1
00:00:00,000 --> 00:00:06,220
Welcome to the Azure Security Podcast,

2
00:00:06,220 --> 00:00:09,380
where we discuss topics relating to security, privacy,

3
00:00:09,380 --> 00:00:13,740
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,740 --> 00:00:18,100
Hey everybody, welcome to Episode 44 and welcome to 2022.

5
00:00:18,100 --> 00:00:19,560
This week we have the full gang,

6
00:00:19,560 --> 00:00:22,180
we have myself, Michael, we have Sarah Gladys and Mark.

7
00:00:22,180 --> 00:00:23,700
We also have a guest, Jess,

8
00:00:23,700 --> 00:00:25,140
who was here to talk to us about,

9
00:00:25,140 --> 00:00:29,460
frankly, just some of the boring security stuff that's really important.

10
00:00:29,460 --> 00:00:31,980
It's not necessarily the shiny objects,

11
00:00:31,980 --> 00:00:34,480
but we'll leave that when we get to Jess.

12
00:00:34,480 --> 00:00:35,800
But before we get to Jess,

13
00:00:35,800 --> 00:00:38,220
let's talk about the news and some of the stuff that front and

14
00:00:38,220 --> 00:00:39,580
center on people's minds.

15
00:00:39,580 --> 00:00:40,920
I'll kick things off.

16
00:00:40,920 --> 00:00:43,420
A couple of things really took my interest over the last few weeks.

17
00:00:43,420 --> 00:00:46,140
The first of which is in Azure Key Vault,

18
00:00:46,140 --> 00:00:50,140
we now have automatic key rotation in public preview.

19
00:00:50,140 --> 00:00:54,260
Now, I want to caveat this with something critically important.

20
00:00:54,260 --> 00:00:57,540
I read a blog post some time ago about,

21
00:00:57,540 --> 00:01:01,260
please be pedantic with your words when you're talking about cryptography.

22
00:01:01,260 --> 00:01:05,860
That is no less true when you're talking about key rotation,

23
00:01:05,860 --> 00:01:09,060
because you have to know which keys you're rotating.

24
00:01:09,060 --> 00:01:13,460
The way Azure Key Vault works in this scenario is it is

25
00:01:13,460 --> 00:01:15,260
rotating key encryption keys,

26
00:01:15,260 --> 00:01:17,980
which is generally required for compliance requirements.

27
00:01:17,980 --> 00:01:22,100
The chances are good it is not going to be rotating data encryption keys.

28
00:01:22,100 --> 00:01:23,980
That's a whole nother ball of wax,

29
00:01:23,980 --> 00:01:25,500
that's a very difficult topic.

30
00:01:25,500 --> 00:01:29,260
Not many products actually support that very well.

31
00:01:29,260 --> 00:01:32,940
That being said, Azure SQL DB with Always Encrypted actually does support it,

32
00:01:32,940 --> 00:01:34,900
data encryption key rotation.

33
00:01:34,900 --> 00:01:38,780
This is available now in public preview, it's great to see it.

34
00:01:38,780 --> 00:01:42,540
You can basically say, I want those key encryption keys rotated

35
00:01:42,540 --> 00:01:45,580
every 12 months or something to be in compliance.

36
00:01:45,580 --> 00:01:47,060
But again, I want to point out,

37
00:01:47,060 --> 00:01:49,380
most of the time this is going to be key encryption keys,

38
00:01:49,380 --> 00:01:51,260
not data encryption keys.

39
00:01:51,260 --> 00:01:54,700
Next one is in Azure Storage.

40
00:01:54,700 --> 00:02:00,460
We now have attribute-based access control conditions in public preview.

41
00:02:00,460 --> 00:02:01,620
This is actually really cool.

42
00:02:01,620 --> 00:02:06,380
You can actually put a rule on say a blob store that says,

43
00:02:06,380 --> 00:02:11,500
if someone has these attributes essentially in their OAuth token,

44
00:02:11,500 --> 00:02:13,340
then allow access.

45
00:02:13,340 --> 00:02:15,940
So what you're basically doing is having

46
00:02:15,940 --> 00:02:21,460
declarative rules based on the contents of someone's authentication context.

47
00:02:21,460 --> 00:02:24,820
This is really great to see; some customers I've worked with

48
00:02:24,820 --> 00:02:28,740
have been asking questions about attribute-based access control

49
00:02:28,740 --> 00:02:31,740
rather than role-based access control or RBAC.

50
00:02:31,740 --> 00:02:34,900
So this is a welcome addition to the stable.

51
00:02:34,900 --> 00:02:36,660
The last one is,

52
00:02:36,660 --> 00:02:37,420
I'll be honest with you,

53
00:02:37,420 --> 00:02:38,860
I've never come across a customer who wants this,

54
00:02:38,860 --> 00:02:40,700
but apparently some people obviously do.

55
00:02:40,700 --> 00:02:42,340
Again, in Azure Storage,

56
00:02:42,340 --> 00:02:48,940
you can now access a storage account from a virtual network and subnet in any region.

57
00:02:48,940 --> 00:02:51,540
Historically, you had to be in the same region.

58
00:02:51,540 --> 00:02:55,420
So if you're accessing say storage accounts from,

59
00:02:55,420 --> 00:02:56,460
let's make something up,

60
00:02:56,460 --> 00:02:59,620
an Azure Function, that storage account and the Azure Function

61
00:02:59,620 --> 00:03:00,740
had to be in the same region,

62
00:03:00,740 --> 00:03:02,660
that is no longer the case.

63
00:03:02,660 --> 00:03:05,420
That is all I have in the news department.

64
00:03:05,420 --> 00:03:07,780
Hello, everyone and happy new year.

65
00:03:07,780 --> 00:03:09,700
Like many others in Microsoft,

66
00:03:09,700 --> 00:03:12,980
I took a very long break for the holidays,

67
00:03:12,980 --> 00:03:16,100
so I do not have a lot of news to inform.

68
00:03:16,100 --> 00:03:18,820
However, I found a few good pieces of information

69
00:03:18,820 --> 00:03:23,540
that I think it would be helpful to many of our listeners.

70
00:03:23,540 --> 00:03:30,340
First, the Microsoft Security Community is continuing to present many free live presentations

71
00:03:30,340 --> 00:03:33,500
about capabilities within our cloud services.

72
00:03:33,500 --> 00:03:35,860
For example, January 12th,

73
00:03:35,860 --> 00:03:41,580
Microsoft Defender for Cloud will be introducing the Microsoft Defender for Containers.

74
00:03:41,580 --> 00:03:45,500
January 19th, Microsoft Sentinel will present

75
00:03:45,500 --> 00:03:52,060
the present and future of user entity behavior analytics in Microsoft Sentinel.

76
00:03:52,060 --> 00:03:58,580
January 20th, Microsoft Defender for Cloud will be presenting what's new in the last three months.

77
00:03:58,580 --> 00:04:02,420
In February, there's several other presentations,

78
00:04:02,420 --> 00:04:05,020
especially from Microsoft Sentinel.

79
00:04:05,020 --> 00:04:10,460
One is becoming a Jupyter Notebooks Ninja, that's February 3rd,

80
00:04:10,460 --> 00:04:17,180
and the next one is Auto-Major Microsoft Sentinel 3-H with RiskIQ Threat Intelligence,

81
00:04:17,180 --> 00:04:19,180
that's February 10th.

82
00:04:19,180 --> 00:04:23,980
For details and registration, please go to aka.ms.com

83
00:04:23,980 --> 00:04:26,580
slash Security Community.

84
00:04:26,580 --> 00:04:30,060
And if you want to see past recorded video,

85
00:04:30,060 --> 00:04:34,740
please go to aka.ms.com

86
00:04:34,740 --> 00:04:38,460
As many of you that follow me on LinkedIn know,

87
00:04:38,460 --> 00:04:42,020
you see me posting all the time about all the free training,

88
00:04:42,020 --> 00:04:48,500
webcasts, podcasts, and other Microsoft types of training that we provide.

89
00:04:48,500 --> 00:04:52,740
We even have websites that provide free training.

90
00:04:52,740 --> 00:04:58,260
As you know, we need more people with security background to help secure our customers.

91
00:04:58,260 --> 00:05:03,220
So here is a way to gain some of the knowledge needed.

92
00:05:03,220 --> 00:05:08,100
The next item I wanted to talk about is a blog that Stewart Kwan published

93
00:05:08,100 --> 00:05:14,540
in early December, talking about Azure AD Custom Security Attributes in ABAC,

94
00:05:14,540 --> 00:05:19,540
or Attribute-Based Access Control.

95
00:05:19,540 --> 00:05:21,740
As I mentioned in previous podcasts,

96
00:05:21,740 --> 00:05:26,340
I am really excited about the capabilities that ABAC brings,

97
00:05:26,340 --> 00:05:36,020
since it adds more capability to extend user attributes to do verifications.

98
00:05:36,020 --> 00:05:41,940
For example, in some scenarios, you may need to store sensitive information about users

99
00:05:41,940 --> 00:05:46,940
in Azure AD and make sure that only users,

100
00:05:46,940 --> 00:05:51,500
authorized users can read and manage this information.

101
00:05:51,500 --> 00:05:57,820
Or you may need to categorize and report on enterprise applications with attributes,

102
00:05:57,820 --> 00:06:01,540
such as business, unit, or sensitivity.

103
00:06:01,540 --> 00:06:09,860
As this becomes available, I think it just will extend the key-value pair verification needed

104
00:06:09,860 --> 00:06:14,660
to control a lot of different access in the digital estate.

105
00:06:14,660 --> 00:06:20,100
So if you get a chance, take a look at that blog, since it is very informative.

106
00:06:20,100 --> 00:06:27,260
Actually, all Stewart Kwan content that I have seen is really, really informative.

107
00:06:27,260 --> 00:06:34,340
I always love the authentication basics videos that he posted on YouTube.

108
00:06:34,340 --> 00:06:37,260
So if you haven't seen them, take a look at them.

109
00:06:37,260 --> 00:06:40,580
Last, I wanted to mention another blog named,

110
00:06:40,580 --> 00:06:47,100
Simplify Your Identity Provisioning with these new Azure AD capabilities.

111
00:06:47,100 --> 00:06:49,340
With the updates described,

112
00:06:49,340 --> 00:06:57,140
our organization will now be able to allow password writeback from the cloud when using

113
00:06:57,140 --> 00:07:00,100
Azure AD Connect Cloud Sync.

114
00:07:00,100 --> 00:07:07,980
provision to on-premises applications, verify their System for Cross-domain Identity Management,

115
00:07:07,980 --> 00:07:11,740
or SCIM, provisioning endpoints, and much more.

116
00:07:11,740 --> 00:07:15,700
So if you have a chance, just take a look at that blog.

117
00:07:15,700 --> 00:07:20,420
Big thing on my radar here is the cyber reference architecture.

118
00:07:20,420 --> 00:07:24,500
I threw a quick Twitter and LinkedIn post on this and got more than I expected.

119
00:07:24,500 --> 00:07:29,340
I think it was like a quarter million feed views or something like that on LinkedIn.

120
00:07:29,340 --> 00:07:32,220
So very popular.

121
00:07:32,220 --> 00:07:36,620
Made some changes to the cyber reference architecture posted up.

122
00:07:36,620 --> 00:07:42,780
A couple of big ones are adding SASE or Secure Access Service Edge, S-A-S-E.

123
00:07:42,780 --> 00:07:48,660
So we have a section in there explaining SASE and which Microsoft capabilities map to that

124
00:07:48,660 --> 00:07:50,580
framework.

125
00:07:50,580 --> 00:07:53,980
We also added a zero trust transformation journey.

126
00:07:53,980 --> 00:08:00,340
So think of this like how do we get from a flat network, over time, five to ten years,

127
00:08:00,340 --> 00:08:05,660
this kind of history at Microsoft, to a sort of full on zero trust journey.

128
00:08:05,660 --> 00:08:08,580
And what are the different stages, the priorities, what you do first.

129
00:08:08,580 --> 00:08:12,540
It's got some nice little morphs and transitions there to show you visually how those things

130
00:08:12,540 --> 00:08:15,860
change over time.

131
00:08:15,860 --> 00:08:21,140
And then the defender for IoT and OT and all the IoT and OT attacks were added to the attack

132
00:08:21,140 --> 00:08:22,140
chain diagram.

133
00:08:22,140 --> 00:08:30,620
I added a couple of modifications to the people diagram and actually added a new people diagram that

134
00:08:30,620 --> 00:08:34,860
kind of aligns different roles to like a plan build run, governance prevention response,

135
00:08:34,860 --> 00:08:38,940
identify, protect, detect, respond, recover kind of framework.

136
00:08:38,940 --> 00:08:44,820
So kind of a little different view on roles and how to kind of map security to standard

137
00:08:44,820 --> 00:08:46,300
business plan build run stuff.

138
00:08:46,300 --> 00:08:50,900
A bunch of zero trust updates, added the zero trust commandments, the latest version of

139
00:08:50,900 --> 00:08:56,340
the ramp, the rapid modernization program on what to do first, next and after that as

140
00:08:56,340 --> 00:08:59,980
you kind of modernize your stuff with zero trust strategy.

141
00:08:59,980 --> 00:09:03,980
And then some tweaks around threat intelligence and whatnot.

142
00:09:03,980 --> 00:09:09,620
Big one that people were asking for was, hey, you have new product names like one of this

143
00:09:09,620 --> 00:09:10,620
can be updated.

144
00:09:10,620 --> 00:09:15,740
So I get that a lot after our marketing department decides that they found better names.

145
00:09:15,740 --> 00:09:18,260
So that is all taken care of in there.

146
00:09:18,260 --> 00:09:23,060
So that was the thing that sort of was big for me in the last month or so.

147
00:09:23,060 --> 00:09:25,540
So before we get to Jess, let's talk about the elephants in the room.

148
00:09:25,540 --> 00:09:30,980
I mean, obviously this broke early December, mid December last year.

149
00:09:30,980 --> 00:09:31,980
And that is Log4j.

150
00:09:31,980 --> 00:09:37,700
I know a lot of our customers are still struggling trying to come to grips with, you know, what

151
00:09:37,700 --> 00:09:39,700
instances they have of Log4j.

152
00:09:39,700 --> 00:09:44,980
I'd like to give you my sort of two cents on the issue before Mark and Sarah, if you

153
00:09:44,980 --> 00:09:46,980
have any thoughts.

154
00:09:46,980 --> 00:09:48,140
It's really interesting looking at this bug.

155
00:09:48,140 --> 00:09:50,260
Actually, there was a series of bugs.

156
00:09:50,260 --> 00:09:56,980
The first one was basically through logging, you could actually manipulate the inputs to

157
00:09:56,980 --> 00:10:00,220
JNDI, which is the Java naming and directory interface.

158
00:10:00,220 --> 00:10:07,340
And what made this interesting from my perspective is they really sort of violated a principle

159
00:10:07,340 --> 00:10:11,540
that I've believed in for 20-something years.

160
00:10:11,540 --> 00:10:14,700
And that is that all input is evil until proven otherwise.

161
00:10:14,700 --> 00:10:17,700
In fact, in Writing Secure Code, I should have a copy of the book in front of me.

162
00:10:17,700 --> 00:10:20,500
I was actually looking at it earlier today.

163
00:10:20,500 --> 00:10:23,460
Chapter 10 is literally all input is evil.

164
00:10:23,460 --> 00:10:27,940
And that's ultimately the problem that this particular bug had.

165
00:10:27,940 --> 00:10:31,460
They accepted input from an untrusted source and then used that to build essentially a

166
00:10:31,460 --> 00:10:33,580
privileged operation.

167
00:10:33,580 --> 00:10:39,660
Other input trust problems are things like SQL injection, XML injection, LDAP injection,

168
00:10:39,660 --> 00:10:43,100
directory traversal, all these other kinds of vulnerabilities where you take some input,

169
00:10:43,100 --> 00:10:46,340
you don't validate it for correctness, and then you use that to perform some kind of

170
00:10:46,340 --> 00:10:47,980
sensitive operation.

171
00:10:47,980 --> 00:10:49,900
And that's ultimately the problem here.

172
00:10:49,900 --> 00:10:54,260
I've often joked when I've been teaching developers around Secure Software Development,

173
00:10:54,260 --> 00:10:58,060
we can talk about all different classes of vulnerability, but ultimately the one lesson

174
00:10:58,060 --> 00:11:01,940
you have to learn as a developer is that all input is evil.

175
00:11:01,940 --> 00:11:05,940
You need to make sure that any data that you get from an untrusted source is validated

176
00:11:05,940 --> 00:11:06,940
for correctness.

177
00:11:06,940 --> 00:11:10,500
And I mean validated for correctness, not validated for badness, because that assumes

178
00:11:10,500 --> 00:11:13,620
you know all the bad things and no one is that clever, believe me.

179
00:11:13,620 --> 00:11:16,100
You need to check for validity and making sure that it's correct.

180
00:11:16,100 --> 00:11:18,380
And if it's not correct, you reject the request.

181
00:11:18,380 --> 00:11:20,300
It's really that simple.

182
00:11:20,300 --> 00:11:23,980
And this ultimately is just an input trust problem.

183
00:11:23,980 --> 00:11:27,700
The interesting thing is that there was actually a black hat talk in 2016.

184
00:11:27,700 --> 00:11:30,300
I've got a link in the show notes.

185
00:11:30,300 --> 00:11:31,900
And they actually say the exact same thing.

186
00:11:31,900 --> 00:11:37,140
It's like basically don't use untrusted input for calls to JNDI, the Java naming and directory

187
00:11:37,140 --> 00:11:38,140
interface.

188
00:11:38,140 --> 00:11:39,620
I mean it's there in black and white.

189
00:11:39,620 --> 00:11:40,900
So that's all I want to say.

190
00:11:40,900 --> 00:11:44,860
I think it's part of a much bigger problem that we still see across the whole industry

191
00:11:44,860 --> 00:11:49,180
where people are blindly believing that input coming in is correct.

192
00:11:49,180 --> 00:11:50,180
That is not the case.

193
00:11:50,180 --> 00:11:53,940
So if you've got code where you blindly accept input and you don't validate it for correctness,

194
00:11:53,940 --> 00:11:56,500
there's a bug in there waiting to happen.

195
00:11:56,500 --> 00:11:59,300
If you're lucky, the application just crashes.

196
00:11:59,300 --> 00:12:03,420
And if you're unlucky, you've got a problem like the Log4j problem.

197
00:12:03,420 --> 00:12:08,180
The angle that sort of struck me on this, and sort of channeling a little bit

198
00:12:08,180 --> 00:12:13,260
of my internal chess here, it just reinforces how important the difficult stuff is like

199
00:12:13,260 --> 00:12:14,820
inventorying and patching.

200
00:12:14,820 --> 00:12:20,980
And, you know, I hate to say the word SBOM because it's not quite ready for the scale

201
00:12:20,980 --> 00:12:27,900
and prime time, but like those kinds of things, just knowing what you have to be able to take

202
00:12:27,900 --> 00:12:30,060
care of it is so critical.

203
00:12:30,060 --> 00:12:35,140
And recognizing that there are limitations in the tooling and technology available today.

204
00:12:35,140 --> 00:12:40,180
But one of the rules that I sort of think about from more of an infrastructure perspective

205
00:12:40,180 --> 00:12:44,940
is if it's easy to do something, you're going to have a sprawl problem.

206
00:12:44,940 --> 00:12:47,980
So if it's easy to copy data, you're going to have a data sprawl problem.

207
00:12:47,980 --> 00:12:53,100
If it's easy to just add in code and it's just easy to do for anyone, you're going to

208
00:12:53,100 --> 00:12:55,460
have a code sprawl problem.

209
00:12:55,460 --> 00:12:57,940
If it's easy to create a VM, you're going to have a VM sprawl problem.

210
00:12:57,940 --> 00:12:59,420
That's just how it goes.

211
00:12:59,420 --> 00:13:02,580
If it's easy for people to do things, great, you just unlock business value.

212
00:13:02,580 --> 00:13:07,580
You also just unlock the sprawl problem that could impact security and IT and other things.

213
00:13:07,580 --> 00:13:13,860
And so that's kind of the thing that I really took away from this: we have to be ready

214
00:13:13,860 --> 00:13:17,820
for the fact that there are these low-friction, easy-copy,

215
00:13:17,820 --> 00:13:19,580
will-be-everywhere things.

216
00:13:19,580 --> 00:13:23,420
And that is going to have a negative corollary.

217
00:13:23,420 --> 00:13:26,340
So that was kind of my lesson learned out of the chaos.

218
00:13:26,340 --> 00:13:31,100
And I feel for all the IT folks out there that had to deal with this and especially the waves

219
00:13:31,100 --> 00:13:34,940
of updates and having to sort of go back to what you just did.

220
00:13:34,940 --> 00:13:41,260
Yeah, that caused my inner IT person and my old ops memories to just cringe.

221
00:13:41,260 --> 00:13:44,020
Michael and Mark have given their kind of 10 cents.

222
00:13:44,020 --> 00:13:49,500
But I guess I'll just talk about, because everybody knows, unless this is the first time you're

223
00:13:49,500 --> 00:13:53,140
listening to the podcast that my baby is Azure Sentinel.

224
00:13:53,140 --> 00:13:58,940
And of course, one of the things we were being asked straight away is by customers is, well,

225
00:13:58,940 --> 00:14:04,220
how can we use Sentinel and how can we use Microsoft tools to detect this in our environment?

226
00:14:04,220 --> 00:14:07,460
Now we'll put a link in the show notes.

227
00:14:07,460 --> 00:14:10,340
Everyone was very busy before Christmas.

228
00:14:10,340 --> 00:14:15,940
And it has been updated since then, updating all of our tools, tooling and products where

229
00:14:15,940 --> 00:14:18,340
we could to help people detect things.

230
00:14:18,340 --> 00:14:23,820
So in Sentinel, we've got a solution which is full of detection queries and hunting

231
00:14:23,820 --> 00:14:29,380
queries, Defender for Cloud and Defender for Endpoint also have things too.

232
00:14:29,380 --> 00:14:32,060
So yeah, it's been pretty busy.

233
00:14:32,060 --> 00:14:39,100
And as Mark said, I also had a lot of sympathy for the operations people who will have had

234
00:14:39,100 --> 00:14:41,540
a really rough couple of weeks with this.

235
00:14:41,540 --> 00:14:44,780
And of course it happened just before the holidays.

236
00:14:44,780 --> 00:14:50,860
So I hope for those of you that, well, definitely, I'm sure at least there are some people out

237
00:14:50,860 --> 00:14:52,460
there that had their plans affected.

238
00:14:52,460 --> 00:14:56,660
I really hope that you get a bit of a rest now in the new year.

239
00:14:56,660 --> 00:14:58,220
Now it's all calmed down a bit.

240
00:14:58,220 --> 00:15:03,220
And fingers crossed, we'll have a little bit more time before the next security thing that

241
00:15:03,220 --> 00:15:06,300
will happen because that is the circle of life.

242
00:15:06,300 --> 00:15:09,300
So it'll happen again with something as we all know.

243
00:15:09,300 --> 00:15:10,300
Here's one thing else.

244
00:15:10,300 --> 00:15:14,180
I wasn't going to talk about this, but the more I think about it, the more I need to

245
00:15:14,180 --> 00:15:15,180
talk about it.

246
00:15:15,180 --> 00:15:18,340
One thing that drives me a little bit bonkers.

247
00:15:18,340 --> 00:15:22,300
So I look at the, you know, I was going through the patches today for Log4j.

248
00:15:22,300 --> 00:15:27,540
And one thing I've never understood is, so I look at one of the patches for Log4j and

249
00:15:27,540 --> 00:15:33,740
it fixes like almost a dozen things, including changing port numbers from like default 514

250
00:15:33,740 --> 00:15:36,240
to 512.

251
00:15:36,240 --> 00:15:38,460
And again, I don't understand all the innards of Log4j.

252
00:15:38,460 --> 00:15:39,780
I've never actually used it.

253
00:15:39,780 --> 00:15:45,060
So I realize I'm not coming at this from a level of knowledge when it comes to Log4j.

254
00:15:45,060 --> 00:15:47,100
But the Apache folks do this a lot.

255
00:15:47,100 --> 00:15:50,940
They're issuing a security update, but it actually fixes a whole bunch of other stuff

256
00:15:50,940 --> 00:15:55,300
too or changes the way some features work too.

257
00:15:55,300 --> 00:15:57,300
I honestly don't like that.

258
00:15:57,300 --> 00:16:01,420
My preference is if you've got a security patch, it's like just fix the problem or the

259
00:16:01,420 --> 00:16:03,820
related security problems.

260
00:16:03,820 --> 00:16:07,740
Don't add features or change other features because if there's a regression in there,

261
00:16:07,740 --> 00:16:10,500
like for all we know, someone may have been using port 514.

262
00:16:10,500 --> 00:16:12,460
And again, I don't know.

263
00:16:12,460 --> 00:16:14,300
Now you just change the default port to 512.

264
00:16:14,300 --> 00:16:16,060
So now your application breaks.

265
00:16:16,060 --> 00:16:21,440
So you deployed a critical security update and your application breaks because they

266
00:16:21,440 --> 00:16:23,820
changed something else in the patch as well.

267
00:16:23,820 --> 00:16:26,020
I honestly don't like that.

268
00:16:26,020 --> 00:16:31,340
I think a security fix should be as surgical as humanly possible.

269
00:16:31,340 --> 00:16:35,060
I mean, if there are other security vulnerabilities, sure, fix them as well.

270
00:16:35,060 --> 00:16:37,580
But I don't think you should change functionality otherwise.

271
00:16:37,580 --> 00:16:39,340
And that's just my opinion.

272
00:16:39,340 --> 00:16:43,660
It's been a bugbear of mine for probably close to 20 years.

273
00:16:43,660 --> 00:16:46,260
And this is actually the first time I think I've actually mentioned it publicly, let alone

274
00:16:46,260 --> 00:16:47,260
on a podcast.

275
00:16:47,260 --> 00:16:49,060
But anyway, just my opinion.

276
00:16:49,060 --> 00:16:50,060
Yeah.

277
00:16:50,060 --> 00:16:53,100
I mean, I definitely understand where you're coming from, especially on something as high

278
00:16:53,100 --> 00:16:54,260
profile as this.

279
00:16:54,260 --> 00:16:56,820
You definitely want to be clean and surgical.

280
00:16:56,820 --> 00:17:00,180
If you're talking about a routine thing where you have to deliver a whole bunch of stuff

281
00:17:00,180 --> 00:17:03,220
every month anyway, it's a little bit of a different story.

282
00:17:03,220 --> 00:17:07,340
But when you've got a special thing that you know half the world is going to be applying

283
00:17:07,340 --> 00:17:09,980
and the other half is going to regret not applying.

284
00:17:09,980 --> 00:17:13,620
I tend to agree with you on the cleanliness, but I think that we have to differentiate

285
00:17:13,620 --> 00:17:18,420
like this kind of emergency from kind of a routine thing.

286
00:17:18,420 --> 00:17:20,900
Because the reality is it's like maintenance.

287
00:17:20,900 --> 00:17:22,980
You've got to change the oil in your car.

288
00:17:22,980 --> 00:17:25,660
That has to be just a normal part of how things go.

289
00:17:25,660 --> 00:17:28,700
You have to selectively figure out what you bundle and what you don't.

290
00:17:28,700 --> 00:17:32,100
But there's a decent volume because software is complicated.

291
00:17:32,100 --> 00:17:34,740
I'm not a fan of analogies either.

292
00:17:34,740 --> 00:17:36,740
Just saying, you know.

293
00:17:36,740 --> 00:17:40,420
But anyway, my view has always been that if you've had to make an argument by way of

294
00:17:40,420 --> 00:17:42,220
analogy, then your argument's weak.

295
00:17:42,220 --> 00:17:44,340
But anyway, I'll just leave it at that.

296
00:17:44,340 --> 00:17:46,420
Anyway, let's get back on topic.

297
00:17:46,420 --> 00:17:47,420
Okay.

298
00:17:47,420 --> 00:17:50,180
So I get to introduce our guest this week.

299
00:17:50,180 --> 00:17:54,660
Our special guest is Jess Dodson, who I know from Australia.

300
00:17:54,660 --> 00:17:57,500
Jess, do you want to introduce yourself?

301
00:17:57,500 --> 00:18:01,380
And tell us how long you've been at Microsoft and what you do.

302
00:18:01,380 --> 00:18:02,380
Absolutely.

303
00:18:02,380 --> 00:18:05,820
So my name is Jess Dodson, as Sarah has said.

304
00:18:05,820 --> 00:18:07,820
I'm a senior customer engineer.

305
00:18:07,820 --> 00:18:09,500
I've probably been with Microsoft now.

306
00:18:09,500 --> 00:18:13,820
I'm coming up to three years this May, which is very, very nice.

307
00:18:13,820 --> 00:18:16,060
I've probably been doing tech now.

308
00:18:16,060 --> 00:18:20,820
I'm coming up to 20 years, which is also making me feel very, very old.

309
00:18:20,820 --> 00:18:26,100
So I started off as a sysadmin and kind of slid from operations into security.

310
00:18:26,100 --> 00:18:31,460
And I kind of like having that background of operations from a security perspective,

311
00:18:31,460 --> 00:18:34,380
because I think it often gets missed.

312
00:18:34,380 --> 00:18:39,700
So Jess, the reason that we invited you on, of course, was to talk about one of your pet

313
00:18:39,700 --> 00:18:40,860
peeves.

314
00:18:40,860 --> 00:18:44,820
And I know you have done many conference talks about this in the past.

315
00:18:44,820 --> 00:18:47,660
So I know what they are.

316
00:18:47,660 --> 00:18:55,500
But just before we dive into it, what is your main pet peeve generally about things you

317
00:18:55,500 --> 00:18:57,140
see day to day?

318
00:18:57,140 --> 00:19:04,060
Trying to get people just to do what we consider to be basic security hygiene, basic security

319
00:19:04,060 --> 00:19:08,900
best practice, and it's just not being done.

320
00:19:08,900 --> 00:19:11,900
So I know that there's been a discussion about Log4j.

321
00:19:11,900 --> 00:19:17,660
And for me, probably the big one that comes out of that, if you don't know what you have,

322
00:19:17,660 --> 00:19:20,340
how are you going to be able to protect it?

323
00:19:20,340 --> 00:19:24,980
So if you don't have an inventory of your systems, if you don't know what systems you

324
00:19:24,980 --> 00:19:29,620
have, what operating systems they're running, what applications are in your environments,

325
00:19:29,620 --> 00:19:36,180
how are you supposed to be able to protect it when something like Log4j comes out?

326
00:19:36,180 --> 00:19:40,220
And I don't know any organization that's doing this well.

327
00:19:40,220 --> 00:19:45,900
And I don't understand why it is so hard for people to understand.

328
00:19:45,900 --> 00:19:47,340
At the same time, I do.

329
00:19:47,340 --> 00:19:48,340
It's boring.

330
00:19:48,340 --> 00:19:49,340
It's not fun.

331
00:19:49,340 --> 00:19:50,540
It's not sexy.

332
00:19:50,540 --> 00:19:52,900
It's not using new and shiny tools.

333
00:19:52,900 --> 00:19:54,740
It's really monotonous.

334
00:19:54,740 --> 00:19:55,940
No one likes documentation.

335
00:19:55,940 --> 00:19:57,700
No one likes documentation.

336
00:19:57,700 --> 00:19:59,060
So I do understand it.

337
00:19:59,060 --> 00:20:02,940
But why are we not seeing it done more?

338
00:20:02,940 --> 00:20:04,700
You know, it's interesting to bring that up.

339
00:20:04,700 --> 00:20:06,940
Back in the day, you know, in a galaxy far, far away.

340
00:20:06,940 --> 00:20:09,580
Actually, it must have been around 2002, I think.

341
00:20:09,580 --> 00:20:14,940
So my boss and I, my boss at the time was a gentleman by the name of Steve Lipner.

342
00:20:14,940 --> 00:20:21,100
He coined a term, which was giblets, which is basically components that you depend on

343
00:20:21,100 --> 00:20:23,980
that you don't actually create yourself.

344
00:20:23,980 --> 00:20:27,980
And really the product that sort of raised that to our attention was SQL Server.

345
00:20:27,980 --> 00:20:31,660
Because when the Slammer worm hit, a lot of people had SQL Servers and didn't actually

346
00:20:31,660 --> 00:20:35,060
realize it because they were using the developer edition of SQL Server, which is essentially

347
00:20:35,060 --> 00:20:36,820
an embedded version of the database.

348
00:20:36,820 --> 00:20:39,620
You know, it's not the classic SQL Server.

349
00:20:39,620 --> 00:20:42,180
You know, it's essentially a stripped down embedded version.

350
00:20:42,180 --> 00:20:46,820
And we see a very similar thing here with the Log4j stuff, right, is they've got this

351
00:20:46,820 --> 00:20:47,820
embedded library.

352
00:20:47,820 --> 00:20:49,780
A lot of people didn't know they had it.

353
00:20:49,780 --> 00:20:53,100
You know, this is what led to a lot of, you know, a lot of successful attacks because

354
00:20:53,100 --> 00:20:56,180
people didn't know they were even using it.

355
00:20:56,180 --> 00:21:00,220
And so I think you bring up a really interesting point that there needs to be better inventory

356
00:21:00,220 --> 00:21:01,220
management.

357
00:21:01,220 --> 00:21:04,980
So you know what, we've got a VM over there that's running this and we've got a VM over

358
00:21:04,980 --> 00:21:07,980
there that's running that and we've got a Cosmos DB here and we've got a SQL Server there

359
00:21:07,980 --> 00:21:11,380
and we've got a, you know, Azure Functions or, you know, whatever, it doesn't come in

360
00:21:11,380 --> 00:21:12,380
at any platform.

361
00:21:12,380 --> 00:21:14,260
It's not just, you know, not just Azure.

362
00:21:14,260 --> 00:21:15,860
So yeah, I think you bring up an important point there.

363
00:21:15,860 --> 00:21:20,300
I mean, unless you know what you have, you don't know if you have vulnerabilities or

364
00:21:20,300 --> 00:21:25,860
not, if there are vulnerability strikes, then, you know, it could be really problematic.

365
00:21:25,860 --> 00:21:32,460
Another example I saw here was with Kubernetes when Kubernetes had a serious issue a few

366
00:21:32,460 --> 00:21:33,460
years ago.

367
00:21:33,460 --> 00:21:34,460
It was an amplification vulnerability.

368
00:21:34,460 --> 00:21:39,660
I was working with a finance customer and they honestly did not know where all their

369
00:21:39,660 --> 00:21:42,620
Kubernetes systems were on-prem.

370
00:21:42,620 --> 00:21:47,100
They could easily find them in the cloud, whether it was in this example, AWS and Azure, but

371
00:21:47,100 --> 00:21:48,620
on-prem they had no clue.

372
00:21:48,620 --> 00:21:51,300
And all they knew is they had to go and find them and find them quickly and then patch

373
00:21:51,300 --> 00:21:54,580
them quickly, but they had no idea what they had.

374
00:21:54,580 --> 00:21:59,700
And I know, Mike, you're going to nail me for having another analogy here, but especially,

375
00:21:59,700 --> 00:22:04,060
yeah, because one of the things I always talk about whenever I'm giving like senior leadership

376
00:22:04,060 --> 00:22:09,740
guidance and try and slip in there somewhere is, you know, these systems are like, you

377
00:22:09,740 --> 00:22:11,540
know, having a fleet of cars or planes.

378
00:22:11,540 --> 00:22:16,700
If you don't maintain them, you're toast because I think the problem with paying attention

379
00:22:16,700 --> 00:22:20,220
to these kinds of things is it shouldn't be about whether it's boring or not.

380
00:22:20,220 --> 00:22:22,700
It should be about whether it's important or not.

381
00:22:22,700 --> 00:22:26,940
And if your senior leadership doesn't care and isn't making your IT and business people

382
00:22:26,940 --> 00:22:32,340
prioritize proper maintenance, then how are you going to expect them to listen to the

383
00:22:32,340 --> 00:22:36,700
security people when the business leaders say, yeah, I'm not paying you to maintain

384
00:22:36,700 --> 00:22:37,700
stuff.

385
00:22:37,700 --> 00:22:39,220
I'm paying you to do new features, right?

386
00:22:39,220 --> 00:22:43,140
Like if it's not important at that level and they don't recognize the risk of it, you're

387
00:22:43,140 --> 00:22:45,820
going to be fighting an uphill battle every day.

388
00:22:45,820 --> 00:22:53,180
And I think when we talk about the ROI on things like this, I think reactive versus proactive

389
00:22:53,180 --> 00:22:54,660
is what it comes down to.

390
00:22:54,660 --> 00:23:00,980
And I think a lot of organizations don't see the ROI in that proactive work.

391
00:23:00,980 --> 00:23:04,380
And we don't do a very good job of selling it either.

392
00:23:04,380 --> 00:23:10,220
From a security operations perspective, a lot of security operations stuff, I don't think

393
00:23:10,220 --> 00:23:16,500
they know how to sell that to their organizations that this is what the return would be.

394
00:23:16,500 --> 00:23:22,780
So an example for me would very much be around some of the ransomware stuff that we saw going

395
00:23:22,780 --> 00:23:24,580
around.

396
00:23:24,580 --> 00:23:30,940
Proactive maintenance would have saved some of those organizations millions of dollars

397
00:23:30,940 --> 00:23:41,100
when it came to DR and BCP and backup and HA and yet because it wasn't put in place,

398
00:23:41,100 --> 00:23:44,300
they ended up having to spend millions of dollars in ransom instead.

399
00:23:44,300 --> 00:23:48,780
So Jess, I have a question for you because I've made this observation that there's sort

400
00:23:48,780 --> 00:23:53,540
of like this magic line an organization crosses when they actually get a SOC manager, like

401
00:23:53,540 --> 00:23:58,300
someone in the management team, the leadership team that can advocate for, hey, it's going

402
00:23:58,300 --> 00:24:02,780
to cost a bunch more from a bunch more incidents if y'all don't start doing patching and all

403
00:24:02,780 --> 00:24:03,780
these other things.

404
00:24:03,780 --> 00:24:07,700
Like it costs me money and I'm going to have to take it out of budget and headcount and

405
00:24:07,700 --> 00:24:08,700
whatever.

406
00:24:08,700 --> 00:24:12,260
Like I've seen that there's that sort of like magic change point when organizations make

407
00:24:12,260 --> 00:24:16,580
that commitment to security operations or a SOC or whatever you want to call it.

408
00:24:16,580 --> 00:24:19,180
I mean, do you see the same thing there?

409
00:24:19,180 --> 00:24:20,380
100%.

410
00:24:20,380 --> 00:24:26,780
I think bums on seats, which is what I call it, is more important than tools because a

411
00:24:26,780 --> 00:24:29,980
lot of the time it comes down to people.

412
00:24:29,980 --> 00:24:35,220
It comes down to who is able to look at the things.

413
00:24:35,220 --> 00:24:40,820
And if you have particularly management who is advocating for all of the operation staff

414
00:24:40,820 --> 00:24:46,020
and from a security perspective and from that proactive perspective, if you have someone

415
00:24:46,020 --> 00:24:50,700
who's willing to do that, not only will you get the ability to do that proactive work,

416
00:24:50,700 --> 00:24:55,380
you're more likely to get more headcount as well, which gives you the ability to do the

417
00:24:55,380 --> 00:24:56,380
things that you want to do.

418
00:24:56,380 --> 00:25:00,620
If all you're doing is fighting fires, you're never going to get the chance to do any of

419
00:25:00,620 --> 00:25:02,060
that proactive work.

420
00:25:02,060 --> 00:25:04,300
So it's just going to go by the wayside.

421
00:25:04,300 --> 00:25:07,860
And a lot of that comes down to not having enough bums on seats.

422
00:25:07,860 --> 00:25:10,260
That's literally what I think it comes down to.

423
00:25:10,260 --> 00:25:15,260
And I've spoken about that one before, that all of the tools in the world are fantastic,

424
00:25:15,260 --> 00:25:20,100
but if there is no one to look at it, if there is no one to utilize those tools, what is

425
00:25:20,100 --> 00:25:21,100
the point?

426
00:25:21,100 --> 00:25:25,260
So inventory is like one of the first things that you brought up.

427
00:25:25,260 --> 00:25:30,780
What other areas do you think more customers need to spend more time and more focus on?

428
00:25:30,780 --> 00:25:35,100
For me, I think some of the other big ones, and I feel a little bit bad because I know

429
00:25:35,100 --> 00:25:38,340
that a lot of the people who will listen to this are going to be technical people.

430
00:25:38,340 --> 00:25:43,460
So I can already feel a lot of them cringing going, oh, that's me.

431
00:25:43,460 --> 00:25:48,180
I call it dog food, and that is you need to eat your own dog food.

432
00:25:48,180 --> 00:25:53,900
If you are expecting your users to do it, you should be doing it yourself.

433
00:25:53,900 --> 00:25:58,820
I know that from the perspective of being the person putting in a lot of those changes

434
00:25:58,820 --> 00:26:03,620
from a security perspective, if you are not willing to do it, if you come off as a hypocrite

435
00:26:03,620 --> 00:26:08,220
and saying, no, I'm making my users do this, but I'm not going to do it myself, a really

436
00:26:08,220 --> 00:26:12,220
good example of that is local administrative rights on workstations.

437
00:26:12,220 --> 00:26:16,140
If you are ensuring that there are no local administrative rights on your workstation for

438
00:26:16,140 --> 00:26:22,460
your users, but you still maintain local administrative rights on your standard workstation with your

439
00:26:22,460 --> 00:26:26,620
standard account, we shouldn't be doing that, and it's something that we really need to

440
00:26:26,620 --> 00:26:28,900
get better at from a security operation.

441
00:26:28,900 --> 00:26:32,100
Right, and you're talking about it from a productivity perspective, right?

442
00:26:32,100 --> 00:26:38,260
So Jim Bob, the admin, who is an admin in the environment, just doing their email and

443
00:26:38,260 --> 00:26:42,500
just browsing the web and doing their online banking and what have you within the organisation,

444
00:26:42,500 --> 00:26:43,860
they should not be an admin.

445
00:26:43,860 --> 00:26:45,220
Oh, 100% not.

446
00:26:45,220 --> 00:26:51,700
They don't need administrative rights, but at the same time, even as security operations,

447
00:26:51,700 --> 00:26:53,580
we don't need to either.

448
00:26:53,580 --> 00:26:58,780
Yes, we do still need to be able to do some administrative functions, but that doesn't

449
00:26:58,780 --> 00:27:03,780
mean that we should be modifying the rules for us.

450
00:27:03,780 --> 00:27:09,140
If we are expecting our users to jump through hoops in order to be able to get any form

451
00:27:09,140 --> 00:27:14,140
of administrative rights, then we should be doing the same for ourselves.

452
00:27:14,140 --> 00:27:17,580
Because if we're not willing to do it, why should we be expecting our users to?

453
00:27:17,580 --> 00:27:22,020
I remember some years ago, I was working with a, I'm not going to say who it is, but it

454
00:27:22,020 --> 00:27:25,220
was a legal institution.

455
00:27:25,220 --> 00:27:28,380
And they'd been hit really badly with malware.

456
00:27:28,380 --> 00:27:33,460
It turns out that patient zero was actually a person who was in the reception running

457
00:27:33,460 --> 00:27:36,500
as admin, as local admin on the machine.

458
00:27:36,500 --> 00:27:41,660
And so that person was running as admin, and the attack came through that person, and the

459
00:27:41,660 --> 00:27:43,100
person's admin on that machine.

460
00:27:43,100 --> 00:27:45,980
And it was just pretty easy from that point forward.

461
00:27:45,980 --> 00:27:48,820
So I see this problem as well a lot with developers.

462
00:27:48,820 --> 00:27:51,540
A lot of developers think they have to run as admin.

463
00:27:51,540 --> 00:27:53,940
99 times out of 100, you don't.

464
00:27:53,940 --> 00:27:55,860
There are some scenarios, but they're relatively rare.

465
00:27:55,860 --> 00:27:58,260
And with automation, you probably don't even need that anyway.

466
00:27:58,260 --> 00:28:02,900
One of my favorites in the Windows environment is, well, I need to be an admin to debug my

467
00:28:02,900 --> 00:28:03,900
application.

468
00:28:03,900 --> 00:28:04,900
No, you don't.

469
00:28:04,900 --> 00:28:06,900
Well, there's a debug privilege.

470
00:28:06,900 --> 00:28:10,420
I'm like, yes, there's a debug privilege, but that's only if you're debugging a process

471
00:28:10,420 --> 00:28:12,100
that's not running under your account.

472
00:28:12,100 --> 00:28:14,820
It's not for debugging your own code.

473
00:28:14,820 --> 00:28:16,580
A lot of people don't realize things like that.

474
00:28:16,580 --> 00:28:19,660
So yeah, I see this a lot with developers as well.

475
00:28:19,660 --> 00:28:25,780
And trying to pull admin rights from developers is often an uphill battle, but it's for everyone

476
00:28:25,780 --> 00:28:27,860
else's safety, ultimately.

477
00:28:27,860 --> 00:28:28,860
And I love developers.

478
00:28:28,860 --> 00:28:29,860
I do.

479
00:28:29,860 --> 00:28:33,860
They hold a little soft spot in my heart, but I do agree that trying to get those rights

480
00:28:33,860 --> 00:28:36,020
off them is really, really tricky.

481
00:28:36,020 --> 00:28:42,020
I also think that particularly when we're looking at where some of our risk vectors are in our

482
00:28:42,020 --> 00:28:47,460
environments, Sandpit environments and development environments and proof of concept environments

483
00:28:47,460 --> 00:28:55,300
are where I tend to see a lot of those nasty things coming in because they're not as tightly

484
00:28:55,300 --> 00:28:56,300
controlled.

485
00:28:56,300 --> 00:28:57,300
It's dev.

486
00:28:57,300 --> 00:28:58,300
It doesn't matter.

487
00:28:58,300 --> 00:28:59,300
We don't really need to worry about it.

488
00:28:59,300 --> 00:29:00,300
No, no, no, no, no.

489
00:29:00,300 --> 00:29:01,300
You do need to worry about that.

490
00:29:01,300 --> 00:29:07,300
If it is attached to your production environment, if it is using your production identity systems

491
00:29:07,300 --> 00:29:13,260
and it is touching any of your production data, you need to worry about them.

492
00:29:13,260 --> 00:29:18,100
And I see that quite a lot, particularly, and I know that Sarah will find this hilarious.

493
00:29:18,100 --> 00:29:23,660
When setting up Sentinel, when you connect Sentinel up and start streaming stuff in,

494
00:29:23,660 --> 00:29:28,820
it is often those dev tests, Sandpit environments that start flagging quite heavily.

495
00:29:28,820 --> 00:29:29,820
Oh, yes.

496
00:29:29,820 --> 00:29:31,180
I do know about this.

497
00:29:31,180 --> 00:29:38,260
And I also have to, I have seen, again, not naming any particular organizations because

498
00:29:38,260 --> 00:29:40,700
I've seen it in more than one during my career.

499
00:29:40,700 --> 00:29:46,500
I have seen some very, for one of the very sloppy dev and test environments because it

500
00:29:46,500 --> 00:29:48,180
doesn't matter because it's dev.

501
00:29:48,180 --> 00:29:50,300
It doesn't matter because it's test.

502
00:29:50,300 --> 00:29:54,900
And we know that actually attackers go and look, specifically because of this, attackers

503
00:29:54,900 --> 00:30:01,020
will go and look for those environments because they know that there's likely their security

504
00:30:01,020 --> 00:30:03,580
controls aren't as good.

505
00:30:03,580 --> 00:30:09,940
And as Jess said, of course, you can, if they all get hooked up to a SIEM, whether it's

506
00:30:09,940 --> 00:30:15,500
Sentinel or something else, that can generate some noise pretty quickly.

507
00:30:15,500 --> 00:30:17,260
So yeah, it's definitely a thing.

508
00:30:17,260 --> 00:30:22,660
And just to add on that developers thing as well with the developers having high admin,

509
00:30:22,660 --> 00:30:28,260
I've also seen, and again, I've seen it more than once, security teams give themselves

510
00:30:28,260 --> 00:30:30,260
very high admin access.

511
00:30:30,260 --> 00:30:34,700
And when you ask and say, hey, why does the team need this access?

512
00:30:34,700 --> 00:30:37,100
She said, well, it's the security team.

513
00:30:37,100 --> 00:30:38,100
We trust them.

514
00:30:38,100 --> 00:30:39,100
They need it.

515
00:30:39,100 --> 00:30:42,260
And of course, least privilege says you don't need it.

516
00:30:42,260 --> 00:30:46,900
If you don't actually need it to complete a task at any point during your job, it's access

517
00:30:46,900 --> 00:30:47,900
you shouldn't have.

518
00:30:47,900 --> 00:30:50,380
So yeah, it's not just the devs.

519
00:30:50,380 --> 00:30:51,900
It can be other people as well.

520
00:30:51,900 --> 00:30:54,700
It was just the thing I wanted to add in there.

521
00:30:54,700 --> 00:30:58,780
The thing that I always am a big fan of because it's like, just set up the guardrails the

522
00:30:58,780 --> 00:31:02,020
same dev all the way through, and then you have no surprises as you move from dev to

523
00:31:02,020 --> 00:31:04,420
test to prod or whatever you call your stages.

524
00:31:04,420 --> 00:31:07,540
Like I've always been a huge fan of that.

525
00:31:07,540 --> 00:31:10,740
And the other thing that, you know, as we were kind of building the PAW and the ESAE

526
00:31:10,740 --> 00:31:15,460
architecture and whatnot, we realized was kind of a nice trade off is if you force them

527
00:31:15,460 --> 00:31:19,900
onto an admin workstation, it's like, well, if you want admin privileges, you need a separate

528
00:31:19,900 --> 00:31:22,100
workstation.

529
00:31:22,100 --> 00:31:25,140
Maybe I don't need them that much.

530
00:31:25,140 --> 00:31:28,180
So that was one of the funny things as we're developing that that we kind of tapped into

531
00:31:28,180 --> 00:31:29,980
the psychology that's a beautiful segue.

532
00:31:29,980 --> 00:31:33,780
And when I look at the list of things that Jess wants to talk about, the next one is

533
00:31:33,780 --> 00:31:37,980
actually exactly that privileged access workstations.

534
00:31:37,980 --> 00:31:41,540
So Jess, you want to give us your thoughts on that?

535
00:31:41,540 --> 00:31:45,540
Privileged access workstations are something that we definitely do advocate for and we

536
00:31:45,540 --> 00:31:48,180
want to see more of.

537
00:31:48,180 --> 00:31:52,220
I'm yet to see them done what I would consider to be like gold standard.

538
00:31:52,220 --> 00:31:57,420
And I think that's probably the issue that I have with privileged access workstations

539
00:31:57,420 --> 00:32:04,620
is that people seem to think that you have to get it right first go.

540
00:32:04,620 --> 00:32:10,540
And I don't think that is necessarily the case.

541
00:32:10,540 --> 00:32:17,660
When it comes to getting something like PAWs in, something is better than nothing.

542
00:32:17,660 --> 00:32:21,380
And I hate to use this quote, but it is true.

543
00:32:21,380 --> 00:32:23,820
So the enemy of progress is perfection.

544
00:32:23,820 --> 00:32:28,820
There is no point in saying, I'm not going to do it until I get it perfect.

545
00:32:28,820 --> 00:32:32,500
But you're better off trying to do something than doing absolutely nothing.

546
00:32:32,500 --> 00:32:33,500
All right.

547
00:32:33,500 --> 00:32:36,460
I'm going to get the popcorn out because I want to hear what Mark has to say on this.

548
00:32:36,460 --> 00:32:39,420
No, I'm actually in agreement with it.

549
00:32:39,420 --> 00:32:41,940
I might have had a different opinion eight or 10 years ago.

550
00:32:41,940 --> 00:32:43,020
Oh my God.

551
00:32:43,020 --> 00:32:46,740
When we first came up with the ESAE and PAW architectures and recommendations and guidance

552
00:32:46,740 --> 00:32:52,020
around it, the idea of an admin desktop was not necessarily our original idea, but we

553
00:32:52,020 --> 00:32:55,900
did codify it and formalize it.

554
00:32:55,900 --> 00:33:00,300
But we've been just trying to make it easier and easier ever since.

555
00:33:00,300 --> 00:33:05,740
The big update we did about a year ago now was, hey, just use the cloud to manage and

556
00:33:05,740 --> 00:33:06,740
secure it.

557
00:33:06,740 --> 00:33:10,020
It's actually going to be more secure and it's a heck of a lot easier to deploy than

558
00:33:10,020 --> 00:33:16,340
going through all sorts of crazy on-prem AD isolation, GPO kind of stuff.

559
00:33:16,340 --> 00:33:21,340
We want it to be as easy as possible and we're constantly looking for what is a good logical

560
00:33:21,340 --> 00:33:22,340
step in.

561
00:33:22,340 --> 00:33:28,020
That's one easy, but two provides a meaningful step up in security.

562
00:33:28,020 --> 00:33:32,700
Always trying to, as much as we can, avoid that psychological barrier thing because,

563
00:33:32,700 --> 00:33:37,380
yes, we want to limit the amount of admins and use the PAW to do that if we can.

564
00:33:37,380 --> 00:33:40,780
But at the same time, we don't want people to go, I'm not going to do the PAW because

565
00:33:40,780 --> 00:33:42,420
that's too hard.

566
00:33:42,420 --> 00:33:44,420
And we're always trying to figure out the ramp up.

567
00:33:44,420 --> 00:33:47,260
I just realized a lot of people may not even know what a PAW is.

568
00:33:47,260 --> 00:33:52,020
Do you want to just spend real quickly just explaining super-duper quickly what a privileged

569
00:33:52,020 --> 00:33:53,940
access workstation is and why?

570
00:33:53,940 --> 00:33:54,940
Yes.

571
00:33:54,940 --> 00:34:02,380
So PAW, privileged access workstation, effectively the idea is that instead of using your standard

572
00:34:02,380 --> 00:34:07,380
issue OS that you do the web browsing and the dangerous stuff and clicking on email

573
00:34:07,380 --> 00:34:11,940
links, you actually have a separate operating system for that.

574
00:34:11,940 --> 00:34:16,780
You can do a separate operating system by having two physical pieces of hardware.

575
00:34:16,780 --> 00:34:18,820
Or you can have a separate VM.

576
00:34:18,820 --> 00:34:24,300
Now, you have to be very careful on this because a host OS can control a VM that's hosted

577
00:34:24,300 --> 00:34:25,300
on it.

578
00:34:25,300 --> 00:34:29,900
So you end up having to have a trusted underlying OS tied to the physical hardware.

579
00:34:29,900 --> 00:34:32,500
And then your productivity stuff lives in a VM.

580
00:34:32,500 --> 00:34:36,940
But ultimately, it's just a separate OS where admin stuff is done versus user stuff.

581
00:34:36,940 --> 00:34:38,700
And actually, to Jess's point, right?

582
00:34:38,700 --> 00:34:45,860
In a perfect world, you would have separate devices, but it's better to have a VM running

583
00:34:45,860 --> 00:34:49,700
on a host and separate the jobs that way.

584
00:34:49,700 --> 00:34:54,820
Your admin workloads from your non-admin workloads versus having the same machine doing admin

585
00:34:54,820 --> 00:34:56,620
and productivity at the same time.

586
00:34:56,620 --> 00:34:57,620
Yeah.

587
00:34:57,620 --> 00:35:00,580
It's just drawing a line between it and security boundary, if you will.

588
00:35:00,580 --> 00:35:05,580
So I just want to give you a couple of examples of this that I've seen over the last year,

589
00:35:05,580 --> 00:35:06,580
actually.

590
00:35:06,580 --> 00:35:09,740
I'm not going to say anything, but one was healthcare, one was finance.

591
00:35:09,740 --> 00:35:16,300
One was a company who said that if you ever touch production from a non-privileged access

592
00:35:16,300 --> 00:35:18,900
workstation, you will lose your job.

593
00:35:18,900 --> 00:35:25,340
So that's simple because they don't want anyone in production from their productivity keyboards

594
00:35:25,340 --> 00:35:30,220
because, like you say, their email slash phishing attacks, you can't guarantee that

595
00:35:30,220 --> 00:35:32,940
those air quotes keyboards are clean.

596
00:35:32,940 --> 00:35:35,500
And that's the whole point of a privileged access workstation.

597
00:35:35,500 --> 00:35:39,820
The second one was we're building a threat model for a customer and we have this Azure

598
00:35:39,820 --> 00:35:40,820
storage account.

599
00:35:40,820 --> 00:35:44,020
And as we go through the threat model, I'm like, okay, so what sort of accessibility

600
00:35:44,020 --> 00:35:45,020
does that storage account have?

601
00:35:45,020 --> 00:35:49,460
And it turns out it contained relatively sensitive information, but it's also accessible to the

602
00:35:49,460 --> 00:35:50,460
world.

603
00:35:50,460 --> 00:35:52,220
It didn't have any kind of IP restrictions on it.

604
00:35:52,220 --> 00:35:54,420
I'm like, you're kidding, right?

605
00:35:54,420 --> 00:35:57,380
I mean, please tell me there's some kind of isolation on this.

606
00:35:57,380 --> 00:35:59,060
It turns out that there wasn't.

607
00:35:59,060 --> 00:36:04,900
So one of the engineers actually on the call from his laptop on the Teams meeting actually

608
00:36:04,900 --> 00:36:07,740
went straight into production from his laptop.

609
00:36:07,740 --> 00:36:12,420
And so I actually sent a message to the, essentially the sponsor of this project.

610
00:36:12,420 --> 00:36:17,140
I'm like, did I just see what he just did then?

611
00:36:17,140 --> 00:36:22,780
He went straight into production from his normal developer laptop and the person they

612
00:36:22,780 --> 00:36:28,060
sent me a message back saying, yeah, I said, that's possibly worse than having the internet

613
00:36:28,060 --> 00:36:30,580
accessible storage account.

614
00:36:30,580 --> 00:36:31,740
We need to talk about that.

615
00:36:31,740 --> 00:36:35,180
So we chatted about that a little bit later and they, you know, they changed some of their

616
00:36:35,180 --> 00:36:39,500
policies and so on to not allow devs straight into production.

617
00:36:39,500 --> 00:36:45,500
So Jess, we've done inventory, eating your own dog food, least privilege and admin rights.

618
00:36:45,500 --> 00:36:48,260
We've done PAWs, no need to be perfect.

619
00:36:48,260 --> 00:36:51,020
What else is on your, your hit list?

620
00:36:51,020 --> 00:36:53,260
I think this one's going to be a little bit close to your heart.

621
00:36:53,260 --> 00:36:57,060
And I think you told me that you snaffled this one from Mark as well.

622
00:36:57,060 --> 00:37:03,540
For me, logging, and I love my sticker of collection is not detection.

623
00:37:03,540 --> 00:37:08,820
There's no point in collecting the stuff if you're not going to look at it.

624
00:37:08,820 --> 00:37:12,820
So I have a really good example of this one working for an organization, not going to

625
00:37:12,820 --> 00:37:19,300
name any names where they had turned on at the very top level of their domain file auditing

626
00:37:19,300 --> 00:37:25,340
and they were ingesting somewhere between one and two terabytes of data into their Log

627
00:37:25,340 --> 00:37:31,660
Analytics and Sentinel was costing a bucket load and they'd been doing this inside their

628
00:37:31,660 --> 00:37:35,780
on-prem SIEM for years.

629
00:37:35,780 --> 00:37:38,420
And yet they couldn't explain to me why they needed it.

630
00:37:38,420 --> 00:37:40,060
Oh no, we need to have that turned on.

631
00:37:40,060 --> 00:37:41,060
Why?

632
00:37:41,060 --> 00:37:43,700
What information are you going to get out of it?

633
00:37:43,700 --> 00:37:49,540
So when it comes to logging data, absolutely, you do need to collect your data, but unless

634
00:37:49,540 --> 00:37:54,060
you are doing something with it and you are tuning the information that you're getting

635
00:37:54,060 --> 00:37:59,740
out of it and making sure that what you're getting out of your logs is valuable, you're

636
00:37:59,740 --> 00:38:02,140
literally just paying for file storage.

637
00:38:02,140 --> 00:38:03,140
That's all you're doing.

638
00:38:03,140 --> 00:38:11,220
Now, this one is very close to my heart, Jess, because I have seen this numerous times that

639
00:38:11,220 --> 00:38:12,220
folks just pop.

640
00:38:12,220 --> 00:38:13,980
They just move everything.

641
00:38:13,980 --> 00:38:17,380
If they had an on-prem SIEM or if they didn't, they're just like, oh logs, let's put them

642
00:38:17,380 --> 00:38:21,180
straight into Log Analytics or Sentinel or whatever.

643
00:38:21,180 --> 00:38:27,460
And that is a premium product and there is a premium cost involved with ingestion.

644
00:38:27,460 --> 00:38:33,340
And really, if you're not actively using those logs for hunting or you're not, if you're

645
00:38:33,340 --> 00:38:38,220
not proactively using them for hunting or you're not reactively using them for detection,

646
00:38:38,220 --> 00:38:42,820
you probably do need to, and I'm not one to bang on about costs and stuff.

647
00:38:42,820 --> 00:38:47,340
I mean, personally, I'm far too technical and I largely sort of switch off when we start

648
00:38:47,340 --> 00:38:51,700
talking about costs, but it is something everyone has to bear in mind.

649
00:38:51,700 --> 00:38:57,660
And you do need to think about if you're not using those logs for anything, why are you

650
00:38:57,660 --> 00:39:01,180
ingesting them or is there somewhere else you can put them?

651
00:39:01,180 --> 00:39:06,860
Because we know that there are many organizations throughout the world and in different industry

652
00:39:06,860 --> 00:39:10,700
verticals who have some kind of retention requirement.

653
00:39:10,700 --> 00:39:13,420
It could be two years, five years, seven years.

654
00:39:13,420 --> 00:39:17,460
Seven years seems to be the sweet spot nowadays for a lot of places.

655
00:39:17,460 --> 00:39:22,380
But think about, do you actually need it in your SIEM or is there like a cheaper

656
00:39:22,380 --> 00:39:23,380
place?

657
00:39:23,380 --> 00:39:24,380
Can you put it in Blob?

658
00:39:24,380 --> 00:39:26,380
Can you put it in Azure Data Explorer?

659
00:39:26,380 --> 00:39:31,460
There are other sort of more cost effective ways potentially depending on how you need

660
00:39:31,460 --> 00:39:32,580
to use the logs.

661
00:39:32,580 --> 00:39:37,300
So yeah, honestly, that is a conversation I have time and time and time again, Jess.

662
00:39:37,300 --> 00:39:38,780
So yes, I know all about this.

663
00:39:38,780 --> 00:39:40,540
Oh, so, I think collection isn't detection.

664
00:39:40,540 --> 00:39:42,700
Definitely sounds like a Markism to me.

665
00:39:42,700 --> 00:39:49,420
It is a Markism and I will admit that I stole his phrase and put it on a sticker, but I

666
00:39:49,420 --> 00:39:51,380
don't hide that I stole his phrase.

667
00:39:51,380 --> 00:39:52,620
So I'm okay with it.

668
00:39:52,620 --> 00:39:56,140
I think I originally stole that because it's always a chain of theft, right?

669
00:39:56,140 --> 00:40:00,540
I think I originally stole that from an awesome MCS consultant named John Rodriguez.

670
00:40:00,540 --> 00:40:02,300
I think that's where I, that was my upstream.

671
00:40:02,300 --> 00:40:03,780
I have no idea where he stole it from.

672
00:40:03,780 --> 00:40:06,780
Well, no, in John, he definitely stole it from somewhere else.

673
00:40:06,780 --> 00:40:14,380
Okay, so we've had on the list so far inventory, eat your own dog food, least privilege, privileged

674
00:40:14,380 --> 00:40:21,980
access workstations, no need to be perfect and log management and collection isn't detection.

675
00:40:21,980 --> 00:40:23,500
What's next on the list, Jess?

676
00:40:23,500 --> 00:40:32,540
So tied very nicely into logging is your SIEM, SIM, whatever you want to call it, any of

677
00:40:32,540 --> 00:40:34,820
your security systems and any of your threat protection products.

678
00:40:34,820 --> 00:40:38,980
A lot of the time when I'm going into organizations, I'm helping them set that up.

679
00:40:38,980 --> 00:40:45,380
So I help a lot of customers set up Sentinel, set up Defender for Cloud, set up Defender

680
00:40:45,380 --> 00:40:51,620
for Cloud Apps, Defender for Identity, all of those and they're great products, but

681
00:40:51,620 --> 00:40:54,700
they aren't set and forget.

682
00:40:54,700 --> 00:41:01,340
They are systems that constantly require tuning and it ties in very nicely to the whole logging

683
00:41:01,340 --> 00:41:05,940
collection because unless you are tuning those systems and the information that they are

684
00:41:05,940 --> 00:41:09,660
sending through to your SIEM, you will be getting noise.

685
00:41:09,660 --> 00:41:12,980
You will be getting false positives or benign positives.

686
00:41:12,980 --> 00:41:15,940
You will be seeing information that isn't of use to you.

687
00:41:15,940 --> 00:41:18,180
So you need to make sure that you are tuning them.

688
00:41:18,180 --> 00:41:22,180
You need to make sure that there is maintenance being done on these systems because they aren't

689
00:41:22,180 --> 00:41:23,900
just set and forget.

690
00:41:23,900 --> 00:41:28,900
So for a lot of customers that I go into, I come in, I help set up Sentinel, six, 12

691
00:41:28,900 --> 00:41:31,500
months later, I come back, nothing has changed.

692
00:41:31,500 --> 00:41:34,220
I'm like, why haven't we added in new analytic rules?

693
00:41:34,220 --> 00:41:36,460
Why are there not new log sources connected?

694
00:41:36,460 --> 00:41:40,340
Why haven't we tweaked these particular analytic rules because things have changed in how you're

695
00:41:40,340 --> 00:41:43,340
operating or how your systems are configured?

696
00:41:43,340 --> 00:41:45,700
Why hasn't anything changed?

697
00:41:45,700 --> 00:41:49,740
So I'm definitely going to pop some popcorn out for this one, because Sarah tells me that Azure

698
00:41:49,740 --> 00:41:55,460
Sentinel is absolutely awesome, and you're telling us that you've got to sort of keep feeding

699
00:41:55,460 --> 00:41:56,460
it.

700
00:41:56,460 --> 00:41:58,140
So Sarah, what do you have to add there?

701
00:41:58,140 --> 00:42:03,780
I agree 100% with what Jess has to say, but I mean, like your perspective from a Sentinel

702
00:42:03,780 --> 00:42:04,780
perspective.

703
00:42:04,780 --> 00:42:12,300
Sentinel is awesome, but Jess is absolutely right in that it isn't entirely set and forget.

704
00:42:12,300 --> 00:42:18,700
So what we do, the whole point of Sentinel is that we have lots of out-of-the-box content

705
00:42:18,700 --> 00:42:24,140
that you can turn on, but we always do say you should have a look at the logic in there

706
00:42:24,140 --> 00:42:29,300
and you should check that it actually suits your organization because they're written

707
00:42:29,300 --> 00:42:33,900
by our security researchers, these detections and their hunting queries, but we still can't

708
00:42:33,900 --> 00:42:36,820
write them completely cookie cutter.

709
00:42:36,820 --> 00:42:39,140
Some of them may not be appropriate.

710
00:42:39,140 --> 00:42:45,740
So and we also, and we're building this out a lot at the moment in Sentinel, if you've

711
00:42:45,740 --> 00:42:51,540
been following Sentinel for a while, that we have also got now smart tuning.

712
00:42:51,540 --> 00:42:59,340
So if something's generating a lot of alerts and you're marking them as incidents and you're

713
00:42:59,340 --> 00:43:04,540
marking them as false positives, you can actually see that flow down into Sentinel, which means

714
00:43:04,540 --> 00:43:08,900
you know that you need to go and possibly look at retuning that rule.

715
00:43:08,900 --> 00:43:17,180
So as awesome as Sentinel is, we definitely make it as easy as we possibly can to do that.

716
00:43:17,180 --> 00:43:23,380
So it's not that you can set and forget it, and I'm sure that any product, Microsoft

717
00:43:23,380 --> 00:43:27,860
Security product person from any of our sister products would say exactly the same thing

718
00:43:27,860 --> 00:43:28,860
for theirs.

719
00:43:28,860 --> 00:43:34,140
We try and minimize that overhead as best we can, but we can't get rid of it.

720
00:43:34,140 --> 00:43:38,980
And at the risk of triggering people who have heard this quote way too much, the way I think

721
00:43:38,980 --> 00:43:44,820
about it is like the Spider-Man thing, with great power comes great responsibility.

722
00:43:44,820 --> 00:43:48,860
The more customization, the more you can tailor it, the more you can do this, the more you

723
00:43:48,860 --> 00:43:53,820
can extend it, the more that you have the responsibility to do that, right?

724
00:43:53,820 --> 00:43:56,760
The more that you have to maintain it and make sure it's on track.

725
00:43:56,760 --> 00:44:01,020
If it's a self-driving car and it steers for you, okay, and some of the XDR features are

726
00:44:01,020 --> 00:44:02,140
like that.

727
00:44:02,140 --> 00:44:06,700
But if it's something where you have to actually steer it and you get all the great road feedback

728
00:44:06,700 --> 00:44:11,020
and all that kind of stuff, because I'm really trying to annoy you with the analogies, like

729
00:44:11,020 --> 00:44:12,100
sorry.

730
00:44:12,100 --> 00:44:16,980
The more that you have control over it, the more that you have responsibility to keep it

731
00:44:16,980 --> 00:44:18,780
on track and tuned.

732
00:44:18,780 --> 00:44:25,660
And that's just it, because attackers, they don't get paid if they don't evolve their

733
00:44:25,660 --> 00:44:27,900
stuff and evade things.

734
00:44:27,900 --> 00:44:31,620
So it's a constant battle to always keep up with that leading edge of what the attackers

735
00:44:31,620 --> 00:44:32,620
are trying this week.

736
00:44:32,620 --> 00:44:36,700
Which is, from a practical perspective, Sarah, I'd just like your thoughts on this.

737
00:44:36,700 --> 00:44:42,060
So the Log4j stuff that we have in Sentinel, we've obviously issued some kind of background

738
00:44:42,060 --> 00:44:46,460
baseline checks that are in the product.

739
00:44:46,460 --> 00:44:52,460
Would we expect to see those evolve over time as new attacks or new exploits or even new

740
00:44:52,460 --> 00:44:54,420
vulnerabilities are found in the product?

741
00:44:54,420 --> 00:44:55,580
Yeah, definitely.

742
00:44:55,580 --> 00:45:02,260
In fact, for the Log4j solution that we released, it's already, it's definitely had at least

743
00:45:02,260 --> 00:45:04,340
one or two updates.

744
00:45:04,340 --> 00:45:07,500
And that was just as the situation was evolving.

745
00:45:07,500 --> 00:45:12,220
We added in additional hunting queries, some of them were tweaked a little bit.

746
00:45:12,220 --> 00:45:17,620
I believe the tweaks were to do with, at least some of the tweaks were to do with the IOC

747
00:45:17,620 --> 00:45:19,860
lists that were associated with it.

748
00:45:19,860 --> 00:45:24,580
And so in the Sentinel content hub, where we have this out of the box stuff, you can

749
00:45:24,580 --> 00:45:30,860
actually see now where something is due an update because we do keep updating things.

750
00:45:30,860 --> 00:45:36,180
So Microsoft is actually doing it as well where we can because even our stuff, we have

751
00:45:36,180 --> 00:45:37,180
to tune.

752
00:45:37,180 --> 00:45:39,220
Customers have to do the same thing.

753
00:45:39,220 --> 00:45:41,620
So yeah, definitely stuff will change.

754
00:45:41,620 --> 00:45:45,500
And as we see new attacks come out, we will release new things.

755
00:45:45,500 --> 00:45:50,700
It might be sometimes it's we're going to release brand new detections and hunting queries

756
00:45:50,700 --> 00:45:52,380
for new attacks.

757
00:45:52,380 --> 00:45:56,340
It might be that we see slightly different tactics and we tweak things.

758
00:45:56,340 --> 00:45:57,660
It'll depend on what happens.

759
00:45:57,660 --> 00:46:01,940
But yeah, even Microsoft and within the core stuff of what we do in the Sentinel product,

760
00:46:01,940 --> 00:46:04,060
we're always reviewing and updating things.

761
00:46:04,060 --> 00:46:07,380
And IOC meaning indicators of compromise.

762
00:46:07,380 --> 00:46:08,380
Yes.

763
00:46:08,380 --> 00:46:09,380
Thank you for reminding me.

764
00:46:09,380 --> 00:46:11,460
And IOC is an indicator of compromise.

765
00:46:11,460 --> 00:46:18,660
If you're not familiar with that acronym, an IOC is something that we know is bad,

766
00:46:18,660 --> 00:46:20,100
to give it the very high level.

767
00:46:20,100 --> 00:46:24,500
So it could be a URL, it could be an IP address, it might be a file hash.

768
00:46:24,500 --> 00:46:31,220
And generally, if you see an IOC in your logs, that might be an indicator that you've got

769
00:46:31,220 --> 00:46:33,220
something going on.

770
00:46:33,220 --> 00:46:35,940
It's not definitely, but it's probably something you want to look at.

771
00:46:35,940 --> 00:46:39,780
I just want to go down that little rabbit hole from Mark, like your comment, and Jess

772
00:46:39,780 --> 00:46:40,780
as well.

773
00:46:40,780 --> 00:46:44,500
So IOC, and I realize we're getting sort of on a tangent here.

774
00:46:44,500 --> 00:46:49,300
I mean, that's indicator of compromise, not indication of attack, right?

775
00:46:49,300 --> 00:46:52,340
I mean, attacks are easy.

776
00:46:52,340 --> 00:46:55,740
Indicator of compromise means that you've found something that may indicate that you've

777
00:46:55,740 --> 00:46:57,740
actually been compromised, not just attacked.

778
00:46:57,740 --> 00:46:58,740
Is that fair?

779
00:46:58,740 --> 00:46:59,740
Yeah.

780
00:46:59,740 --> 00:47:07,340
I would say if someone's got into your logs and so therefore the IOC is in your logs,

781
00:47:07,340 --> 00:47:13,260
so it's got into your environment somehow, I think it's definitely worth investigating

782
00:47:13,260 --> 00:47:17,340
to see if you actually have been compromised because someone's obviously breached your

783
00:47:17,340 --> 00:47:20,980
perimeter if an IOC is turning up in your logs.

784
00:47:20,980 --> 00:47:24,860
Well, I mean, the thing about it is an indicator, right?

785
00:47:24,860 --> 00:47:27,740
And it's a matter of probability.

786
00:47:27,740 --> 00:47:33,140
Because we put out, everybody puts out, hey, this is part of an attack.

787
00:47:33,140 --> 00:47:35,220
And there are false positives, right?

788
00:47:35,220 --> 00:47:40,340
And it's just a question of what the false positive rate is of that and is it a false

789
00:47:40,340 --> 00:47:43,220
positive or true positive?

790
00:47:43,220 --> 00:47:49,060
So IOC is definitely something worth investigating because, hey, this was based on a real attack

791
00:47:49,060 --> 00:47:51,540
and this is a sign of something.

792
00:47:51,540 --> 00:47:55,420
But it's by no means in my experience a guarantee that it's absolutely there.

793
00:47:55,420 --> 00:47:59,460
There is always, hopefully, a low false positive hit rate on those.

794
00:47:59,460 --> 00:48:02,300
And that's true of all products, all sources.

795
00:48:02,300 --> 00:48:03,300
Yeah.

796
00:48:03,300 --> 00:48:06,160
And I think when it comes to those indicators of compromise, a lot of the time they do come

797
00:48:06,160 --> 00:48:07,160
with probability.

798
00:48:07,160 --> 00:48:12,820
So you actually get that this is how confident we are that this is definitely an indicator

799
00:48:12,820 --> 00:48:16,820
of a compromise or this is how confident we are that this is definitely a risk that

800
00:48:16,820 --> 00:48:18,980
you need to be aware of.

801
00:48:18,980 --> 00:48:25,380
I think the whole idea of assume breach and assume compromise, like it's no longer

802
00:48:25,380 --> 00:48:29,300
I am completely protected and I am in my fortress and nothing can penetrate.

803
00:48:29,300 --> 00:48:35,740
It is there is likely to already be something within my environment and I have to do everything

804
00:48:35,740 --> 00:48:42,580
I can to prevent them from being able to exfiltrate data or laterally move or being

805
00:48:42,580 --> 00:48:45,920
able to obtain administrative credentials, those kind of things.

806
00:48:45,920 --> 00:48:51,580
So when you see those IOCs popping up in your logs and you are paying attention to them,

807
00:48:51,580 --> 00:48:57,020
it's more of a, hey, you need to remember that you have to be constantly vigilant.

808
00:48:57,020 --> 00:49:03,020
And I think that's more prevalent now than ever before.

809
00:49:03,020 --> 00:49:06,420
We need to just remember that there are always things we need to be looking for.

810
00:49:06,420 --> 00:49:07,420
All right.

811
00:49:07,420 --> 00:49:10,420
So we certainly covered a huge swath of topics today.

812
00:49:10,420 --> 00:49:16,580
We covered inventory, eat your own dog food, least privilege, privileged access workstations.

813
00:49:16,580 --> 00:49:18,380
No need to be perfect.

814
00:49:18,380 --> 00:49:21,260
Log management, collection isn't detection.

815
00:49:21,260 --> 00:49:23,260
Everything is not set and forget.

816
00:49:23,260 --> 00:49:28,500
Obviously, we went on a little bit of a wild goose chase there, but I think it's really important

817
00:49:28,500 --> 00:49:32,660
to understand what tools do and, frankly, what they don't do, and where the human interaction

818
00:49:32,660 --> 00:49:34,220
is required.

819
00:49:34,220 --> 00:49:40,460
So one thing we ask our guest, Jess, on every podcast is if you had one thought to leave

820
00:49:40,460 --> 00:49:43,180
our listeners with, what would it be?

821
00:49:43,180 --> 00:49:45,980
So it's kind of summing up everything.

822
00:49:45,980 --> 00:49:53,580
So for me, it's tools are amazing and tools can help you so much, but they aren't going

823
00:49:53,580 --> 00:49:57,340
to help you if you don't have your basics right.

824
00:49:57,340 --> 00:50:01,780
And I know that the basics might be boring and they are time consuming and they can be

825
00:50:01,780 --> 00:50:03,460
very monotonous.

826
00:50:03,460 --> 00:50:08,660
And there's likely to be a lot of internal and political considerations in regards to

827
00:50:08,660 --> 00:50:09,660
it.

828
00:50:09,660 --> 00:50:13,020
You might be ruffling some feathers, but at the same time, you have to fight for them.

829
00:50:13,020 --> 00:50:17,620
And I've found that that is the way things move forward.

830
00:50:17,620 --> 00:50:24,100
You need to be that change in your organization that fights for these proactive things to

831
00:50:24,100 --> 00:50:25,100
get done.

832
00:50:25,100 --> 00:50:26,700
And you can't know everything.

833
00:50:26,700 --> 00:50:28,580
So you have to ask for help.

834
00:50:28,580 --> 00:50:32,660
You have to ask for people to come on that journey with you.

835
00:50:32,660 --> 00:50:36,940
Because without the basics, the shiny means nothing.

836
00:50:36,940 --> 00:50:39,020
Yeah, I agree 100%.

837
00:50:39,020 --> 00:50:43,740
I mean, probably the most secure organizations I've ever seen have gotten the basics right.

838
00:50:43,740 --> 00:50:46,620
They don't necessarily have the latest and greatest and shiniest tools.

839
00:50:46,620 --> 00:50:51,700
I mean, they obviously use shiny tools, but they've really nailed the basics.

840
00:50:51,700 --> 00:50:53,300
And I think that's critically important.

841
00:50:53,300 --> 00:50:57,700
Actually, the funny thing is that the basics kind of haven't really changed over the years.

842
00:50:57,700 --> 00:50:58,700
They really haven't.

843
00:50:58,700 --> 00:51:01,140
The basics are just fundamentals.

844
00:51:01,140 --> 00:51:04,700
So yeah, I concur 100%.

845
00:51:04,700 --> 00:51:07,100
So with that, let's bring this podcast to an end.

846
00:51:07,100 --> 00:51:08,940
Jess, thank you so much for joining us this week.

847
00:51:08,940 --> 00:51:10,900
I know I can speak on behalf of all of us.

848
00:51:10,900 --> 00:51:12,580
Thank you so much for joining us.

849
00:51:12,580 --> 00:51:16,740
We always learn something or get a new perspective on things.

850
00:51:16,740 --> 00:51:19,620
And you've obviously brought that to this podcast as well.

851
00:51:19,620 --> 00:51:22,740
And to all our listeners out there, again, welcome to 2022.

852
00:51:22,740 --> 00:51:26,940
I hope this year is a little bit better than the last couple of years.

853
00:51:26,940 --> 00:51:28,220
Thank you again for listening.

854
00:51:28,220 --> 00:51:30,100
Stay safe and we'll see you next time.

855
00:51:30,100 --> 00:51:33,020
Thanks for listening to the Azure Security Podcast.

856
00:51:33,020 --> 00:51:39,860
You can find show notes and other resources at our website, azsecuritypodcast.net.

857
00:51:39,860 --> 00:51:45,020
If you have any questions, please find us on Twitter at Azure SecPod.

858
00:51:45,020 --> 00:52:05,420
The music is from ccmixter.com and licensed under the Creative Commons license.

