1
00:00:00,000 --> 00:00:09,600
Welcome to the Azure Security Podcast where we discuss topics relating to security, privacy,

2
00:00:09,600 --> 00:00:13,000
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:13,000 --> 00:00:14,720
Hello, everybody.

4
00:00:14,720 --> 00:00:17,040
Welcome to Episode 31.

5
00:00:17,040 --> 00:00:18,840
This week it's the full gang here.

6
00:00:18,840 --> 00:00:21,120
We have Sarah, Gladys, Mark and myself.

7
00:00:21,120 --> 00:00:23,440
We also have a guest, Nicholas DeCola.

8
00:00:23,440 --> 00:00:27,600
He's here to talk to us about automating security in Azure.

9
00:00:27,600 --> 00:00:29,920
Before we get to Nick, let's take a look at the news.

10
00:00:29,920 --> 00:00:32,080
Sarah, why don't you kick things off?

11
00:00:32,080 --> 00:00:34,200
Okay, I will do.

12
00:00:34,200 --> 00:00:36,360
I'm going to talk about some of my favorite things.

13
00:00:36,360 --> 00:00:40,160
To start with, I will talk about Azure Defender.

14
00:00:40,160 --> 00:00:45,000
Azure Defender for Azure Database for MySQL is now GA.

15
00:00:45,000 --> 00:00:47,200
In fact, there's a few of them here.

16
00:00:47,200 --> 00:00:49,800
Azure Database for MariaDB,

17
00:00:49,800 --> 00:00:52,000
Azure Defender is now GA,

18
00:00:52,000 --> 00:00:59,240
and Azure Defender for PostgreSQL is also now generally available.

19
00:00:59,240 --> 00:01:01,920
If you've been waiting for those to go GA,

20
00:01:01,920 --> 00:01:07,280
we know that some customers aren't comfortable using things before they're GA.

21
00:01:07,280 --> 00:01:09,480
Go and have a look at them.

22
00:01:09,480 --> 00:01:13,160
Your Azure Defender will obviously give you

23
00:01:13,160 --> 00:01:17,400
some insights as to what's going on in your database.

24
00:01:17,400 --> 00:01:20,400
Whether that's MariaDB, SQL, etc.

25
00:01:20,400 --> 00:01:22,280
Because of course, we know that people can do

26
00:01:22,280 --> 00:01:25,320
terrible things with databases if they get into them.

27
00:01:25,320 --> 00:01:29,240
The other thing I could not finish the news without talking about is my baby,

28
00:01:29,240 --> 00:01:31,240
Azure Sentinel,

29
00:01:31,240 --> 00:01:34,480
and I actually had a customer email me,

30
00:01:34,480 --> 00:01:36,280
hello if you're listening to this,

31
00:01:36,280 --> 00:01:39,520
saying that I need to learn more about your baby.

32
00:01:39,520 --> 00:01:43,920
I can only assume that you do listen to the podcast and I'm really sorry.

33
00:01:43,920 --> 00:01:46,920
But something that we released last week was

34
00:01:46,920 --> 00:01:50,120
our normalization schema documentation.

35
00:01:50,120 --> 00:01:54,320
In particular, our DNS normalization schema is now in public preview.

36
00:01:54,320 --> 00:01:56,680
But generally, we've updated all of

37
00:01:56,680 --> 00:01:59,760
our normalization documentation in Sentinel.

38
00:01:59,760 --> 00:02:06,840
So go and have a look at that because you'll be seeing more of that in the future.

39
00:02:06,840 --> 00:02:09,760
That's probably me for this time.

40
00:02:09,760 --> 00:02:12,880
Actually, Sarah, I'm going to add some information

41
00:02:12,880 --> 00:02:15,920
that I wanted to release about readiness.

42
00:02:15,920 --> 00:02:19,400
The last few months, I have been providing links

43
00:02:19,400 --> 00:02:23,720
to the different Ninja courses that Microsoft have been releasing for Sentinel,

44
00:02:23,720 --> 00:02:27,080
Azure Security Center, Defender 365,

45
00:02:27,080 --> 00:02:30,320
Defender for Endpoint, Defender for Office,

46
00:02:30,320 --> 00:02:32,000
and Defender for Identity.

47
00:02:32,000 --> 00:02:33,200
Do I forget?

48
00:02:33,200 --> 00:02:36,200
My Cloud App Security.

49
00:02:36,200 --> 00:02:42,000
Well, Microsoft just released a new course for Defender for IoT.

50
00:02:42,000 --> 00:02:44,160
So that's pretty cool.

51
00:02:44,160 --> 00:02:48,520
For those of you that have not heard about these Ninja courses before,

52
00:02:48,520 --> 00:02:54,560
they are a free set of trainings that intend to take you from level 100 to

53
00:02:54,560 --> 00:02:57,640
400 for each of those services.

54
00:02:57,640 --> 00:03:04,560
So I recommend searching for the Ninja courses or go to our podcast site for more information.

55
00:03:04,560 --> 00:03:06,800
In addition to those courses,

56
00:03:06,800 --> 00:03:10,720
Microsoft has a security community where we post a lot of

57
00:03:10,720 --> 00:03:14,320
different information about our security services.

58
00:03:14,320 --> 00:03:18,480
Through the summer, they're having live webinars.

59
00:03:18,480 --> 00:03:23,200
About Sentinel and many of the other security services.

60
00:03:23,200 --> 00:03:29,760
You could get more information by going to aka.ms/securitywebinars.

61
00:03:29,760 --> 00:03:33,360
In the technical area, I saw a really interesting blog

62
00:03:33,360 --> 00:03:38,680
named Azure Security Score versus Microsoft Security Score.

63
00:03:38,680 --> 00:03:42,120
It explains the differences between each of

64
00:03:42,120 --> 00:03:45,600
the capabilities provided for each of the services.

65
00:03:45,600 --> 00:03:51,880
The type of data that each of the secure scores provides, and lots more.

66
00:03:51,880 --> 00:03:55,960
For example, Azure Security Score focused on

67
00:03:55,960 --> 00:04:03,200
Azure, Amazon Web Services and Google IS, and on-prem related.

68
00:04:03,200 --> 00:04:07,880
While Microsoft Security Score focused on identity devices and

69
00:04:07,880 --> 00:04:11,120
app areas for the SaaS services.

70
00:04:11,120 --> 00:04:12,520
Again, for more information,

71
00:04:12,520 --> 00:04:14,240
just go to the podcast site.

72
00:04:14,240 --> 00:04:18,800
The last thing that I wanted to mention was

73
00:04:18,800 --> 00:04:24,480
this awesome PowerPoint presentation is included as part of

74
00:04:24,480 --> 00:04:30,360
the Human Operated ransomware documentation on Microsoft Docs.

75
00:04:30,360 --> 00:04:35,400
It's called ransomware recommendations and it provides

76
00:04:35,400 --> 00:04:41,880
some mitigation plan for many of the areas including collaboration and email,

77
00:04:41,880 --> 00:04:46,520
and phone protection plan which includes clients, servers and browsers,

78
00:04:46,520 --> 00:04:50,840
remote access plans for RDP, VPN,

79
00:04:50,840 --> 00:04:53,680
and VDI account protection,

80
00:04:53,680 --> 00:04:58,920
privilege access plan, data protection plan, and much more.

81
00:04:58,920 --> 00:05:03,160
Actually, Mark, I think you've been working heavily on this.

82
00:05:03,160 --> 00:05:04,960
Can you provide more information?

83
00:05:04,960 --> 00:05:07,840
Yeah. The reason for the details on that,

84
00:05:07,840 --> 00:05:11,160
which we wanted to help with that bridge,

85
00:05:11,160 --> 00:05:14,800
oftentimes customers have this challenge of,

86
00:05:14,800 --> 00:05:15,840
okay, great, I agree,

87
00:05:15,840 --> 00:05:17,760
this is a good technical best practice.

88
00:05:17,760 --> 00:05:18,680
We want to adopt it,

89
00:05:18,680 --> 00:05:22,360
but then they have to go and figure out what their team looks like,

90
00:05:22,360 --> 00:05:25,800
who needs to get sponsorship for management,

91
00:05:25,800 --> 00:05:28,480
how do they measure success and show that they're actually doing

92
00:05:28,480 --> 00:05:32,280
something meaningful to justify the project, etc.

93
00:05:32,280 --> 00:05:36,800
We wanted to shortcut all that and provide a ready-made project plan.

94
00:05:36,800 --> 00:05:39,120
That's really what we focused on creating there,

95
00:05:39,120 --> 00:05:41,920
is creating that bridge there so that you can then go to

96
00:05:41,920 --> 00:05:43,960
the technical guidance and follow it.

97
00:05:43,960 --> 00:05:46,760
The big reason for that quite frankly is,

98
00:05:46,760 --> 00:05:50,480
as you know, Gladys, I look out into the future of cybersecurity

99
00:05:50,480 --> 00:05:54,200
and try and bring all the positive stuff as close to the present as we can,

100
00:05:54,200 --> 00:05:56,840
and let's get to the better future faster.

101
00:05:56,840 --> 00:05:58,680
I'll tell you what, with this ransomware thing,

102
00:05:58,680 --> 00:06:03,040
there is not a lot of light in the tunnel for a long time,

103
00:06:03,040 --> 00:06:07,280
because the profit model of these attackers is crazy.

104
00:06:07,280 --> 00:06:09,360
The amount of money that they're taking in just from

105
00:06:09,360 --> 00:06:13,400
the publicly disclosed ransom payments that we've seen go by,

106
00:06:13,400 --> 00:06:17,760
not the silent ones that get paid and nobody ever hears about it on the news.

107
00:06:17,760 --> 00:06:20,760
Just that tip of the iceberg is putting

108
00:06:20,760 --> 00:06:25,880
these ransomware gangs in control of budgets that are rivaling that of nation states.

109
00:06:25,880 --> 00:06:28,240
These are some back alley,

110
00:06:28,240 --> 00:06:30,920
bare-knuckle criminals that are just hardcore.

111
00:06:30,920 --> 00:06:33,800
They don't mind putting someone in harm's way and say,

112
00:06:33,800 --> 00:06:37,680
we're going to shut your hospital down if you don't pay us.

113
00:06:37,680 --> 00:06:42,120
And they're ruthless. They will say, hey, we can't afford to pay.

114
00:06:42,120 --> 00:06:45,000
Well, here's your financial record that says you can.

115
00:06:45,000 --> 00:06:49,120
These guys play rough and they've got a lot of money.

116
00:06:49,120 --> 00:06:54,040
It's a pretty difficult situation and I don't see it getting better anytime soon.

117
00:06:54,040 --> 00:06:56,480
I see a lot of good moves at the government level,

118
00:06:56,480 --> 00:07:01,320
but it takes a long time to get extradition and prosecution and

119
00:07:01,320 --> 00:07:05,080
all the jurisprudence stuff to work when you're talking about

120
00:07:05,080 --> 00:07:07,480
every country in the world having to agree and work with it.

121
00:07:07,480 --> 00:07:10,160
Because there's quite a few countries that are seeing a lot of

122
00:07:10,160 --> 00:07:14,520
local economic benefits from this and other benefits as well, strategic, etc.

123
00:07:14,520 --> 00:07:18,320
So I don't expect ransomware to get any easier anytime soon.

124
00:07:18,320 --> 00:07:23,240
That was one of the things that drove that guidance and we're continuing to invest in

125
00:07:23,240 --> 00:07:28,640
more prescriptive guidance and document form so it's easy to consume and the like.

126
00:07:28,640 --> 00:07:34,120
So that's a huge area of focus for us is to help customers with this rising tide of ransomware.

127
00:07:35,320 --> 00:07:38,240
The other pieces just to remind folks, I can't remember,

128
00:07:38,240 --> 00:07:41,280
it's been a couple of weeks since I was on the podcast last.

129
00:07:41,280 --> 00:07:45,280
But we did release this new cyber reference architecture from Microsoft,

130
00:07:45,280 --> 00:07:48,280
the MCRA as some like to call it.

131
00:07:48,280 --> 00:07:53,680
So that's out there as well as, because that's a nice architectural level thing.

132
00:07:53,680 --> 00:07:57,080
But there's also a lot of need that we found at the program level,

133
00:07:57,080 --> 00:08:02,480
sort of what is a good security program look like and how should you be thinking

134
00:08:02,480 --> 00:08:08,640
about security operations as a discipline, access control, asset protection, etc.

135
00:08:08,640 --> 00:08:12,920
And so we put out a secure methodology of our cloud adoption framework that really

136
00:08:12,920 --> 00:08:18,840
outlines that sort of CSO and their directs and directors level view of the program,

137
00:08:18,840 --> 00:08:23,160
how to interact with the business, how to run your program, how to measure good, etc.

138
00:08:23,160 --> 00:08:26,840
And so that CAF secure methodology is also available.

139
00:08:26,840 --> 00:08:31,160
And then just a little bit of geeky news for a bit of a positive silver lining is

140
00:08:31,160 --> 00:08:35,640
that Microsoft is actually one of the founding members of the Space ISAC,

141
00:08:35,640 --> 00:08:40,960
the information sharing AC, I forgot what the AC usually stands for.

142
00:08:40,960 --> 00:08:44,960
But this is where organizations that are in the space industry get together and

143
00:08:44,960 --> 00:08:49,840
exchange threat intelligence and knowledge and learning specific to their industry.

144
00:08:49,840 --> 00:08:54,560
And so, yeah, kind of a very kind of forward looking,

145
00:08:54,560 --> 00:08:57,520
star trek type of moment there, that's all I got.

146
00:08:57,520 --> 00:09:00,080
So a bunch of things to my interest over the last couple of weeks.

147
00:09:00,080 --> 00:09:06,200
The first one is that we now have in preview the ability to audit service

148
00:09:06,200 --> 00:09:08,680
principals in Azure Active Directory.

149
00:09:08,680 --> 00:09:13,000
This is actually pretty cool because as we move more and more applications to the

150
00:09:13,000 --> 00:09:17,400
cloud, but things like client authentication, we're gonna start adding more

151
00:09:17,400 --> 00:09:19,880
around say service principals and managed identities.

152
00:09:19,880 --> 00:09:24,120
We need to understand what those identities have access to.

153
00:09:24,120 --> 00:09:28,120
You may have an orphaned application that runs with some kind of elevated

154
00:09:28,120 --> 00:09:30,440
identity and you totally forget about it.

155
00:09:30,440 --> 00:09:34,200
Well, this will allow you to find those things and audit what they have access to.

156
00:09:34,200 --> 00:09:36,840
So this is a really cool feature to see.

157
00:09:36,840 --> 00:09:39,800
Another one is for Azure Migrate.

158
00:09:39,800 --> 00:09:41,720
We now have private endpoint support.

159
00:09:41,720 --> 00:09:45,800
Basically means that you're gonna have say an ExpressRoute with a private tunnel,

160
00:09:45,800 --> 00:09:49,240
IP address tunnel between the source and the destination when it comes to

161
00:09:49,240 --> 00:09:50,280
doing migration.

162
00:09:50,280 --> 00:09:53,720
And as I've mentioned in many podcasts prior, but I'll say it again,

163
00:09:53,720 --> 00:09:57,760
one thing that we see in more and more products that are coming out in Azure is

164
00:09:57,760 --> 00:10:02,880
the support for private endpoints along with customer-managed key support for

165
00:10:02,880 --> 00:10:04,480
data at rest.

166
00:10:04,480 --> 00:10:12,200
Another one is we've actually reduced the price for the DCsv2 virtual machines.

167
00:10:12,200 --> 00:10:16,200
These are the virtual machines that are used in confidential compute.

168
00:10:16,200 --> 00:10:18,640
So for example, if you decide to spin up your own processes and

169
00:10:18,640 --> 00:10:24,920
write your own code using the secure enclave SDK that's available on GitHub,

170
00:10:24,920 --> 00:10:27,040
those VMs are gonna be cheaper.

171
00:10:27,040 --> 00:10:32,400
I actually don't know what the impact is on the cost of say running Azure SQL DB

172
00:10:32,400 --> 00:10:38,680
with secure enclaves, but it's around 37% all up, which is real money.

173
00:10:38,680 --> 00:10:43,400
Another big one that really took my interest is Azure Key Vault managed

174
00:10:43,400 --> 00:10:47,960
HSM, hardware security module, is now available.

175
00:10:47,960 --> 00:10:50,480
So Azure Key Vault is kind of interesting, right?

176
00:10:50,480 --> 00:10:54,360
So you've got this service that you can use to store secrets, keys, and

177
00:10:54,360 --> 00:10:57,600
certificates, which by the way, certificates and private keys.

178
00:10:58,600 --> 00:11:02,600
But some people want their own dedicated HSM as opposed to having a shared

179
00:11:02,600 --> 00:11:05,080
resource, which is what Azure Key Vault is.

180
00:11:05,080 --> 00:11:12,960
We did have an offering called Azure Key Vault dedicated HSM.

181
00:11:12,960 --> 00:11:14,480
It had different APIs.

182
00:11:14,480 --> 00:11:18,240
It didn't use the same APIs as Azure Key Vault, which meant that you couldn't use

183
00:11:18,240 --> 00:11:21,360
it with certain features within Azure.

184
00:11:21,360 --> 00:11:24,960
So we've now replaced it with Azure Key Vault managed HSM, and

185
00:11:24,960 --> 00:11:26,160
that is now generally available.

186
00:11:26,160 --> 00:11:30,080
So for customers who require a higher level of assurance,

187
00:11:30,080 --> 00:11:32,160
keyword there being assurance.

188
00:11:32,160 --> 00:11:37,720
So these are validated at FIPS 140-2 Level 3.

189
00:11:37,720 --> 00:11:42,360
These are fully managed, single-tenant, high throughput HSMs.

190
00:11:42,360 --> 00:11:46,440
So the cool thing is they have the same APIs as Key Vault.

191
00:11:46,440 --> 00:11:50,880
So if you're using say Key Vault today with Azure Storage or Azure SQL,

192
00:11:50,880 --> 00:11:56,880
or say Azure Information Protection, you can now essentially slip in a managed HSM.

193
00:11:56,880 --> 00:12:03,040
I don't see this being a huge seller compared to say just straight Azure Key Vault.

194
00:12:03,040 --> 00:12:05,120
But for those customers that need this thing,

195
00:12:05,120 --> 00:12:08,080
this is a welcome addition to the Azure Key Vault family.

196
00:12:08,080 --> 00:12:12,400
The last item I want to talk about, and this is really coming from a development

197
00:12:12,400 --> 00:12:16,480
perspective, is I don't know if you guys know or not, but Visual Studio Code went

198
00:12:16,480 --> 00:12:20,480
from literally nothing to being the most popular editor on the planet.

199
00:12:20,480 --> 00:12:22,960
There's a lot of very good reasons for that.

200
00:12:22,960 --> 00:12:26,640
Visual Studio Code is used to edit things like ARM templates,

201
00:12:26,640 --> 00:12:30,880
as well as writing Azure Functions code.

202
00:12:30,880 --> 00:12:34,880
There's all sorts of Azure-related plugins available for the editor.

203
00:12:34,880 --> 00:12:40,920
Well, one of the downsides of having this incredible complexity is you might download,

204
00:12:40,920 --> 00:12:48,000
say, a plugin or you may download, say, a workspace that might have code that runs.

205
00:12:48,000 --> 00:12:50,360
Well, what happens if that's malicious code?

206
00:12:50,360 --> 00:12:57,240
So now there's a thing called Workspace Trust, which is now built into Visual Studio Code.

207
00:12:57,240 --> 00:13:02,000
The version that just came out, I think it's 1.5.1, has this enabled.

208
00:13:02,000 --> 00:13:03,840
So when you go and open up a workspace,

209
00:13:03,840 --> 00:13:06,480
it will actually ask you if you trust that workspace or not.

210
00:13:06,480 --> 00:13:11,400
And if you don't, basically, a whole bunch of plugins just won't work.

211
00:13:11,400 --> 00:13:13,680
There's a bunch of features that won't work by default.

212
00:13:13,680 --> 00:13:16,280
You'll still be able to edit the code and look at the code,

213
00:13:16,280 --> 00:13:19,880
but there's a whole bunch of extensions that just won't work.

214
00:13:19,880 --> 00:13:24,320
So this is a welcome addition because we are seeing and we have historically seen

215
00:13:24,320 --> 00:13:28,720
attacks through editors that have all this extensibility capability.

216
00:13:28,720 --> 00:13:30,960
So this is a fantastic addition to see.

217
00:13:30,960 --> 00:13:34,280
So if you're not using Visual Studio Code, go kick the tires on it.

218
00:13:34,280 --> 00:13:37,800
And again, the latest version has this workspace trust built into it.

219
00:13:37,800 --> 00:13:41,520
Now that we have the news wrapped up, let's turn our attention to our guest.

220
00:13:41,520 --> 00:13:44,280
This week we have Nicholas DeCola.

221
00:13:44,280 --> 00:13:47,600
He is the director of Cloud Security within CXE.

222
00:13:47,600 --> 00:13:51,560
Nick, why don't you spend a moment, introduce yourself to our listeners,

223
00:13:51,560 --> 00:13:54,400
explain kind of how long you've been at Microsoft and what you do.

224
00:13:54,400 --> 00:13:58,680
Actually, while you're at it, word on the street is you have written some books

225
00:13:58,680 --> 00:14:00,040
and you got a new one coming out.

226
00:14:00,040 --> 00:14:04,200
So why don't you just spend a couple of moments explaining what the books are all about.

227
00:14:04,200 --> 00:14:05,680
Yeah, Michael, no problem.

228
00:14:05,680 --> 00:14:09,080
So first, thanks to everybody and the podcast crew here for having me on.

229
00:14:09,080 --> 00:14:12,360
I've worked with all of you over the years and it's been great.

230
00:14:12,360 --> 00:14:13,920
But my name is Nicholas DeCola.

231
00:14:13,920 --> 00:14:18,200
As Mike said, I work in our Cloud Security division here at Microsoft.

232
00:14:18,200 --> 00:14:21,440
I've been here actually almost 15 years as of next month.

233
00:14:21,440 --> 00:14:23,440
So really close to that 15 year mark.

234
00:14:23,440 --> 00:14:27,000
Done a bunch of different things here, but always kind of worked in security and cyber.

235
00:14:27,000 --> 00:14:33,000
And before that, I was in the United States Marine Corps doing IT slash security,

236
00:14:33,000 --> 00:14:36,200
from which I retired in the reserves as a cyber,

237
00:14:36,200 --> 00:14:39,920
they called it a cyber weapons officer, which sounds really, really aggressive,

238
00:14:39,920 --> 00:14:42,880
but it's just more of a cyber defense analyst.

239
00:14:42,880 --> 00:14:47,120
Right. So yeah, so about the books, you know, we published the Azure Sentinel book

240
00:14:47,120 --> 00:14:49,240
with Yuri last year.

241
00:14:49,240 --> 00:14:51,400
We're actually planning to do a second version of that.

242
00:14:51,400 --> 00:14:53,520
So that may be coming out in the near future.

243
00:14:53,520 --> 00:14:56,920
And then we just published, Anthony Roman and myself,

244
00:14:56,920 --> 00:14:58,600
the Azure Network Security book.

245
00:14:58,600 --> 00:15:01,600
And we found just, you know, talking to customers that there was kind of a gap

246
00:15:01,600 --> 00:15:05,000
around all the capabilities that Azure has in network security

247
00:15:05,000 --> 00:15:07,880
and really understanding those from an architecture perspective

248
00:15:07,880 --> 00:15:10,320
and diving into each of the capabilities of the products

249
00:15:10,320 --> 00:15:13,240
and how to really use them in the best manner with some depth.

250
00:15:13,240 --> 00:15:15,600
So Anthony and I spent some time and wrote that book.

251
00:15:15,600 --> 00:15:17,200
So that one just published.

252
00:15:17,200 --> 00:15:20,240
And we actually have an SC-900 book coming out.

253
00:15:20,240 --> 00:15:22,040
We're finalizing that now.

254
00:15:22,040 --> 00:15:24,200
So that should be out later this year.

255
00:15:24,200 --> 00:15:28,520
So folks can use that as a test prep to really help with the new SC-900 test.

256
00:15:28,520 --> 00:15:30,440
And I'm glad to talk about security automation.

257
00:15:30,440 --> 00:15:34,920
It's like this big passion I've had kind of for the past couple of years.

258
00:15:34,920 --> 00:15:40,080
And it really stems from all of my years and working in IT and security, you know,

259
00:15:40,080 --> 00:15:42,040
it's just task after task after task.

260
00:15:42,040 --> 00:15:44,560
And a lot of these things become a repetitive process.

261
00:15:44,560 --> 00:15:47,920
And if you really look at any technology we have in some way, shape or form,

262
00:15:47,920 --> 00:15:50,000
a lot of it is about reducing that, right?

263
00:15:50,000 --> 00:15:55,160
And the big next leap for me that I see in passion is, or I have a passion around,

264
00:15:55,160 --> 00:15:58,360
is that security needs automation, right?

265
00:15:58,360 --> 00:15:59,480
There's more alerts coming in.

266
00:15:59,480 --> 00:16:00,560
There's more data to analyze.

267
00:16:00,560 --> 00:16:05,760
There's more things generating incidents and those types of things that happen.

268
00:16:05,760 --> 00:16:10,200
And we need to be able to automate and respond to those in an efficient manner, right?

269
00:16:10,200 --> 00:16:14,440
So I think it's super important and I'm super passionate about this and glad to talk about it.

270
00:16:14,440 --> 00:16:18,560
So can you give us a background as to what sort of things you're going to automate?

271
00:16:18,560 --> 00:16:21,280
Is there a way we can think about automation?

272
00:16:21,280 --> 00:16:23,720
Any sort of nomenclature we can think of?

273
00:16:23,720 --> 00:16:29,240
Yeah, so in the industry, if you hear the term SOAR or Security Orchestration Automation

274
00:16:29,240 --> 00:16:34,000
and Response, that's typically what you would hear from vendors with these types of products

275
00:16:34,000 --> 00:16:39,320
or if you hear it kind of generically in type of tech docs or things like that.

276
00:16:39,320 --> 00:16:41,640
SOAR is the term that you hear from folks.

277
00:16:41,640 --> 00:16:44,560
OK, so there's verbs in there.

278
00:16:44,560 --> 00:16:45,680
I'm letters.

279
00:16:45,680 --> 00:16:48,040
It's going to sound like, what did we say it was, Michael?

280
00:16:48,040 --> 00:16:49,760
Jeff, what was it?

281
00:16:49,760 --> 00:16:50,880
Wheel of Fortune?

282
00:16:50,880 --> 00:16:55,360
You see, from where I'm from in the world, you would say it was a different show.

283
00:16:55,360 --> 00:17:00,400
But anyway, O, A and R, what's O?

284
00:17:00,400 --> 00:17:03,240
Yeah, so SOAR is definitely an acronym, right?

285
00:17:03,240 --> 00:17:08,280
Not SOAR as in soar and flying high, although we hope that this will get you there.

286
00:17:08,280 --> 00:17:09,800
Maybe you'll be able to fly and do much more.

287
00:17:09,800 --> 00:17:11,360
But great question.

288
00:17:11,360 --> 00:17:16,920
O is orchestration and kind of the key to security automation and SOAR, as you will call it,

289
00:17:16,920 --> 00:17:20,200
or folks will call it, is really orchestration.

290
00:17:20,200 --> 00:17:24,760
You have to be able to talk to all of these different things and platforms and APIs and

291
00:17:24,760 --> 00:17:30,160
capabilities because no organization has any one single product for all of security.

292
00:17:30,160 --> 00:17:33,200
And actually, that would probably be a bad model because no product would be really,

293
00:17:33,200 --> 00:17:34,200
really good at it.

294
00:17:34,200 --> 00:17:35,640
They'd be too broad.

295
00:17:35,640 --> 00:17:40,560
And so we typically get products, whether that's from Microsoft or other vendors, that

296
00:17:40,560 --> 00:17:43,520
are very focused on a certain domain.

297
00:17:43,520 --> 00:17:48,480
And that's great because they do really, really well at looking at that capability, right?

298
00:17:48,480 --> 00:17:54,240
And just like companies that do ITSM or ticketing type systems are really, really great at ticketing

299
00:17:54,240 --> 00:17:55,400
type systems.

300
00:17:55,400 --> 00:17:59,600
But something has to be the glue that can help you orchestrate and talk to all of these

301
00:17:59,600 --> 00:18:00,600
different things.

302
00:18:00,600 --> 00:18:06,480
And that's really key is having a capability or product or solution that can talk to a

303
00:18:06,480 --> 00:18:10,440
lot of things so you don't have to write those integrations, right?

304
00:18:10,440 --> 00:18:13,720
Being able to call all of these different type of capabilities.

305
00:18:13,720 --> 00:18:16,280
So what is A then?

306
00:18:16,280 --> 00:18:17,280
Great question.

307
00:18:17,280 --> 00:18:20,040
So A is automation, right?

308
00:18:20,040 --> 00:18:24,400
It's all about, now that you're able to orchestrate, automating that.

309
00:18:24,400 --> 00:18:30,440
And we need to be able to basically do action A, do action C, do action B in some type of

310
00:18:30,440 --> 00:18:35,680
order and be able to do things like conditional statements, et cetera, from the orchestration.

311
00:18:35,680 --> 00:18:38,120
But it's really about automating that next step, right?

312
00:18:38,120 --> 00:18:40,920
So a human doesn't have to go click A, click B, click C.

313
00:18:40,920 --> 00:18:42,360
Okay, I want to play too.

314
00:18:42,360 --> 00:18:44,680
Tell me about R.

315
00:18:44,680 --> 00:18:50,480
And I'm also interested in kind of comparing the Microsoft 365 Defender variant of SOAR

316
00:18:50,480 --> 00:18:51,480
as well.

317
00:18:51,480 --> 00:18:53,360
So tell us about the R.

318
00:18:53,360 --> 00:18:55,840
Yeah, R is response, right?

319
00:18:55,840 --> 00:18:58,200
So it's going to be the action you take.

320
00:18:58,200 --> 00:19:02,440
What's interesting is really in response, there's a couple of different things that you can

321
00:19:02,440 --> 00:19:03,560
do there.

322
00:19:03,560 --> 00:19:06,720
And that's, you know, you can go enrich an object.

323
00:19:06,720 --> 00:19:09,120
So maybe I have an incident and I want to go get some more information.

324
00:19:09,120 --> 00:19:15,400
Like imagine I have an IP address, some unknown IP address, I can go grab some geo information

325
00:19:15,400 --> 00:19:16,720
and bring that back to the incident.

326
00:19:16,720 --> 00:19:20,320
So that might be like an enrichment scenario, but I can actually also respond and actually

327
00:19:20,320 --> 00:19:21,320
take an action, right?

328
00:19:21,320 --> 00:19:26,280
So maybe I go block that IP address in a firewall or something like that.

329
00:19:26,280 --> 00:19:27,840
So that's kind of what response is.

330
00:19:27,840 --> 00:19:33,200
And then you mentioned AutoIR inside of M365, which is an amazing capability, right?

331
00:19:33,200 --> 00:19:36,400
And this is back to the depth in these certain domains.

332
00:19:36,400 --> 00:19:41,160
So the AutoIR capability is really good in depth currently for Defender for Endpoint

333
00:19:41,160 --> 00:19:44,080
and Defender for Office.

334
00:19:44,080 --> 00:19:48,520
Going in and running these automated incident response playbooks, they're kind of pre-canned

335
00:19:48,520 --> 00:19:53,240
and built from Microsoft for you, but they're very focused on that domain, right?

336
00:19:53,240 --> 00:19:57,640
So doing things with Defender for Endpoint, looking at endpoints or email with Office.

337
00:19:57,640 --> 00:20:01,200
So they lack a little bit of that orchestration to be able to integrate with other systems,

338
00:20:01,200 --> 00:20:02,200
right?

339
00:20:02,200 --> 00:20:03,320
So they're very, very focused there.

340
00:20:03,320 --> 00:20:07,600
And just kind of talking personal experience here.

341
00:20:07,600 --> 00:20:12,120
One of the things that has made me so passionate about this is I think back to the days in

342
00:20:12,120 --> 00:20:16,840
the Marine Corps and early on working with customers at Microsoft, we get an incident

343
00:20:16,840 --> 00:20:19,120
and then you have to go do 10 different things, right?

344
00:20:19,120 --> 00:20:23,040
I need to go like, hey, maybe I just have something where I'll take an impossible travel

345
00:20:23,040 --> 00:20:24,560
is a simple one.

346
00:20:24,560 --> 00:20:27,880
Maybe I have an impossible travel and Mark's traveling to Thailand and we don't expect

347
00:20:27,880 --> 00:20:28,880
him to.

348
00:20:28,880 --> 00:20:32,200
So I got to call his manager, hey, is Mark expected to be there?

349
00:20:32,200 --> 00:20:34,320
And he comes back and says, oh, no, he's not.

350
00:20:34,320 --> 00:20:37,040
Okay, well, let me go see what other activity is going on with his accounts.

351
00:20:37,040 --> 00:20:38,800
And now I got to do some more queries.

352
00:20:38,800 --> 00:20:41,760
And then I establish, okay, this is probably legit and I need to take an action.

353
00:20:41,760 --> 00:20:45,440
And then I actually have to go over to whatever system I'm using for identity and actually

354
00:20:45,440 --> 00:20:50,400
like reset Mark's password or enforce an MFA on him or maybe even just disable his account,

355
00:20:50,400 --> 00:20:51,400
right?

356
00:20:51,400 --> 00:20:55,880
So like, it's just the whole security automation I've just seen over years, like there's just

357
00:20:55,880 --> 00:20:58,880
too many steps that people have to take manually.

358
00:20:58,880 --> 00:21:02,640
And it's so important that we figure out a way to automate this with everybody.

359
00:21:02,640 --> 00:21:07,320
Yeah, the swivel chair automation, excuse me, the swivel chair and analytics as well as

360
00:21:07,320 --> 00:21:11,560
those manual repetitive steps are just like the misery of the SOC.

361
00:21:11,560 --> 00:21:12,560
Yeah.

362
00:21:12,560 --> 00:21:14,880
Yeah, who wants to do the same, same clicks every day, right?

363
00:21:14,880 --> 00:21:18,480
Like everybody wants to focus on kind of the cool thing and the hard problem to solve.

364
00:21:18,480 --> 00:21:23,640
And if we can reduce the thing that they do every day into something that's automated,

365
00:21:23,640 --> 00:21:27,400
now you can take that brainpower and really focus it on something else, right?

366
00:21:27,400 --> 00:21:30,280
It actually is more important and a much harder challenge.

367
00:21:30,280 --> 00:21:34,960
We already explained a little bit of why automation is important, but can you expand

368
00:21:34,960 --> 00:21:38,400
further on how interconnection makes this happen?

369
00:21:38,400 --> 00:21:39,400
Yeah.

370
00:21:39,400 --> 00:21:41,000
I mean, this is a great one.

371
00:21:41,000 --> 00:21:45,320
Like the way I think about it kind of at a really high level is like, we're running

372
00:21:45,320 --> 00:21:46,520
out of humans, right?

373
00:21:46,520 --> 00:21:51,400
We already know there's like a 2 million person job shortage for cyber security type jobs,

374
00:21:51,400 --> 00:21:52,400
right?

375
00:21:52,400 --> 00:21:53,560
There's all these jobs out there meeting, right?

376
00:21:53,560 --> 00:21:56,720
2 million jobs that are open, but there's nobody to fill them.

377
00:21:56,720 --> 00:22:02,480
And yes, we need to do more and we need to train STEM better at the lower levels of schooling

378
00:22:02,480 --> 00:22:04,640
so that we get more people into STEM.

379
00:22:04,640 --> 00:22:06,280
But at the end of the day, there's still going to be a job shortage.

380
00:22:06,280 --> 00:22:07,560
We're behind the curve.

381
00:22:07,560 --> 00:22:12,160
And so it's really important that we, again, we go back to what I just said, which is automate

382
00:22:12,160 --> 00:22:14,520
that basic task that happens all the time.

383
00:22:14,520 --> 00:22:19,800
And even some of those more complex tasks and kind of the struggle I hear from customers

384
00:22:19,800 --> 00:22:25,560
really is like, hey, I want to automate this stuff, but I'm afraid of like breaking something.

385
00:22:25,560 --> 00:22:27,400
What happens if I break something, right?

386
00:22:27,400 --> 00:22:32,240
And so I think it's super important that customers look at those simple things that they can

387
00:22:32,240 --> 00:22:35,880
start with and kind of move up that stack and get a little more complex each way.

388
00:22:35,880 --> 00:22:40,040
And if there's something you're not comfortable with automating, great, don't automate it,

389
00:22:40,040 --> 00:22:41,040
right?

390
00:22:41,040 --> 00:22:45,360
Like, add in approval steps if that can help alleviate that mitigation or help alleviate

391
00:22:45,360 --> 00:22:47,440
that concern with a mitigation, right?

392
00:22:47,440 --> 00:22:49,320
Yeah, I mean, that's awesome, dude.

393
00:22:49,320 --> 00:22:53,160
I mean, the way I like to think about it is really that we're empowering the humans,

394
00:22:53,160 --> 00:22:54,160
right?

395
00:22:54,160 --> 00:23:01,040
And we're trying to get more out of folks so that they can do more as opposed to replacing

396
00:23:01,040 --> 00:23:02,040
them.

397
00:23:02,040 --> 00:23:04,000
We're just replacing the manual annoying tasks.

398
00:23:04,000 --> 00:23:05,720
Can you give us some real world examples?

399
00:23:05,720 --> 00:23:08,000
You mentioned some of these tasks.

400
00:23:08,000 --> 00:23:14,680
How are organizations using the SOAR and Sentinel and what kinds of things specifically are

401
00:23:14,680 --> 00:23:15,680
they solving?

402
00:23:15,680 --> 00:23:17,560
Yeah, great question.

403
00:23:17,560 --> 00:23:22,120
So we talked a lot about, and this is the Azure Security Podcast, but kind of the news

404
00:23:22,120 --> 00:23:25,840
around Azure Defender and Sentinel at the beginning, thanks to Sarah.

405
00:23:25,840 --> 00:23:31,840
And with CSPM and Azure Defender and Azure Security Center, we talked a little bit about

406
00:23:31,840 --> 00:23:35,600
secure score, but customers have this secure score.

407
00:23:35,600 --> 00:23:39,400
And I kind of think back again, this is a personal experience of, hey, you remember

408
00:23:39,400 --> 00:23:43,240
the old vulnerability days of scanning with some type of scanner and now you have this

409
00:23:43,240 --> 00:23:47,400
new vulnerability and now it's on a list and someone needs to go remediate it.

410
00:23:47,400 --> 00:23:49,560
Well, what if you could automate that, right?

411
00:23:49,560 --> 00:23:54,200
So what if you could build a playbook using Logic Apps in Azure to say, hey, whenever

412
00:23:54,200 --> 00:24:00,640
this new resource comes online and it's not in a secure model, I want to go do X.

413
00:24:00,640 --> 00:24:04,080
And X could be lots of different things, but it could be all the way to best case would

414
00:24:04,080 --> 00:24:06,840
be you go automatically remediate that resource, right?

415
00:24:06,840 --> 00:24:13,840
And so we go change whatever bit or setting in ARM or put it behind a private endpoint,

416
00:24:13,840 --> 00:24:17,280
as Michael talked about, some of these new services using private endpoint, so that now

417
00:24:17,280 --> 00:24:20,400
it's not exposed and we've just immediately reduced that vulnerability.

418
00:24:20,400 --> 00:24:24,360
And again, we could add extra steps in there for things like coordinate with my IT ops

419
00:24:24,360 --> 00:24:29,000
section so that they know it's happening or maybe even the developer or owner of the application.

420
00:24:29,000 --> 00:24:35,240
So they know it's happening and it's not breaking them, but that way they really, you can speed

421
00:24:35,240 --> 00:24:37,200
up the time to that resolution, right?

422
00:24:37,200 --> 00:24:41,920
Because if that, let's just say, resource is public to the internet when it's not supposed

423
00:24:41,920 --> 00:24:46,560
to be, that's just more minutes that the attacker has that they can actually go after it.

424
00:24:46,560 --> 00:24:47,880
And I think it's super important.

425
00:24:47,880 --> 00:24:52,400
And there's lots of scenarios in a SIEM world, whether you're using Azure Sentinel, which

426
00:24:52,400 --> 00:24:56,280
I love Azure Sentinel, wrote the first book on it.

427
00:24:56,280 --> 00:24:59,400
I want more people to use it, like lots of opportunities to respond there.

428
00:24:59,400 --> 00:25:01,360
And again, I talked about the enrichment scenario.

429
00:25:01,360 --> 00:25:03,480
Hey, we get an alert.

430
00:25:03,480 --> 00:25:07,720
Mark has traveled to Thailand or to an IP address.

431
00:25:07,720 --> 00:25:10,160
Maybe we know it's in Thailand or maybe we don't.

432
00:25:10,160 --> 00:25:11,160
But let's go full.

433
00:25:11,160 --> 00:25:12,160
You keep sending me to Thailand, man.

434
00:25:12,160 --> 00:25:13,160
I don't mind.

435
00:25:13,160 --> 00:25:17,200
I visited Thailand, so it's always on my mind at some point.

436
00:25:17,200 --> 00:25:18,480
I've been to lots of different countries.

437
00:25:18,480 --> 00:25:22,120
But yeah, maybe I can go enrich and get some information.

438
00:25:22,120 --> 00:25:27,440
And now I've just saved that analyst time from opening a Google browser or a Bing browser

439
00:25:27,440 --> 00:25:30,880
and searching, hey, where is this IP address located?

440
00:25:30,880 --> 00:25:35,800
Or I'm going to look in my own threat intelligence capability that I have in-house and query

441
00:25:35,800 --> 00:25:39,240
that IP address and see what I know about it, those types of things.

442
00:25:39,240 --> 00:25:43,520
So it's just really more things that you can alleviate from the analysts having to go do

443
00:25:43,520 --> 00:25:49,520
manually, as you call it, the swivel chair automation is really great for them.

444
00:25:49,520 --> 00:25:56,080
So just another example, kind of real world scenario is, again, you want to orchestrate

445
00:25:56,080 --> 00:25:57,840
and automate some actions.

446
00:25:57,840 --> 00:26:01,680
And so I love some of the capabilities that are in Logic Apps.

447
00:26:01,680 --> 00:26:04,920
We have a step that you can actually go send an approval email.

448
00:26:04,920 --> 00:26:06,160
And I think that's amazing.

449
00:26:06,160 --> 00:26:10,240
Like, I explain this to customers and I'm like, think about that impossible travel alert.

450
00:26:10,240 --> 00:26:14,040
What if instead of picking up the phone and calling Mark's boss, right, I can just send

451
00:26:14,040 --> 00:26:17,080
him an email that says, hey, is Mark traveling to this country?

452
00:26:17,080 --> 00:26:18,720
And there's two buttons, yes or no.

453
00:26:18,720 --> 00:26:21,360
Very simple, very easy for the manager to respond to that.

454
00:26:21,360 --> 00:26:22,960
All he has to do is click the link.

455
00:26:22,960 --> 00:26:27,400
And once he clicks it, assuming you haven't trained him too well in spear-phishing attacks,

456
00:26:27,400 --> 00:26:31,080
right, he clicks the link and says, yeah, Mark's supposed to be traveling there.

457
00:26:31,080 --> 00:26:33,760
Well, now I can handle that incident, maybe just close it.

458
00:26:33,760 --> 00:26:36,800
Or, hey, maybe he says, no, he's not supposed to be traveling there.

459
00:26:36,800 --> 00:26:40,280
And so I can handle that condition and go do some other different steps inside of that

460
00:26:40,280 --> 00:26:41,280
playbook.

461
00:26:41,280 --> 00:26:43,480
So you mentioned Logic Apps.

462
00:26:43,480 --> 00:26:46,800
I've done a lot of work with Azure Functions, but I'll be honest, I've never really played

463
00:26:46,800 --> 00:26:47,800
around with Logic Apps.

464
00:26:47,800 --> 00:26:53,120
Can you just give our listeners a brief overview of Logic Apps, why Logic Apps and their benefits?

465
00:26:53,120 --> 00:26:54,120
Yeah, absolutely.

466
00:26:54,120 --> 00:26:56,840
And I love that you're doing stuff in Azure Functions.

467
00:26:56,840 --> 00:26:57,840
I do too.

468
00:26:57,840 --> 00:27:01,800
I like it because I can run native PowerShell code in there and do some really great things.

469
00:27:01,800 --> 00:27:06,440
And what's really interesting, and we'll talk about this is what Logic Apps is, but Logic

470
00:27:06,440 --> 00:27:11,920
Apps is really a super powerful, low-code environment, right?

471
00:27:11,920 --> 00:27:18,080
So think about a capability, if you've never seen it, to be able to design steps and actions

472
00:27:18,080 --> 00:27:19,080
of a playbook.

473
00:27:19,080 --> 00:27:22,200
So you can call it a workflow, you can call it a playbook.

474
00:27:22,200 --> 00:27:26,320
Basically I want to do A, I want to do B, I want to do C. But with every one of those

475
00:27:26,320 --> 00:27:30,800
things, first in Logic Apps, there's a trigger, something has to trigger it, which typically

476
00:27:30,800 --> 00:27:35,880
will be something from Azure Defender, something from Azure Sentinel, it could be a manual

477
00:27:35,880 --> 00:27:38,480
thing that happens on a reoccurrence schedule.

478
00:27:38,480 --> 00:27:40,760
You can even have an HTTP endpoint as your trigger.

479
00:27:40,760 --> 00:27:46,160
So you call an API out to Azure and it basically would run that playbook.

480
00:27:46,160 --> 00:27:51,080
But with each trigger and action, there is dynamic properties that come out.

481
00:27:51,080 --> 00:27:54,760
And this is really, really powerful because there's a nice list of properties from all

482
00:27:54,760 --> 00:27:58,000
of your previous actions as you go further down into your playbook.

483
00:27:58,000 --> 00:27:59,800
And you can use any one of those properties.

484
00:27:59,800 --> 00:28:05,560
So I don't need to code, know how to code or find the severity of an incident or a severity

485
00:28:05,560 --> 00:28:09,200
of maybe something that comes in from Azure Defender, whether it's a high or medium or

486
00:28:09,200 --> 00:28:12,080
low, it's a dynamic property called severity.

487
00:28:12,080 --> 00:28:16,080
And I could just drop that into my condition statement that says, hey, if this severity

488
00:28:16,080 --> 00:28:21,560
is high, and I can put in high, medium, low, whatever I want in there, and take these actions.

489
00:28:21,560 --> 00:28:24,280
And so it makes it very, very easy.

490
00:28:24,280 --> 00:28:28,320
And if you're familiar with or aware of Microsoft Flow, it's the same thing, but in

491
00:28:28,320 --> 00:28:33,360
Azure, so they have a lot of the same capabilities there in Logic Apps.

492
00:28:33,360 --> 00:28:38,040
But one of the cool things you mentioned Azure Functions is you can actually call an Azure

493
00:28:38,040 --> 00:28:40,000
Function from your Logic App.

494
00:28:40,000 --> 00:28:44,480
So if you have some capability that you need to run native code, they do have a little

495
00:28:44,480 --> 00:28:47,320
bit of new capability in Logic Apps where you can run some native code.

496
00:28:47,320 --> 00:28:51,480
It's specifically Java, not a Java person myself, so I like PowerShell.

497
00:28:51,480 --> 00:28:57,200
But I can build an Azure Function with some PowerShell code in it, call that from

498
00:28:57,200 --> 00:29:02,160
my Logic App if there's maybe something that is much more complex that you need to do a

499
00:29:02,160 --> 00:29:05,800
little bit beyond what the low code capabilities provide you there.

500
00:29:05,800 --> 00:29:12,200
Hey, actually on that topic, so does that mean you can pass in an argument from the

501
00:29:12,200 --> 00:29:15,200
Logic App as an argument to your function?

502
00:29:15,200 --> 00:29:16,520
Yeah, absolutely.

503
00:29:16,520 --> 00:29:18,240
You can pass in all kinds of properties.

504
00:29:18,240 --> 00:29:20,720
So and again, you can use those dynamic properties.

505
00:29:20,720 --> 00:29:23,320
So you don't have to hard code your argument.

506
00:29:23,320 --> 00:29:27,600
You can actually take one of those dynamic properties and pass it in.

507
00:29:27,600 --> 00:29:32,120
Again, your Azure Function would be looking to accept that as part of the body or the

508
00:29:32,120 --> 00:29:34,800
payload that comes in.

509
00:29:34,800 --> 00:29:37,600
And yeah, you can absolutely pass those in.

510
00:29:37,600 --> 00:29:42,160
So Nick, the way we think about it is like a full life cycle view of security.

511
00:29:42,160 --> 00:29:46,400
If you go with the NIST one, it's Identify, Protect, Detect, Respond, Recover.

512
00:29:46,400 --> 00:29:50,800
Microsoft tends to shorten it because a lot of those things can be similar to each other

513
00:29:50,800 --> 00:29:53,000
as prevent, detect, respond.

514
00:29:53,000 --> 00:29:54,960
Where does SOAR fit in the life cycle?

515
00:29:54,960 --> 00:29:59,160
Is it purely like incident response only or are there other elements of it?

516
00:29:59,160 --> 00:30:02,160
So what are your thoughts on that?

517
00:30:02,160 --> 00:30:05,880
Yeah, it's definitely not preventative.

518
00:30:05,880 --> 00:30:11,160
Those are typically things where you're blocking an action before it happens.

519
00:30:11,160 --> 00:30:13,320
So it's definitely detective and responsive.

520
00:30:13,320 --> 00:30:20,080
So you may see something that's happening and need to respond to that with the playbooks

521
00:30:20,080 --> 00:30:21,080
there.

522
00:30:21,080 --> 00:30:25,360
Take the, somebody creates a storage account with a public IP address.

523
00:30:25,360 --> 00:30:29,800
And I say I don't want any storage accounts with public IP in my environment.

524
00:30:29,800 --> 00:30:32,800
So Azure Security Center would pick that up as a recommendation.

525
00:30:32,800 --> 00:30:37,800
And so once that's there, you can have a workflow automation is what we call it inside of Azure

526
00:30:37,800 --> 00:30:38,800
Security Center.

527
00:30:38,800 --> 00:30:40,640
And it would automatically call a playbook.

528
00:30:40,640 --> 00:30:41,800
That playbook could go handle it.

529
00:30:41,800 --> 00:30:46,440
So maybe it could remove the public IP or put it back on a private endpoint or whatever

530
00:30:46,440 --> 00:30:50,760
it is that you want to turn on the firewall on storage to make sure that it's not allowing

531
00:30:50,760 --> 00:30:51,760
anything inbound.

532
00:30:51,760 --> 00:30:55,560
So again, you could follow all kinds of things there, but it's very much detective and responsive

533
00:30:55,560 --> 00:30:56,560
type controls.

534
00:30:56,560 --> 00:30:57,560
Yeah.

535
00:30:57,560 --> 00:31:00,560
So you talk about prevent, detect and respond.

536
00:31:00,560 --> 00:31:05,160
I mean, in Azure, probably the number one feature that we would use in Azure would be

537
00:31:05,160 --> 00:31:07,160
Azure policy as a preventative control.

538
00:31:07,160 --> 00:31:10,520
I had a strong customer just recently about this.

539
00:31:10,520 --> 00:31:16,240
They had a storage account that had a publicly accessible IP address, which basically means

540
00:31:16,240 --> 00:31:23,040
that the storage account was sitting on the internet, which caused a little bit of a fire drill.

541
00:31:23,040 --> 00:31:27,120
But one of the outcomes of this was, hey, we really need to start looking at using Azure

542
00:31:27,120 --> 00:31:30,800
policy with the action set to deny.

543
00:31:30,800 --> 00:31:33,960
That way we can actually prevent this thing from happening going forward.

544
00:31:33,960 --> 00:31:36,640
And the customer said, well, we're actually using this other tool.

545
00:31:36,640 --> 00:31:39,680
I can't remember what the tool was.

546
00:31:39,680 --> 00:31:40,680
Let's just say it was DivvyCloud.

547
00:31:40,680 --> 00:31:42,480
I actually don't quote me on that.

548
00:31:42,480 --> 00:31:46,400
So we're using DivvyCloud to find these kinds of things.

549
00:31:46,400 --> 00:31:50,880
Well, the problem there is DivvyCloud is not a preventative control.

550
00:31:50,880 --> 00:31:54,280
It is a detective control.

551
00:31:54,280 --> 00:31:59,640
So there was a gap between the storage account going live and then it being picked up by

552
00:31:59,640 --> 00:32:00,640
the tool.

553
00:32:00,640 --> 00:32:04,600
And so that's why, even though you've got all this stuff, you know, talking about Nick,

554
00:32:04,600 --> 00:32:09,160
we can't lose track of the fact that things like Azure policy can be used as a very, very

555
00:32:09,160 --> 00:32:11,880
powerful preventative control mechanism.

556
00:32:11,880 --> 00:32:14,720
Yeah, it's a funny point.

557
00:32:14,720 --> 00:32:18,160
Actually, I was talking to a customer about Azure policy not that long ago and they love

558
00:32:18,160 --> 00:32:19,160
the capabilities there, right?

559
00:32:19,160 --> 00:32:21,200
Like being able to block, just like you said.

560
00:32:21,200 --> 00:32:25,320
And specifically we asked, can you extend this over to other cloud providers?

561
00:32:25,320 --> 00:32:27,240
Because it's such a great capability.

562
00:32:27,240 --> 00:32:32,840
But, you know, one of the things that I think is really good is, you know, the capability

563
00:32:32,840 --> 00:32:33,840
in Azure policy.

564
00:32:33,840 --> 00:32:38,760
The downside is not quite everybody's ready to implement those policies or has gotten

565
00:32:38,760 --> 00:32:43,400
to that point yet and things like Gladys talked about with our guidance that we published

566
00:32:43,400 --> 00:32:47,360
around this, you know, we have some pre-canned policies folks can use.

567
00:32:47,360 --> 00:32:51,640
But the other challenge is at the rate of innovation in the cloud, new features, new

568
00:32:51,640 --> 00:32:55,700
capabilities, and so, you know, people might not be creating those policies as fast as

569
00:32:55,700 --> 00:32:57,840
these new capabilities are coming out, right?

570
00:32:57,840 --> 00:33:01,640
Like, okay, maybe today, you know, storage doesn't have private endpoint and it comes

571
00:33:01,640 --> 00:33:02,640
out tomorrow.

572
00:33:02,640 --> 00:33:06,840
Well, people, you know, it takes time to build that policy, maybe do some testing with it,

573
00:33:06,840 --> 00:33:07,840
etc.

574
00:33:07,840 --> 00:33:10,840
And it's implemented and sometimes maybe it's just missed, right?

575
00:33:10,840 --> 00:33:15,400
And so the nice thing I think with, you know, SOAR capability is to bring all that together

576
00:33:15,400 --> 00:33:20,520
in the sense that, okay, now we have this storage account with public IP, I can build

577
00:33:20,520 --> 00:33:25,040
a playbook that, one, opens a ticket in, let's say, something like ServiceNow, right?

578
00:33:25,040 --> 00:33:27,160
Because we have a nice ServiceNow connector there.

579
00:33:27,160 --> 00:33:31,440
So there's this new ticket or incident inside of ServiceNow saying that this resource is

580
00:33:31,440 --> 00:33:33,480
out there public.

581
00:33:33,480 --> 00:33:37,080
And you know, maybe we do some approval, maybe we don't, but we automatically go resolve

582
00:33:37,080 --> 00:33:38,200
that resource, right?

583
00:33:38,200 --> 00:33:40,760
We take it off of being public through whatever means.

584
00:33:40,760 --> 00:33:42,760
Well, you know, the ticket's there now.

585
00:33:42,760 --> 00:33:47,280
And so the ticket person, you know, kind of working that in their queue can take that

586
00:33:47,280 --> 00:33:51,680
and assign it over to the engineering team to say, hey, like, this is probably something

587
00:33:51,680 --> 00:33:53,320
we should make into a policy.

588
00:33:53,320 --> 00:33:56,040
And now you can continue like tracking that over to policy.

589
00:33:56,040 --> 00:33:59,240
Maybe it's to go spin up another ticket if you have to or whatever, but at least you

590
00:33:59,240 --> 00:34:02,280
can add it to their backlog, you know, using that type of integration.

591
00:34:02,280 --> 00:34:05,800
So you could even do something like, hey, after it's resolved, go ahead and open a second

592
00:34:05,800 --> 00:34:10,140
ticket that says, hey, engineering, you need to evaluate whether this should be a policy

593
00:34:10,140 --> 00:34:12,240
or not based on that.

594
00:34:12,240 --> 00:34:15,800
So you know, you can definitely have some steps or maybe you have a manual playbook

595
00:34:15,800 --> 00:34:20,760
that you call to create those kinds of tickets that you want engineering to go review and

596
00:34:20,760 --> 00:34:21,760
build policies around.

597
00:34:21,760 --> 00:34:25,920
So definitely ways to help automate that and make sure that stuff gets tracked so that

598
00:34:25,920 --> 00:34:30,280
at the end of the day, right, you get to that secure place, hopefully using policy to prevent.

599
00:34:30,280 --> 00:34:33,680
But if you don't, you got some detective response controls as well.

600
00:34:33,680 --> 00:34:38,840
So what about the security alerts from Defender?

601
00:34:38,840 --> 00:34:40,760
How would you deal with those?

602
00:34:40,760 --> 00:34:42,920
Yeah, I mean, there's two ways, right?

603
00:34:42,920 --> 00:34:47,320
You can obviously, you know, build workflow automation in Defender with that.

604
00:34:47,320 --> 00:34:50,560
But you know, what I'm recommending to a lot of customers and there's a big reason why

605
00:34:50,560 --> 00:34:53,280
here is really integrate those with Sentinel.

606
00:34:53,280 --> 00:34:57,880
And the key factor there is that you can now correlate that, right?

607
00:34:57,880 --> 00:35:02,500
So yeah, it's an Azure resource, Azure Defender picks up that, hey, something was attacking

608
00:35:02,500 --> 00:35:05,480
this resource and you need to go mitigate that.

609
00:35:05,480 --> 00:35:08,440
But are you missing some type of bigger context, right?

610
00:35:08,440 --> 00:35:13,160
And so bringing it together in Sentinel, you could basically use Logic Apps with Sentinel

611
00:35:13,160 --> 00:35:15,480
and again with Azure Defender if you wanted to.

612
00:35:15,480 --> 00:35:21,840
But you could correlate it and have actions that touch multiple different things across

613
00:35:21,840 --> 00:35:26,080
all the data and all of the different devices that might be involved or different resources

614
00:35:26,080 --> 00:35:28,000
that might be involved.

615
00:35:28,000 --> 00:35:30,120
Can you give an example of correlation?

616
00:35:30,120 --> 00:35:33,000
Yeah, this is a great one.

617
00:35:33,000 --> 00:35:36,760
We actually built a couple of samples and we'll make sure to share out the link to our

618
00:35:36,760 --> 00:35:39,500
public GitHub repo with a bunch of samples.

619
00:35:39,500 --> 00:35:45,080
But a great kind of example of this is, so I have an Azure resource, let's imagine that

620
00:35:45,080 --> 00:35:50,360
Azure resource is a SQL database and I have it behind a third party NVA, right?

621
00:35:50,360 --> 00:35:51,840
Network virtual appliance.

622
00:35:51,840 --> 00:35:54,000
So maybe I'm using a Palo Alto.

623
00:35:54,000 --> 00:35:59,080
And this is where I think Logic Apps is super powerful is I can take that alert inside of

624
00:35:59,080 --> 00:36:00,080
Sentinel.

625
00:36:00,080 --> 00:36:04,120
I can correlate with some raw data that I'm bringing in from my Palo Alto to make sure

626
00:36:04,120 --> 00:36:06,680
it's legit or if I want to see if there's anything else going on.

627
00:36:06,680 --> 00:36:11,000
And in my playbook, you can actually go remediate the resource.

628
00:36:11,000 --> 00:36:17,840
So maybe I do something on the NSG in front of that SQL or I can even go integrate with

629
00:36:17,840 --> 00:36:23,480
a Palo Alto and we have a couple examples that in our public GitHub repo, we have a

630
00:36:23,480 --> 00:36:24,480
new connector.

631
00:36:24,480 --> 00:36:28,080
But when we first did it, we actually used an Azure function and we would pass in an

632
00:36:28,080 --> 00:36:32,400
IP address to the Azure function and the Azure function would call the Palo Alto API

633
00:36:32,400 --> 00:36:34,360
and add it to a block list.

634
00:36:34,360 --> 00:36:38,160
And so now, you know, I've taken this resource that is behind my firewall that has potentially

635
00:36:38,160 --> 00:36:39,160
been attacked.

636
00:36:39,160 --> 00:36:42,880
I have this IP address I know I want to block and now I've integrated and this is back to

637
00:36:42,880 --> 00:36:47,600
the orchestration power and SOAR to really, you know, reach out to Palo Alto and add that

638
00:36:47,600 --> 00:36:48,600
to a block list, right?

639
00:36:48,600 --> 00:36:51,560
And it could be any, any firewall vendor could be any other resource, but I think this is

640
00:36:51,560 --> 00:36:54,080
where SOAR shows its real power, right?

641
00:36:54,080 --> 00:36:55,600
Because I could even add steps in there.

642
00:36:55,600 --> 00:36:56,920
Hey, open a ticket.

643
00:36:56,920 --> 00:37:00,680
We send a Teams notification to my SOC, you know, do all kinds of different things that

644
00:37:00,680 --> 00:37:05,360
I want to do as preliminary steps and then go take action on that even with third party,

645
00:37:05,360 --> 00:37:10,360
you know, maybe things that just have an API access, you can go connect to those things

646
00:37:10,360 --> 00:37:13,360
and basically integrate them really easily.

647
00:37:13,360 --> 00:37:17,480
So as a developer, whenever I hear about writing any kind of code, whether it's low

648
00:37:17,480 --> 00:37:23,080
code or C++ code, one of the first things that comes to mind, especially when we're

649
00:37:23,080 --> 00:37:27,720
talking about enterprise level deployments is versioning and version control.

650
00:37:27,720 --> 00:37:31,160
So does this technology have version control?

651
00:37:31,160 --> 00:37:33,840
Man, logic, great question.

652
00:37:33,840 --> 00:37:38,200
Logic Apps did an awesome job in this, the team over there, even in the Azure portal,

653
00:37:38,200 --> 00:37:39,440
they have versioning, right?

654
00:37:39,440 --> 00:37:43,400
So you can see your previous versions, when you click on it, you can see both the code

655
00:37:43,400 --> 00:37:46,680
version and the designer version, which is really nice because it's, you know, you can

656
00:37:46,680 --> 00:37:52,280
see the playbook in its graphical form, which is really how most people develop Logic Apps.

657
00:37:52,280 --> 00:37:58,280
But again, the great thing is it's all based on ARM underneath the hood, right?

658
00:37:58,280 --> 00:38:05,000
So because it's an Azure resource, you can take that, run it, take it, put it in CI/CD,

659
00:38:05,000 --> 00:38:07,560
Git, all of those different things, right?

660
00:38:07,560 --> 00:38:10,600
And control that source however you want to do it, right?

661
00:38:10,600 --> 00:38:13,640
It's just infrastructure as code.

662
00:38:13,640 --> 00:38:17,760
So one thing we ask all our guests is, is there one final thought you would like to leave

663
00:38:17,760 --> 00:38:19,240
with our listeners?

664
00:38:19,240 --> 00:38:22,640
Yeah, I'm going to change that and say not a thought.

665
00:38:22,640 --> 00:38:25,080
I'm going to give folks a challenge, right?

666
00:38:25,080 --> 00:38:30,720
I really challenge folks to go try to create a simple, single playbook using Logic Apps

667
00:38:30,720 --> 00:38:34,640
with their Azure Defender with any type of resource.

668
00:38:34,640 --> 00:38:39,560
There's lots of connectors inside of Azure, so in Azure Logic Apps.

669
00:38:39,560 --> 00:38:44,040
So my recommendation is pick some scenario that you automate and let's see if you can

670
00:38:44,040 --> 00:38:45,040
do it.

671
00:38:45,040 --> 00:38:49,200
So I think it's something as simple as once I get an alert, send a Teams message or send

672
00:38:49,200 --> 00:38:54,000
an email to somebody, create a ticket, try something super simple, and then start looking

673
00:38:54,000 --> 00:38:55,320
at what's your next steps.

674
00:38:55,320 --> 00:38:56,680
But that's the challenge.

675
00:38:56,680 --> 00:39:01,640
Build that first playbook because it's super easy and I think people are a little hesitant

676
00:39:01,640 --> 00:39:08,000
to try it, but once they do, they really get into it and it goes fast.

677
00:39:08,000 --> 00:39:09,160
So let's bring this to an end.

678
00:39:09,160 --> 00:39:11,720
Hey, Nick, thanks so much for joining us this week.

679
00:39:11,720 --> 00:39:15,640
I know you're very busy and we appreciate you taking the time to speak with us.

680
00:39:15,640 --> 00:39:20,560
As I mentioned at the beginning, Nick and Anthony have a new book coming out on Azure

681
00:39:20,560 --> 00:39:23,920
Network Security, so head on out and buy a copy.

682
00:39:23,920 --> 00:39:26,440
I certainly learned a great deal, Nick.

683
00:39:26,440 --> 00:39:27,440
Thank you so much.

684
00:39:27,440 --> 00:39:30,200
We trust that all our listeners learned a great deal too.

685
00:39:30,200 --> 00:39:31,680
And to our listeners, thanks for listening.

686
00:39:31,680 --> 00:39:33,600
Stay safe and we'll see you next time.

687
00:39:33,600 --> 00:39:36,560
Thanks for listening to the Azure Security Podcast.

688
00:39:36,560 --> 00:39:43,400
You can find show notes and other resources at our website azsecuritypodcast.net.

689
00:39:43,400 --> 00:39:48,560
If you have any questions, please find us on Twitter at AzureSecPod.

690
00:39:48,560 --> 00:40:08,320
Music is from ccmixter.com and licensed under the Creative Commons license.

