1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,360
where we discuss topics relating to security, privacy,

3
00:00:09,360 --> 00:00:13,680
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,680 --> 00:00:16,800
Hey everybody, welcome to Episode 48.

5
00:00:16,800 --> 00:00:18,280
This week is the whole gang here,

6
00:00:18,280 --> 00:00:21,120
it's myself, Michael, with Gladys, Sarah and Mark.

7
00:00:21,120 --> 00:00:23,320
We also have a guest, Al Erdley,

8
00:00:23,320 --> 00:00:25,480
who's here to talk to us about

9
00:00:25,480 --> 00:00:27,960
compliance manager and security scores.

10
00:00:27,960 --> 00:00:29,120
But before we get to Al,

11
00:00:29,120 --> 00:00:30,880
why don't we take a lap around the news?

12
00:00:30,880 --> 00:00:32,040
Sarah, why don't you kick things off?

13
00:00:32,040 --> 00:00:34,480
Sure. I will kick things off with

14
00:00:34,480 --> 00:00:37,120
some very unsurprising coverage from myself.

15
00:00:37,120 --> 00:00:39,960
I'm going to talk about what's new in Sentinel.

16
00:00:39,960 --> 00:00:44,360
We did mention on the news that we had an event last week,

17
00:00:44,360 --> 00:00:49,080
which was talking about some of the new features and products,

18
00:00:49,080 --> 00:00:50,640
releases that we've had.

19
00:00:50,640 --> 00:00:54,520
We did it instead of RSA because RSA has been postponed.

20
00:00:54,520 --> 00:00:57,760
A lot of cool things from a lot of different products,

21
00:00:57,760 --> 00:00:59,920
but let me pick some of my favorites.

22
00:00:59,920 --> 00:01:01,600
First off, in Sentinel,

23
00:01:01,600 --> 00:01:05,200
we now have a MITRE support coverage mapping thing,

24
00:01:05,200 --> 00:01:06,280
which is very cool.

25
00:01:06,280 --> 00:01:08,120
I know a lot of customers have been asking for it.

26
00:01:08,120 --> 00:01:09,400
If you go and open it up,

27
00:01:09,400 --> 00:01:13,080
you can see where you actually have coverage in Sentinel against

28
00:01:13,080 --> 00:01:16,800
those different tactics in the MITRE framework.

29
00:01:16,800 --> 00:01:19,720
You can also have a look at Azure Purview data.

30
00:01:19,720 --> 00:01:23,440
The other two that I'm really excited about are,

31
00:01:23,440 --> 00:01:27,200
you can search archived logs.

32
00:01:27,200 --> 00:01:28,520
When I say search,

33
00:01:28,520 --> 00:01:31,360
essentially we're doing something called basic logs.

34
00:01:31,360 --> 00:01:35,560
What it means is they're a lot cheaper to store things in.

35
00:01:35,560 --> 00:01:37,160
You can't do everything across them.

36
00:01:37,160 --> 00:01:38,920
They have some limitations,

37
00:01:38,920 --> 00:01:41,960
but it's basically a way to keep data for a longer period of time

38
00:01:41,960 --> 00:01:45,200
in Sentinel that you don't need to actively query,

39
00:01:45,200 --> 00:01:49,200
but you may need for something else later down the track.

40
00:01:49,200 --> 00:01:50,920
That's gone into public preview.

41
00:01:50,920 --> 00:01:54,040
That one's definitely worth checking out.

42
00:01:54,040 --> 00:01:57,840
Also, you can now manually run playbooks on the incident trigger,

43
00:01:57,840 --> 00:01:59,760
which makes me a very happy lady,

44
00:01:59,760 --> 00:02:03,920
something that we've needed for quite a long time.

45
00:02:03,920 --> 00:02:07,800
I'm just going to stick with my Sentinel this week.

46
00:02:07,800 --> 00:02:10,360
Hey, Sarah, on the MITRE framework,

47
00:02:10,360 --> 00:02:11,840
that's MITRE attack, right?

48
00:02:11,840 --> 00:02:13,400
Yes. Oh, yes.

49
00:02:13,400 --> 00:02:15,120
I forget there's more than one MITRE now.

50
00:02:15,120 --> 00:02:16,720
There's a lot of different frameworks.

51
00:02:16,720 --> 00:02:17,520
Yes. Okay, cool.

52
00:02:17,520 --> 00:02:18,200
Yes.

53
00:02:18,200 --> 00:02:20,640
I have quite a few news items this week.

54
00:02:20,640 --> 00:02:23,640
The first one literally has just come across my desk.

55
00:02:23,640 --> 00:02:26,320
That is that in GitHub,

56
00:02:26,320 --> 00:02:27,680
we have this tool called CodeQL,

57
00:02:27,680 --> 00:02:29,760
which is a static analysis framework.

58
00:02:29,760 --> 00:02:33,080
We now have added machine learning to it.

59
00:02:33,080 --> 00:02:35,440
For those of you not familiar with CodeQL,

60
00:02:35,440 --> 00:02:37,000
so the best way I think about CodeQL is

61
00:02:37,000 --> 00:02:40,120
imagine static analysis with a query language.

62
00:02:40,120 --> 00:02:43,680
In other words, there's an engine that runs and analyzes your code,

63
00:02:43,680 --> 00:02:45,680
it builds up essentially a database of

64
00:02:45,680 --> 00:02:48,600
the abstract syntax tree,

65
00:02:48,600 --> 00:02:51,160
like data flow analysis and so on of the code.

66
00:02:51,160 --> 00:02:52,920
Then you can query that just like you can,

67
00:02:52,920 --> 00:02:56,440
essentially a database and the language is very SQL-esque.

68
00:02:56,440 --> 00:02:58,160
That's CodeQL. In fact,

69
00:02:58,160 --> 00:03:03,440
there are libraries of queries that you can download from GitHub.

70
00:03:03,440 --> 00:03:04,680
For example, you could say,

71
00:03:04,680 --> 00:03:06,840
if some data is entered at this point,

72
00:03:06,840 --> 00:03:08,240
then goes through here, here, and here,

73
00:03:08,240 --> 00:03:11,280
and then it is used in this particular way,

74
00:03:11,280 --> 00:03:12,920
and the data is of a certain shape,

75
00:03:12,920 --> 00:03:15,200
then that's a security vulnerability.

76
00:03:15,200 --> 00:03:17,760
The really nice thing is it's almost democratizing

77
00:03:17,760 --> 00:03:21,440
the way people build queries into static analysis tools.

78
00:03:21,440 --> 00:03:25,400
That's CodeQL. Well, now we've just added machine learning.

79
00:03:25,400 --> 00:03:27,360
Now, it's in preview right now,

80
00:03:27,360 --> 00:03:30,840
but this is actually really cool because if you take

81
00:03:30,840 --> 00:03:32,680
the way static analysis tools work,

82
00:03:32,680 --> 00:03:36,920
they basically do data flow analysis and so on and so forth.

83
00:03:36,920 --> 00:03:38,760
Whereas, so you've got CodeQL,

84
00:03:38,760 --> 00:03:40,480
you've got deep logical analysis,

85
00:03:40,480 --> 00:03:42,120
deductive reasoning.

86
00:03:42,120 --> 00:03:46,240
Well, machine learning now does essentially inductive reasoning.

87
00:03:46,240 --> 00:03:48,320
So it's inducing, you can actually say,

88
00:03:48,320 --> 00:03:51,320
hey, this code has a SQL injection vulnerability in it,

89
00:03:51,320 --> 00:03:54,240
and it can deduce the paths and the data

90
00:03:54,240 --> 00:03:55,320
that actually ends up getting there.

91
00:03:55,320 --> 00:03:56,520
So it's machine learning.

92
00:03:56,520 --> 00:03:58,720
You say, yeah, that really is a SQL injection vulnerability

93
00:03:58,720 --> 00:04:02,720
or cross-site scripting or direct object references or whatever,

94
00:04:02,720 --> 00:04:04,120
or memory corruption.

95
00:04:04,120 --> 00:04:05,480
But yeah, this is actually really cool to see.

96
00:04:05,480 --> 00:04:08,120
I think this is going to be a really important product

97
00:04:08,120 --> 00:04:10,520
moving forward. CodeQL already is,

98
00:04:10,520 --> 00:04:12,440
but I think adding machine learning is just adding

99
00:04:12,440 --> 00:04:15,640
that extra layer of applicability.

100
00:04:15,640 --> 00:04:17,600
The next one is a tool named CloudKnox;

101
00:04:17,600 --> 00:04:19,560
we actually purchased this company last year.

102
00:04:19,560 --> 00:04:21,720
I saw a demo of this a couple of weeks ago.

103
00:04:21,720 --> 00:04:22,800
This is actually really cool.

104
00:04:22,800 --> 00:04:25,000
Essentially, the way I like to look at it

105
00:04:25,000 --> 00:04:27,600
is you deploy some solutions in Azure,

106
00:04:27,600 --> 00:04:30,600
or in fact, in this case, AWS or GCP,

107
00:04:30,600 --> 00:04:32,480
and you add RBAC policies,

108
00:04:32,480 --> 00:04:34,800
and you add authorization here and authorization there,

109
00:04:34,800 --> 00:04:36,280
and then over a period of time,

110
00:04:36,280 --> 00:04:38,680
you get this sort of permission creep, right?

111
00:04:38,680 --> 00:04:40,680
People leave the company, people change roles,

112
00:04:40,680 --> 00:04:43,640
people no longer need to have access to data,

113
00:04:43,640 --> 00:04:46,160
but the permission is still there.

114
00:04:46,160 --> 00:04:48,720
Well, CloudKnox lets you manage that.

115
00:04:48,720 --> 00:04:52,920
And again, I saw a demo of this a couple of weeks ago,

116
00:04:52,920 --> 00:04:54,040
and I was pretty blown away

117
00:04:54,040 --> 00:04:57,800
because you can actually see all the change

118
00:04:57,800 --> 00:05:00,280
in permissions over a period of time,

119
00:05:00,280 --> 00:05:02,560
and actually just start querying it to find out,

120
00:05:02,560 --> 00:05:06,160
do people actually need these kinds of permissions or not?

121
00:05:06,160 --> 00:05:07,920
And that extends not just from Azure,

122
00:05:07,920 --> 00:05:09,960
it's Azure, AWS and GCP,

123
00:05:09,960 --> 00:05:14,520
which again is demonstrative of Microsoft's commitments

124
00:05:14,520 --> 00:05:17,520
through cross-cloud strategies.

125
00:05:17,520 --> 00:05:19,240
The next one, which I'm gonna be honest,

126
00:05:19,240 --> 00:05:21,800
I've been waiting for this thing for a long time,

127
00:05:21,800 --> 00:05:25,480
and that is the ability to call APIs from your code

128
00:05:25,480 --> 00:05:28,680
to write your data to Microsoft,

129
00:05:28,680 --> 00:05:30,400
sorry, Azure Monitor logs.

130
00:05:31,360 --> 00:05:34,680
Sometimes you may want to have some custom data

131
00:05:34,680 --> 00:05:37,320
added to a log analytics workspace,

132
00:05:37,320 --> 00:05:39,680
while you can now do that relatively easily.

133
00:05:39,680 --> 00:05:41,040
It's in preview right now,

134
00:05:41,040 --> 00:05:42,120
the link's gonna be in the show notes,

135
00:05:42,120 --> 00:05:43,640
and you can sign up for that.

136
00:05:44,600 --> 00:05:47,000
The next one, not really security related,

137
00:05:47,000 --> 00:05:48,880
but I've had a lot of customers just recently talking

138
00:05:48,880 --> 00:05:50,640
about distributed denial of service attacks,

139
00:05:50,640 --> 00:05:52,760
certainly with the current geopolitical issues

140
00:05:52,760 --> 00:05:55,080
that are going on with Russia and Ukraine,

141
00:05:55,080 --> 00:05:57,160
and a lot of customers have been talking about it,

142
00:05:57,160 --> 00:05:58,800
about making sure they have appropriate mitigations

143
00:05:58,800 --> 00:06:02,120
in place around DDoS and other defenses as well,

144
00:06:02,120 --> 00:06:04,040
but certainly DDoS.

145
00:06:04,040 --> 00:06:05,360
The tool that we now have available,

146
00:06:05,360 --> 00:06:09,080
it's in preview, it's called Azure Load Testing,

147
00:06:09,080 --> 00:06:12,760
and it's a way of simulating load across your Azure application,

148
00:06:12,760 --> 00:06:16,280
and frankly, if your application can't handle

149
00:06:16,280 --> 00:06:17,800
Azure Load Testing, it's probably not gonna be able

150
00:06:17,800 --> 00:06:20,560
to handle other kinds of attacks as well,

151
00:06:21,520 --> 00:06:23,680
other than the mitigations that come with Azure.

152
00:06:23,680 --> 00:06:25,360
So take a look at that, Azure Load Testing,

153
00:06:25,360 --> 00:06:26,640
not a direct security tool,

154
00:06:26,640 --> 00:06:30,400
but it certainly has some security ramifications.

155
00:06:30,400 --> 00:06:34,640
The next one is, we've just introduced this in preview,

156
00:06:34,640 --> 00:06:37,160
Azure Active Directory with a multi-stage

157
00:06:37,160 --> 00:06:39,520
access review process.

158
00:06:39,520 --> 00:06:42,280
Again, this is this sort of feature,

159
00:06:42,280 --> 00:06:45,320
this RBAC creep, right, this sort of permission creep,

160
00:06:45,320 --> 00:06:46,720
and in this example, you can say,

161
00:06:46,720 --> 00:06:49,280
okay, Fred needs access to something,

162
00:06:49,280 --> 00:06:51,720
and he can go through a pipeline to get review.

163
00:06:51,720 --> 00:06:53,560
Historically, we could do it with multiple people,

164
00:06:53,560 --> 00:06:55,520
but it was sort of, everyone had to be in the same air quotes

165
00:06:55,520 --> 00:06:57,280
in the same room at the same time.

166
00:06:57,280 --> 00:06:59,040
Now we actually have a process that can go into,

167
00:06:59,040 --> 00:07:01,480
into our workflow where someone can get signed off

168
00:07:01,480 --> 00:07:03,800
to allow them access to something.

169
00:07:03,800 --> 00:07:06,560
So that's awesome to see as well.

170
00:07:06,560 --> 00:07:07,920
The next item is a colleague of mine,

171
00:07:07,920 --> 00:07:10,480
Eric Bochane has started a new blog series

172
00:07:10,480 --> 00:07:11,960
called Introduction to Drafting

173
00:07:11,960 --> 00:07:14,120
a Winning Cybersecurity Strategy.

174
00:07:14,120 --> 00:07:15,920
It's really great material.

175
00:07:15,920 --> 00:07:18,640
Eric is one of those people who's really good at looking

176
00:07:18,640 --> 00:07:21,160
at the big picture, the sort of strategic picture

177
00:07:21,160 --> 00:07:22,640
around cybersecurity.

178
00:07:22,640 --> 00:07:23,680
It's really well written,

179
00:07:23,680 --> 00:07:25,520
and a lot of it is really good,

180
00:07:25,520 --> 00:07:27,800
just good old common sense.

181
00:07:27,800 --> 00:07:31,200
And finally, Cosmos DB now has a Defender product,

182
00:07:31,200 --> 00:07:33,200
Microsoft Defender for Cosmos DB.

183
00:07:33,200 --> 00:07:36,920
It's very similar to the way Microsoft Defender

184
00:07:36,920 --> 00:07:38,600
for SQL Server works,

185
00:07:38,600 --> 00:07:40,560
in that it looks for things like access

186
00:07:40,560 --> 00:07:43,840
from sort of suspicious locations,

187
00:07:43,840 --> 00:07:45,120
as well as what you might consider

188
00:07:45,120 --> 00:07:46,960
suspicious data exfiltration.

189
00:07:46,960 --> 00:07:49,920
So pretty similar to what we're doing in SQL Server today.

190
00:07:49,920 --> 00:07:50,760
That's in preview.

191
00:07:50,760 --> 00:07:54,520
So if using Cosmos DB, go ahead and kick the tires on it.

192
00:07:54,520 --> 00:07:55,640
Yeah, so from my side,

193
00:07:55,640 --> 00:07:59,080
there's really one key thing that I wanted to highlight.

194
00:07:59,080 --> 00:08:00,480
It's already been out there for a little bit,

195
00:08:00,480 --> 00:08:03,040
but I'm actually getting ready to do a webinar for it

196
00:08:03,040 --> 00:08:05,440
in a little bit live.

197
00:08:05,440 --> 00:08:08,720
The Zero Trust Commandments is out from The Open Group,

198
00:08:08,720 --> 00:08:10,960
and it's actually fully out.

199
00:08:10,960 --> 00:08:13,320
So you don't have to register anything like that

200
00:08:13,320 --> 00:08:15,320
for a free account and all that, like you used to.

201
00:08:15,320 --> 00:08:16,560
It's just you go to the link now.

202
00:08:16,560 --> 00:08:19,200
So we put the link in the show notes.

203
00:08:19,200 --> 00:08:22,440
But the Zero Trust Commandments are the successor,

204
00:08:22,440 --> 00:08:24,680
the replacement for the original Jericho Commandments

205
00:08:24,680 --> 00:08:27,680
that kind of kicked off the whole Zero Trust thing

206
00:08:27,680 --> 00:08:29,760
and deperimeterization.

207
00:08:29,760 --> 00:08:31,000
And how do you think about security

208
00:08:31,000 --> 00:08:33,040
in sort of this new practical way

209
00:08:33,040 --> 00:08:36,440
that doesn't rely on everything at the edge,

210
00:08:36,440 --> 00:08:38,520
for detection, for blocking, et cetera.

211
00:08:39,400 --> 00:08:41,840
And how do we now protect in this age

212
00:08:41,840 --> 00:08:43,680
where your devices could be anywhere,

213
00:08:43,680 --> 00:08:46,480
your apps, your data could be anywhere?

214
00:08:46,480 --> 00:08:49,520
And so we really like the idea

215
00:08:49,520 --> 00:08:52,280
of the original Jericho Forum Commandments

216
00:08:52,280 --> 00:08:54,480
that were very clear, non-negotiable.

217
00:08:54,480 --> 00:08:56,720
Here are the rules period.

218
00:08:56,720 --> 00:08:58,600
And so these Zero Trust Commandments are out.

219
00:08:58,600 --> 00:09:00,400
We kind of took that same style,

220
00:09:00,400 --> 00:09:02,120
updated them for the world today,

221
00:09:02,120 --> 00:09:04,360
took some direct and indirect inspiration

222
00:09:04,360 --> 00:09:05,640
from the original Jericho ones,

223
00:09:05,640 --> 00:09:07,760
and then adapted it to cloud and mobile

224
00:09:07,760 --> 00:09:09,160
and all the things that we deal with today,

225
00:09:09,160 --> 00:09:10,840
multi-cloud, you name it.

226
00:09:10,840 --> 00:09:14,080
And these are really the second step of three

227
00:09:14,080 --> 00:09:16,800
to actually having Zero Trust becoming a global standard,

228
00:09:16,800 --> 00:09:18,280
which is kind of cool.

229
00:09:18,280 --> 00:09:21,120
And we're actually gonna cover that in the webinar,

230
00:09:21,120 --> 00:09:24,000
so we'll add the link to that if it's available.

231
00:09:24,000 --> 00:09:27,720
But effectively, we've started with the core principles,

232
00:09:27,720 --> 00:09:30,320
defining Zero Trust, what it is, et cetera.

233
00:09:30,320 --> 00:09:31,840
And then those really hardcore,

234
00:09:31,840 --> 00:09:33,160
non-negotiable rules of the road

235
00:09:33,160 --> 00:09:34,280
and the Zero Trust Commandments

236
00:09:34,280 --> 00:09:35,680
is within The Open Group.

237
00:09:35,680 --> 00:09:37,960
By the way, The Open Group also does TOGAF,

238
00:09:37,960 --> 00:09:38,960
and they were the original ones

239
00:09:38,960 --> 00:09:40,840
that defined the Unix and POSIX standards,

240
00:09:40,840 --> 00:09:42,680
which was kind of crazy for me.

241
00:09:42,680 --> 00:09:46,440
I'm like, wow, these folks have been around for a while.

242
00:09:46,440 --> 00:09:49,160
And then the, and TOGAF is The Open Group

243
00:09:49,160 --> 00:09:51,400
architecture framework.

244
00:09:51,400 --> 00:09:53,760
So it's kind of enterprise architecture standard.

245
00:09:53,760 --> 00:09:55,360
And then the one that's coming up

246
00:09:55,360 --> 00:09:57,440
is the Zero Trust reference model.

247
00:09:57,440 --> 00:09:59,120
And so this is where we actually,

248
00:09:59,120 --> 00:10:00,960
and so the Zero Trust reference model

249
00:10:00,960 --> 00:10:04,280
that's coming out soon is where it becomes a standard.

250
00:10:04,280 --> 00:10:06,920
So we're taking the definitions,

251
00:10:06,920 --> 00:10:10,400
the rules and resolving those into a very specific,

252
00:10:10,400 --> 00:10:12,080
prescriptive model of,

253
00:10:12,080 --> 00:10:14,080
these are the different functions and capabilities

254
00:10:14,080 --> 00:10:16,080
that Zero Trust will produce.

255
00:10:16,080 --> 00:10:17,640
This is how they interact,

256
00:10:17,640 --> 00:10:19,080
how they work together, et cetera.

257
00:10:19,080 --> 00:10:21,960
So really making Zero Trust real,

258
00:10:21,960 --> 00:10:24,720
and putting it out there as an open standard,

259
00:10:24,720 --> 00:10:27,600
through the standard open review process, et cetera,

260
00:10:27,600 --> 00:10:29,080
that The Open Group uses.

261
00:10:29,080 --> 00:10:31,800
So lots more cool stuff to come there,

262
00:10:31,800 --> 00:10:33,920
but definitely check out the Zero Trust Commandments

263
00:10:33,920 --> 00:10:34,760
in the meantime.

264
00:10:34,760 --> 00:10:37,200
So these are the rules of the road for Zero Trust

265
00:10:37,200 --> 00:10:40,440
in a very clear, unequivocal, non-negotiable,

266
00:10:40,440 --> 00:10:41,520
I think is the term we used.

267
00:10:41,520 --> 00:10:43,080
That's all I got for this week.

268
00:10:43,080 --> 00:10:48,080
Today my focus will be on identity-related releases.

269
00:10:48,520 --> 00:10:51,360
I am really excited about the unification work

270
00:10:51,360 --> 00:10:52,880
that we have been doing

271
00:10:52,880 --> 00:10:56,200
with Microsoft Defender Services.

272
00:10:56,200 --> 00:10:57,920
As many of you know,

273
00:10:57,920 --> 00:11:00,200
a few years ago we saw the need

274
00:11:00,200 --> 00:11:03,080
for enabling cross-service collaboration

275
00:11:03,080 --> 00:11:05,080
and unification of insight

276
00:11:05,080 --> 00:11:08,120
in order to help customers to detect, respond,

277
00:11:08,120 --> 00:11:10,600
and recover faster.

278
00:11:10,600 --> 00:11:14,240
Well, Defender for Identity is now fully integrated

279
00:11:14,240 --> 00:11:19,240
into the Microsoft 365 Defender Unified Experience.

280
00:11:19,400 --> 00:11:21,840
If you haven't seen it,

281
00:11:21,840 --> 00:11:25,880
I recommend watching the Microsoft 365 Defender Unified

282
00:11:25,880 --> 00:11:30,880
Experience for XDR video that the product group released.

283
00:11:30,880 --> 00:11:35,560
I have included the link on our website,

284
00:11:35,560 --> 00:11:38,600
but you could also search for it on YouTube.

285
00:11:38,600 --> 00:11:43,280
Again, the title is Microsoft 365 Defender Unified Experience

286
00:11:43,280 --> 00:11:45,080
for XDR.

287
00:11:45,080 --> 00:11:47,800
In addition, on February 20th,

288
00:11:47,800 --> 00:11:51,480
Defender for Identity added the shost attribute

289
00:11:51,480 --> 00:11:56,160
as part of the values that can be forwarded to your SIEM.

290
00:11:56,160 --> 00:11:59,000
The shost provides the account,

291
00:11:59,000 --> 00:12:01,680
usually this is the machine account,

292
00:12:01,680 --> 00:12:04,480
that is involved in the alert.

293
00:12:04,480 --> 00:12:05,760
Before this update,

294
00:12:05,760 --> 00:12:09,320
we only sent the user account.

295
00:12:09,320 --> 00:12:14,320
However, since many users can be used on multiple devices,

296
00:12:14,320 --> 00:12:17,400
we saw the opportunity to trigger automation

297
00:12:17,400 --> 00:12:20,520
within other Microsoft Defender Services

298
00:12:20,520 --> 00:12:23,320
by providing this value.

299
00:12:23,320 --> 00:12:26,240
You can review the full CEF format

300
00:12:26,240 --> 00:12:30,720
by visiting the link I have provided in our site.

301
00:12:30,720 --> 00:12:33,360
In addition, in that page,

302
00:12:33,360 --> 00:12:38,360
you will see a list of sample logs and expected values

303
00:12:39,480 --> 00:12:43,600
that we send to SIEMs,

304
00:12:43,600 --> 00:12:48,600
which comply with RFC 5424 and RFC 3164.

305
00:12:49,520 --> 00:12:51,160
All right, now the news is out of the way.

306
00:12:51,160 --> 00:12:53,320
Let's turn our attention to our guest.

307
00:12:53,320 --> 00:12:55,560
This week we have Al Erdley,

308
00:12:55,560 --> 00:13:00,440
who's here to talk to us about compliance and secure scores.

309
00:13:00,440 --> 00:13:02,480
Al, hey, welcome so much to the podcast.

310
00:13:02,480 --> 00:13:03,640
We'd like to spend a moment,

311
00:13:03,640 --> 00:13:05,880
introduce yourself to our listeners.

312
00:13:05,880 --> 00:13:07,760
Hey, yeah, thanks for having me.

313
00:13:07,760 --> 00:13:08,600
Great to be here.

314
00:13:08,600 --> 00:13:10,400
So yeah, my name's Al Erdley.

315
00:13:11,320 --> 00:13:13,840
So I joined Microsoft about a year ago,

316
00:13:13,840 --> 00:13:17,080
working in the Microsoft Technology Center in the UK.

317
00:13:17,080 --> 00:13:17,920
For those who don't know

318
00:13:17,920 --> 00:13:20,080
what the Microsoft Technology Centers are,

319
00:13:20,080 --> 00:13:24,640
we're a global network of teams working in different locations.

320
00:13:24,640 --> 00:13:27,360
And our mission is to deliver immersive experiences

321
00:13:27,360 --> 00:13:30,320
and deep technical engagements for clients.

322
00:13:30,320 --> 00:13:32,800
So we really try and enable customers

323
00:13:32,800 --> 00:13:37,440
to understand how to apply Microsoft technology.

324
00:13:37,440 --> 00:13:40,520
So we're really trying to help them overcome obstacles

325
00:13:40,520 --> 00:13:43,920
and understand the scope of what we can actually deliver

326
00:13:43,920 --> 00:13:45,880
from a Microsoft perspective.

327
00:13:45,880 --> 00:13:47,480
So one thing we're here to talk about

328
00:13:47,480 --> 00:13:51,680
is essentially secure score and compliance.

329
00:13:51,680 --> 00:13:53,160
So this is an area where,

330
00:13:53,160 --> 00:13:54,880
I spend quite a bit of time as well.

331
00:13:54,880 --> 00:13:59,160
I'm a big believer in compliance programs

332
00:13:59,160 --> 00:14:01,280
so long as people are realistic about them.

333
00:14:01,280 --> 00:14:04,440
For example, I've mentioned to many, many customers,

334
00:14:04,440 --> 00:14:05,440
just because you're compliant

335
00:14:05,440 --> 00:14:08,600
doesn't necessarily mean you're secure, you're compliant.

336
00:14:08,600 --> 00:14:10,880
They're not necessarily the same thing.

337
00:14:10,880 --> 00:14:13,360
But that being said, I think if you're not compliant,

338
00:14:13,360 --> 00:14:15,480
I can almost guarantee you're probably not secure

339
00:14:15,480 --> 00:14:17,160
in many cases as well.

340
00:14:17,160 --> 00:14:19,920
I'm working with the customer right now in healthcare

341
00:14:19,920 --> 00:14:21,960
and we're going through a similar exercise

342
00:14:21,960 --> 00:14:23,320
with them right now.

343
00:14:23,320 --> 00:14:26,160
So we're actually looking primarily at their

344
00:14:26,160 --> 00:14:31,160
Azure environment and looking at it from an ISO 27001

345
00:14:32,040 --> 00:14:34,800
perspective and then helping that to drive

346
00:14:34,800 --> 00:14:38,520
NIST SP 800-53 controls.

347
00:14:38,520 --> 00:14:41,520
So is that kind of the sort of stuff that you work on?

348
00:14:41,520 --> 00:14:43,720
I mean, you work on the tooling and technology

349
00:14:43,720 --> 00:14:46,520
and advice for customers in that area?

350
00:14:46,520 --> 00:14:47,360
Absolutely.

351
00:14:47,360 --> 00:14:51,160
So we work with clients like the client you're working with

352
00:14:51,160 --> 00:14:54,600
who have a need to demonstrate

353
00:14:54,600 --> 00:14:58,560
that they are adhering to a standard of one sort or another.

354
00:14:58,560 --> 00:15:03,160
So whether that is a global standard like ISO 27001

355
00:15:03,160 --> 00:15:08,160
or NIST or whether it's an industry standard like HIPAA

356
00:15:08,160 --> 00:15:12,040
or something like GDPR, clients who need to be able

357
00:15:12,040 --> 00:15:17,040
to demonstrate how they are compliant to those regulations.

358
00:15:17,160 --> 00:15:19,720
We provide a lot of information for them

359
00:15:19,720 --> 00:15:22,480
to help them understand the capabilities.

360
00:15:22,480 --> 00:15:25,880
But then importantly, to help them understand

361
00:15:25,880 --> 00:15:27,640
what actions they need to take

362
00:15:27,640 --> 00:15:30,520
to actually get to that compliant state.

363
00:15:30,520 --> 00:15:33,560
How do they measure where they are to start with,

364
00:15:33,560 --> 00:15:36,360
work out what they need to actually do to get there,

365
00:15:36,360 --> 00:15:39,440
and then to help them plan what actions and activities

366
00:15:39,440 --> 00:15:42,520
they need to do to implement those standards.

367
00:15:42,520 --> 00:15:43,360
So when we're talking about this,

368
00:15:43,360 --> 00:15:44,640
are we talking about Azure

369
00:15:44,640 --> 00:15:47,440
or are we talking about Microsoft 365?

370
00:15:47,440 --> 00:15:49,720
It may be worthwhile explaining to our listeners

371
00:15:49,720 --> 00:15:53,880
the difference between Azure and Microsoft 365

372
00:15:53,880 --> 00:15:55,760
and some of the compliance requirements

373
00:15:55,760 --> 00:15:58,240
that encompass those two environments.

374
00:15:58,240 --> 00:16:00,360
Would you like to just spend a little moment to explain that?

375
00:16:00,360 --> 00:16:01,200
Absolutely.

376
00:16:01,200 --> 00:16:03,160
So where you're looking at,

377
00:16:03,160 --> 00:16:05,080
and I guess this almost comes down

378
00:16:05,080 --> 00:16:06,640
to the terminology as well,

379
00:16:06,640 --> 00:16:09,680
because we see a lot of different ways

380
00:16:09,680 --> 00:16:11,920
that the word compliance is used

381
00:16:11,920 --> 00:16:13,960
in some of the context around this.

382
00:16:13,960 --> 00:16:17,480
So when we're thinking about Microsoft 365,

383
00:16:17,480 --> 00:16:19,280
it's software as a service.

384
00:16:19,280 --> 00:16:23,720
So we're really talking about how we configure that service

385
00:16:23,720 --> 00:16:27,080
and how we configure the different tools

386
00:16:27,080 --> 00:16:28,480
that somebody may have purchased

387
00:16:28,480 --> 00:16:30,440
based on their license levels.

388
00:16:30,440 --> 00:16:33,360
And making sure that those tools are configured

389
00:16:33,360 --> 00:16:36,320
to deliver on what they need to actually adhere to

390
00:16:36,320 --> 00:16:40,840
based on the requirements that they're trying to aim for.

391
00:16:40,840 --> 00:16:43,360
So when we're talking about Microsoft 365,

392
00:16:43,360 --> 00:16:44,720
we've got a few things in there.

393
00:16:44,720 --> 00:16:46,200
We've got compliance score,

394
00:16:46,200 --> 00:16:49,800
which is really talking about how they manage the content,

395
00:16:49,800 --> 00:16:51,800
how they manage the configuration

396
00:16:51,800 --> 00:16:53,440
of the compliance side of things

397
00:16:53,440 --> 00:16:56,200
in terms of measuring against the standards.

398
00:16:56,200 --> 00:16:58,560
And then you've got the secure score as well.

399
00:16:58,560 --> 00:17:00,320
That's really how we make sure

400
00:17:00,320 --> 00:17:03,240
that the environment is actually secured.

401
00:17:04,080 --> 00:17:07,040
They both play back to the standards

402
00:17:07,040 --> 00:17:08,480
that you might be trying to aim for.

403
00:17:08,480 --> 00:17:10,920
So those ISO and NIST standards.

404
00:17:10,920 --> 00:17:13,360
And then you've got Defender for Cloud,

405
00:17:13,360 --> 00:17:15,600
which is more of the Azure side.

406
00:17:15,600 --> 00:17:18,360
And because that's not so much of the software as a service,

407
00:17:18,360 --> 00:17:19,960
as platform as a service,

408
00:17:19,960 --> 00:17:21,800
that's more, there's more flexibility

409
00:17:21,800 --> 00:17:25,080
and there's more, I guess granularity in terms of,

410
00:17:25,080 --> 00:17:28,520
you might have two SQL instances that are both set up,

411
00:17:28,520 --> 00:17:30,480
but they're configured slightly differently.

412
00:17:30,480 --> 00:17:33,760
So you'd be looking at those different instances discretely

413
00:17:33,760 --> 00:17:36,560
in terms of how well they actually comply

414
00:17:36,560 --> 00:17:39,280
to the requirements that you are aiming for.

415
00:17:39,280 --> 00:17:41,720
But when we're looking at the Microsoft 365 side of it,

416
00:17:41,720 --> 00:17:43,680
it's very much around how we configure

417
00:17:43,680 --> 00:17:48,360
the Microsoft 365 services that come with that tenant.

418
00:17:48,360 --> 00:17:50,920
That, you hit on something really interesting there.

419
00:17:50,920 --> 00:17:54,840
You said, compliance score and secure score.

420
00:17:54,840 --> 00:17:56,600
I've done a lot of work with secure score,

421
00:17:56,600 --> 00:17:58,800
especially in Microsoft Defender for Cloud,

422
00:17:58,800 --> 00:18:01,400
which was Azure Security Center.

423
00:18:01,400 --> 00:18:02,920
And a lot of customers that I've worked with

424
00:18:02,920 --> 00:18:06,080
have focused on helping drive that number up,

425
00:18:06,080 --> 00:18:07,280
not artificially,

426
00:18:07,280 --> 00:18:09,240
actually driving it up with real,

427
00:18:09,240 --> 00:18:10,480
making real demonstrable,

428
00:18:10,480 --> 00:18:12,640
security improvements to their environment.

429
00:18:12,640 --> 00:18:14,200
But it's been very much around,

430
00:18:14,200 --> 00:18:17,120
around Azure, their Azure deployments.

431
00:18:17,120 --> 00:18:18,920
And in the Microsoft Defender for Cloud,

432
00:18:18,920 --> 00:18:22,200
I also see that there are compliance items in there as well.

433
00:18:22,200 --> 00:18:25,320
So I'll say that, you must encrypt,

434
00:18:25,320 --> 00:18:28,880
for example, volumes at rest for SQL server,

435
00:18:28,880 --> 00:18:30,640
for example, multi-factor authentication,

436
00:18:30,640 --> 00:18:31,800
those kinds of things.

437
00:18:31,800 --> 00:18:33,600
And I'll then say, on that,

438
00:18:33,600 --> 00:18:36,760
maps onto NIST SP 800-53, blah, blah, blah, blah, blah,

439
00:18:36,760 --> 00:18:40,440
or it maps onto the Azure Security Benchmark,

440
00:18:40,440 --> 00:18:41,320
blah, blah, blah, blah, blah,

441
00:18:41,320 --> 00:18:45,280
or it maps onto the Center for Internet Security requirements,

442
00:18:45,280 --> 00:18:47,480
one, two, three, four, and so on.

443
00:18:47,480 --> 00:18:48,960
But that's not compliance score though, right?

444
00:18:48,960 --> 00:18:52,120
That is just how a set of controls in Azure maps

445
00:18:52,120 --> 00:18:53,480
to various compliance programs,

446
00:18:53,480 --> 00:18:55,520
but that is not compliance score.

447
00:18:55,520 --> 00:18:58,080
So could you explain compliance score?

448
00:18:58,080 --> 00:19:01,160
Yeah, so the compliance score element,

449
00:19:01,160 --> 00:19:03,240
I guess, is a different set of control.

450
00:19:03,240 --> 00:19:07,120
So it's really looking about how you're looking

451
00:19:07,120 --> 00:19:09,520
after your information where it's stored

452
00:19:09,520 --> 00:19:10,960
in Microsoft 365.

453
00:19:10,960 --> 00:19:14,760
So where you're classifying content,

454
00:19:14,760 --> 00:19:16,360
where you're labeling content,

455
00:19:16,360 --> 00:19:20,560
where you're applying the rules to protect that content.

456
00:19:20,560 --> 00:19:23,080
So whether it's data loss prevention,

457
00:19:23,080 --> 00:19:26,280
whether it's conditional access to make sure

458
00:19:26,280 --> 00:19:30,360
that you're bringing together the risk of the user,

459
00:19:30,360 --> 00:19:34,200
the location of the content, the risk of the device.

460
00:19:34,200 --> 00:19:36,440
But basically the compliance,

461
00:19:36,440 --> 00:19:40,360
we think of that more around how you're managing

462
00:19:40,360 --> 00:19:42,240
the content that you're storing

463
00:19:42,240 --> 00:19:44,320
and your interactions with that content

464
00:19:44,320 --> 00:19:46,480
as opposed to the secure score,

465
00:19:46,480 --> 00:19:50,400
which certainly in Microsoft 365 is looking more around

466
00:19:50,400 --> 00:19:54,240
how we secure the identity, how we authenticate,

467
00:19:54,240 --> 00:19:59,240
how we're minimizing the risk that somebody would present

468
00:19:59,240 --> 00:20:00,840
based on the device that they're using,

469
00:20:00,840 --> 00:20:04,040
the compliance of that device to certain benchmarks

470
00:20:04,040 --> 00:20:07,000
that you're setting as an organizational standard.

471
00:20:07,000 --> 00:20:10,200
So it splits in terms of the compliance score,

472
00:20:10,200 --> 00:20:13,640
content once you're in, how do you access that content

473
00:20:13,640 --> 00:20:17,640
insider risks, how you're using the content,

474
00:20:17,640 --> 00:20:20,440
preventing it leaking out of the organization

475
00:20:20,440 --> 00:20:21,840
as opposed to the secure score,

476
00:20:21,840 --> 00:20:23,480
which is how do we make sure

477
00:20:23,480 --> 00:20:26,800
that whoever's coming into the organization is secure

478
00:20:26,800 --> 00:20:28,240
and is trustworthy.

479
00:20:28,240 --> 00:20:30,160
So it's slightly different.

480
00:20:30,160 --> 00:20:31,600
So it gets the defender for cloud

481
00:20:31,600 --> 00:20:33,280
when you get to the Azure element,

482
00:20:33,280 --> 00:20:35,600
is more of that going back 15 years

483
00:20:35,600 --> 00:20:37,480
is what I would have called the hardening,

484
00:20:37,480 --> 00:20:40,160
the securing of the network,

485
00:20:40,160 --> 00:20:43,280
the implementations that you've got,

486
00:20:43,280 --> 00:20:45,720
the services that you've actually implemented,

487
00:20:45,720 --> 00:20:48,040
the configurations that you've set up.

488
00:20:48,040 --> 00:20:49,600
Does that make sense?

489
00:20:49,600 --> 00:20:50,560
Yeah, it does.

490
00:20:50,560 --> 00:20:52,120
I mean, is there an overlap?

491
00:20:52,120 --> 00:20:53,400
There is an overlap.

492
00:20:53,400 --> 00:20:54,240
Okay.

493
00:20:54,240 --> 00:20:57,240
There is, and I guess this is where,

494
00:20:57,240 --> 00:20:58,600
I hear a lot of clients go,

495
00:20:58,600 --> 00:21:02,040
well, why are there three places that you can go

496
00:21:02,040 --> 00:21:03,400
to get different scores?

497
00:21:03,400 --> 00:21:06,600
Why can't we just make it one location

498
00:21:06,600 --> 00:21:08,560
where you can see everything?

499
00:21:08,560 --> 00:21:12,400
And I guess that would ideally be a much easier way

500
00:21:12,400 --> 00:21:13,840
to manage everything.

501
00:21:13,840 --> 00:21:16,440
There's a few reasons why they're separated.

502
00:21:16,440 --> 00:21:19,320
One is the people who are managing them,

503
00:21:19,320 --> 00:21:20,640
they might actually be different.

504
00:21:20,640 --> 00:21:22,160
They might have different skill sets,

505
00:21:22,160 --> 00:21:25,720
different depth of understanding around different areas.

506
00:21:25,720 --> 00:21:29,280
And when you're thinking about the compliance manager,

507
00:21:29,280 --> 00:21:32,880
so the admin interface in Microsoft 365

508
00:21:32,880 --> 00:21:34,280
around compliance,

509
00:21:34,280 --> 00:21:37,680
there's a lot of secure access that you need.

510
00:21:37,680 --> 00:21:40,400
So there's a lot of elements within that

511
00:21:40,400 --> 00:21:41,920
that you're configuring and using

512
00:21:41,920 --> 00:21:44,760
to get that compliance score increased,

513
00:21:44,760 --> 00:21:48,200
where you have, I wouldn't say global admin,

514
00:21:48,200 --> 00:21:51,080
but you have very high levels of permissions

515
00:21:51,080 --> 00:21:54,440
to actually access contents across the board.

516
00:21:54,440 --> 00:21:58,160
Whereas the secure score is very much more traditional

517
00:21:58,160 --> 00:22:00,960
sort of infrastructure and identity management.

518
00:22:00,960 --> 00:22:02,640
So you've got different skill sets

519
00:22:02,640 --> 00:22:05,120
that's needed to actually manage these.

520
00:22:05,120 --> 00:22:07,880
And it also very much depends on the license levels

521
00:22:07,880 --> 00:22:10,480
that you've actually purchased as to what services

522
00:22:10,480 --> 00:22:13,280
you can actually use to increase these scores.

523
00:22:13,280 --> 00:22:17,360
All of these controls are played back to the standards

524
00:22:17,360 --> 00:22:19,000
that you're actually aiming for.

525
00:22:19,000 --> 00:22:24,000
If you're looking at something like NIST 800-53,

526
00:22:24,000 --> 00:22:28,440
we're looking at, there's what, about 1200 controls there,

527
00:22:28,440 --> 00:22:32,640
which results just for the Microsoft 365 side of it

528
00:22:32,640 --> 00:22:34,760
in about 5,000 recommendations

529
00:22:34,760 --> 00:22:37,440
of things that you should actually configure.

530
00:22:37,440 --> 00:22:40,800
So there's a lot of different recommendations

531
00:22:40,800 --> 00:22:43,240
of what you need to do to configure,

532
00:22:43,240 --> 00:22:48,240
to get the most out of the Microsoft 365 solutions

533
00:22:48,240 --> 00:22:53,280
and make them compliant with NIST SP 800-53.

534
00:22:53,280 --> 00:22:56,680
One of the things that we always try to do

535
00:22:56,680 --> 00:23:01,600
is beat up the tasks that the analysts are doing

536
00:23:01,600 --> 00:23:05,200
or the engineers are doing in the environment.

537
00:23:05,200 --> 00:23:08,280
So I was gonna lead it kind of like,

538
00:23:08,280 --> 00:23:11,120
you know, we are as part of our strategy,

539
00:23:11,120 --> 00:23:14,640
we're always talking about meantime to acknowledge

540
00:23:14,640 --> 00:23:19,640
or remediate and how do we enable customers

541
00:23:19,640 --> 00:23:24,080
to move on all the recommendations, right?

542
00:23:24,080 --> 00:23:25,720
Does that make sense?

543
00:23:25,720 --> 00:23:28,920
Yeah, I think that making it as easy as possible

544
00:23:28,920 --> 00:23:33,200
to actually implement these recommendations

545
00:23:33,200 --> 00:23:34,680
is something that I think a lot of work

546
00:23:34,680 --> 00:23:35,840
has been put in around that.

547
00:23:35,840 --> 00:23:40,080
So where you look at the recommendations in the interface,

548
00:23:40,080 --> 00:23:43,480
there's often a button to click to say configure it

549
00:23:43,480 --> 00:23:47,880
and to basically take you to exactly the right place

550
00:23:47,880 --> 00:23:50,760
to actually make the change that you need to make.

551
00:23:50,760 --> 00:23:54,800
So it is something that is made as easy as possible

552
00:23:54,800 --> 00:23:56,680
to allow people to manage.

553
00:23:56,680 --> 00:23:59,360
I think the other thing about those recommendations,

554
00:23:59,360 --> 00:24:01,520
you know, the number of recommendations is

555
00:24:01,520 --> 00:24:03,840
often clients will have, you know,

556
00:24:03,840 --> 00:24:07,200
potentially another solution in place.

557
00:24:07,200 --> 00:24:09,680
They might be using as an interim solution

558
00:24:09,680 --> 00:24:12,480
or they might be using as a permanent solution.

559
00:24:12,480 --> 00:24:14,840
So they can mitigate some of those recommendations

560
00:24:14,840 --> 00:24:17,480
where maybe they don't need to implement them

561
00:24:17,480 --> 00:24:19,480
because they've got an alternate solution

562
00:24:19,480 --> 00:24:21,440
and some of them might need more planning

563
00:24:21,440 --> 00:24:23,200
before they actually roll them out.

564
00:24:23,200 --> 00:24:26,240
So there's very much the sense

565
00:24:26,240 --> 00:24:28,840
that we're not just making those recommendations,

566
00:24:28,840 --> 00:24:30,960
we're giving clients the ability

567
00:24:30,960 --> 00:24:32,920
to manage those recommendations,

568
00:24:32,920 --> 00:24:36,080
to prioritize them and to track them

569
00:24:36,080 --> 00:24:38,360
as they actually roll them out and implement them.

570
00:24:38,360 --> 00:24:41,400
Having 5,000 recommendations is a little daunting

571
00:24:41,400 --> 00:24:44,280
for a lot of organizations when they first look at this.

572
00:24:44,280 --> 00:24:46,120
Yeah, so one thing you mentioned is not just

573
00:24:46,120 --> 00:24:48,320
the approximately 5,000 recommendations,

574
00:24:48,320 --> 00:24:52,080
but there's also 1,200 NIST SP 800-53 controls.

575
00:24:52,080 --> 00:24:54,120
What sort of coverage do we have of those controls?

576
00:24:54,120 --> 00:24:55,920
I mean, is it 50%, 60%?

577
00:24:55,920 --> 00:24:57,440
You know, kind of roughly what do we have?

578
00:24:57,440 --> 00:24:59,680
I mean, I realize that there's some stuff in NIST,

579
00:24:59,680 --> 00:25:02,240
again, I mean, specific NIST SP 800-53

580
00:25:02,240 --> 00:25:04,200
that is totally outside of our,

581
00:25:04,200 --> 00:25:06,200
or more accurately, the tenant's controls.

582
00:25:06,200 --> 00:25:08,160
So for example, things like, you know,

583
00:25:08,160 --> 00:25:10,560
doors on locks and so on is something that's a,

584
00:25:10,560 --> 00:25:13,080
you know, classic example of the shared responsibility model,

585
00:25:13,080 --> 00:25:13,920
right?

586
00:25:13,920 --> 00:25:17,640
That is something that we, Azure, take care of,

587
00:25:17,640 --> 00:25:20,200
but then there's other things that the tenant

588
00:25:20,200 --> 00:25:21,640
can take control of.

589
00:25:21,640 --> 00:25:24,400
So roughly, you know, what sort of coverage do we have there?

590
00:25:24,400 --> 00:25:25,880
I'm not sure of the exact percentage

591
00:25:25,880 --> 00:25:28,800
in terms of all of them, but what I would say is that,

592
00:25:29,800 --> 00:25:31,760
having been in a position where, you know,

593
00:25:31,760 --> 00:25:34,800
you're running an audit and you're presenting

594
00:25:34,800 --> 00:25:37,480
information back of those recommendations,

595
00:25:37,480 --> 00:25:40,280
those are the technical recommendations about

596
00:25:40,280 --> 00:25:44,520
what can you configure to make your tenants more compliant

597
00:25:44,520 --> 00:25:46,960
to those requirements.

598
00:25:46,960 --> 00:25:49,760
You can also download a spreadsheet

599
00:25:49,760 --> 00:25:51,520
of all of the recommendations.

600
00:25:51,520 --> 00:25:54,440
And that spreadsheet actually has a whole load more

601
00:25:54,440 --> 00:25:56,800
recommendations which are outside of the remit

602
00:25:56,800 --> 00:25:57,720
of the technology.

603
00:25:57,720 --> 00:26:01,440
So where it's processes and documentation

604
00:26:01,440 --> 00:26:04,760
that the compliance manager can't really manage for you.

605
00:26:04,760 --> 00:26:07,600
So when you are in an organization

606
00:26:07,600 --> 00:26:09,800
and you're going through the auditing process

607
00:26:09,800 --> 00:26:12,240
and you have to demonstrate these things,

608
00:26:12,240 --> 00:26:15,960
there's probably another 5,000 or so controls

609
00:26:15,960 --> 00:26:19,320
or recommendations where you actually need to do those

610
00:26:19,320 --> 00:26:21,040
outside of the technology.

611
00:26:21,040 --> 00:26:23,360
So all of those documentation and process,

612
00:26:23,360 --> 00:26:25,920
you know, interviews with users, as you say,

613
00:26:25,920 --> 00:26:28,440
the things that we can't influence

614
00:26:28,440 --> 00:26:30,560
from a technology perspective.

615
00:26:30,560 --> 00:26:33,800
So there's probably 50% of the technology

616
00:26:33,800 --> 00:26:36,760
and 50% that is process and documentation

617
00:26:36,760 --> 00:26:40,240
based on when you actually export the full list

618
00:26:40,240 --> 00:26:42,000
in the Excel export.

619
00:26:42,000 --> 00:26:46,040
So going back to helping a customer drive

620
00:26:46,040 --> 00:26:49,760
all those recommendations forward as fast as possible,

621
00:26:49,760 --> 00:26:52,120
how do we help them prioritize?

622
00:26:52,120 --> 00:26:55,040
And the reason that I'm trying to focus on that

623
00:26:55,040 --> 00:26:58,720
is because I see other type of solutions

624
00:26:58,720 --> 00:27:03,520
that provide guidance, but then the customer

625
00:27:03,520 --> 00:27:06,640
have to go through the environment configuration

626
00:27:06,640 --> 00:27:10,920
and define which areas are being affected

627
00:27:10,920 --> 00:27:14,320
and what is the priority of each one of them.

628
00:27:14,320 --> 00:27:16,520
Can you explain a little bit about that?

629
00:27:16,520 --> 00:27:20,360
Each recommendation comes with a number of points

630
00:27:20,360 --> 00:27:23,320
that will contribute towards the scores.

631
00:27:23,320 --> 00:27:28,320
So the scores are usually measured as a percentage

632
00:27:28,320 --> 00:27:33,400
and the total number of points and the achievable points

633
00:27:33,400 --> 00:27:36,600
is based on the licensing that's available.

634
00:27:36,600 --> 00:27:38,520
So where we have a recommendation,

635
00:27:38,520 --> 00:27:42,960
each recommendation will have a number of points

636
00:27:42,960 --> 00:27:46,760
that will allow you to move forward with your score.

637
00:27:46,760 --> 00:27:49,560
So you can prioritize based on the number of points

638
00:27:49,560 --> 00:27:51,880
and to get the most bang for the buck

639
00:27:51,880 --> 00:27:55,080
in terms of the way that a configuration

640
00:27:55,080 --> 00:27:57,000
will help move you forward.

641
00:27:57,000 --> 00:27:59,520
And I guess one thing to point out here

642
00:27:59,520 --> 00:28:02,160
is that these three scores, the compliance score,

643
00:28:02,160 --> 00:28:05,200
the secure score, both in Microsoft 365

644
00:28:05,200 --> 00:28:08,360
and in the secure score in Defender for Cloud,

645
00:28:08,360 --> 00:28:11,200
they all have the recommendations.

646
00:28:11,200 --> 00:28:13,960
They refer back to the assessments

647
00:28:13,960 --> 00:28:16,480
and to the measures against the standards

648
00:28:16,480 --> 00:28:18,080
in slightly different ways.

649
00:28:18,080 --> 00:28:21,280
So the compliance score within the compliance manager

650
00:28:21,280 --> 00:28:24,480
is probably the most mature in terms of you can choose

651
00:28:24,480 --> 00:28:27,640
from I think it's about 700 different assessments

652
00:28:27,640 --> 00:28:30,000
and you can choose which ones to actually implement

653
00:28:30,000 --> 00:28:32,720
and that will give you those recommendations.

654
00:28:32,720 --> 00:28:35,920
They are very granular in terms of what they're allowing you

655
00:28:35,920 --> 00:28:36,420
to do.

656
00:28:36,420 --> 00:28:40,200
So you can have one recommendation that will hit multiple sets

657
00:28:40,200 --> 00:28:42,600
of requirements around the standards.

658
00:28:42,600 --> 00:28:45,680
The secure score doesn't have quite the same granularity,

659
00:28:45,680 --> 00:28:48,680
doesn't have quite the same control in terms of which ones

660
00:28:48,680 --> 00:28:51,000
do you want to aim for.

661
00:28:51,000 --> 00:28:54,920
And the Defender for Cloud has a set of standards,

662
00:28:54,920 --> 00:28:58,240
but you can't really choose some of the more granular ones

663
00:28:58,240 --> 00:29:02,960
in terms of the much more regional requirements.

664
00:29:02,960 --> 00:29:06,120
So where you've got state level legislation

665
00:29:06,120 --> 00:29:07,960
that you might want to adhere to,

666
00:29:07,960 --> 00:29:10,880
regions, specific industry ones,

667
00:29:10,880 --> 00:29:14,000
the compliance score will have far more choice

668
00:29:14,000 --> 00:29:15,800
in terms of the different assessments

669
00:29:15,800 --> 00:29:17,600
that you could be using there.

670
00:29:17,600 --> 00:29:21,360
So it sounds like it's a lot more granular than secure score.

671
00:29:21,360 --> 00:29:24,240
Don't get me wrong, I mean secure score is pretty granular,

672
00:29:24,240 --> 00:29:27,160
but it sounds like you go above and beyond

673
00:29:27,160 --> 00:29:30,920
very low level technical controls to higher level

674
00:29:30,920 --> 00:29:33,600
technical controls, but a heck of a lot more of them.

675
00:29:33,600 --> 00:29:35,560
Like looking at the technical requirements

676
00:29:35,560 --> 00:29:38,880
through a compliance lens, is that a fair comment?

677
00:29:38,880 --> 00:29:41,440
I mean, as a security center, sorry, Microsoft Defender

678
00:29:41,440 --> 00:29:44,120
for Cloud, I still say it.

679
00:29:44,120 --> 00:29:47,480
They are very technical, they're very specific to specific

680
00:29:47,480 --> 00:29:49,320
services within Azure.

681
00:29:49,320 --> 00:29:53,000
They're not necessarily purely compliance driven.

682
00:29:53,000 --> 00:29:55,040
I mean, we do show the mappings on some various compliance

683
00:29:55,040 --> 00:29:56,000
programs.

684
00:29:56,000 --> 00:29:58,480
But it's almost like the compliance part of it is like,

685
00:29:58,480 --> 00:30:00,360
I'm not going to say secondary, but it's,

686
00:30:00,360 --> 00:30:03,920
the prime focus is like, let's look at the technical controls

687
00:30:03,920 --> 00:30:06,760
by themselves, and these are best practices that you should do.

688
00:30:06,760 --> 00:30:08,600
Whereas in the Microsoft compliance,

689
00:30:08,600 --> 00:30:11,640
sorry, the Microsoft 365 compliance manager,

690
00:30:11,640 --> 00:30:13,920
compliance is like the goal.

691
00:30:13,920 --> 00:30:16,360
And then we look at what technical controls are required

692
00:30:16,360 --> 00:30:17,560
to support those goals.

693
00:30:17,560 --> 00:30:18,800
Is that a fair comment?

694
00:30:18,800 --> 00:30:21,280
Yeah, yeah, I think that is a fair comment.

695
00:30:21,280 --> 00:30:24,360
I mean, the secure score and the hardening,

696
00:30:24,360 --> 00:30:27,600
yeah, things that you are going to be looking at putting in place.

697
00:30:27,600 --> 00:30:31,640
There's probably more granularity in the compliance scores

698
00:30:31,640 --> 00:30:34,240
because of the number of different elements

699
00:30:34,240 --> 00:30:37,520
that they're actually measuring and the way that those

700
00:30:37,520 --> 00:30:42,960
are applied to the 700-odd assessments that are available.

701
00:30:42,960 --> 00:30:46,280
But that being said, there'll be a lot that is common

702
00:30:46,280 --> 00:30:49,200
across a lot of those requirements.

703
00:30:49,200 --> 00:30:53,640
So implementing MFA, for example,

704
00:30:53,640 --> 00:30:55,280
is something that you'd kind of think,

705
00:30:55,280 --> 00:30:57,920
well, that's a secure score kind of element,

706
00:30:57,920 --> 00:31:00,360
but it's in the compliance score as well.

707
00:31:00,360 --> 00:31:04,960
And it will apply to most of the requirements that are there.

708
00:31:04,960 --> 00:31:08,760
And it will have quite a high number of points associated with it.

709
00:31:08,760 --> 00:31:12,000
But then there's going to be some things that are far more granular,

710
00:31:12,000 --> 00:31:16,120
far more low level in terms of putting the automation in,

711
00:31:16,120 --> 00:31:20,560
that you might say, actually, we need to automatically apply labels.

712
00:31:20,560 --> 00:31:25,480
We need to automatically be classifying our data based on the content.

713
00:31:25,480 --> 00:31:28,720
So those types of elements tend to be the more granular,

714
00:31:28,720 --> 00:31:32,120
lower level elements that are in the compliance score.

715
00:31:32,120 --> 00:31:37,720
So we've kind of just touched on ISO 27001 and NIST SP 800-53,

716
00:31:37,720 --> 00:31:41,000
and you mentioned HIPAA, for example.

717
00:31:41,000 --> 00:31:45,560
Are there other compliance programs that we consider in the compliance manager?

718
00:31:45,560 --> 00:31:48,240
There's about 700-odd assessments.

719
00:31:48,240 --> 00:31:50,880
So there's some out-of-the-box assessments.

720
00:31:50,880 --> 00:31:54,360
So we have some secure benchmarks that are in there.

721
00:31:54,360 --> 00:31:57,560
We've got things like GDPR that's out of the box.

722
00:31:57,560 --> 00:32:02,960
But then there are a lot of more regional, more niche standards

723
00:32:02,960 --> 00:32:04,400
that you can get assessments for.

724
00:32:04,400 --> 00:32:08,360
So it will measure against things like the New Zealand,

725
00:32:08,360 --> 00:32:13,080
GCIO, Spain, ENS, the Japan, FISC.

726
00:32:13,080 --> 00:32:17,000
Then we've got things like FedRAMP, we've got NIST, we've got DOD.

727
00:32:17,000 --> 00:32:22,320
There's all sorts of different types of assessments that are available,

728
00:32:22,320 --> 00:32:26,800
depending on what an organisation needs to adhere to.

729
00:32:26,800 --> 00:32:30,680
So they could choose those assessments based on their industry,

730
00:32:30,680 --> 00:32:34,800
based on where they are working, where they are operating.

731
00:32:34,800 --> 00:32:39,600
And the nice thing about these scores is that it will come up with one recommendation

732
00:32:39,600 --> 00:32:43,680
that will tick the box across multiple assessments.

733
00:32:43,680 --> 00:32:49,800
So if you are assessing yourself against ISO, NIST, GDPR, FedRAMP,

734
00:32:49,800 --> 00:32:54,360
then one recommendation could apply to requirements in all of those.

735
00:32:54,360 --> 00:32:58,200
So how do we ensure that there's no drift?

736
00:32:58,200 --> 00:33:03,120
Many companies are looking at different compliance requirements,

737
00:33:03,120 --> 00:33:04,680
security compliance.

738
00:33:04,680 --> 00:33:10,640
So how do we make sure that they don't lose track of what is happening

739
00:33:10,640 --> 00:33:14,480
accordingly to these compliance requirements?

740
00:33:14,480 --> 00:33:15,520
A great question.

741
00:33:15,520 --> 00:33:20,040
And I think it really highlights, actually, that this isn't a one-off exercise

742
00:33:20,040 --> 00:33:22,160
that you do and then it's done.

743
00:33:22,160 --> 00:33:25,600
So there's a few things that are in place within these scores.

744
00:33:25,600 --> 00:33:28,200
So you can see the change in time.

745
00:33:28,200 --> 00:33:34,800
So Microsoft updates the guidance in terms of how you adhere to the legislation,

746
00:33:34,800 --> 00:33:36,640
how you adhere to the standards.

747
00:33:36,640 --> 00:33:41,600
So if we update the technology, then there might be new options

748
00:33:41,600 --> 00:33:44,720
that you need to consider and configure appropriately.

749
00:33:44,720 --> 00:33:49,120
The assessments that we're using in terms of the checks that we're doing against a tenant,

750
00:33:49,120 --> 00:33:53,440
those will evolve as the requirements of the standards change,

751
00:33:53,440 --> 00:33:56,800
but also as the way the technology changes as well.

752
00:33:56,800 --> 00:33:59,480
So you need to keep on top of those updates.

753
00:33:59,480 --> 00:34:04,880
So check in on a regular basis to make sure that you are accepting updates

754
00:34:04,880 --> 00:34:09,400
to the assessments that you're using and then reviewing what you're actually doing

755
00:34:09,400 --> 00:34:14,480
in response to those as well and making sure that you are consciously checking

756
00:34:14,480 --> 00:34:19,880
should you change something, is there something new that you need to do is a key part of it.

757
00:34:19,880 --> 00:34:22,200
The scores don't stay static.

758
00:34:22,200 --> 00:34:26,560
They do carry on changing as we change the assessments.

759
00:34:26,560 --> 00:34:32,800
And the other thing that's in quite a few of these is that to adhere to some of these requirements,

760
00:34:32,800 --> 00:34:36,000
you need to be checking things like the audit logs and checking incidents

761
00:34:36,000 --> 00:34:40,840
and making sure that you're actually responding to the outputs of some of the configurations

762
00:34:40,840 --> 00:34:43,120
that we're recommending you put in.

763
00:34:43,120 --> 00:34:48,240
So you can't just set it all up and go, OK, on the 1st of January,

764
00:34:48,240 --> 00:34:54,680
we've got a score of 100% because it will slowly go down if you don't check it.

765
00:34:54,680 --> 00:34:59,200
So there is drift reports in there to show you what's changed,

766
00:34:59,200 --> 00:35:01,600
how your score has changed over time.

767
00:35:01,600 --> 00:35:06,920
And as I said, there are updates to the assessments which will change the recommendations

768
00:35:06,920 --> 00:35:10,280
that you need to carry out and how you need to configure things.

769
00:35:10,280 --> 00:35:15,160
My guess is, though, that the changes to assessments are relatively rigorous.

770
00:35:15,160 --> 00:35:18,120
What I mean by that, we don't just go and make changes.

771
00:35:18,120 --> 00:35:23,000
If a compliance program changes, then we would make changes to obviously,

772
00:35:23,000 --> 00:35:27,280
also if our technology changes and obviously, yes, we would add new compliance requirements

773
00:35:27,280 --> 00:35:28,720
or new compliance checks.

774
00:35:28,720 --> 00:35:30,840
But we don't just sort of like really nearly just go in and just like,

775
00:35:30,840 --> 00:35:32,240
hey, that sounds like a good idea.

776
00:35:32,240 --> 00:35:34,480
Let's go and add something.

777
00:35:34,480 --> 00:35:37,160
I know that Yuri Diogenes is going to get mad at me when I say this,

778
00:35:37,160 --> 00:35:41,560
but the Microsoft Defender for Cloud Secure Score,

779
00:35:41,560 --> 00:35:45,760
they're constantly adding new checks, but they're not driven by any compliance program.

780
00:35:45,760 --> 00:35:51,560
They're driven by folks saying, hey, we really need to start looking at these kinds of things.

781
00:35:51,560 --> 00:35:55,800
So for example, there's a set of requirements or sets of checks that are coming out soon.

782
00:35:55,800 --> 00:36:01,440
They're currently in preview for making sure that endpoints all use TLS, for example.

783
00:36:01,440 --> 00:36:05,040
And if you have an endpoint that doesn't have TLS, your Secure Score is going to drop

784
00:36:05,040 --> 00:36:06,680
when those things go live.

785
00:36:06,680 --> 00:36:11,640
But my guess is that the checks that we do in the compliance score are a little bit more...

786
00:36:11,640 --> 00:36:15,040
Rigor is probably not the right word, but I'll just use the word rigorous right now.

787
00:36:15,040 --> 00:36:18,760
Yeah, I mean, they change all the time.

788
00:36:18,760 --> 00:36:23,160
And it's not always adding lots of things that need to be updated.

789
00:36:23,160 --> 00:36:29,880
Sometimes it's just changing the way they're checking and because the legislation has changed slightly.

790
00:36:29,880 --> 00:36:34,480
In most cases, it's more because there's a new option that's been released.

791
00:36:34,480 --> 00:36:39,560
There's a new element of the technology which needs to be taken into account

792
00:36:39,560 --> 00:36:46,240
in order to make sure that you are retaining the level of compliance that you had previously.

793
00:36:46,240 --> 00:36:51,040
But if you don't check it, then the score just will continuously go down.

794
00:36:51,040 --> 00:36:56,520
So you do need to actively be checking for those updates, consciously checking,

795
00:36:56,520 --> 00:37:00,480
do I need to actually make a change to something because of those updates?

796
00:37:00,480 --> 00:37:07,760
At some point, the rubber has to hit the road and an organization has to go through the whole compliance process

797
00:37:07,760 --> 00:37:13,320
with an independent auditor because we can't do it, Microsoft can't do it, Azure can't do it,

798
00:37:13,320 --> 00:37:15,800
the customer can't do it, it has to be someone independent.

799
00:37:15,800 --> 00:37:22,320
So how do we see this compliance score and Microsoft Compliance Center being used in the real world?

800
00:37:22,320 --> 00:37:25,680
Like when an auditor is involved, what do we see?

801
00:37:25,680 --> 00:37:28,360
How do the auditors use this information, if at all?

802
00:37:28,360 --> 00:37:34,200
In my experience before joining Microsoft, we used a lot of these tools to actually get ourselves to

803
00:37:34,200 --> 00:37:37,600
being compliant with things like ISO 27001.

804
00:37:37,600 --> 00:37:44,360
And as you say, Microsoft can't certify an organization that they are compliant, we can't self-certify.

805
00:37:44,360 --> 00:37:46,520
So we need to have auditors coming in.

806
00:37:46,520 --> 00:37:52,920
One of the things that we did with the auditors was to agree how we were going to provide evidence of our compliance.

807
00:37:52,920 --> 00:37:59,000
So asking the question, what do you need me to show you when you come back in six months time

808
00:37:59,000 --> 00:38:01,960
so that I can demonstrate that I'm compliant?

809
00:38:01,960 --> 00:38:09,040
These tools really help in that respect because we can then show an auditor, our compliance manager,

810
00:38:09,040 --> 00:38:15,200
so we can show them what we've done, we can show them that we are following the recommended best practice

811
00:38:15,200 --> 00:38:21,160
in terms of how we're configuring the platform, how we're configuring a Microsoft 365 tenant.

812
00:38:21,160 --> 00:38:25,840
And if they want to see those granular configurations, we can show them that.

813
00:38:25,840 --> 00:38:28,560
We can show them the audit logs if they want to see that.

814
00:38:28,560 --> 00:38:33,240
We've then got the tools to be able to show them that and we can export the status,

815
00:38:33,240 --> 00:38:38,200
we can file that as a record of the point in time as part of that audit.

816
00:38:38,200 --> 00:38:47,240
So long as the auditors understand what we are showing them and they understand that we are providing that evidence,

817
00:38:47,240 --> 00:38:49,720
then that works out very well.

818
00:38:49,720 --> 00:38:56,880
And as I said earlier, a lot of what an auditor might actually be asking for may be things that are less technical.

819
00:38:56,880 --> 00:39:02,800
They're not the configuration of the technology, but the processes that surround the technology.

820
00:39:02,800 --> 00:39:06,120
How do you respond to an incident that is raised?

821
00:39:06,120 --> 00:39:12,840
How do you respond to a violation of a sharing policy or a DLP policy, data loss prevention?

822
00:39:12,840 --> 00:39:19,720
And those are processes that we can't manage from within the tenant, within the compliance manager.

823
00:39:19,720 --> 00:39:26,280
So we need to be clear with the auditors up front what we can show and tell them that's what we're going to show them,

824
00:39:26,280 --> 00:39:34,400
so they understand exactly what they're seeing and the value that it has in relation to the audit.

825
00:39:34,400 --> 00:39:40,360
I think the other thing that we found whilst I was going through this with an organisation was

826
00:39:40,360 --> 00:39:46,560
some of our insurers were looking at these same tools, not from a compliance side to speak,

827
00:39:46,560 --> 00:39:54,720
but from a security perspective to say, if we know that you have the right processes and the right security setup in place,

828
00:39:54,720 --> 00:40:00,240
then some of the insurance premiums could be reduced as well based on the same kind of evidence.

829
00:40:00,240 --> 00:40:05,960
Yeah, it's funny you bring up the last point. I've been working with some folks in this area as well

830
00:40:05,960 --> 00:40:10,960
and where they're looking at things like Microsoft Defender for Cloud, Secure Score.

831
00:40:10,960 --> 00:40:14,640
Actually, that's what we're looking at right now is exactly for this reason,

832
00:40:14,640 --> 00:40:22,080
is let's come up with a list of Secure Score settings or outcomes to show that not only is there a level of due diligence being done,

833
00:40:22,080 --> 00:40:31,680
but also that there are certain things in place that will actually reduce the cost of the premiums, as you say, for cybersecurity insurance.

834
00:40:31,680 --> 00:40:36,240
In fact, one thing we've even been talking about is if your Secure Score is below a certain level,

835
00:40:36,240 --> 00:40:39,680
get it up to the specific level before we'll even talk to you.

836
00:40:39,680 --> 00:40:46,760
I think that's reasonable, right? This is something that's very objective, it's an objective measurement.

837
00:40:46,760 --> 00:40:53,280
If you're not doing the basics, then you're probably going to get whacked anyway and I probably wouldn't insure you either, to be honest with you.

838
00:40:53,280 --> 00:40:59,560
Not that I'm an insurance company, or an underwriter by any stretch, but I probably wouldn't insure you either.

839
00:40:59,560 --> 00:41:05,000
So it's great to see that actually. I think that's really positive, I think, for the industry as a whole.

840
00:41:05,000 --> 00:41:12,480
Yeah, and I think, as you say, it's putting your own effort in, making sure that you're getting to a certain point.

841
00:41:12,480 --> 00:41:21,800
I mean, I've seen organisations that I've been speaking to around this thinking, well, do we target our team to say that we need the scores to be over 80%

842
00:41:21,800 --> 00:41:27,080
and that's a performance target to keep those scores at a certain level.

843
00:41:27,080 --> 00:41:32,960
So yeah, it's a good metric to have at our disposal, how we use it.

844
00:41:32,960 --> 00:41:35,760
We just need to make sure that we're using it appropriately.

845
00:41:35,760 --> 00:41:41,000
I had one client who said they wanted to set a target to make it 100%.

846
00:41:41,000 --> 00:41:45,040
I don't think I've ever seen a secure score or a compliant score of 100%.

847
00:41:45,040 --> 00:41:51,120
I don't even know whether it's actually possible to get to that point because it is constantly evolving.

848
00:41:51,120 --> 00:41:55,320
But it is a good measure to start with and to start those conversations with.

849
00:41:55,320 --> 00:42:01,200
Oh, I've seen people hit 100% and I'm going to be honest with you, they basically exempted themselves from a whole bunch of stuff.

850
00:42:01,200 --> 00:42:03,480
And I just don't agree with that at all.

851
00:42:03,480 --> 00:42:09,280
And as you say, you may be 100% today, but tomorrow that might change as we onboard some new checks.

852
00:42:09,280 --> 00:42:14,320
Again, discussions that I've had with customers, I had one just recently where they wanted to exempt something.

853
00:42:14,320 --> 00:42:17,600
And I'm like, no, in fact, it was multifactor authentication.

854
00:42:17,600 --> 00:42:23,320
I'm like, no, there's a reason why subscription owners require multifactor authentication.

855
00:42:23,320 --> 00:42:31,080
There are very strong, good, practical reasons why owners of a subscription should have multifactor authentication.

856
00:42:31,080 --> 00:42:32,120
I'm not going to exempt it.

857
00:42:32,120 --> 00:42:34,520
I think that's completely wrong.

858
00:42:34,520 --> 00:42:41,800
So yeah, I'm very leery actually at people wanting just to make a score, just to reach a score by whatever means.

859
00:42:41,800 --> 00:42:46,520
And in fact, this conversation I've just had recently was basically, yes, we want to raise our secure score,

860
00:42:46,520 --> 00:42:50,840
but we're going to make sure we're raising the secure score with stuff that really matters

861
00:42:50,840 --> 00:42:57,320
and making sure that we're actually really doing the right things and certainly not exempting ourselves from certain checks.

862
00:42:57,320 --> 00:43:05,680
Yeah, I'm a little bit leery of just wanting to make a score for the sake of making a score without thinking of the true security ramifications of what they're doing.

863
00:43:05,680 --> 00:43:07,800
And frankly, there are diminishing returns as well.

864
00:43:07,800 --> 00:43:14,040
But you get to a point where the real security benefit starts to not be as impactful as it were.

865
00:43:14,040 --> 00:43:16,040
Certain things are way more impactful than other things.

866
00:43:16,040 --> 00:43:19,240
So for example, multifactor authentication is just massive, right?

867
00:43:19,240 --> 00:43:22,360
And it's worth it 10%, whatever it is.

868
00:43:22,360 --> 00:43:24,280
And there are other ones that are not as impactful.

869
00:43:24,280 --> 00:43:27,800
And that's also represented in the percentage improvement.

870
00:43:27,800 --> 00:43:34,760
But let's focus on the big ones that really make a huge difference, not just from a compliance perspective,

871
00:43:34,760 --> 00:43:38,040
but just from an overall doing the right thing perspective.

872
00:43:38,040 --> 00:43:46,120
So following on what Michael just mentioned, there's people that have exempted different items such as MFA.

873
00:43:46,120 --> 00:43:56,840
Is there any way to keep track of this and follow up on these items to make sure that in the future as the environment evolves,

874
00:43:56,840 --> 00:44:05,720
the customer can continue looking at the particular items that they have accepted or even new updates?

875
00:44:05,720 --> 00:44:09,480
So yes, they can see when the assessments are updated.

876
00:44:09,480 --> 00:44:13,960
That's basically saying that the checks or the recommendations have changed.

877
00:44:13,960 --> 00:44:19,400
And so when they see those changes come through, they can have a look at all of them.

878
00:44:19,400 --> 00:44:26,680
So it can show, you know, you can use the filters to show everything or just to show the things that you haven't exempted.

879
00:44:26,680 --> 00:44:30,040
So you can still see the ones that you've chosen to exempt.

880
00:44:30,040 --> 00:44:32,120
You can still see any updates to those.

881
00:44:32,120 --> 00:44:37,640
So you can be flagged when things have changed and therefore when you have to revisit it as well.

882
00:44:37,640 --> 00:44:40,120
That's one final thought on that.

883
00:44:40,120 --> 00:44:43,560
And that is if you're exempting something, you better have a really good reason for exempting it.

884
00:44:43,560 --> 00:44:52,360
Because remember, an auditor is going to look at this and there better be a really good reason for exempting yourself from satisfying some requirement.

885
00:44:52,360 --> 00:44:57,960
The most common reason for exempting I found is because they have something that is not detected by our tooling.

886
00:44:57,960 --> 00:45:00,040
That's quite common and that's fine.

887
00:45:00,040 --> 00:45:05,080
But exempting something just because you don't think it's a good idea is probably not the right answer.

888
00:45:05,080 --> 00:45:07,640
Anyway, that's just my sort of final thoughts on that.

889
00:45:07,640 --> 00:45:13,240
And talking of final thoughts, the one thing we ask our guests on every episode is,

890
00:45:13,240 --> 00:45:16,920
if you had one final thought to leave our listeners with, what would it be?

891
00:45:16,920 --> 00:45:24,040
My final thought on this would be, think carefully about what you want to achieve in terms of the compliance and the standards you want to achieve.

892
00:45:24,040 --> 00:45:31,400
And then plan and work with your auditors to actually work through this process so that you can achieve that certification.

893
00:45:31,400 --> 00:45:40,840
Because in the end, the main aim is to be able to demonstrate that you are actually adhering to a standard so that you get the credibility for it.

894
00:45:40,840 --> 00:45:44,120
So plan with your auditor in terms of what you want to achieve.

895
00:45:44,120 --> 00:45:47,080
Hey Al, thank you so much for joining us this week.

896
00:45:47,080 --> 00:45:51,320
Great having you on, especially covering a topic that's actually near and dear to my heart,

897
00:45:51,320 --> 00:45:56,600
which is not just security but also the compliance implications of these various security standards.

898
00:45:56,600 --> 00:46:01,560
I know every customer that I've ever worked with in Azure, Microsoft 365,

899
00:46:01,560 --> 00:46:04,920
they all struggle with meeting compliance requirements.

900
00:46:04,920 --> 00:46:08,680
So it's great that we have fantastic tooling to help them achieve those goals.

901
00:46:08,680 --> 00:46:16,920
And as you mentioned, you need to sort of work with your auditors to make sure that we're all in agreement on what kind of artifacts and evidence you're going to provide.

902
00:46:16,920 --> 00:46:22,920
And what parts of the Microsoft 365 tooling will provide appropriate evidence to help satisfy the audit requirements.

903
00:46:22,920 --> 00:46:24,280
So again, thank you so much for joining.

904
00:46:24,280 --> 00:46:25,160
I really appreciate it.

905
00:46:25,160 --> 00:46:28,120
And to all our listeners out there, again, thank you so much for listening.

906
00:46:28,120 --> 00:46:29,480
I hope you enjoyed this one.

907
00:46:29,480 --> 00:46:31,400
Stay safe and we'll see you next time.

908
00:46:31,400 --> 00:46:34,280
Thanks for listening to the Azure Security Podcast.

909
00:46:34,280 --> 00:46:37,960
You can find show notes and other resources at our website.

910
00:46:37,960 --> 00:46:41,080
azsecuritypodcast.net.

911
00:46:41,080 --> 00:46:45,880
If you have any questions, please find us on Twitter at azuresetpod.

912
00:46:45,880 --> 00:47:09,240
Background music is from ccmixter.com and licensed under the Creative Commons license.

