1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,380
where we discuss topics relating to security, privacy,

3
00:00:09,380 --> 00:00:13,560
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,560 --> 00:00:16,720
Hey everybody, welcome to Episode 52.

5
00:00:16,720 --> 00:00:18,720
52 means we've been going for two years,

6
00:00:18,720 --> 00:00:19,860
officially two years.

7
00:00:19,860 --> 00:00:21,920
So it's our second birthday today.

8
00:00:21,920 --> 00:00:25,800
Really excited. I didn't think we ever would get to where we're at,

9
00:00:25,800 --> 00:00:27,400
but really, really proud of this podcast.

10
00:00:27,400 --> 00:00:30,160
So some fantastic guests over the years,

11
00:00:30,160 --> 00:00:31,360
like last two years,

12
00:00:31,360 --> 00:00:33,280
and hopefully we have many,

13
00:00:33,280 --> 00:00:35,680
many more years going forward.

14
00:00:35,680 --> 00:00:37,960
This week, we have myself, Michael,

15
00:00:37,960 --> 00:00:39,600
we have Mark and Sarah.

16
00:00:39,600 --> 00:00:41,120
Gladys is out right now,

17
00:00:41,120 --> 00:00:42,560
and we also have a guest,

18
00:00:42,560 --> 00:00:44,920
Shai Amar, who's here to talk to us about

19
00:00:44,920 --> 00:00:47,000
Microsoft Defender for Containers.

20
00:00:47,000 --> 00:00:48,480
But before we get to Shai,

21
00:00:48,480 --> 00:00:50,080
let's have a lap around the news.

22
00:00:50,080 --> 00:00:51,200
Mark, why don't you kick things off?

23
00:00:51,200 --> 00:00:56,160
So we're actually getting ready for Build and RSA.

24
00:00:56,160 --> 00:00:58,640
So not a whole lot of specific news.

25
00:00:58,640 --> 00:01:01,280
So I thought I'd take the opportunity to reinforce

26
00:01:01,280 --> 00:01:05,440
some just ongoing critical best practices around.

27
00:01:05,440 --> 00:01:08,600
When we look at the most damaging attacks that are out there,

28
00:01:08,600 --> 00:01:10,960
it's still unfortunately ransomware,

29
00:01:10,960 --> 00:01:13,120
which are really extortion attacks.

30
00:01:13,120 --> 00:01:16,080
So just want to make sure that folks had

31
00:01:16,080 --> 00:01:17,280
a current perspective on that,

32
00:01:17,280 --> 00:01:20,920
which is you have to consistently focus on backups first,

33
00:01:20,920 --> 00:01:24,360
make sure that you can back up the systems that matter,

34
00:01:24,360 --> 00:01:26,320
and that you can restore them quickly,

35
00:01:26,320 --> 00:01:28,040
being the much more important part.

36
00:01:28,040 --> 00:01:29,720
What we've learned there is,

37
00:01:29,720 --> 00:01:35,480
it's really a team sport between security and IT and business folks.

38
00:01:35,480 --> 00:01:38,280
Because the only people that can answer the question of,

39
00:01:38,280 --> 00:01:39,800
if everything is down today,

40
00:01:39,800 --> 00:01:42,280
what would you need running tomorrow morning first?

41
00:01:42,280 --> 00:01:43,960
That's the business folks.

42
00:01:43,960 --> 00:01:46,760
Then what does that translate to in terms of

43
00:01:46,760 --> 00:01:49,960
specific systems and technical assets, etc.?

44
00:01:49,960 --> 00:01:51,440
Well, that's your IT team.

45
00:01:51,440 --> 00:01:53,240
Then how do you best protect those

46
00:01:53,240 --> 00:01:54,800
against the attacks we're seeing?

47
00:01:54,800 --> 00:01:56,400
Well, that's the security team.

48
00:01:56,400 --> 00:01:58,640
So really going through that process,

49
00:01:58,640 --> 00:02:02,400
working with your business and IT partners and security in there

50
00:02:02,400 --> 00:02:05,320
is super, super critical to make sure

51
00:02:05,320 --> 00:02:07,680
that you are able to recover quickly.

52
00:02:07,680 --> 00:02:09,720
Then the next step for it,

53
00:02:09,720 --> 00:02:13,560
which also applies in any other attack as well,

54
00:02:13,560 --> 00:02:16,680
to reduce the damage is of course privileged access.

55
00:02:16,680 --> 00:02:20,440
You can do a lot more damage as an attacker with an admin account,

56
00:02:20,440 --> 00:02:22,440
than you can with a standard user account.

57
00:02:22,440 --> 00:02:24,760
For securing privileged access,

58
00:02:24,760 --> 00:02:28,520
we do have that full end-to-end strategy,

59
00:02:28,520 --> 00:02:31,720
plan, technology and specific steps outlined

60
00:02:31,720 --> 00:02:33,400
on how to protect your most important,

61
00:02:33,400 --> 00:02:36,520
most impactful technical IT accounts,

62
00:02:36,520 --> 00:02:38,840
like global admins, enterprise admins,

63
00:02:38,840 --> 00:02:40,200
domain admins and the like,

64
00:02:40,200 --> 00:02:44,360
as well as your other privileged and sensitive roles,

65
00:02:44,360 --> 00:02:48,440
like developers, like SWIFT terminals,

66
00:02:48,440 --> 00:02:51,960
where effectively people make financial transactions,

67
00:02:51,960 --> 00:02:53,400
maybe trading terminals, et cetera,

68
00:02:53,400 --> 00:02:54,360
depending on your business.

69
00:02:55,240 --> 00:02:57,160
So those super high impact things

70
00:02:57,960 --> 00:03:00,840
are also covered by that privileged access guidance.

71
00:03:00,840 --> 00:03:03,800
And that's just aka.ms/SPA, or SPA,

72
00:03:03,800 --> 00:03:04,520
as we like to call it,

73
00:03:04,520 --> 00:03:07,160
for securing privileged access, out there.

74
00:03:07,160 --> 00:03:09,400
Okay, so I guess it's my turn.

75
00:03:09,400 --> 00:03:10,760
Kind of the same as Mark.

76
00:03:11,480 --> 00:03:13,560
It's a little bit quiet on the news front,

77
00:03:13,560 --> 00:03:15,480
because we're leading up to RSA.

78
00:03:15,480 --> 00:03:18,760
So there's going to be lots of news in the next few weeks.

79
00:03:18,760 --> 00:03:20,600
I'll also apologize if I sound stuffy,

80
00:03:20,600 --> 00:03:21,960
because I got COVID.

81
00:03:21,960 --> 00:03:24,280
We don't all record in the same room, by the way.

82
00:03:24,280 --> 00:03:26,600
So I'm not giving anyone COVID.

83
00:03:27,880 --> 00:03:29,880
Definitely a couple of things.

84
00:03:29,880 --> 00:03:30,920
Obviously it would be wrong

85
00:03:30,920 --> 00:03:32,680
if I didn't talk about my baby Sentinel.

86
00:03:33,320 --> 00:03:36,360
We've got a couple of public previews,

87
00:03:36,920 --> 00:03:38,040
which have come out.

88
00:03:38,040 --> 00:03:39,960
We've got similar incidents.

89
00:03:39,960 --> 00:03:42,680
So when you raise an incident in Sentinel,

90
00:03:42,680 --> 00:03:45,720
it will now also suggest similar incidents,

91
00:03:45,720 --> 00:03:48,040
whether they've been closed,

92
00:03:48,040 --> 00:03:49,800
or just anything that we've seen.

93
00:03:49,800 --> 00:03:51,160
So that might be,

94
00:03:51,160 --> 00:03:53,400
it will help you see if you've got other incidents

95
00:03:53,400 --> 00:03:56,200
that might be part of a larger attack story.

96
00:03:56,200 --> 00:03:56,920
And the other thing,

97
00:03:57,640 --> 00:03:59,560
I don't know, Michael or Mark,

98
00:03:59,560 --> 00:04:00,920
if you have done this yet,

99
00:04:00,920 --> 00:04:02,840
but this week just gone,

100
00:04:02,840 --> 00:04:07,400
I did my SC100 exam in beta,

101
00:04:07,400 --> 00:04:09,400
Microsoft Security Architect.

102
00:04:09,400 --> 00:04:10,920
Because it's in beta,

103
00:04:10,920 --> 00:04:12,600
I haven't got my result yet.

104
00:04:12,600 --> 00:04:15,000
My fingers crossed I passed it first time.

105
00:04:15,000 --> 00:04:17,400
Go and check that out if you're interested,

106
00:04:17,400 --> 00:04:19,160
if you're keen on your Microsoft certs,

107
00:04:19,160 --> 00:04:21,000
because that's a pretty new one

108
00:04:21,000 --> 00:04:22,200
that's definitely,

109
00:04:22,200 --> 00:04:24,680
I think a lot of people will be wanting to take.

110
00:04:24,680 --> 00:04:28,520
But if you've never taken a beta exam in Microsoft land,

111
00:04:29,080 --> 00:04:31,320
you don't get your results straight away.

112
00:04:31,320 --> 00:04:32,760
You get them a little bit later.

113
00:04:33,320 --> 00:04:35,000
So that's always worth bearing in mind.

114
00:04:36,200 --> 00:04:38,200
Hey, it's funny you should bring that up about SC100,

115
00:04:38,200 --> 00:04:41,800
because you and I also did our AZ500 refresh, right?

116
00:04:41,800 --> 00:04:42,760
Roughly the same time.

117
00:04:43,320 --> 00:04:44,360
We did.

118
00:04:44,360 --> 00:04:45,400
Yeah.

119
00:04:45,400 --> 00:04:46,120
For those of you who don't know,

120
00:04:46,120 --> 00:04:47,960
we actually did our AZ500,

121
00:04:47,960 --> 00:04:50,680
which is the security services or something,

122
00:04:50,680 --> 00:04:51,720
Azure security services.

123
00:04:51,720 --> 00:04:53,720
We did it the same week without even knowing

124
00:04:53,720 --> 00:04:56,280
that each other had taken the exam the same week.

125
00:04:56,280 --> 00:04:58,280
I barely passed, to be honest with you.

126
00:04:58,920 --> 00:05:01,080
Knowing Sarah, she probably aced it, but anyway.

127
00:05:02,440 --> 00:05:04,360
Yeah, but now that it's been a couple of years or something,

128
00:05:04,360 --> 00:05:05,400
I don't know how long it is,

129
00:05:06,200 --> 00:05:07,400
you have to have it refreshed.

130
00:05:07,960 --> 00:05:09,240
So I'm going to tell you right now,

131
00:05:09,240 --> 00:05:13,240
if you have AZ500, do not let it lapse.

132
00:05:13,240 --> 00:05:16,760
The refresh is actually dead, dead simple.

133
00:05:16,760 --> 00:05:20,360
Compared to the exam, it's probably two orders of magnitude easier.

134
00:05:20,360 --> 00:05:22,680
All you need to do is just go to the Microsoft learning page.

135
00:05:22,680 --> 00:05:23,960
I'll put a link in the show notes

136
00:05:23,960 --> 00:05:24,920
and click all the way through,

137
00:05:24,920 --> 00:05:26,360
see if you're eligible for the refresh.

138
00:05:26,360 --> 00:05:29,400
And if you are, you'll be given like a little sort of learning path,

139
00:05:29,400 --> 00:05:30,360
go through the learning path,

140
00:05:30,360 --> 00:05:32,920
and at the end will be a, what I thought was actually that,

141
00:05:32,920 --> 00:05:36,360
like a test test, just a sort of a sample test.

142
00:05:36,920 --> 00:05:38,680
Turns out, no, that's actually the real thing.

143
00:05:39,480 --> 00:05:41,560
And later that evening, I wrote an email saying,

144
00:05:41,560 --> 00:05:44,520
congratulations, you've refreshed your AZ500.

145
00:05:44,520 --> 00:05:47,560
Oh man, that was way easy.

146
00:05:47,560 --> 00:05:50,200
So yeah, do not let it lapse.

147
00:05:50,200 --> 00:05:51,720
I am literally not kidding.

148
00:05:51,720 --> 00:05:55,000
It is two orders of magnitude easier than the exam.

149
00:05:55,000 --> 00:05:56,120
The exam's horrible.

150
00:05:56,840 --> 00:05:59,240
Is that similar to your thoughts as well, Sarah, on the,

151
00:05:59,240 --> 00:06:00,440
I don't know, what's called refresh?

152
00:06:00,440 --> 00:06:01,800
I don't even know what it's called.

153
00:06:01,800 --> 00:06:04,520
Yeah, I can't remember exactly how it's phrased,

154
00:06:04,520 --> 00:06:06,120
but I totally agree.

155
00:06:06,760 --> 00:06:08,040
And actually it's also the same

156
00:06:08,040 --> 00:06:10,440
for some of the other Microsoft certs out there.

157
00:06:10,440 --> 00:06:12,520
I know for my Azure architect,

158
00:06:12,520 --> 00:06:14,760
and I think it's AZ,

159
00:06:16,200 --> 00:06:19,560
I think it's something like 303 and 304 nowadays.

160
00:06:19,560 --> 00:06:21,640
Definitely do your refresh,

161
00:06:21,640 --> 00:06:27,320
because the refresh is very, very easy compared to the real thing.

162
00:06:27,960 --> 00:06:30,680
It will take you not very long at all.

163
00:06:30,680 --> 00:06:36,120
And just as Michael said, when I did my first refresh,

164
00:06:36,120 --> 00:06:38,040
I thought I was going to have to sit and do,

165
00:06:38,040 --> 00:06:41,400
at least, actually a whole exam again.

166
00:06:41,400 --> 00:06:43,720
But no, it's much, much easier.

167
00:06:43,720 --> 00:06:47,240
So yeah, I'll just back up what he said.

168
00:06:47,240 --> 00:06:49,480
Don't let it lapse, do the refresh.

169
00:06:49,480 --> 00:06:52,200
You get lots of reminders.

170
00:06:52,200 --> 00:06:56,520
So you get like 90 days, 60 days, 30 days.

171
00:06:56,520 --> 00:07:00,680
So make sure you do it so much easier than doing the exam again.

172
00:07:01,480 --> 00:07:03,160
All right. Now we've got that out of the way.

173
00:07:03,160 --> 00:07:04,520
Let's talk about my news.

174
00:07:04,520 --> 00:07:05,400
I only have a couple of items.

175
00:07:05,400 --> 00:07:06,200
Actually, it's funny, yeah.

176
00:07:06,200 --> 00:07:07,400
Like you two, I was looking at the news,

177
00:07:07,400 --> 00:07:09,240
I'm like, man, the security news is light.

178
00:07:09,240 --> 00:07:11,480
And then I realized when Mark said it this morning,

179
00:07:11,480 --> 00:07:13,880
yeah, that's why it's, RSA is coming up

180
00:07:13,880 --> 00:07:17,080
and the Build conference is coming up next week as well,

181
00:07:17,080 --> 00:07:19,560
which, you know, quite normally we keep big,

182
00:07:19,560 --> 00:07:21,160
big announcements for those kinds of events.

183
00:07:21,160 --> 00:07:22,600
So that kind of makes sense.

184
00:07:22,600 --> 00:07:24,440
So I literally only have two items.

185
00:07:24,440 --> 00:07:27,480
Item number one is Azure Virtual Machines

186
00:07:27,480 --> 00:07:33,400
in the DCsv3 series now have extended coverage.

187
00:07:33,400 --> 00:07:36,360
So they're now available in Australia East,

188
00:07:36,360 --> 00:07:39,400
Japan East, South Central US and Southeast Asia.

189
00:07:40,280 --> 00:07:42,920
These are the virtual machine types

190
00:07:42,920 --> 00:07:45,000
that support confidential computing.

191
00:07:45,000 --> 00:07:49,000
So they have Intel SGX, or Software Guard Extensions,

192
00:07:49,720 --> 00:07:51,880
CPUs in the VM.

193
00:07:51,880 --> 00:07:53,320
So they can be used for confidential computing.

194
00:07:53,320 --> 00:07:56,440
So for example, products like Azure SQL Database

195
00:07:56,440 --> 00:07:59,400
can use it for Always Encrypted with secure enclaves.

196
00:07:59,400 --> 00:08:03,960
So part of the query engine runs inside of the secure enclave.

197
00:08:03,960 --> 00:08:05,480
So that's really cool to see.

198
00:08:05,480 --> 00:08:08,600
Huge, huge, huge fan of confidential computing VMs.

199
00:08:08,600 --> 00:08:10,040
So that's good to see.

200
00:08:10,040 --> 00:08:11,720
The second one, so we now have,

201
00:08:11,720 --> 00:08:13,320
oh, by the way, that was in public preview

202
00:08:13,320 --> 00:08:14,520
for those new regions.

203
00:08:15,080 --> 00:08:17,640
Now generally available, we have

204
00:08:17,640 --> 00:08:21,160
Azure Arc-enabled servers support for private endpoints.

205
00:08:21,960 --> 00:08:25,240
So this allows you to manage your Windows and Linux servers

206
00:08:25,240 --> 00:08:28,360
from Azure without sending network traffic

207
00:08:28,360 --> 00:08:29,480
over the public internet.

208
00:08:30,280 --> 00:08:33,080
So if you've got these Azure Arc enabled servers,

209
00:08:33,080 --> 00:08:36,840
which are on-prem, for example, the traffic

210
00:08:36,840 --> 00:08:38,520
does not go over the public internet.

211
00:08:38,520 --> 00:08:39,400
This is really great to see.

212
00:08:39,400 --> 00:08:41,240
I know a lot of customers are huge fans,

213
00:08:41,240 --> 00:08:42,840
especially when it comes to sensitive data,

214
00:08:42,840 --> 00:08:43,800
even if it's encrypted,

215
00:08:43,800 --> 00:08:45,320
just not sending it over the internet at all.

216
00:08:45,960 --> 00:08:47,240
So this is great to see as well.

217
00:08:48,040 --> 00:08:49,720
And that's kind of basically all I have.

218
00:08:49,720 --> 00:08:53,320
So with that, let's turn our attention to our guest.

219
00:08:53,880 --> 00:08:56,280
This week we have Shai Amar,

220
00:08:56,280 --> 00:09:00,120
who's here to talk to us about Microsoft Defender for Containers.

221
00:09:00,120 --> 00:09:02,200
Hey, Shai, thank you so much for joining us this week.

222
00:09:02,200 --> 00:09:03,160
Would you like to spend a moment,

223
00:09:03,160 --> 00:09:04,840
and just give our listeners a better background?

224
00:09:05,960 --> 00:09:07,320
Yeah, thank you for having me.

225
00:09:07,320 --> 00:09:07,960
Thank you all.

226
00:09:08,520 --> 00:09:10,120
As you mentioned, my name is Shai Amar,

227
00:09:10,120 --> 00:09:12,760
and I'm working as a Program Manager at Microsoft these days.

228
00:09:13,320 --> 00:09:16,200
Actually, I'm coming from the Microsoft Customer Experience

229
00:09:16,200 --> 00:09:19,080
Engineering team for Microsoft Defender for Cloud.

230
00:09:19,080 --> 00:09:22,120
So what we talk about today is actually one of the plans

231
00:09:22,120 --> 00:09:24,120
that we have in the Defender for Cloud product,

232
00:09:24,120 --> 00:09:26,040
which is the Defender for Container.

233
00:09:26,680 --> 00:09:29,560
I've been working at Microsoft for over seven years now.

234
00:09:29,560 --> 00:09:31,720
So I started the journey as a customer engineer,

235
00:09:31,720 --> 00:09:35,560
and then moved to a CSA role, Cloud Solution Architect.

236
00:09:35,560 --> 00:09:36,840
I started with the platform,

237
00:09:36,840 --> 00:09:39,320
and these days I focus on the security area.

238
00:09:39,880 --> 00:09:42,920
So actually, the team that I come from and work in,

239
00:09:42,920 --> 00:09:46,280
we are helping a lot of our customers with deployment

240
00:09:46,280 --> 00:09:48,280
of specific Defender for Cloud plans,

241
00:09:48,280 --> 00:09:50,360
improving their secure scores,

242
00:09:50,360 --> 00:09:53,800
and even being their voice inside the engineering team,

243
00:09:53,800 --> 00:09:56,040
like capturing feedback and sharing that feedback

244
00:09:56,760 --> 00:09:58,440
within our product management.

245
00:09:58,440 --> 00:10:02,920
And I'm very happy to be here and excited to actually talk about this topic.

246
00:10:02,920 --> 00:10:04,840
I'll add a couple of questions around,

247
00:10:05,880 --> 00:10:09,560
because basically, a container is a very stripped-down VM

248
00:10:09,560 --> 00:10:12,440
that you sort of attach to an application,

249
00:10:12,440 --> 00:10:15,480
so you can kind of move it between infrastructure and slide it.

250
00:10:15,480 --> 00:10:17,320
Would that be kind of a good, accurate description?

251
00:10:18,440 --> 00:10:21,160
Yeah, actually, that's a good one to start with,

252
00:10:21,160 --> 00:10:25,480
because sometimes when we are referring to the container plans

253
00:10:25,480 --> 00:10:31,640
or talking about container security, unlike the traditional compute,

254
00:10:31,640 --> 00:10:35,640
containerized applications are elastic, spawned repeatedly,

255
00:10:35,640 --> 00:10:39,880
so images that are actually involved in that phase are immutable,

256
00:10:39,880 --> 00:10:41,240
and containers are short-lived.

257
00:10:41,240 --> 00:10:43,960
So most of the time, customers that are asking about this topic,

258
00:10:44,840 --> 00:10:47,720
they're really concerned about the security pipeline.

259
00:10:47,720 --> 00:10:49,800
Where should they start the journey with?

260
00:10:49,800 --> 00:10:53,480
With that said, actually, every time we're talking about this topic,

261
00:10:53,480 --> 00:10:55,960
we must understand what is the security landscape, right?

262
00:10:55,960 --> 00:10:58,840
What are the threats that we have in Kubernetes,

263
00:10:58,840 --> 00:11:00,840
or either if it's native or a native one?

264
00:11:01,640 --> 00:11:04,280
Like you asked, Mark, I want to highlight two things here.

265
00:11:04,280 --> 00:11:06,520
So first of all, as part of this journey,

266
00:11:06,520 --> 00:11:10,920
when customers actually start onboarding some Kubernetes,

267
00:11:10,920 --> 00:11:15,800
either it could be AKS or even on-prem one or multi-cloud,

268
00:11:15,800 --> 00:11:18,280
most of the time, they are asking themselves,

269
00:11:18,280 --> 00:11:19,400
where should they start with?

270
00:11:19,400 --> 00:11:23,400
It's like, okay, I now have a cluster; which security threat

271
00:11:23,400 --> 00:11:24,520
landscape should I tackle?

272
00:11:24,520 --> 00:11:28,280
This is something that I need to scan or even research,

273
00:11:28,280 --> 00:11:31,960
or just ask myself if it's something that I need to cover

274
00:11:31,960 --> 00:11:34,760
against any kind of metrics or kind of thing.

275
00:11:34,760 --> 00:11:38,600
So what we have done recently, we actually announced a new plan,

276
00:11:38,600 --> 00:11:41,000
and this is actually the topic for today.

277
00:11:41,880 --> 00:11:45,320
We announced a new plan, which is called the Microsoft Defender for Container.

278
00:11:45,320 --> 00:11:49,160
What we tried to do is actually merge two areas.

279
00:11:49,160 --> 00:11:52,840
One of them is the Kubernetes and the other is the container registry,

280
00:11:52,840 --> 00:11:54,600
which we can discuss later.

281
00:11:55,400 --> 00:11:59,480
So the major one of this is actually to collaborate.

282
00:11:59,480 --> 00:12:02,760
What Microsoft has done is it took part in the Center project,

283
00:12:03,320 --> 00:12:06,200
and to that project it contributed knowledge

284
00:12:06,200 --> 00:12:09,480
that the company gained in the field with container security.

285
00:12:10,040 --> 00:12:15,080
And Microsoft's unparalleled visibility actually gave that matrix,

286
00:12:15,080 --> 00:12:17,080
if everyone is familiar with MITRE,

287
00:12:17,080 --> 00:12:22,520
so we collaborated and expanded that matrix to be part of the container plans

288
00:12:22,520 --> 00:12:23,400
that we have today.

289
00:12:23,400 --> 00:12:27,080
So now we are offering a lot of capabilities around threat detection.

290
00:12:28,360 --> 00:12:32,520
But this is actually to highlight your question about where we could start,

291
00:12:32,520 --> 00:12:38,200
or maybe just ask ourselves what or where we should start with.

292
00:12:38,200 --> 00:12:42,520
So we must be aware, first of all, of which stage we are choosing,

293
00:12:42,520 --> 00:12:44,760
like if it's native or native, it's one thing,

294
00:12:44,760 --> 00:12:50,360
but really understand about MITRE and actually the threat landscape that's evolving.

295
00:12:50,360 --> 00:12:55,080
And so what we have today is more about giving a sense of that coverage

296
00:12:55,080 --> 00:12:56,120
inside the product.

297
00:12:57,880 --> 00:13:00,920
Having said that, I just want to highlight two things here.

298
00:13:00,920 --> 00:13:05,160
One is actually, if you're not familiar with Defender for Cloud,

299
00:13:05,160 --> 00:13:10,520
it's more about a solution that we have today to give us also capability around

300
00:13:10,520 --> 00:13:14,280
Cloud Security Posture Management and the Cloud Workload Protection solution.

301
00:13:14,280 --> 00:13:18,680
But let's focus, like you mentioned earlier, Mark, on the area of containers.

302
00:13:19,320 --> 00:13:23,800
It's sort of an interesting distinction, because when you use something like

303
00:13:23,800 --> 00:13:29,160
Azure Kubernetes Services, like AKS, a lot of that sort of shared responsibility

304
00:13:29,880 --> 00:13:31,400
is on the Cloud provider.

305
00:13:31,400 --> 00:13:38,760
But if you're hosting container services on a VM in Azure or on-prem or AWS or wherever,

306
00:13:38,760 --> 00:13:44,920
you essentially have more to monitor and worry about that isn't being secured by the Cloud provider.

307
00:13:44,920 --> 00:13:45,400
Correct?

308
00:13:45,400 --> 00:13:49,720
Yeah, absolutely. And that's a great topic as well.

309
00:13:49,720 --> 00:13:54,360
So yeah, most of the time when a customer actually onboards an AKS,

310
00:13:54,360 --> 00:14:01,480
the native managed cluster, like you mentioned, by the way, it could be AKS or EKS for AWS or GKE.

311
00:14:01,480 --> 00:14:06,200
And we cover, by the way, all of them today in the new plan, which is great,

312
00:14:06,200 --> 00:14:09,320
because we recently announced support for that as well.

313
00:14:09,320 --> 00:14:10,920
This is relevant to multi-Cloud.

314
00:14:10,920 --> 00:14:13,560
But yes, this is like the model of shared responsibility.

315
00:14:13,560 --> 00:14:20,680
Most of the time when you onboard, you have two areas which you should focus on.

316
00:14:20,680 --> 00:14:22,200
One is the control plane.

317
00:14:22,200 --> 00:14:26,280
And this is actually the area where, when you onboard the native Kubernetes cluster,

318
00:14:26,280 --> 00:14:31,320
you have the coverage for that infra from your Cloud provider.

319
00:14:31,320 --> 00:14:34,280
So most of the time you're thinking, okay, I have the control plane,

320
00:14:34,280 --> 00:14:37,880
it's covered by the vendor, I don't need to take care of a lot.

321
00:14:37,880 --> 00:14:40,920
And there is the other, which we call the data plane.

322
00:14:40,920 --> 00:14:45,640
So the data plane is actually where you are most of the time thinking about,

323
00:14:45,640 --> 00:14:49,160
okay, now I published an application, now it's alive.

324
00:14:49,160 --> 00:14:51,000
Okay, how should I tackle this?

325
00:14:51,000 --> 00:14:57,400
Because this is the place where the shared responsibility model is actually coming to a decision

326
00:14:57,400 --> 00:15:00,280
when you need to understand more about the landscape.

327
00:15:00,280 --> 00:15:05,000
What I mentioned earlier, the threat landscape of the managed Kubernetes, right?

328
00:15:05,000 --> 00:15:10,760
So we should focus in some area to understand more about this threat landscape.

329
00:15:10,760 --> 00:15:15,640
One of the areas we always try to highlight on the control plane is the API.

330
00:15:15,640 --> 00:15:19,640
The API is actually in the Kubernetes cluster, even if it's managed.

331
00:15:19,640 --> 00:15:24,120
This is the place where we have the control plane API.

332
00:15:24,120 --> 00:15:27,160
And it could be vulnerable to misconfigured images.

333
00:15:27,160 --> 00:15:32,040
For example, we can deploy something that is coming from an untrusted repository.

334
00:15:32,040 --> 00:15:34,680
And then you can ask yourself, okay, that's fine.

335
00:15:34,680 --> 00:15:42,280
I can confirm that everything is coming from a secured repo and it's like trusted and everything seems so far so good.

336
00:15:42,280 --> 00:15:46,920
So what could happen from the variation of attack techniques?

337
00:15:46,920 --> 00:15:52,600
So it could be a variety of things like, for example, if someone wants to communicate with the cluster, even myself,

338
00:15:52,600 --> 00:15:55,720
it could be exposed to some compromised account, right?

339
00:15:55,720 --> 00:15:58,840
Or even like traffic that could be unauthorized.

340
00:15:58,840 --> 00:16:06,200
And that's where we come to the place where we collaborate, with the understanding of the control plane in the cluster and the data plane.

341
00:16:06,200 --> 00:16:12,760
So even then, we can do things that can make us vulnerable or exposed to some malicious stuff.

342
00:16:12,760 --> 00:16:16,200
Let's say, for example, I need to manage this cluster.

343
00:16:16,200 --> 00:16:22,920
So I need to do kind of an AF capability like management installing Kubeflow, etc.

344
00:16:22,920 --> 00:16:25,960
And then I forgot to close the management port.

345
00:16:25,960 --> 00:16:29,320
So it's like exposed to the internet and kind of stuff.

346
00:16:29,320 --> 00:16:32,840
So this kind of variation of things could happen daily, right?

347
00:16:32,840 --> 00:16:36,840
Even for the ops and the other teams, other stakeholders in the team.

348
00:16:36,840 --> 00:16:45,080
So we need to take care from that point and really understand well the landscape, the threat landscape, even for managed Kubernetes.

349
00:16:45,080 --> 00:16:51,800
And we can go separately to understand AKS, EKS and the others, because every one of them we can cover separately.

350
00:16:51,800 --> 00:16:57,960
But most of the threat landscape would be the same in the managed, shared responsibility model,

351
00:16:57,960 --> 00:17:00,760
which is to understand the common attack techniques.

352
00:17:00,760 --> 00:17:05,160
Most of them will be coming from the vulnerable images that could be exploited.

353
00:17:05,160 --> 00:17:12,040
The other could be even like backdoor containers or even access to exposed applications.

354
00:17:12,040 --> 00:17:19,000
So this could be a variety of stuff that could fall into two areas, what we call the control plane and the data plane as well.

355
00:17:19,000 --> 00:17:23,000
Gotcha. So it sounds like there's quite a variety of attacks that are possible.

356
00:17:23,000 --> 00:17:35,000
I'm curious which ones are sort of the top ones that we see the most that organizations would need to worry about, particularly in that sort of SaaS oriented thing where the cloud provider takes care of the control plane.

357
00:17:35,000 --> 00:17:37,000
Yeah, that's a good one.

358
00:17:37,000 --> 00:17:45,960
So yeah, we see a lot of them, but actually we can even give an example of a real-world, wide-range attack illustration that, you know, happened recently.

359
00:17:45,960 --> 00:17:53,960
So one of them was the crypto mining attack, actually, in the containers environment.

360
00:17:53,960 --> 00:17:55,960
They aren't new at all.

361
00:17:55,960 --> 00:18:05,960
But what we saw in the Microsoft Defender for Cloud solution, we regularly detect a wide range of mining activities that run inside the containers.

362
00:18:05,960 --> 00:18:11,960
And usually, those activities are running inside vulnerable containers such as web applications.

363
00:18:11,960 --> 00:18:15,960
We already know this could be kind of known vulnerabilities.

364
00:18:15,960 --> 00:18:23,960
And recently, just for an example, there was a new crypto mining campaign that specifically targets Kubernetes environments.

365
00:18:23,960 --> 00:18:28,960
And actually you can ask yourself, okay, what is the difference, and what differs in this attack from other crypto mining attacks.

366
00:18:28,960 --> 00:18:36,960
And what we saw here is its scale, meaning with only two hours of malicious containers, only two hours.

367
00:18:36,960 --> 00:18:41,960
There was a huge deployment, tens of Kubernetes clusters were deployed.

368
00:18:41,960 --> 00:18:49,960
And actually the containers, when we looked deeply, were running an image from a public repository; it was the Monero miner one.

369
00:18:49,960 --> 00:18:53,960
And this image actually ran XMRig.

370
00:18:53,960 --> 00:18:57,960
But it's not really about understanding the type of the miner.

371
00:18:57,960 --> 00:19:03,960
It's more about understanding the capability of the attack and the scale that it could affect.

372
00:19:03,960 --> 00:19:13,960
Because rapidly we saw growth from the scaling, which could be a very popular, you know, some open source library that can use the Kubernetes cluster of that example.

373
00:19:13,960 --> 00:19:22,960
By the way, we saw from that telemetry that the Kubernetes image was deployed from a public repository, and we were able to figure that out.

374
00:19:22,960 --> 00:19:27,960
The same actor that deployed the crypto mining container also enumerated the cluster resources.

375
00:19:27,960 --> 00:19:30,960
So what is done in case, okay, cluster is one thing.

376
00:19:30,960 --> 00:19:33,960
What about the things that I really take care of?

377
00:19:33,960 --> 00:19:37,960
So we saw that it included the Kubernetes secrets.

378
00:19:37,960 --> 00:19:42,960
This might lead to exposure of connection strings, passwords, and other secrets.

379
00:19:42,960 --> 00:19:53,960
So when you're talking about a cluster or Kubernetes specifically for this kind of attack, it's more about not just using the compute; it's also getting some sensitive data from it.

380
00:19:53,960 --> 00:19:58,960
Can you talk a little bit about the features of Defender for Containers?

381
00:19:58,960 --> 00:20:02,960
We're talking a lot about the attacks and I love hearing about attacks because they're always interesting.

382
00:20:02,960 --> 00:20:10,960
But what sort of controls and features do we have within the product that would help mitigate these types of attack?

383
00:20:10,960 --> 00:20:12,960
Yeah, that's a great one.

384
00:20:12,960 --> 00:20:19,960
So actually today with Microsoft Defender for Containers, we are protecting multi-cloud and hybrid container deployments.

385
00:20:19,960 --> 00:20:22,960
Meaning by that that we are focusing on multiple stages.

386
00:20:22,960 --> 00:20:28,960
One, we call this hardening, and you can ask, okay, what should I think about hardening?

387
00:20:28,960 --> 00:20:35,960
So hardening is more about the place where you continually assess and improve the security posture of the container environments and workloads.

388
00:20:35,960 --> 00:20:41,960
So it's like asking yourself questions: okay, did I do everything that is related to my API?

389
00:20:41,960 --> 00:20:47,960
Did I make sure that I have deployed containers only from trusted repositories that I trust?

390
00:20:47,960 --> 00:20:52,960
That's kind of the developer, right, can do some deployment around, and then I want to enforce things.

391
00:20:52,960 --> 00:20:59,960
I want to make sure that no one will do this kind of deployment in the early stage, in the CI/CD pipeline, for example.

392
00:20:59,960 --> 00:21:05,960
So this is one of the major aspects that we are handling.

393
00:21:05,960 --> 00:21:08,960
And the other one is the vulnerability management.

394
00:21:08,960 --> 00:21:17,960
So you probably know that in containers there's a lot of usage of public repos sometimes and open source repos.

395
00:21:17,960 --> 00:21:22,960
And sometimes you can deploy things which come with vulnerable stuff.

396
00:21:22,960 --> 00:21:28,960
So you need great, I would say, visibility and capability, and that's what we do as well.

397
00:21:28,960 --> 00:21:31,960
So we can reduce the attack surface by continuous scanning.

398
00:21:31,960 --> 00:21:34,960
What we do today, we actually scan those images.

399
00:21:34,960 --> 00:21:41,960
So if you publish, or either pull or push, some container images to your repo, we actually scan them.

400
00:21:41,960 --> 00:21:50,960
And we can identify and manage the vulnerabilities and give you awareness of those vulnerabilities in that area.

401
00:21:50,960 --> 00:21:59,960
The other stuff which we should focus on also, and we mentioned it earlier, even on the question that Mark raised, is more about the advanced threat detection, right?

402
00:21:59,960 --> 00:22:04,960
So we also want to have capabilities around runtime threats.

403
00:22:04,960 --> 00:22:13,960
So when I actually have a cluster that is running pods and containers beneath, I need to have capabilities such as alerts and insights.

404
00:22:13,960 --> 00:22:20,960
So what we have done today, we are collecting these alerts and giving correlation with the MITRE tactics.

405
00:22:20,960 --> 00:22:26,960
So we have over 60 alerts that are described well in the documentation.

406
00:22:26,960 --> 00:22:32,960
And then come into place, okay, I have AKS. This is something from Azure.

407
00:22:32,960 --> 00:22:45,960
What else? So we are covering today the multi-cloud support, which means that we have coverage today also for AWS, the EKS clusters, and also for GCP, which is GKE.

408
00:22:45,960 --> 00:22:57,960
And what we have done actually to achieve that, we give customers the capabilities to onboard the CSPM and the CWP plan, which stands for Cloud Workload Protection, based on our connector.

409
00:22:57,960 --> 00:23:11,960
So you can actually connect your Azure Defender for Cloud solution also to give the capability to scan those Kubernetes clusters within AWS and GCP.

410
00:23:11,960 --> 00:23:19,960
And these are like the tools that we have today. And of course, capabilities like deployment at scale.

411
00:23:19,960 --> 00:23:35,960
So if you have a variety of clusters across your subscription environment, we give you capabilities to do this via policy, Azure Policy, that you can assign based on some initiative, and just give you a sense of how you can achieve that at scale,

412
00:23:35,960 --> 00:23:40,960
meaning that you don't need to mess with each one of the clusters to have our solution.

413
00:23:40,960 --> 00:23:53,960
The other thing I wanted to ask you, Shai, was you touched on earlier talking about container registries, because, well, as you quite rightly pointed out, having a clean container registry with good images in it is really important.

414
00:23:53,960 --> 00:23:59,960
And of course, if you just download things from random repos, you don't know what could be in there.

415
00:23:59,960 --> 00:24:13,960
But do we have any other specific container registry controls or things that we can do to help secure those, because it's such a weak point for containers?

416
00:24:13,960 --> 00:24:22,960
Yeah, absolutely, Sarah. Thank you for pointing that out. Because it's really about understanding what I need to configure to have this capability.

417
00:24:22,960 --> 00:24:38,960
So today, I can say I like to use the acronym of zero configuration, because if you enable today the Microsoft Defender for Containers plan in the solution, we will automatically discover and onboard your ACR (ACR stands for Azure Container Registry) that you have today.

418
00:24:38,960 --> 00:24:57,960
So what will happen every time that you push, pull, or either import, like you mentioned, we will do the scanning for you. So if something vulnerable comes inside, you will be notified inside the recommendation blade about the vulnerability that we have found.

419
00:24:57,960 --> 00:25:12,960
And it's like having a bird's-eye view of registry vulnerabilities. So you can, for example, take some steps to block those deployments in early stages. What I mean is, stop this at early stages.

420
00:25:12,960 --> 00:25:26,960
Let's think about an organization. They have a pipeline. They have a landscape, right? So we assume that if you are starting like in a dev stage or dev landscape, you want to figure out what you have deployed or misconfigured in deployment.

421
00:25:26,960 --> 00:25:39,960
For example, from untrusted, and if it's vulnerable, you want to stop it, right? You don't want to be in a situation where you deploy some stuff to production and then you fall into a state we call inactive mode, right?

422
00:25:39,960 --> 00:25:47,960
You don't have capabilities to do some active stuff, because we know we can never be, like, ahead of the attacker.

423
00:25:47,960 --> 00:26:03,960
So that capability, Sarah, with scanning, pulling, and even importing things to the container registry, gives us more like a bird's-eye view and just thinking from the landscape where we should focus, like in which stage of the deployment lifecycle.

424
00:26:03,960 --> 00:26:15,960
Because when I'm talking about Kubernetes most of the time, this is something that we are starting from the dev stage and want to be in production, like, with more understanding about those risks.

425
00:26:15,960 --> 00:26:24,960
With the runtime itself, we continue scanning the running images. So we also give that visibility of running images and vulnerabilities.

426
00:26:24,960 --> 00:26:36,960
So let's summarize this. So on one end, we want to have scanning, right? A scanning mechanism tool that will scan the registry for us, make sure that we are highlighting everything that is vulnerable.

427
00:26:36,960 --> 00:26:48,960
And of course, then we can reach out and say, look, you have deployed something that is vulnerable. Please make sure that it is not. We will not allow this to be part of our next landscape, like, say, integration, pre-prod, etc.

428
00:26:48,960 --> 00:27:00,960
Pre-production, for example. So when we want to make sure this is something that we clear out, on the other end, we can be more forceful; meaning by forceful, we can actually deny things.

429
00:27:00,960 --> 00:27:10,960
We can tell, okay, we do not allow you to deploy anything that is coming from an untrusted location. These are the only repos that we allow you to deploy from.

430
00:27:10,960 --> 00:27:25,960
And that's where we are in a stage of more like strict, and even sometimes block stuff, don't allow developers to do this kind of pushing or even importing some stuff to the repo.

431
00:27:25,960 --> 00:27:41,960
It depends on the strategy we want to have, because if we want to develop first, sometimes we can block it like on the first stage. But sometimes we need to merge right into the line, into the lifecycle, because this always will be the complex question when you ask yourself which things I should do first,

432
00:27:41,960 --> 00:27:53,960
like do I need to go with deny, or should I do scanning and then stop it at early stages. So this is, overall, what we have today in the vulnerability management scanning area.

433
00:27:53,960 --> 00:28:09,960
So I've got one last question about container registries. Does Defender for Containers cover other, does it cover generic container registries? Is it just Microsoft? Just because, of course, there are lots of different types of container registries out there.

434
00:28:09,960 --> 00:28:14,960
I know it does multi-cloud, but I just wanted to double check with registries.

435
00:28:14,960 --> 00:28:30,960
Yeah, that's a great question. It's also raised a lot by our customers. So today we are supporting the ACR that is native in Azure, but we have a full description and full documentation around what is supported today.

436
00:28:30,960 --> 00:28:49,960
So what I can tell you is that if you want to exclude it, or either trust other repositories, what we can give today is using some policy, an Azure Policy definition, that you can restrict to specific registries that you allow.

437
00:28:49,960 --> 00:29:07,960
So let's say, for example, that I want to allow a specific registry, so I can use kind of an Azure Policy to restrict that as well. But native, yeah, this is currently what we have, and this is fully described in the official docs that we have in Defender for

438
00:29:07,960 --> 00:29:09,960
Containers. We can share that link later as well.

439
00:29:09,960 --> 00:29:21,960
So I was working with a customer just recently, an insurance customer, on secure scores, which is part of Microsoft Defender for Cloud. They wanted to get their secure score up and sort of manage the secure score moving forward.

440
00:29:21,960 --> 00:29:30,960
One item that was flagged, which frankly sort of terrified some of us, was Azure Policy for Gatekeeper.

441
00:29:30,960 --> 00:29:39,960
Can you comment a little bit about what that is and why it's important? One thing that we found is, once we'd enabled it, that we had issues inside of Kubernetes.

442
00:29:39,960 --> 00:29:47,960
There were configuration settings, but they could only be discovered because we had the Azure Policy for Gatekeeper. So would you like to just sort of comment on that a little bit?

443
00:29:47,960 --> 00:30:04,960
Yeah, absolutely. Thank you for pointing this out. This is a good one, because what we have changed recently, and actually we want to be more native, right, in the end when customers deploy any kind of AKS cluster, either way, be it AKS or GKE.

444
00:30:04,960 --> 00:30:21,960
Most of the time when we're talking about Gatekeeper, or even the DaemonSet, for example, those are capabilities that are built into the cluster. So meaning that today we have, when we are talking about the native deployment that we have done.

445
00:30:21,960 --> 00:30:33,960
So like Defender for Containers, if you enable it today, we actually use a native deployment way, and what's the meaning behind that? Meaning that we actually deploy the Defender profile, which is the Kubernetes

446
00:30:33,960 --> 00:30:49,960
DaemonSet; what it provides us is the runtime protection, and it collects security signals. So then you ask yourself, OK, why do I need it at all? So if you remember when I explained earlier, when you want to detect things that happen inside the cluster, meaning

447
00:30:49,960 --> 00:31:06,960
in the nodes themselves, we need to collect signals, right, and events. Then we chose to use the DaemonSet, because the DaemonSet is more native to how a cluster is built. So in that area, I think it was good and was understood. By the way, we're using that, having also a capability which is called

448
00:31:06,960 --> 00:31:25,960
eBPF, without going any deeper on that. If you're not familiar, eBPF is more like a technology that originates within the Linux kernel. So it's not something that is related to Microsoft Defender for Containers. It's more about capabilities in Linux to run sandboxed

449
00:31:25,960 --> 00:31:47,960
programs in the operating system kernel. It's used to safely and efficiently extend the capabilities of the kernel without requiring any kind of kernel source code change or even loading a module, which is great. On the other end, you mentioned Gatekeeper, which is the Azure Policy add-on, and then what could happen. So what we are doing with Gatekeeper, we enable you to apply at-scale capabilities

450
00:31:47,960 --> 00:32:07,960
on the data plane policies and enforce them. For example, frictionlessly, we can use what we call the fix remediation to enable that policy add-on. It could give you a lot of benefits when you're hardening even the cluster, like having things like do not allow deploying something that is coming from an untrusted location.

451
00:32:07,960 --> 00:32:25,960
So I must understand, for the case that you have described, when you're expanding this policy there are also things that you need to be aware of from the recommendations that we provide you inside the solution. So what I would suggest to do first is just go through the

452
00:32:25,960 --> 00:32:44,960
recommendations and make sure that everything is aligned to the deployment stage, because when we're talking about misconfiguration, sometimes we mark everything that is not configured correctly as unhealthy. So you can be sure that something is not configured correctly

453
00:32:44,960 --> 00:33:01,960
or everything not in a healthy state is marked unhealthy. So my recommendation, if you enable this kind of thing, is to make sure you have enabled the Defender for Containers plan at your subscription level, and then look at the cluster and make sure you have the two capabilities that we mentioned enabled.

454
00:33:01,960 --> 00:33:14,960
The one is the Defender profile, and the other is the Azure Policy add-on, which is the one that extends Gatekeeper, and beneath you have the full recommendations inside the cluster just to make sure you are fit and aligned.

455
00:33:14,960 --> 00:33:32,960
Hey, can you just explain really briefly, just for those who are not aware, what Gatekeeper actually is and, you know, why it's important in a Kubernetes environment? Yeah, absolutely. When we actually talk about Gatekeeper, it is not something that we are calling in Azure; it is more about

456
00:33:32,960 --> 00:33:51,960
extending again the structure of Kubernetes. So when we talk about Kubernetes and Gatekeeper, it is more about understanding what it can really provide us. So when we're talking about Gatekeeper, it gives us capabilities to allow and deny policies inside the cluster.

457
00:33:51,960 --> 00:34:08,960
So thinking about something we call an admission controller. For example, you want to do things like denying, so even do some management inside the cluster. So one thing that you can use is actually the capabilities of admission control, which is part of Gatekeeper.

458
00:34:08,960 --> 00:34:23,960
So this is just a brief, right, so this is not something that we say in general. So if you think about what Gatekeeper is at all, it actually allows the Kubernetes cluster administrator to implement policies.

459
00:34:23,960 --> 00:34:39,960
So it's all about policies in the end. So you want to ensure compliance. You want to ensure something that is related to best practices. I use some policy agent to validate it, the admission control, and then you ask, okay, what could I achieve with admission control?

460
00:34:39,960 --> 00:34:56,960
Like I mentioned, you can deny things from happening at first. For example, from untrusted locations and things like that. So most of the time, when we're using that capability, it gives us a lot of benefit because it's already there. And we can use a lot of compliance and

461
00:34:56,960 --> 00:35:12,960
each to ensure that our cluster is really aligned to what we call our baseline of security threats. And let's skip that; we mentioned it earlier, according to the baseline we want to achieve. So actually, for those of you who are not aware, I just mentioned eBPF.

462
00:35:12,960 --> 00:35:29,960
I put a link in the show notes. eBPF is an isolation technology. It was born in Linux, but it's available in other operating systems, including Windows. So I put a link in there. It's actually a really interesting technology. By the way, for those of you looking to work out what eBPF stands for, it stands for absolutely nothing whatsoever.

463
00:35:29,960 --> 00:35:32,960
So don't go trying to find out what the acronym is.

464
00:35:32,960 --> 00:35:45,960
On the topic of Azure Policy for Gatekeeper, I mentioned working with this customer. And one thing they noticed straight away is that their ingestion rates into Log Analytics were pretty elevated after they turned this on.

465
00:35:45,960 --> 00:36:00,960
And so one thing, when we were talking to the customer, we looked at their Log Analytics workspaces. We found that they were using the pay-as-you-go consumption model, which is by far the most expensive, and you should never be using it except for small experiments.

466
00:36:00,960 --> 00:36:11,960
That's about it. So is there any area, are there any sort of improvements that you guys are making in this area to make Log Analytics ingestion a little bit more palatable?

467
00:36:11,960 --> 00:36:27,960
Yeah, actually we have done that with the new plan. We announced that actually we removed the dependency on MMA. So a lot of customers shared the feedback with us that MMA caused them some complication when they onboarded the cluster.

468
00:36:27,960 --> 00:36:35,960
So today with the new plan, we are not relying, we don't have this dependency to have the MMA as part of the provisioning.

469
00:36:35,960 --> 00:36:37,960
And MMA is Microsoft.

470
00:36:37,960 --> 00:36:46,960
So yeah, yeah, the Log Analytics one. Yeah, you're right. So I use this like a short acronym. Yeah, but it refers to Log Analytics.

471
00:36:46,960 --> 00:36:58,960
But on the ingestion side, you're right. So sometimes customers connect, right, the Defender for Cloud solution, or either other SIEM-like solutions, right, like Sentinel, for example, or third party.

472
00:36:58,960 --> 00:37:10,960
So the ingestion really depends on actually the tier that you declare. But what I've mentioned earlier regarding this kind of integration that we have today.

473
00:37:10,960 --> 00:37:18,960
So today, the dependency on MMA is not there. But when we're talking about ingestion and other stuff, yeah, it should be measured, right?

474
00:37:18,960 --> 00:37:27,960
So we need to fully understand what the use case is, because today we have a connector that we can connect to any kind of SIEM solution.

475
00:37:27,960 --> 00:37:39,960
And it relies on the workspace, right, on the Log Analytics workspace. So yeah, it should be measured. These things could happen if you're not aware of the aspect that you want to trigger or monitor, right?

476
00:37:39,960 --> 00:37:51,960
So we just need to make sure that everything is done from the perspective of understanding, with ingestion, what we are talking about, whether it is more related to alerts or something similar.

477
00:37:51,960 --> 00:38:01,960
Because in the end, you can always make things like, you know, make sure about the capacity or measurements of Log Analytics.

478
00:38:01,960 --> 00:38:20,960
Two things to remind you of are also ingestion and retention, right? So there are two aspects you need to consider. But that's a good thing, because the dependency was really, you know, well, the removal of the dependency helped a lot of our customers as well to, you know, continue the journey with the

479
00:38:20,960 --> 00:38:28,960
containers. But yes, you need to keep in mind also the ingestion and the retention from that stage, which is another topic.

480
00:38:28,960 --> 00:38:39,960
Yeah, so just to make sure I get it right. So the Microsoft Monitoring Agent, removing that reliance, does that reduce the quantity of data going into the Log Analytics workspaces?

481
00:38:39,960 --> 00:38:54,960
Yeah, I would say so, but it needs to be confirmed against the environment, because we used it as a dependency to onboard the plan. So I'm not sure if the issue was referring to ingestion data that is raw data, you know, like security alerts, etc.

482
00:38:54,960 --> 00:39:08,960
Or it's more about this dependency, if it was relying on this dependency, for example. So yeah, it could remove that cost. But if it's more about the amount of the ingestion that they're receiving, this is another topic that you'd consider, you know, measure and be sure

483
00:39:08,960 --> 00:39:18,960
their Log Analytics workspaces are aligned with the retention and of course the ingestion, right, against the tiers that you mentioned, and not use pay-as-you-go, and

484
00:39:18,960 --> 00:39:28,960
I really want to stress that. So one thing that we learned from this customer was, first of all, you know, do review your Log Analytics workspaces, and again, this has got nothing to do with Microsoft Defender for Containers. This is just

485
00:39:28,960 --> 00:39:41,960
general good practice. Yeah, so look at what you're using, make sure it's the more cost-efficient one. And again, to your point, you know, you don't need to necessarily retain stuff in a Log Analytics workspace, you know, forever; you can certainly offload it.

486
00:39:41,960 --> 00:39:56,960
So things like Azure Data Explorer. And there are also new models coming out for, you know, sort of more cost-effective workspaces that have a slower sort of access time; they're not really designed for ingestion, they're designed for querying and querying only.

487
00:39:56,960 --> 00:40:11,960
So yeah, so keep an eye on that, and also make sure that someone within the organization is just keeping an eye on making sure that all the appropriate Log Analytics workspaces, you know, are being sort of maintained, and there needs to be a plan, right, there needs to be someone focusing on the cost of those things.

488
00:40:11,960 --> 00:40:27,960
Yeah, absolutely. One thing we are using in the product, and you can probably, we can suggest the same: we provide some workbooks that give us visualization in that area, so every kind of plan that you enable. And if you want to estimate how much it's going to cost if I use this and this, so today we leverage and

489
00:40:27,960 --> 00:40:43,960
have these capabilities inside the product. So this is something that you can use as well. This is not something like built everywhere, but for the variety of stuff that we have inside, it could help a lot; based on my experience with customers, having a kind of visualization view that relies on a

490
00:40:43,960 --> 00:40:52,960
workbook can be a real advantage. Yeah, 100%. Hey, so do you have any sort of like, you know, sort of top couple of tips that you'd like to give people?

491
00:40:52,960 --> 00:41:09,960
Yeah, so actually, first of all, if you have Kubernetes, any kind of them, and you don't know what is actually based on your security landscape, you can enable this plan and make sure that you are aware of the recommendations; be sure that you are aware of the

492
00:41:09,960 --> 00:41:23,960
threat landscape that I mentioned earlier, because most of the time you will not be able to track any application, right, any kind of application that you have everywhere. So this could give you a sense of the threat landscape and everything there.

493
00:41:23,960 --> 00:41:41,960
The other thing that I will always like to mention is be sure that your clusters, either if it's native or could be multi-cloud, no matter what, be sure that they are in a healthy state from the secure posture way. It could be one thing to be proactive, right, rather than inactive.

494
00:41:41,960 --> 00:41:43,960
That's my tips for that.

495
00:41:43,960 --> 00:41:50,960
All right, so if you had one final, I just, one thought that you would leave people with, what would it be?

496
00:41:50,960 --> 00:42:07,960
My thought would be always know your environment, especially for containers; don't think about it the same as a virtual machine. Just think about, the more you need to understand is about your threat landscape, and to understand more you can use

497
00:42:07,960 --> 00:42:19,960
Defender for Containers to do that. And the other one is also know better the threat landscape that is related to your specific Kubernetes environment.

498
00:42:19,960 --> 00:42:26,960
So I will say thank you so much for joining us this week. I know that you're incredibly busy and I appreciate you taking the time.

499
00:42:26,960 --> 00:42:30,960
Spending time with us to go over this, this really cool product.

500
00:42:30,960 --> 00:42:40,960
And for those of you not aware, there were actually two products, right, at one point: Defender for Kubernetes and Defender for Containers, right, we sort of consolidated into one. Exactly, yeah, yeah, yeah.

501
00:42:40,960 --> 00:42:47,960
So again, yes, thanks again for joining and to all our listeners out there. Thank you for listening. Stay safe and we'll see you next time.

502
00:42:47,960 --> 00:42:56,960
Thanks for joining the Azure Security Podcast. You can find show notes and other resources at our website, azsecuritypodcast.net.

503
00:42:56,960 --> 00:43:18,960
If you have any questions, please find us on Twitter at Azure Setpod. Background music is from CC mixer.com and licensed under the Creative Commons license.

