13,560 --> 00:17:19,320
I mean, I think knowing how bad actors go sniffing around environments, looking for

268
00:17:19,320 --> 00:17:23,800
vulnerabilities and then potentially exploit those vulnerabilities or configuration weaknesses.

269
00:17:23,800 --> 00:17:25,160
So I agree 100%.

270
00:17:25,160 --> 00:17:30,000
I think that's something that all people who deploy on any platform should understand.

271
00:17:30,000 --> 00:17:32,720
They need to understand what they're up against.

272
00:17:32,720 --> 00:17:36,240
So you wanted to give me some examples of what sort of things it would do.

273
00:17:36,240 --> 00:17:39,600
What would someone do on a daily basis if they were using the tool?

274
00:17:39,600 --> 00:17:44,280
Well, this is probably not going to happen on a daily basis, but if you remember the Solorigate

275
00:17:44,280 --> 00:17:50,560
attack a few years ago, so that is kind of like, it started with a kind of Golden SAML

276
00:17:50,560 --> 00:17:51,560
attack.

277
00:17:51,560 --> 00:17:55,600
I mean, when the attackers were pivoting from on-prem to cloud.

278
00:17:55,600 --> 00:18:02,520
So for instance, you may run my tool in a server that is running ADFS, which is used

279
00:18:02,520 --> 00:18:05,920
typically for identity federation.

280
00:18:05,920 --> 00:18:10,100
And you run that and you export the token-signing certificate.

281
00:18:10,100 --> 00:18:14,420
That's one thing that you should be able to detect on the endpoint: that you are running

282
00:18:14,420 --> 00:18:19,840
this command, or that somebody is extracting those certificates.

283
00:18:19,840 --> 00:18:26,800
And when you have those, then you can forge SAML tokens and then you can log in as any

284
00:18:26,800 --> 00:18:29,800
user in the tenant basically.

285
00:18:29,800 --> 00:18:32,680
You can also bypass MFA with that.

286
00:18:32,680 --> 00:18:36,880
Now while you have that certificate, you can then start doing this.

287
00:18:36,880 --> 00:18:47,040
So you log in using any user you want to, maybe bypass MFA and then as a purple teamer,

288
00:18:47,040 --> 00:18:52,720
maybe the blue side of the purple team, they can then try to see that how well we are detecting

289
00:18:52,720 --> 00:18:53,720
that.

290
00:18:53,720 --> 00:18:57,120
I mean, like forging those SAML tokens.

291
00:18:57,120 --> 00:18:59,120
So that kind of things you can do with that.

292
00:18:59,120 --> 00:19:00,880
I want to be really pedantic.

293
00:19:00,880 --> 00:19:05,440
When you say exporting the signing certificate, I assume you mean certificate and the private

294
00:19:05,440 --> 00:19:06,440
key.

295
00:19:06,440 --> 00:19:07,440
Yes, correct.

296
00:19:07,440 --> 00:19:08,440
So yeah.

297
00:19:08,440 --> 00:19:09,600
What does it take to do that?

298
00:19:09,600 --> 00:19:11,800
I'm just curious more than anything else.

299
00:19:11,800 --> 00:19:17,400
And that would assume that first of all, whoever is getting in there has access to the certificate

300
00:19:17,400 --> 00:19:18,400
and private key.

301
00:19:18,400 --> 00:19:20,440
So you have to run as an account that has access to that, right?

302
00:19:20,440 --> 00:19:23,920
Because we're not going to let anyone have access to the private key.

303
00:19:23,920 --> 00:19:26,280
Yeah, that's correct.

304
00:19:26,280 --> 00:19:31,200
But usually you only need to have like a local admin on that ADFS box and then you can do

305
00:19:31,200 --> 00:19:32,200
that.

306
00:19:32,200 --> 00:19:33,200
Okay.

307
00:19:33,200 --> 00:19:34,200
Fair enough.

308
00:19:34,200 --> 00:19:35,200
All right.

309
00:19:35,200 --> 00:19:36,200
What other examples?

310
00:19:36,200 --> 00:19:37,200
I'm just curious.

311
00:19:37,200 --> 00:19:38,200
What other examples have you got?

312
00:19:38,200 --> 00:19:39,200
What else?

313
00:19:39,200 --> 00:19:43,040
So you can simulate phishing attacks also.

314
00:19:43,040 --> 00:19:47,980
You lure the user to use this authentication code thing.

315
00:19:47,980 --> 00:19:51,840
So it's pretty much the same device code authentication flow.

316
00:19:51,840 --> 00:19:55,880
It's pretty much similar to if you are using Netflix, for instance, and you can log

317
00:19:55,880 --> 00:19:57,140
into Netflix that easily.

318
00:19:57,140 --> 00:20:01,720
So it just shows you a code and you need to use your phone or your laptop to go to Netflix

319
00:20:01,720 --> 00:20:05,240
and give the code and then your TV kind of logs in.

320
00:20:05,240 --> 00:20:07,600
So Entra ID has a similar kind of functionality.

321
00:20:07,600 --> 00:20:13,020
If you want to log in to Cloud Shell, for instance, you don't have the GUI, so you need

322
00:20:13,020 --> 00:20:16,400
to use some other way and this device code is one of those.

323
00:20:16,400 --> 00:20:18,660
So basically you can do that.

324
00:20:18,660 --> 00:20:24,160
So you lure the user to log in using that code and then you will get a refresh token and

325
00:20:24,160 --> 00:20:26,060
access token.

326
00:20:26,060 --> 00:20:30,300
And you can log into, let's say, Teams, for instance, or Office.

327
00:20:30,300 --> 00:20:32,320
So that's shown to the user.

328
00:20:32,320 --> 00:20:37,360
And then when you have the refresh token, you can use that to get access tokens to other

329
00:20:37,360 --> 00:20:39,160
services.

330
00:20:39,160 --> 00:20:43,560
And that's also what you can do with AADInternals.

331
00:20:43,560 --> 00:20:46,240
So you can simulate stuff that the attackers would do.

332
00:20:46,240 --> 00:20:51,440
So it does sound like you need quite a bit of knowledge about tokens and probably OAuth

333
00:20:51,440 --> 00:20:53,360
2 and SAML tokens and that sort of stuff.

334
00:20:53,360 --> 00:20:54,360
Is that a fair comment?

335
00:20:54,360 --> 00:20:58,120
I mean, to take full advantage of this, or is it really just a black box?

336
00:20:58,120 --> 00:21:01,720
Like you just say, I want to do this and the tool just goes ahead and does it.

337
00:21:01,720 --> 00:21:05,480
Or is there some requirement to have at least a baseline level of knowledge of what the

338
00:21:05,480 --> 00:21:07,560
heck is going on under the covers?

339
00:21:07,560 --> 00:21:14,600
Yes, you need to have some kind of basic knowledge so that you at least know what you are doing.

340
00:21:14,600 --> 00:21:20,120
But for instance, those parts which are exporting the certificate, so there you don't need to

341
00:21:20,120 --> 00:21:21,120
know anything.

342
00:21:21,120 --> 00:21:22,740
You just say, give me the certificate.

343
00:21:22,740 --> 00:21:26,300
And it gets that from the box using different methods.

344
00:21:26,300 --> 00:21:28,320
So I'm going to ask you a question, Nestori.

345
00:21:28,320 --> 00:21:33,080
As someone, because there could be, there's probably people listening who've never heard

346
00:21:33,080 --> 00:21:35,760
of AADInternals.

347
00:21:35,760 --> 00:21:41,840
And if people, if anybody was listening who wanted to use it or give it a go, are there

348
00:21:41,840 --> 00:21:49,840
any particular modules or parts of it or particular things you can run that you'd recommend people

349
00:21:49,840 --> 00:21:51,360
start with?

350
00:21:51,360 --> 00:21:58,240
No, not really, because it's like a toolbox and there are tools for different purposes.

351
00:21:58,240 --> 00:22:00,200
So it depends on your purpose.

352
00:22:00,200 --> 00:22:06,960
So I can't say there's anything like a specific way to start, but well, maybe, you know, just

353
00:22:06,960 --> 00:22:11,240
like I'm trying to get in those tokens, so sign in, get token and try to access some

354
00:22:11,240 --> 00:22:12,240
service.

355
00:22:12,240 --> 00:22:14,720
So maybe that's where to start.

356
00:22:14,720 --> 00:22:17,240
So what do you see as common weaknesses?

357
00:22:17,240 --> 00:22:22,480
Like, if there was one thing that people seem to find the most using this tool, what sort

358
00:22:22,480 --> 00:22:26,520
of, you know, if you sort of enumerate like the top two or three, what would they be?

359
00:22:26,520 --> 00:22:30,060
That's a really good question, because I don't actually know.

360
00:22:30,060 --> 00:22:33,840
So because I just made the tool and others are using that.

361
00:22:33,840 --> 00:22:38,880
But what I have heard is that what people quite often tell me is that they have learned

362
00:22:38,880 --> 00:22:45,000
so much about how things work, because I also used to blog about things a lot.

363
00:22:45,000 --> 00:22:50,760
And then when I implemented the tool, and because it's like a PowerShell script based,

364
00:22:50,760 --> 00:22:54,600
you can just open up the script and see how it's working under the hood.

365
00:22:54,600 --> 00:23:01,560
So maybe kind of like that way, I would say that that has been like most useful to people.

366
00:23:01,560 --> 00:23:04,760
Yeah, so it's kind of like an educational tool also.

367
00:23:04,760 --> 00:23:12,000
Yeah, I really back that point up that I'm the sort of person that really needs to understand

368
00:23:12,000 --> 00:23:13,000
how something works.

369
00:23:13,000 --> 00:23:17,800
You know, if I want to know, you know, what something does, I sort of want to know all

370
00:23:17,800 --> 00:23:20,000
the machinery underneath.

371
00:23:20,000 --> 00:23:28,160
I'm reading a book right now that explains how Rust does all its stuff under the covers.

372
00:23:28,160 --> 00:23:33,960
And I found that to be more useful than just reading a book on, you know, advanced Rust,

373
00:23:33,960 --> 00:23:37,400
because I have a much better idea of how the borrow checker works.

374
00:23:37,400 --> 00:23:39,720
And I realize we're going completely off topic here.

375
00:23:39,720 --> 00:23:44,880
But the point I'm trying to make is that, yeah, I'm a big fan of, I personally learn

376
00:23:44,880 --> 00:23:46,840
by knowing how something works.

377
00:23:46,840 --> 00:23:48,920
I mean, you got to understand the basics.

378
00:23:48,920 --> 00:23:52,120
Once I understand the basics, then I know what I need to go ahead and learn.

379
00:23:52,120 --> 00:23:57,120
I made a comment about this on X a few weeks ago, but I got a new Surface Laptop 7, which

380
00:23:57,120 --> 00:24:00,200
is an ARM64-based CPU.

381
00:24:00,200 --> 00:24:01,200
So have a guess.

382
00:24:01,200 --> 00:24:04,080
You know, have a guess who's learning ARM64 assembly language.

383
00:24:04,080 --> 00:24:08,480
You know, I don't have to learn it, but I just want to learn it because now I'm in a

384
00:24:08,480 --> 00:24:10,560
position where I can actually experiment with it.

385
00:24:10,560 --> 00:24:14,440
I know people learn in different ways, but certainly that's the way I learn, by learning

386
00:24:14,440 --> 00:24:16,000
how things actually work.

387
00:24:16,000 --> 00:24:17,160
So yeah, it's pretty cool stuff.

388
00:24:17,160 --> 00:24:23,280
Yeah, kind of like the process of how the tool has evolved is that I want to study how,

389
00:24:23,280 --> 00:24:26,000
as you mentioned, how this works.

390
00:24:26,000 --> 00:24:28,880
And then I'm implementing that in my toolkit.

391
00:24:28,880 --> 00:24:30,840
So okay, let's go back a little bit.

392
00:24:30,840 --> 00:24:32,320
So how cloud works.

393
00:24:32,320 --> 00:24:37,960
So basically you have some client that is talking to some service on the internet using

394
00:24:37,960 --> 00:24:39,360
APIs.

395
00:24:39,360 --> 00:24:42,760
So everything happens using APIs.

396
00:24:42,760 --> 00:24:48,200
So basically there's some new functionality and I want to learn how it works.

397
00:24:48,200 --> 00:24:53,080
And then I have implemented that in my tool, like it works as it should.

398
00:24:53,080 --> 00:24:58,880
And then I'm trying to tweak some parameters and try to do things that shouldn't be possible.

399
00:24:58,880 --> 00:25:03,160
And that way I found most of the vulnerabilities I have found.

400
00:25:03,160 --> 00:25:04,680
So that kind of helps there.

401
00:25:04,680 --> 00:25:11,280
So first implement it as it should work in a correct way, and then try to, you know,

402
00:25:11,280 --> 00:25:15,680
tweak and do it in some other way.

403
00:25:15,680 --> 00:25:16,680
That's a good point.

404
00:25:16,680 --> 00:25:20,240
I don't think a lot of people realize this, but every single thing that you do when you're

405
00:25:20,240 --> 00:25:24,560
talking to Azure or any other cloud platform, whether through the portal, whether it's through

406
00:25:24,560 --> 00:25:32,360
the CLI, whatever, whether it's through some .NET assembly, you know, the Azure SDK, at

407
00:25:32,360 --> 00:25:36,120
the end of the day, it's just REST calls, just REST API calls.

408
00:25:36,120 --> 00:25:37,120
That's really all of it.

409
00:25:37,120 --> 00:25:42,680
In fact, I think there's sort of a meta best practice there, which is if you are building

410
00:25:42,680 --> 00:25:46,320
anything that uses REST endpoints, REST APIs, then you need to make sure those things are

411
00:25:46,320 --> 00:25:47,320
secure as well.

412
00:25:47,320 --> 00:25:53,560
In fact, there are, you know, REST APIs are becoming an increasingly important attack

413
00:25:53,560 --> 00:25:54,560
point.

414
00:25:54,560 --> 00:25:57,000
In fact, I'll put a link in the show notes.

415
00:25:57,000 --> 00:26:01,600
There's a little newsletter that I get every, I think it's like every week or something,

416
00:26:01,600 --> 00:26:06,120
which is like, you know, this week in REST endpoint security and, you know, vulnerabilities

417
00:26:06,120 --> 00:26:10,960
have been found where attackers, for example, just make something up, could enumerate, you

418
00:26:10,960 --> 00:26:15,480
know, all the movies that someone's watched on a streaming service, you know, anonymously,

419
00:26:15,480 --> 00:26:20,160
because they just call the API with some key, you know, some random key or some, or something

420
00:26:20,160 --> 00:26:21,520
that's predictable.

421
00:26:21,520 --> 00:26:23,760
These are all incredibly common attacks these days.

422
00:26:23,760 --> 00:26:26,480
So yeah, just your point there is well taken.

423
00:26:26,480 --> 00:26:29,880
At the end of the day, it's just, if they're just API calls, that's all they are, REST

424
00:26:29,880 --> 00:26:30,880
endpoints.

425
00:26:30,880 --> 00:26:33,240
And it's incredibly important that those endpoints are secured.

426
00:26:33,240 --> 00:26:39,600
Yeah, also one thing that is kind of related to this is, how does the cloud know who you

427
00:26:39,600 --> 00:26:41,760
are when you are calling those APIs?

428
00:26:41,760 --> 00:26:44,840
Well, you are telling the cloud who you are.

429
00:26:44,840 --> 00:26:49,360
You are telling the cloud what device you are using, what client you are using, and

430
00:26:49,360 --> 00:26:50,360
so on.

431
00:26:50,360 --> 00:26:55,760
So that was also one thing that I realized about how the cloud works.

432
00:26:55,760 --> 00:27:00,000
So that allowed me also to find some interesting stuff.

433
00:27:00,000 --> 00:27:01,560
And that's the Entra ID part.

434
00:27:01,560 --> 00:27:02,560
Correct.

435
00:27:02,560 --> 00:27:03,560
Right.

436
00:27:03,560 --> 00:27:04,560
You may decide not to use Entra ID.

437
00:27:04,560 --> 00:27:09,720
There may be some other authentication or authorization model that's less secure.

438
00:27:09,720 --> 00:27:11,320
So it's okay.

439
00:27:11,320 --> 00:27:20,640
Nestori, you already mentioned, and I know this already, that you joined Microsoft quite

440
00:27:20,640 --> 00:27:27,480
recently compared with your career in, you know, looking at Azure AD and doing research.

441
00:27:27,480 --> 00:27:35,280
So how did you come and join us rather than doing your Azure AD research or Entra ID as

442
00:27:35,280 --> 00:27:37,000
an external researcher?

443
00:27:37,000 --> 00:27:38,000
Yeah.

444
00:27:38,000 --> 00:27:42,920
So when I was working outside Microsoft, everything I did was so-called black box testing.

445
00:27:42,920 --> 00:27:47,380
My only interface with the services was the API.

446
00:27:47,380 --> 00:27:52,180
So I was sending stuff there and something came back and I kind of didn't know how things

447
00:27:52,180 --> 00:27:53,420
work internally.

448
00:27:53,420 --> 00:27:58,480
So it kind of took a long time to see if something is secure or not.

449
00:27:58,480 --> 00:28:05,300
And at Microsoft you have access to more telemetry and you have access to the source code.

450
00:28:05,300 --> 00:28:07,280
So you can now see inside the box.

451
00:28:07,280 --> 00:28:08,280
So it's not black anymore.

452
00:28:08,280 --> 00:28:12,760
So it's more like white box testing or glass box testing or whatever.

453
00:28:12,760 --> 00:28:16,640
So I can now do more good.

454
00:28:16,640 --> 00:28:22,240
So I can find more vulnerabilities faster and they can be even fixed before it's in

455
00:28:22,240 --> 00:28:24,140
production in some cases.

456
00:28:24,140 --> 00:28:27,880
So that was basically the reason why I joined.

457
00:28:27,880 --> 00:28:34,640
And then I talked about this with some of my current colleagues and asked whether there

458
00:28:34,640 --> 00:28:36,920
might be something interesting for me, maybe not.

459
00:28:36,920 --> 00:28:43,100
And then we did a bit of negotiation, for a couple of months, and then there was a nice

460
00:28:43,100 --> 00:28:47,080
position for me, which I then applied for and got selected.

461
00:28:47,080 --> 00:28:51,200
So that's kind of a very short story of how I ended up being here.

462
00:28:51,200 --> 00:28:57,520
I guess, well, the last thing I wanted to ask you was, are there any, well, from what

463
00:28:57,520 --> 00:29:07,080
you're allowed to talk about, are you investigating any new interesting types of identity attacks

464
00:29:07,080 --> 00:29:12,600
or identity research things that you can share with our audience or things that you think

465
00:29:12,600 --> 00:29:20,000
folks should be aware of in that identity space that we're seeing more or less of, anything

466
00:29:20,000 --> 00:29:24,040
that you've noticed that would be interesting for folks to hear about?

467
00:29:24,040 --> 00:29:25,040
Yes.

468
00:29:25,040 --> 00:29:32,560
So nowadays, everything like when you're using those APIs, so you are using quite modern

469
00:29:32,560 --> 00:29:35,720
authentication called token-based authentication.

470
00:29:35,720 --> 00:29:38,000
And there are a couple of attack scenarios there.

471
00:29:38,000 --> 00:29:46,040
So for instance, this Solorigate attack, there was a kind of token-based authentication attack

472
00:29:46,040 --> 00:29:51,960
where you stole the secrets which are used to sign those tokens.

473
00:29:51,960 --> 00:29:57,520
So that's kind of a requirement so that you can forge those tokens.

474
00:29:57,520 --> 00:30:00,200
So that's one example.

475
00:30:00,200 --> 00:30:05,480
And to mitigate that, you just need to protect your on-prem server wherever those secrets

476
00:30:05,480 --> 00:30:07,140
are very well.

477
00:30:07,140 --> 00:30:09,160
So you can't do that anymore.

478
00:30:09,160 --> 00:30:15,480
And now that we have made that quite difficult, nowadays bad guys are doing the token theft

479
00:30:15,480 --> 00:30:16,480
thing.

480
00:30:16,480 --> 00:30:21,720
So they are doing the phishing or they are compromising endpoints and then stealing those

481
00:30:21,720 --> 00:30:23,540
access tokens from there.

482
00:30:23,540 --> 00:30:28,480
But now we are, well, we are or we have made that also quite difficult.

483
00:30:28,480 --> 00:30:34,840
So if we are, for instance, requiring that you can access our services only from compliant

484
00:30:34,840 --> 00:30:35,840
devices.

485
00:30:35,840 --> 00:30:42,520
So if your laptop, for instance, if that's like it's managed and it's marked as compliant,

486
00:30:42,520 --> 00:30:47,400
meaning that it has to have certain security features enabled, it has to be up to date

487
00:30:47,400 --> 00:30:50,440
and so on and so on, depending on your organization.

488
00:30:50,440 --> 00:30:56,240
So if you only accept like access from those kinds of devices, you are good to go.

489
00:30:56,240 --> 00:31:04,160
So this means that this is very hard currently for threat actors if we have like this zero

490
00:31:04,160 --> 00:31:06,720
trust configuration.

491
00:31:06,720 --> 00:31:11,240
So now I'm currently focusing on, can we break this thing somehow?

492
00:31:11,240 --> 00:31:13,080
Yeah, sad story there.

493
00:31:13,080 --> 00:31:18,040
So I had a cell phone and one day I got a message saying, hey, you need to make, you

494
00:31:18,040 --> 00:31:22,720
can't use a cell phone anymore because the version of Android you're using doesn't support

495
00:31:22,720 --> 00:31:26,800
the security features that we require for you to connect to the corporate network.

496
00:31:26,800 --> 00:31:29,280
So I had to go out and buy a new cell phone.

497
00:31:29,280 --> 00:31:34,160
I mean, there was an option to put like a FIDO key in the bottom in the USB port, but

498
00:31:34,160 --> 00:31:36,200
I felt that was just going to be a little bit messy.

499
00:31:36,200 --> 00:31:37,200
So I didn't bother with that.

500
00:31:37,200 --> 00:31:38,440
So I got a new cell phone.

501
00:31:38,440 --> 00:31:42,920
But yeah, that's a really good example of something I think, you know, where the risks

502
00:31:42,920 --> 00:31:47,480
have increased and we require endpoint protection of a certain level and the version of Android

503
00:31:47,480 --> 00:31:49,240
that I was using didn't support it.

504
00:31:49,240 --> 00:31:53,000
So yeah, can't access the corporate network with that device anymore.

505
00:31:53,000 --> 00:31:54,000
Yeah.

506
00:31:54,000 --> 00:32:00,360
And when I look back to 2013 or something, when I started training this Office 365, at

507
00:32:00,360 --> 00:32:04,000
that point, the message from Microsoft was a little bit different.

508
00:32:04,000 --> 00:32:07,100
So at that point it was bring your own device.

509
00:32:07,100 --> 00:32:13,400
So everybody was able to connect to the cloud from anywhere using their own personal devices.

510
00:32:13,400 --> 00:32:17,040
But now it's a little bit different because the risks are also different than they were

511
00:32:17,040 --> 00:32:18,180
at that time.

512
00:32:18,180 --> 00:32:24,420
So it's been quite good to see how this has evolved to the current point where you actually

513
00:32:24,420 --> 00:32:31,520
are requiring secure devices, multi-factor authentication or phishing resistant authentication,

514
00:32:31,520 --> 00:32:33,320
passwordless authentication as I would.

515
00:32:33,320 --> 00:32:34,320
Yeah.

516
00:32:34,320 --> 00:32:36,200
So it's bring your own device, but we're going to tell you the devices you're allowed to

517
00:32:36,200 --> 00:32:39,080
bring is kind of what it sounds like, but that's fine.

518
00:32:39,080 --> 00:32:41,880
I mean, at the end of the day, if you've got some sensitive corporate assets, right, you

519
00:32:41,880 --> 00:32:45,960
don't want some hacked endpoint, you know, accessing the corporate data.

520
00:32:45,960 --> 00:32:46,960
You just don't.

521
00:32:46,960 --> 00:32:48,440
So yeah, I'm all for that.

522
00:32:48,440 --> 00:32:49,440
Yeah.

523
00:32:49,440 --> 00:32:56,560
Also like 10 years ago, there was in quotes only email, Skype, then you had a SkyDrive,

524
00:32:56,560 --> 00:32:57,760
which changed to OneDrive.

525
00:32:57,760 --> 00:33:03,320
But anyway, it was more like these productivity kinds of tools, but now everything is in the cloud.

526
00:33:03,320 --> 00:33:09,880
So it can be like your line of business application that would get compromised if your user's endpoint

527
00:33:09,880 --> 00:33:11,020
gets compromised.

528
00:33:11,020 --> 00:33:16,280
So it's a bit different than it was then, but yeah, I like the current, let's say security

529
00:33:16,280 --> 00:33:18,000
posture much better than then.

530
00:33:18,000 --> 00:33:19,000
All right.

531
00:33:19,000 --> 00:33:22,480
So a question that we've decided we're going to start asking our guests is what does a

532
00:33:22,480 --> 00:33:24,760
typical day for Nestori look like?

533
00:33:24,760 --> 00:33:25,760
Okay.

534
00:33:25,760 --> 00:33:26,760
Yes.

535
00:33:26,760 --> 00:33:33,040
Well, I'm located in Finland, so it's a little bit of a different time zone than the US, especially

536
00:33:33,040 --> 00:33:34,120
on the West coast.

537
00:33:34,120 --> 00:33:41,360
So I usually will wake up quite early, but I do other things than work in the morning

538
00:33:41,360 --> 00:33:47,680
because I want my kind of like working hours to overlap with my colleagues in

539
00:33:47,680 --> 00:33:48,680
the US.

540
00:33:48,680 --> 00:33:53,160
So I start in the morning by looking at social media.

541
00:33:53,160 --> 00:33:57,780
So I follow a lot of like researchers and it's good to know if anything happened

542
00:33:57,780 --> 00:33:58,780
during the night.

543
00:33:58,780 --> 00:34:05,200
Then I start doing my work and it depends where I am and so on because well, there's

544
00:34:05,200 --> 00:34:07,040
a couple of things I do.

545
00:34:07,040 --> 00:34:08,580
The one is the researching thing.

546
00:34:08,580 --> 00:34:12,320
And another one is that I do a lot of like speaking.

547
00:34:12,320 --> 00:34:18,280
For instance, Sarah mentioned the Ignite conference.

548
00:34:18,280 --> 00:34:24,120
So at the same time, in the same week, I'll be in the US, but I'm speaking at three

549
00:34:24,120 --> 00:34:25,680
other conferences.

550
00:34:25,680 --> 00:34:28,600
So I'm not able to make it.

551
00:34:28,600 --> 00:34:32,760
So when I'm doing the speaking thing, well, then I'm traveling usually.

552
00:34:32,760 --> 00:34:38,200
I'm tuning my slides like a couple of minutes before the presentation is and so on.

553
00:34:38,200 --> 00:34:40,200
So it's a kind of different life.

554
00:34:40,200 --> 00:34:47,760
But when I'm back at my office, home office, after doing that all social media stuff, I

555
00:34:47,760 --> 00:34:49,440
start doing the research.

556
00:34:49,440 --> 00:34:54,080
So it depends what I'm doing, what I'm researching.

557
00:34:54,080 --> 00:34:57,160
And I have meetings with my colleagues.

558
00:34:57,160 --> 00:35:05,360
I comment on some blog posts or technical publications and so on.

559
00:35:05,360 --> 00:35:09,240
So it's a very, how would I say, it depends.

560
00:35:09,240 --> 00:35:10,840
It's always a different day.

561
00:35:10,840 --> 00:35:13,380
So there's no same kind of days ever.

562
00:35:13,380 --> 00:35:15,440
And that's also why I like this job a lot.

563
00:35:15,440 --> 00:35:22,160
So it's not like my grandfather used to go to the factory for 30 years and do the same

564
00:35:22,160 --> 00:35:24,840
kind of work day every single day.

565
00:35:24,840 --> 00:35:27,440
No, that's not in this job.

566
00:35:27,440 --> 00:35:34,000
So Nestori, we always ask our guests at the end of the show, if you'd like to leave our

567
00:35:34,000 --> 00:35:39,840
listeners with a final thought, it can be advice or whatever you like.

568
00:35:39,840 --> 00:35:43,280
What is your final thought that you wanted to leave them with?

569
00:35:43,280 --> 00:35:47,360
Use MFA and require compliant devices.

570
00:35:47,360 --> 00:35:48,360
That's it.

571
00:35:48,360 --> 00:35:49,360
Quite simple.

572
00:35:49,360 --> 00:35:50,360
I think we'll just leave it at that.

573
00:35:50,360 --> 00:35:53,160
I think that's a, I'm a big fan of short and sweet.

574
00:35:53,160 --> 00:35:58,120
I think if you can tell a story or give some advice in a very tiny sentence, I think it's

575
00:35:58,120 --> 00:35:59,120
generally good advice.

576
00:35:59,120 --> 00:36:00,120
All right.

577
00:36:00,120 --> 00:36:02,040
So with that, let's bring this episode to an end.

578
00:36:02,040 --> 00:36:03,760
Nestori, thank you so much for joining us this week.

579
00:36:03,760 --> 00:36:07,680
I know you're incredibly busy and I know it's getting on in the day in Finland.

580
00:36:07,680 --> 00:36:10,520
So again, thank you so much for your time.

581
00:36:10,520 --> 00:36:13,600
And to all our listeners out there, we hope you find this episode of interest.

582
00:36:13,600 --> 00:36:15,760
Stay safe and we'll see you next time.

583
00:36:15,760 --> 00:36:18,760
Thanks for listening to the Azure Security Podcast.

584
00:36:18,760 --> 00:36:25,600
You can find show notes and other resources at our website azsecuritypodcast.net.

585
00:36:25,600 --> 00:36:30,440
If you have any questions, please find us on Twitter at Azure Setpod.

586
00:36:30,440 --> 00:36:50,480
Background music is from ccmixter.com and licensed under the Creative Commons license.

