1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,360
where we discuss topics relating to security, privacy,

3
00:00:09,360 --> 00:00:13,720
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,720 --> 00:00:16,840
Hey everybody, welcome to Episode 60.

5
00:00:16,840 --> 00:00:19,320
This week we have an almost full house.

6
00:00:19,320 --> 00:00:21,840
It's myself, Michael, Mark, and Gladys.

7
00:00:21,840 --> 00:00:23,560
Sarah might be able to make it.

8
00:00:23,560 --> 00:00:26,720
She's actually stuck in a traffic jam right now in New Zealand.

9
00:00:26,720 --> 00:00:28,600
If any of you know New Zealand roads,

10
00:00:28,600 --> 00:00:29,840
if you're stuck in a traffic jam,

11
00:00:29,840 --> 00:00:31,320
you are stuck in a traffic jam.

12
00:00:31,320 --> 00:00:33,560
There's probably no way around.

13
00:00:33,560 --> 00:00:34,960
We also have a guest this week,

14
00:00:34,960 --> 00:00:36,120
we have Safina Begum,

15
00:00:36,120 --> 00:00:39,800
who's here to talk to us about Microsoft Defender for Cloud,

16
00:00:39,800 --> 00:00:42,320
and some of the stuff that we frankly haven't talked about

17
00:00:42,320 --> 00:00:44,920
when talking about Defender for Cloud in the past.

18
00:00:44,920 --> 00:00:47,600
But before we get to Safina,

19
00:00:47,600 --> 00:00:49,720
why don't we take a quick lap around the news?

20
00:00:49,720 --> 00:00:51,360
Gladys, why don't you kick things off?

21
00:00:51,360 --> 00:00:53,280
Yes. Hello, everyone.

22
00:00:53,280 --> 00:00:54,840
It's good to be back.

23
00:00:54,840 --> 00:00:58,320
There is so much that has happened the last two months,

24
00:00:58,320 --> 00:01:02,600
that it's been difficult to select what to talk about

25
00:01:02,600 --> 00:01:04,320
as part of the news.

26
00:01:04,320 --> 00:01:07,600
We are working on the development of SC100,

27
00:01:07,600 --> 00:01:11,160
which we had talked before in this podcast.

28
00:01:11,160 --> 00:01:14,880
Everyone, Michael, Sarah, and Mark,

29
00:01:14,880 --> 00:01:17,800
have been collaborating and giving ideas

30
00:01:17,800 --> 00:01:19,600
to improve this certification.

31
00:01:19,600 --> 00:01:23,080
So it's been an awesome learning experience.

32
00:01:23,080 --> 00:01:25,840
This is the first time that I have done something like that.

33
00:01:25,840 --> 00:01:31,280
In addition, we are also collaborating in a book for SC100.

34
00:01:31,280 --> 00:01:34,960
I did not realize how much work this takes.

35
00:01:34,960 --> 00:01:36,960
Hats to you, Mark,

36
00:01:36,960 --> 00:01:39,440
when you're creating presentation and videos.

37
00:01:39,440 --> 00:01:41,960
Oh, my God, this takes a long time.

38
00:01:41,960 --> 00:01:44,480
Thank God I'm getting a lot of feedback from the team,

39
00:01:44,480 --> 00:01:47,320
from Yuri, how to make it better.

40
00:01:47,320 --> 00:01:51,200
So it's been fantastic starting this.

41
00:01:51,200 --> 00:01:54,160
I know that Michael also has been writing books.

42
00:01:54,160 --> 00:01:56,400
Oh, my God, I don't know how you guys do it.

43
00:01:56,400 --> 00:02:00,080
But hats off to you guys.

44
00:02:00,080 --> 00:02:03,320
Before talking about the news,

45
00:02:03,320 --> 00:02:07,760
first, I want to talk about a new name that we introduced,

46
00:02:07,760 --> 00:02:09,960
Microsoft Entra.

47
00:02:09,960 --> 00:02:15,080
Microsoft Entra is a unification of a set of services

48
00:02:15,080 --> 00:02:18,160
that focus on identity and access management.

49
00:02:18,160 --> 00:02:21,960
This includes Microsoft Entra Azure AD,

50
00:02:21,960 --> 00:02:25,360
Microsoft Entra Permission Management,

51
00:02:25,360 --> 00:02:28,600
which is what we called CloudKnox before,

52
00:02:28,600 --> 00:02:31,600
and Microsoft Entra Verified ID,

53
00:02:31,600 --> 00:02:36,520
which is our implementation of decentralized credentials.

54
00:02:36,520 --> 00:02:39,080
This is the news that I wanted to share,

55
00:02:39,080 --> 00:02:40,680
Verified ID.

56
00:02:40,680 --> 00:02:45,680
I'm really excited about the work that we are doing with this.

57
00:02:45,680 --> 00:02:49,600
If you're not familiar with these,

58
00:02:49,600 --> 00:02:51,920
let me give you a quick background.

59
00:02:51,920 --> 00:02:55,800
Organizations always want to try to centralize identity

60
00:02:55,800 --> 00:02:59,160
in a way that makes it more manageable for them,

61
00:02:59,160 --> 00:03:02,320
but that leads to some gap with users.

62
00:03:02,320 --> 00:03:05,480
They don't have control or much visibility

63
00:03:05,480 --> 00:03:07,640
of their own identities.

64
00:03:07,640 --> 00:03:11,560
So this is a capability of the users

65
00:03:11,560 --> 00:03:14,160
having a little bit more control of what is shared

66
00:03:14,160 --> 00:03:16,480
and what they get.

67
00:03:16,480 --> 00:03:20,360
The common comparison is like a driver's license.

68
00:03:20,360 --> 00:03:24,280
You use the driver's license to authenticate yourself

69
00:03:24,280 --> 00:03:27,840
against banks, colleges, and things like that.

70
00:03:27,840 --> 00:03:31,720
Well, this verifiable ID or Verified ID

71
00:03:32,960 --> 00:03:35,800
will basically act in a similar manner.

72
00:03:36,840 --> 00:03:39,480
The blog that was released recently,

73
00:03:39,480 --> 00:03:41,040
and we're putting the link,

74
00:03:41,040 --> 00:03:43,960
basically is talking about new releases

75
00:03:43,960 --> 00:03:48,600
in different capabilities that we are developing

76
00:03:48,600 --> 00:03:52,120
with Verifiable Credentials.

77
00:03:52,120 --> 00:03:56,000
The first one is you have to use the Authenticator app

78
00:03:56,000 --> 00:03:59,560
in order to store this credential.

79
00:03:59,560 --> 00:04:02,080
In the past, there was no way to back up

80
00:04:02,080 --> 00:04:05,280
and restore this verifiable credential.

81
00:04:05,280 --> 00:04:08,640
Well, now there is a way to back it up.

82
00:04:08,640 --> 00:04:13,080
In addition, they have released APIs for developers

83
00:04:13,080 --> 00:04:14,480
and administrators.

84
00:04:14,480 --> 00:04:17,280
I recommend reviewing the documentation

85
00:04:17,280 --> 00:04:20,480
because there's quite a bit that is being released

86
00:04:20,480 --> 00:04:25,200
and the roadmap forward is certainly exciting.

87
00:04:25,200 --> 00:04:28,560
I also wanna talk about Microsoft Defender

88
00:04:28,560 --> 00:04:31,840
Threat Intelligence, formerly RiskIQ.

89
00:04:31,840 --> 00:04:36,440
Basically, it is a way to track threat actor activity

90
00:04:36,440 --> 00:04:37,680
and patterns.

91
00:04:37,680 --> 00:04:40,280
We just released this recently.

92
00:04:40,280 --> 00:04:43,680
I'm providing a link for the blog as well.

93
00:04:43,680 --> 00:04:48,680
And last, in mid-July, we had our Inspire conference.

94
00:04:49,480 --> 00:04:53,040
This is usually our partner conference,

95
00:04:53,040 --> 00:04:55,760
but there were a lot of announcements made.

96
00:04:55,760 --> 00:04:59,560
And I'm really excited about a summary or a section

97
00:04:59,560 --> 00:05:04,560
that Satya had where he spoke about many of these capabilities

98
00:05:07,080 --> 00:05:08,640
that we are releasing.

99
00:05:08,640 --> 00:05:12,120
I was especially excited about him mentioning

100
00:05:12,120 --> 00:05:14,520
Azure Space and Azure Orbital,

101
00:05:14,520 --> 00:05:18,520
which is something that I've been collaborating

102
00:05:18,520 --> 00:05:20,840
to improve the security for.

103
00:05:21,720 --> 00:05:25,600
So I recommend, if you missed Inspire,

104
00:05:25,600 --> 00:05:28,800
just go to the link provided in the podcast

105
00:05:28,800 --> 00:05:30,640
and watch the sessions.

106
00:05:30,640 --> 00:05:33,200
There's quite a bit of information in there.

107
00:05:33,200 --> 00:05:36,280
I definitely want to echo what Gladys said

108
00:05:36,280 --> 00:05:39,320
is that writing and creating all this stuff

109
00:05:39,320 --> 00:05:42,160
is actually quite a bit of hard work.

110
00:05:42,160 --> 00:05:43,440
And that's kind of the theme,

111
00:05:43,440 --> 00:05:46,880
because I don't have any specific news items on this,

112
00:05:46,880 --> 00:05:49,400
but I did have some interesting observations.

113
00:05:49,400 --> 00:05:52,160
The CISO workshop just recently went out.

114
00:05:52,160 --> 00:05:54,240
And so now I can kind of talk about it a little bit more

115
00:05:54,240 --> 00:05:57,720
in the architecture design session that we're building

116
00:05:57,720 --> 00:05:59,240
to follow it.

117
00:05:59,240 --> 00:06:01,960
And one of the things as I was going through this,

118
00:06:01,960 --> 00:06:04,680
because we basically had designed a reference program,

119
00:06:04,680 --> 00:06:07,400
reference strategy, reference architectures,

120
00:06:07,400 --> 00:06:09,280
reference implementation plans,

121
00:06:09,280 --> 00:06:11,640
across all of security is really the undertaking

122
00:06:11,640 --> 00:06:12,480
that we're doing here.

123
00:06:12,480 --> 00:06:14,440
So that folks have a comparison point

124
00:06:14,440 --> 00:06:17,320
or a starting point for their own planning.

125
00:06:17,320 --> 00:06:20,040
And one of the things that really struck me

126
00:06:20,040 --> 00:06:24,120
as we went through it is just how hard cybersecurity is.

127
00:06:24,120 --> 00:06:26,640
And it's not just straight up hard work, right?

128
00:06:26,640 --> 00:06:28,160
And there's long hours and it's tough.

129
00:06:28,160 --> 00:06:29,840
And it's a little bit of a newer discipline

130
00:06:29,840 --> 00:06:33,440
in the realm of human studies

131
00:06:33,440 --> 00:06:38,440
of psychology and war and sociology and science

132
00:06:40,080 --> 00:06:41,440
and all those kinds of things that we've been doing

133
00:06:41,440 --> 00:06:44,840
for like centuries and millennia as a human race.

134
00:06:44,840 --> 00:06:48,360
But it's actually, there's a lot of things about it

135
00:06:48,360 --> 00:06:51,600
that are just innately difficult, at least right now.

136
00:06:51,600 --> 00:06:54,040
Like, we were looking at, okay, how do we map in

137
00:06:54,040 --> 00:06:57,640
the business outcomes of cybersecurity to the defenses

138
00:06:57,640 --> 00:07:00,320
and all these initiatives that you have to put in

139
00:07:00,320 --> 00:07:01,960
to defend against it, prevent

140
00:07:01,960 --> 00:07:04,120
and detect, respond, recover.

141
00:07:04,120 --> 00:07:06,600
And they don't map cleanly.

142
00:07:06,600 --> 00:07:09,040
They're not like one-to-one mapping or one-to-one mapping.

143
00:07:09,040 --> 00:07:11,120
You do this one thing and you get six things back

144
00:07:11,120 --> 00:07:13,400
or you take six things, you get one thing back.

145
00:07:13,400 --> 00:07:16,360
They're all like many to many mappings.

146
00:07:16,360 --> 00:07:18,720
Just like we're looking in the space of privileged access

147
00:07:18,720 --> 00:07:19,960
as a small example.

148
00:07:19,960 --> 00:07:22,360
And you have to face things like phishing attacks

149
00:07:22,360 --> 00:07:26,600
and lateral traversal and all the forms of credential theft

150
00:07:26,600 --> 00:07:28,560
and all those kinds of things.

151
00:07:28,560 --> 00:07:30,680
And then you have all these different defenses

152
00:07:30,680 --> 00:07:33,800
that map in, privileged workstations

153
00:07:33,800 --> 00:07:36,320
and all these other kinds of detections and response

154
00:07:36,320 --> 00:07:40,440
and pieces, but they all kind of influence

155
00:07:40,440 --> 00:07:42,560
all the different kinds of attacks.

156
00:07:42,560 --> 00:07:44,880
And then the business outcomes you get from that

157
00:07:44,880 --> 00:07:46,360
are not always clear.

158
00:07:46,360 --> 00:07:47,400
These are the right things to do.

159
00:07:47,400 --> 00:07:48,880
The most important things to do on the attack,

160
00:07:48,880 --> 00:07:51,800
but they all contribute to a bunch of different types

161
00:07:51,800 --> 00:07:54,600
of these things are much safer.

162
00:07:54,600 --> 00:07:57,040
You have visibility across your environment, et cetera.

163
00:07:57,040 --> 00:08:00,800
I mean, it's just a really complex space

164
00:08:00,800 --> 00:08:03,760
and it makes it very hard to relate it to other people

165
00:08:03,760 --> 00:08:06,160
and to do your own sort of internal planning.

166
00:08:06,160 --> 00:08:08,040
So that's just like one of the things that I picked up

167
00:08:08,040 --> 00:08:09,320
as I was kind of going through this

168
00:08:09,320 --> 00:08:11,560
and trying to organize and put it together

169
00:08:11,560 --> 00:08:13,800
and work with all the smart people at Microsoft

170
00:08:13,800 --> 00:08:16,440
to have access to industry, et cetera.

171
00:08:16,440 --> 00:08:20,080
And it just struck me that like this is a hard job.

172
00:08:20,080 --> 00:08:21,480
And on top of that, when you especially,

173
00:08:21,480 --> 00:08:23,320
you look at like the CISO program level,

174
00:08:23,320 --> 00:08:26,600
but to a degree the technical jobs as well

175
00:08:26,600 --> 00:08:31,040
is it crosses the lines and you have to interact

176
00:08:31,040 --> 00:08:33,640
with legal and communications.

177
00:08:33,640 --> 00:08:35,160
And it's got psychological elements

178
00:08:35,160 --> 00:08:36,840
that are trying to influence people's behavior

179
00:08:36,840 --> 00:08:39,240
for anti-phish testing and whatnot,

180
00:08:39,240 --> 00:08:42,680
which is not a technical problem, it's a human problem.

181
00:08:42,680 --> 00:08:44,800
And then you got politics coming into it

182
00:08:44,800 --> 00:08:47,040
with all the stuff going on because,

183
00:08:47,040 --> 00:08:49,560
how many cyber attacks are starting to become

184
00:08:49,560 --> 00:08:51,320
influenced by geopolitical events?

185
00:08:51,320 --> 00:08:52,760
And then you got criminal justice,

186
00:08:52,760 --> 00:08:55,880
specifically extradition across borders that plays a part.

187
00:08:55,880 --> 00:08:57,400
And then you have business management of the people

188
00:08:57,400 --> 00:08:59,320
that you're working with to try and get the goals

189
00:08:59,320 --> 00:09:01,280
of what's most important out of them.

190
00:09:01,280 --> 00:09:05,640
I mean, it's just amazing to me how hard this discipline is.

191
00:09:05,640 --> 00:09:07,880
So that was just some observations I made

192
00:09:07,880 --> 00:09:09,480
as we're kind of going through this process.

193
00:09:09,480 --> 00:09:10,480
And I was just struck by.

194
00:09:10,480 --> 00:09:12,640
When did you become a philosopher?

195
00:09:12,640 --> 00:09:14,000
I've been one for a while.

196
00:09:14,000 --> 00:09:16,400
I just kind of hide it most of the time.

197
00:09:16,400 --> 00:09:17,680
You bring up an important point though.

198
00:09:17,680 --> 00:09:21,800
I mean, when we get new employees and some of them say,

199
00:09:21,800 --> 00:09:23,520
hey, you know, we really want to get into cybersecurity.

200
00:09:23,520 --> 00:09:26,760
I mean, my first response is, you know, okay,

201
00:09:26,760 --> 00:09:28,160
what part of cybersecurity?

202
00:09:28,160 --> 00:09:31,120
I mean, it's a massive, massive area.

203
00:09:31,120 --> 00:09:32,600
I mean, I was just putting a blog post together

204
00:09:32,600 --> 00:09:35,160
just over the last couple of days.

205
00:09:35,160 --> 00:09:37,200
And you're right, you know,

206
00:09:37,200 --> 00:09:39,600
that even though I'm the author of the blog post,

207
00:09:39,600 --> 00:09:41,200
you know, has involved the developers,

208
00:09:41,200 --> 00:09:42,800
has involved the program managers,

209
00:09:42,800 --> 00:09:43,960
have had to involve legal,

210
00:09:43,960 --> 00:09:45,920
not for any legal reason,

211
00:09:45,920 --> 00:09:48,280
but you know, there are legal implications

212
00:09:48,280 --> 00:09:50,640
with some of the stuff that I'm writing.

213
00:09:50,640 --> 00:09:52,440
Same with the marketing people.

214
00:09:52,440 --> 00:09:55,160
And the sort of communications folks, right?

215
00:09:55,160 --> 00:09:56,280
Just to make sure that, you know,

216
00:09:56,280 --> 00:09:57,720
the right things are being said correctly

217
00:09:57,720 --> 00:09:59,400
and being done correctly.

218
00:09:59,400 --> 00:10:01,600
And then, you know, there's code level issues,

219
00:10:01,600 --> 00:10:04,920
there's design level issues, there's deployment issues.

220
00:10:04,920 --> 00:10:07,360
And that may not be one single person, right?

221
00:10:07,360 --> 00:10:08,520
There could be a lot of different people

222
00:10:08,520 --> 00:10:09,760
with different skills who know

223
00:10:09,760 --> 00:10:12,640
their area exceedingly well.

224
00:10:12,640 --> 00:10:14,000
In some cases, there's,

225
00:10:14,000 --> 00:10:16,080
you just got to start pulling in more and more people

226
00:10:16,080 --> 00:10:18,320
and they may have different agendas.

227
00:10:18,320 --> 00:10:19,640
But yeah, you're absolutely right.

228
00:10:19,640 --> 00:10:21,280
Yeah, and even the technical parts of it,

229
00:10:21,280 --> 00:10:24,560
like the difference between being a reverse engineer

230
00:10:24,560 --> 00:10:27,600
versus an architect versus a network expert

231
00:10:27,600 --> 00:10:30,160
versus an identity and access expert,

232
00:10:30,160 --> 00:10:34,520
like those are all completely self-sustained,

233
00:10:34,520 --> 00:10:37,040
huge complex disciplines among themselves.

234
00:10:37,040 --> 00:10:38,920
Well, and even that's an interesting point

235
00:10:38,920 --> 00:10:40,440
because, you know, in our group,

236
00:10:40,440 --> 00:10:41,720
in the Azure Data Platform,

237
00:10:41,720 --> 00:10:45,600
we hired a whole bunch of people just recently.

238
00:10:45,600 --> 00:10:48,800
And I was on, I think just about all the interview loops,

239
00:10:48,800 --> 00:10:50,480
except one that I recused myself

240
00:10:50,480 --> 00:10:52,560
because I actually know the person really well.

241
00:10:52,560 --> 00:10:56,480
What was interesting is how many of all the interviewees

242
00:10:56,480 --> 00:10:59,560
that I had were exceptional.

243
00:10:59,560 --> 00:11:01,560
But it was interesting, and probably about half of them,

244
00:11:01,560 --> 00:11:04,120
because of the nature of cybersecurity,

245
00:11:04,120 --> 00:11:06,600
they were definitely a strong Microsoft hire

246
00:11:06,600 --> 00:11:10,600
for Microsoft in a different part of cybersecurity

247
00:11:10,600 --> 00:11:12,760
because it's, because their skills,

248
00:11:12,760 --> 00:11:14,840
map onto a different area that, you know,

249
00:11:14,840 --> 00:11:17,120
isn't the sort of stuff that we were doing at the time.

250
00:11:17,120 --> 00:11:19,040
But they're still really, really good at cybersecurity,

251
00:11:19,040 --> 00:11:20,880
just different cybersecurity.

252
00:11:20,880 --> 00:11:22,600
So, you know, that harks back to the whole thing

253
00:11:22,600 --> 00:11:26,320
about this man-made science being absolutely massive.

254
00:11:26,320 --> 00:11:28,480
Yeah, it's just a crazy thing we're on.

255
00:11:28,480 --> 00:11:31,360
And it kind of explains why we have mission-oriented people

256
00:11:31,360 --> 00:11:34,000
that are willing to run into this complexity

257
00:11:34,000 --> 00:11:36,480
because, you know, they feel the impact

258
00:11:36,480 --> 00:11:38,600
and it's the right thing to do.

259
00:11:38,600 --> 00:11:41,200
So I have one item, it's nice and nerdy,

260
00:11:41,200 --> 00:11:43,920
and it's right up my alley.

261
00:11:43,920 --> 00:11:44,920
So for those of you that are aware,

262
00:11:44,920 --> 00:11:46,080
this is really important.

263
00:11:46,080 --> 00:11:48,920
So in fact, if you're sort of dozed off a little bit,

264
00:11:48,920 --> 00:11:52,040
you'll wake up because this is incredibly important.

265
00:11:52,040 --> 00:11:54,920
So towards the end of this year,

266
00:11:54,920 --> 00:11:57,360
we'll be making some updates across Azure

267
00:11:57,360 --> 00:12:00,960
in the root certificates that we use for TLS.

268
00:12:00,960 --> 00:12:03,960
So I think right now across Azure,

269
00:12:03,960 --> 00:12:08,960
every certificate chains back to a Baltimore CyberTrust Root.

270
00:12:09,280 --> 00:12:12,360
We're gonna be expanding that to include things like

271
00:12:12,360 --> 00:12:15,960
DigiCert Global Root and D-Trust Root,

272
00:12:15,960 --> 00:12:17,840
as well as a couple of others.

273
00:12:17,840 --> 00:12:19,360
Now, the odds are really good

274
00:12:19,360 --> 00:12:21,800
that this won't impact you at all.

275
00:12:21,800 --> 00:12:25,840
However, if you're using certificate pinning,

276
00:12:25,840 --> 00:12:28,400
you might run into problems.

277
00:12:28,400 --> 00:12:31,640
So I wanna put a link in the show notes,

278
00:12:31,640 --> 00:12:34,680
but please make sure you take a look at it

279
00:12:34,680 --> 00:12:37,880
and make sure that your code, you know,

280
00:12:37,880 --> 00:12:39,360
isn't using things like certificate pinning

281
00:12:39,360 --> 00:12:42,480
and restricting, you know, the roots that you're using.

282
00:12:42,480 --> 00:12:43,960
Another example actually in Windows

283
00:12:43,960 --> 00:12:46,960
is a thing called CTLs, Certificate Trust Lists.

284
00:12:46,960 --> 00:12:49,600
So you may have a dozen roots installed on a machine

285
00:12:49,600 --> 00:12:53,440
and you may say, I only wanna trust two.

286
00:12:53,440 --> 00:12:55,240
And that's a certificate trust list.

287
00:12:55,240 --> 00:12:56,760
And that, by the way, certificate trust lists

288
00:12:56,760 --> 00:12:59,000
in Windows have been around forever.

289
00:12:59,000 --> 00:13:01,160
They way predate pinning.

290
00:13:01,160 --> 00:13:03,200
But yeah, if you're using things like CTLs or pinning,

291
00:13:03,200 --> 00:13:04,400
you might run into a problem.

292
00:13:04,400 --> 00:13:06,960
So please, you know, have a look at your code

293
00:13:06,960 --> 00:13:10,040
or your systems, make sure that you're not restricting yourself

294
00:13:10,040 --> 00:13:13,840
just to the Baltimore CyberTrust Root CA certificate

295
00:13:13,840 --> 00:13:16,160
because if you do that, then, you know,

296
00:13:16,160 --> 00:13:18,360
the application might not work in the future.

297
00:13:18,360 --> 00:13:21,960
So please go ahead and check your applications.

298
00:13:21,960 --> 00:13:23,800
All right, so now we've got the news out of the way.

299
00:13:23,800 --> 00:13:26,760
Let's move our attention to our guest.

300
00:13:26,760 --> 00:13:30,880
This week we have Safina, who's here to talk to us

301
00:13:30,880 --> 00:13:33,600
about Microsoft Defender for Cloud.

302
00:13:33,600 --> 00:13:35,240
So as I've already mentioned,

303
00:13:35,240 --> 00:13:37,280
when we're sort of in the green room chatting,

304
00:13:37,280 --> 00:13:39,240
I mean, we've already had Yuri,

305
00:13:39,240 --> 00:13:41,400
Yuri Diogenes on the podcast,

306
00:13:41,400 --> 00:13:43,760
twice to talk about Defender for Cloud.

307
00:13:43,760 --> 00:13:46,640
So Safina's here to talk to us about Defender for Cloud

308
00:13:46,640 --> 00:13:48,680
but from a slightly different perspective.

309
00:13:48,680 --> 00:13:51,200
So Safina, thank you so much for joining us this week.

310
00:13:51,200 --> 00:13:52,280
Would you like to take a moment,

311
00:13:52,280 --> 00:13:53,920
sort of introduce yourself to our guests

312
00:13:53,920 --> 00:13:57,880
because sort of what you do and then let's get stuck into this.

313
00:13:57,880 --> 00:13:59,160
Absolutely, Michael.

314
00:13:59,160 --> 00:14:00,600
Thank you so much for having me.

315
00:14:00,600 --> 00:14:03,840
I'm so glad to be here and contributing and collaborating

316
00:14:03,840 --> 00:14:06,320
with these amazing bunch of people.

317
00:14:06,320 --> 00:14:08,960
And happy to talk about Microsoft Defender for Cloud

318
00:14:08,960 --> 00:14:12,160
with an emphasis of multi-cloud functionality

319
00:14:12,160 --> 00:14:13,680
that Defender for Cloud offers.

320
00:14:13,680 --> 00:14:16,760
Before that, I just want to introduce myself.

321
00:14:16,760 --> 00:14:21,160
I'm a program manager at Microsoft Cybersecurity Engineering.

322
00:14:21,160 --> 00:14:24,800
I'm focused on Microsoft Defender for Cloud product here.

323
00:14:24,800 --> 00:14:28,760
I've been with Microsoft for 15 years in several roles

324
00:14:28,760 --> 00:14:33,120
and now doing what I love the most, cybersecurity.

325
00:14:33,120 --> 00:14:35,560
To be specific, what I do at Microsoft

326
00:14:35,560 --> 00:14:39,000
is helping organizations prevent pre-attacks,

327
00:14:39,920 --> 00:14:41,440
yeah, in one line.

328
00:14:41,440 --> 00:14:45,640
So I'm here to talk about Microsoft Defender for Cloud.

329
00:14:45,640 --> 00:14:49,560
So I'm sure you might already know about Microsoft Defender

330
00:14:49,560 --> 00:14:53,840
for Cloud from the earlier podcast that Yuri Diogenes did.

331
00:14:53,840 --> 00:14:55,840
But just to give you a bit of overview

332
00:14:55,840 --> 00:14:58,840
for the new audiences that we have here,

333
00:14:58,840 --> 00:15:03,360
Microsoft Defender for Cloud covers the two main broad pillars

334
00:15:03,360 --> 00:15:06,400
of cloud security, which is cloud security

335
00:15:06,400 --> 00:15:10,720
posture management, and cloud workload platform protection,

336
00:15:10,720 --> 00:15:16,440
which we often call the CSPM and CWPP offerings.

337
00:15:16,440 --> 00:15:20,080
And this coverage is for all of your Azure,

338
00:15:20,080 --> 00:15:23,040
on-prem, and multi-cloud resources,

339
00:15:23,040 --> 00:15:27,240
which we will deep dive into it a bit later.

340
00:15:27,240 --> 00:15:29,360
But just to give you a background

341
00:15:29,360 --> 00:15:32,920
of what cloud security posture management feature does

342
00:15:32,920 --> 00:15:37,560
is it assesses the resources that you have onboarded to Azure

343
00:15:37,560 --> 00:15:42,000
and helps you secure configuration of the resources

344
00:15:42,000 --> 00:15:44,000
by providing your recommendations

345
00:15:44,000 --> 00:15:46,800
if there are any misconfigurations on the resources

346
00:15:46,800 --> 00:15:51,640
that you or your organizational people have spun up, right?

347
00:15:51,640 --> 00:15:54,320
And the security posture of your resources

348
00:15:54,320 --> 00:15:59,720
is actually assessed by a defined set of security controls,

349
00:15:59,720 --> 00:16:03,840
which make up the secure score of an organization.

350
00:16:03,840 --> 00:16:06,680
So you will receive a specific secure score

351
00:16:06,680 --> 00:16:09,480
based on the misconfigurations that Defender for Cloud

352
00:16:09,480 --> 00:16:11,920
as a product has identified.

353
00:16:11,920 --> 00:16:15,600
Now, you might be thinking what policy Defender for Cloud

354
00:16:15,600 --> 00:16:19,120
uses in order to assess these connected resources

355
00:16:19,120 --> 00:16:22,240
and provide guidance to you.

356
00:16:22,240 --> 00:16:25,120
When you enable Defender for Cloud in your environment,

357
00:16:25,120 --> 00:16:29,040
you are assigned a policy called Azure Security Benchmark.

358
00:16:29,040 --> 00:16:31,160
And that's the standard we use in order

359
00:16:31,160 --> 00:16:34,200
to assess your connected resources.

360
00:16:34,200 --> 00:16:37,480
And we compare it with the guidance in Azure Security

361
00:16:37,480 --> 00:16:41,200
Benchmark, and we provide you recommendations

362
00:16:41,200 --> 00:16:44,840
within the dashboard if there are any misconfigurations

363
00:16:44,840 --> 00:16:50,360
that we identify in your organizational environment.

364
00:16:50,360 --> 00:16:54,600
And then you can use this score to understand your security

365
00:16:54,600 --> 00:16:58,040
posture, how you're doing in terms of the score,

366
00:16:58,040 --> 00:17:00,200
and what are the misconfigurations

367
00:17:00,200 --> 00:17:03,400
that you have to remediate, and so on.

368
00:17:03,400 --> 00:17:07,360
There's a whole list of articles that we

369
00:17:07,360 --> 00:17:09,920
have posted in our TechNet community,

370
00:17:09,920 --> 00:17:12,240
as well as in our Microsoft documentation,

371
00:17:12,240 --> 00:17:15,240
which I would recommend you review in order

372
00:17:15,240 --> 00:17:19,960
to check how to remediate any recommendation.

373
00:17:19,960 --> 00:17:21,560
Now, this is about secure score,

374
00:17:21,560 --> 00:17:25,920
but I wanted to touch upon one other area which Defender

375
00:17:25,920 --> 00:17:27,600
for Cloud offers.

376
00:17:27,600 --> 00:17:31,240
It has also a capability that it continuously

377
00:17:31,240 --> 00:17:34,440
compares the configuration of your resources

378
00:17:34,440 --> 00:17:38,280
with the requirements in the industry standards, regulations,

379
00:17:38,280 --> 00:17:39,320
and benchmark.

380
00:17:39,320 --> 00:17:41,800
Like, for example, many organizations

381
00:17:41,800 --> 00:17:46,840
may want to be compliant with NIST, with CIS benchmarks,

382
00:17:46,840 --> 00:17:50,960
or any other organizational specific security requirements.

383
00:17:50,960 --> 00:17:53,680
So you can find all of these standards,

384
00:17:53,680 --> 00:17:57,200
and many of these standards, in Defender for Cloud dashboard

385
00:17:57,200 --> 00:17:59,920
that you can assign to your subscriptions,

386
00:17:59,920 --> 00:18:02,560
and you can measure compliance to understand

387
00:18:02,560 --> 00:18:06,720
if you are meeting specific compliance requirements or not.

388
00:18:06,720 --> 00:18:10,400
And if there are any misconfigurations,

389
00:18:10,400 --> 00:18:13,640
again, Defender for Cloud is going to show you

390
00:18:13,640 --> 00:18:15,520
in the dashboard, and so on.

391
00:18:15,520 --> 00:18:18,960
So that's the CSPM part Defender for Cloud offers.

392
00:18:18,960 --> 00:18:21,760
Yeah, I just want to make sure that everyone

393
00:18:21,760 --> 00:18:23,760
understands this.

394
00:18:23,760 --> 00:18:28,560
So the NIST controls, that's NIST SP800-53, right?

395
00:18:28,560 --> 00:18:29,040
That's right.

396
00:18:29,040 --> 00:18:30,560
So everyone just needs to be aware that we're only

397
00:18:30,560 --> 00:18:32,040
talking about the technical controls here, right?

398
00:18:32,040 --> 00:18:34,640
We're not talking about things like what your policies are

399
00:18:34,640 --> 00:18:37,080
around hiring people and where the locks are on the doors

400
00:18:37,080 --> 00:18:38,600
and that sort of stuff.

401
00:18:38,600 --> 00:18:41,120
But with that being said, it's incredibly important

402
00:18:41,120 --> 00:18:43,960
that people understand that you may have all your technical

403
00:18:43,960 --> 00:18:48,480
controls in place, but you can also read the NIST SP800-53

404
00:18:48,480 --> 00:18:52,240
and all the other various audits that we've had against Azure.

405
00:18:52,240 --> 00:18:54,000
So you can see what we're doing, because remember,

406
00:18:54,000 --> 00:18:55,920
it's a whole shared responsibility model, right?

407
00:18:55,920 --> 00:18:58,360
The stuff that the tenant has to do and the stuff

408
00:18:58,360 --> 00:19:00,000
that Azure does.

409
00:19:00,000 --> 00:19:02,800
And it's incredibly important that when

410
00:19:02,800 --> 00:19:04,400
you're talking about compliance, you've

411
00:19:04,400 --> 00:19:06,240
got to really look at both.

412
00:19:06,240 --> 00:19:08,440
But we made those available through independent audits

413
00:19:08,440 --> 00:19:09,680
that are available.

414
00:19:09,680 --> 00:19:13,040
So one thing you touched on briefly,

415
00:19:13,040 --> 00:19:16,400
which I think is going to be the goal of this or the subject,

416
00:19:16,400 --> 00:19:21,280
I should say, of this podcast, is basically multi-cloud,

417
00:19:21,280 --> 00:19:21,680
right?

418
00:19:21,680 --> 00:19:23,600
So this is something that's really cool,

419
00:19:23,600 --> 00:19:26,360
because I think Mark and Gladys can sort of back me up

420
00:19:26,360 --> 00:19:26,960
on this one.

421
00:19:26,960 --> 00:19:29,160
But certainly, every single customer I've ever

422
00:19:29,160 --> 00:19:33,520
spoken to, ever, with the exception of maybe one or two,

423
00:19:33,520 --> 00:19:36,000
maybe, are multi-cloud.

424
00:19:36,000 --> 00:19:40,520
A lot of customers I work with will be on Azure and, say, AWS,

425
00:19:40,520 --> 00:19:42,400
for example, for various reasons.

426
00:19:42,400 --> 00:19:46,120
So there was a large company I was working with, a large finance

427
00:19:46,120 --> 00:19:48,320
company, one of the largest in the US.

428
00:19:48,320 --> 00:19:51,520
And they had a policy of rolling out on Azure

429
00:19:51,520 --> 00:19:53,440
and rolling out on AWS.

430
00:19:53,440 --> 00:19:57,200
And they made the judgment as to which environment

431
00:19:57,200 --> 00:19:59,720
they were going to deploy on based on certain criteria.

432
00:19:59,720 --> 00:20:01,440
I don't actually know what those criteria were.

433
00:20:01,440 --> 00:20:04,520
But they ended up with an approximately 50-50 split

434
00:20:04,520 --> 00:20:05,080
across the two.

435
00:20:05,080 --> 00:20:08,200
So having something like Microsoft Defender for Cloud

436
00:20:08,200 --> 00:20:11,480
being multi-cloud, I think, is one fascinating.

437
00:20:11,480 --> 00:20:13,840
And two, probably something a lot of customers

438
00:20:13,840 --> 00:20:17,600
have really found a great deal of use of.

439
00:20:17,600 --> 00:20:20,800
So can you just sort of explain briefly what that means?

440
00:20:20,800 --> 00:20:24,280
What it entails and how it ends up

441
00:20:24,280 --> 00:20:25,960
sort of looking in the real world?

442
00:20:25,960 --> 00:20:26,920
What does it look like?

443
00:20:26,920 --> 00:20:27,840
I mean, what do you do?

444
00:20:27,840 --> 00:20:29,480
What do you end up with a single dashboard?

445
00:20:29,480 --> 00:20:31,000
Do you have a whole bunch of dashboards?

446
00:20:31,000 --> 00:20:32,960
I have no clue to be honest with you.

447
00:20:32,960 --> 00:20:34,120
That's a great question.

448
00:20:34,120 --> 00:20:37,400
Yeah, the whole point of us providing multi-cloud

449
00:20:37,400 --> 00:20:39,480
functionality is so that customers

450
00:20:39,480 --> 00:20:42,560
have a single pane of glass to look at all the environments,

451
00:20:42,560 --> 00:20:50,120
be it Azure, on-prem, multi-cloud, AWS, or GCP.

452
00:20:50,120 --> 00:20:53,320
I briefly want to talk about Cloud Workload Platform

453
00:20:53,320 --> 00:20:55,760
Protection as well, because that's

454
00:20:55,760 --> 00:20:58,040
one of the things that I specified.

455
00:20:58,040 --> 00:21:00,120
Just want to make sure everybody understands

456
00:21:00,120 --> 00:21:02,920
that Defender for Cloud comes with the capability of threat

457
00:21:02,920 --> 00:21:06,560
detection and protection to your workloads as well.

458
00:21:06,560 --> 00:21:09,160
So just want to leave that here.

459
00:21:09,160 --> 00:21:12,560
That's CWPP, Cloud Workload Platform Protection

460
00:21:12,560 --> 00:21:14,560
that Defender for Cloud offers.

461
00:21:14,560 --> 00:21:18,600
Now, talking about multi-cloud, so like you rightly said,

462
00:21:18,600 --> 00:21:21,640
Michael, with Cloud Workloads commonly

463
00:21:21,640 --> 00:21:24,840
spanning multiple cloud platforms,

464
00:21:24,840 --> 00:21:27,600
cloud security services must do the same.

465
00:21:27,600 --> 00:21:30,080
So with that idea, we introduced the protection

466
00:21:30,080 --> 00:21:33,440
towards AWS and GCP workloads as well,

467
00:21:33,440 --> 00:21:37,400
where you can protect your AWS-based resources.

468
00:21:37,400 --> 00:21:40,200
All you do is you connect your AWS account

469
00:21:40,200 --> 00:21:42,680
to an Azure subscription, and then you

470
00:21:42,680 --> 00:21:45,360
enable the protection plans that we offer.

471
00:21:45,360 --> 00:21:47,400
We offer a number of protection plans

472
00:21:47,400 --> 00:21:50,680
today that I'll speak about.

473
00:21:50,680 --> 00:21:54,200
So like you said, Michael, you can have,

474
00:21:54,200 --> 00:21:56,400
within the Defender for Cloud, the moment you

475
00:21:56,400 --> 00:22:00,040
connect your AWS account, today you

476
00:22:00,040 --> 00:22:02,040
have capability where you can connect

477
00:22:02,040 --> 00:22:06,360
either your organizational account or a management group

478
00:22:06,360 --> 00:22:07,240
account.

479
00:22:07,240 --> 00:22:09,680
When you do that, all the AWS accounts

480
00:22:09,680 --> 00:22:12,600
will automatically be connected to Defender for Cloud.

481
00:22:12,600 --> 00:22:17,080
And when you do that, you will notice in a single dashboard,

482
00:22:17,080 --> 00:22:19,840
which is in the Defender for Cloud dashboard itself,

483
00:22:19,840 --> 00:22:23,560
where you see recommendations today for Azure and on-prem,

484
00:22:23,560 --> 00:22:26,760
you'll start seeing further multi-cloud functionalities

485
00:22:26,760 --> 00:22:29,320
as well, like AWS or GCP, depending

486
00:22:29,320 --> 00:22:31,000
on what you've connected.

487
00:22:31,000 --> 00:22:33,360
Yeah, so it's as simple as that.

488
00:22:33,360 --> 00:22:37,400
We try to make the onboarding as simple as possible.

489
00:22:37,400 --> 00:22:41,640
So all you do is connecting your AWS account

490
00:22:41,640 --> 00:22:45,240
and giving permissions to that particular account

491
00:22:45,240 --> 00:22:50,360
to access the resources from the Defender for Cloud

492
00:22:50,360 --> 00:22:51,640
perspective.

493
00:22:51,640 --> 00:22:53,760
There are some prerequisites that you'll

494
00:22:53,760 --> 00:22:55,600
have to follow, which is documented

495
00:22:55,600 --> 00:22:59,440
within our documentation page, where

496
00:22:59,440 --> 00:23:03,240
you need to have access to the AWS account to start with.

497
00:23:03,240 --> 00:23:06,480
And then we offer different plans

498
00:23:06,480 --> 00:23:09,440
within this particular offering.

499
00:23:09,440 --> 00:23:13,400
So Defender for Cloud's Cloud Security Posture Management

500
00:23:13,400 --> 00:23:17,800
feature extends the features that I spoke about earlier

501
00:23:17,800 --> 00:23:20,160
in this podcast.

502
00:23:20,160 --> 00:23:24,480
It all extends to your AWS resources.

503
00:23:24,480 --> 00:23:27,920
And the great part is this is an agentless plan

504
00:23:27,920 --> 00:23:32,240
that assesses your AWS resources according to the AWS

505
00:23:32,240 --> 00:23:34,800
specific security recommendations.

506
00:23:34,800 --> 00:23:37,680
So you don't have to really install an agent or something.

507
00:23:37,680 --> 00:23:42,800
As long as you have a, when you install the connector,

508
00:23:42,800 --> 00:23:46,080
you will be able to, you are actually

509
00:23:46,080 --> 00:23:48,680
granting permissions to that connector

510
00:23:48,680 --> 00:23:52,800
to be able to access this particular account.

511
00:23:52,800 --> 00:23:54,760
So when you do that, the resources

512
00:23:54,760 --> 00:23:59,560
will be assessed for compliance with built-in standards

513
00:23:59,560 --> 00:24:01,320
specific to AWS.

514
00:24:01,320 --> 00:24:06,600
Like for example, we have a number of compliance standards

515
00:24:06,600 --> 00:24:09,400
that we have available within Defender for Cloud dashboard

516
00:24:09,400 --> 00:24:11,760
that you can see under regulatory compliance, which

517
00:24:11,760 --> 00:24:17,000
is AWS CIS, PCI, and AWS foundational best practices

518
00:24:17,000 --> 00:24:18,360
that you can view.

519
00:24:18,360 --> 00:24:19,960
Yeah.

520
00:24:19,960 --> 00:24:22,720
So you mentioned like the agent and the agentless

521
00:24:22,720 --> 00:24:24,000
and the account connection.

522
00:24:24,000 --> 00:24:26,600
I mean, is that Azure Arc?

523
00:24:26,600 --> 00:24:27,880
Yeah, that's a great question.

524
00:24:27,880 --> 00:24:33,040
So for every AWS machine connected to Azure

525
00:24:33,040 --> 00:24:37,120
with Azure Arc enabled servers, in those scenarios,

526
00:24:37,120 --> 00:24:38,800
you would need Azure Arc.

527
00:24:38,800 --> 00:24:44,440
If you are not connecting your AWS VMs to Azure,

528
00:24:44,440 --> 00:24:47,040
to Defender for Cloud, in those scenarios,

529
00:24:47,040 --> 00:24:49,920
you don't even require Azure Arc.

530
00:24:49,920 --> 00:24:54,600
So when you are, I guess, installing or enabling

531
00:24:54,600 --> 00:24:57,000
Defender for Cloud, and I'm asking this

532
00:24:57,000 --> 00:25:01,960
because another customer that I was talking to last week

533
00:25:01,960 --> 00:25:03,880
had a similar question.

534
00:25:03,880 --> 00:25:06,400
When you install Azure Arc, there's

535
00:25:06,400 --> 00:25:10,600
modules that get approved for them to install,

536
00:25:10,600 --> 00:25:13,800
so like Defender for Cloud or Defender for Endpoint

537
00:25:13,800 --> 00:25:14,880
or whatever.

538
00:25:14,880 --> 00:25:16,160
Is that correct?

539
00:25:16,160 --> 00:25:17,160
Yeah.

540
00:25:17,160 --> 00:25:19,960
So to give you a background of Azure Arc, right?

541
00:25:19,960 --> 00:25:25,400
Azure Arc lets you manage your Windows and Linux

542
00:25:25,400 --> 00:25:28,000
physical servers and even virtual machines that

543
00:25:28,000 --> 00:25:31,760
are hosted outside of Azure on your corporate network.

544
00:25:31,760 --> 00:25:35,160
And using Azure Arc capability, you

545
00:25:35,160 --> 00:25:37,440
can connect your hybrid machines.

546
00:25:37,440 --> 00:25:38,880
You can install.

547
00:25:38,880 --> 00:25:42,640
All you do is you install the Azure connected machine

548
00:25:42,640 --> 00:25:44,560
agent on each machine.

549
00:25:44,560 --> 00:25:47,480
And this agent doesn't really do anything.

550
00:25:47,480 --> 00:25:51,320
Like it doesn't replace the Azure Log Analytics agent

551
00:25:51,320 --> 00:25:53,280
or Azure Monitor agents that we have.

552
00:25:53,280 --> 00:25:57,440
But all it does is it helps you connect your hybrid machines

553
00:25:57,440 --> 00:25:58,680
to Azure.

554
00:25:58,680 --> 00:26:02,160
With the help of which, you can proactively monitor

555
00:26:02,160 --> 00:26:04,840
the OS and the workloads that's running on the machine.

556
00:26:04,840 --> 00:26:07,400
You can manage it using automation workbooks

557
00:26:07,400 --> 00:26:10,480
and manage it using Defender for Cloud.

558
00:26:10,480 --> 00:26:15,080
So even for the AWS scenario here,

559
00:26:15,080 --> 00:26:20,480
so if you want to connect an AWS EC2 instance

560
00:26:20,480 --> 00:26:23,440
to Defender for Cloud, in those scenarios,

561
00:26:23,440 --> 00:26:25,680
you will be using Azure Arc.

562
00:26:25,680 --> 00:26:30,240
And if you don't want to create an AWS EC2 instance,

563
00:26:30,240 --> 00:26:32,280
you don't have to really use Azure Arc,

564
00:26:32,280 --> 00:26:34,560
and you won't be charged for that machine.

565
00:26:34,560 --> 00:26:39,320
But the permissions that we get when you actually connect

566
00:26:39,320 --> 00:26:42,520
the connector through Defender for Cloud dashboard,

567
00:26:42,520 --> 00:26:45,040
that itself is enough to be able to monitor

568
00:26:45,040 --> 00:26:50,200
the virtual machines that you have on AWS consoles.

569
00:26:50,200 --> 00:26:56,880
And we use the AWS Systems Manager agent in the back end

570
00:26:56,880 --> 00:27:00,560
in order to be able to analyze how your virtual machines are

571
00:27:00,560 --> 00:27:01,520
doing and so on.

572
00:27:01,520 --> 00:27:04,840
And Defender for Cloud will provide you recommendations

573
00:27:04,840 --> 00:27:06,040
based on that.

574
00:27:06,040 --> 00:27:08,280
So I know that in the past, people

575
00:27:08,280 --> 00:27:13,880
used to install the Log Analytics agent in order

576
00:27:13,880 --> 00:27:16,760
to get data into Defender for Cloud.

577
00:27:16,760 --> 00:27:20,280
If once you change it through Arc, how does that change

578
00:27:20,280 --> 00:27:25,000
and what capability is enabled when you're

579
00:27:25,000 --> 00:27:27,240
managing a multi-cloud?

580
00:27:27,240 --> 00:27:29,240
That's a great question.

581
00:27:29,240 --> 00:27:33,360
So if you have used Azure Arc and if you

582
00:27:33,360 --> 00:27:37,240
want to enable Azure Arc connected machines to Defender

583
00:27:37,240 --> 00:27:40,960
for Cloud, Log Analytics agent is still required.

584
00:27:40,960 --> 00:27:43,680
A Log Analytics agent on Azure Arc machines,

585
00:27:43,680 --> 00:27:46,880
and that is to ensure that the selected workspace has

586
00:27:46,880 --> 00:27:49,000
security solution installed.

587
00:27:49,000 --> 00:27:51,840
And then the Log Analytics agent,

588
00:27:51,840 --> 00:27:54,440
you can configure it at the subscription level

589
00:27:54,440 --> 00:27:57,840
and all of your multi-cloud AWS and GCP projects,

590
00:27:57,840 --> 00:27:59,960
depending on what you have connected

591
00:27:59,960 --> 00:28:03,920
under the same subscriptions, will inherit the subscription

592
00:28:03,920 --> 00:28:05,080
settings.

593
00:28:05,080 --> 00:28:09,200
And we do have a functionality called auto provisioning

594
00:28:09,200 --> 00:28:10,560
as well.

595
00:28:10,560 --> 00:28:14,080
That's a super cool feature that we have.

596
00:28:14,080 --> 00:28:17,000
Auto provisioning will install the necessary agents

597
00:28:17,000 --> 00:28:21,480
and extensions that are used by Defender for Cloud

598
00:28:21,480 --> 00:28:22,800
to your resources.

599
00:28:22,800 --> 00:28:26,600
Like for example, we might require a Log Analytics agent

600
00:28:26,600 --> 00:28:28,880
if you have Azure Arc machines.

601
00:28:28,880 --> 00:28:32,200
It automatically installs the Log Analytics agent

602
00:28:32,200 --> 00:28:36,080
the moment you have auto provisioning button enabled.

603
00:28:36,080 --> 00:28:37,640
And that's free of charge.

604
00:28:37,640 --> 00:28:39,600
It's generally available for you.

605
00:28:39,600 --> 00:28:43,280
And depending on what extension is required for which machine,

606
00:28:43,280 --> 00:28:48,240
it actually helps reduce management overhead.

607
00:28:48,240 --> 00:28:50,640
You don't have to specifically go to the machines

608
00:28:50,640 --> 00:28:54,360
and install all the required agents and extensions.

609
00:28:54,360 --> 00:28:58,760
So Defender for Cloud analyzes it and does it by default.

610
00:28:58,760 --> 00:29:04,480
All the capabilities, once you go through a multi-cloud Arc

611
00:29:04,480 --> 00:29:09,960
between AWS and Azure and GCP, all the capabilities work

612
00:29:09,960 --> 00:29:11,360
similarly?

613
00:29:11,360 --> 00:29:12,800
Absolutely, yeah.

614
00:29:12,800 --> 00:29:16,920
So like I said, the Cloud Security Posture Management

615
00:29:16,920 --> 00:29:22,720
feature is for free, which means we review the AWS and GCP

616
00:29:22,720 --> 00:29:26,360
environment, just like how we review the Azure environment

617
00:29:26,360 --> 00:29:26,880
right.

618
00:29:26,880 --> 00:29:28,720
We review the resources.

619
00:29:28,720 --> 00:29:31,120
And it finds if there are any misconfigurations,

620
00:29:31,120 --> 00:29:35,680
it is able to provide you a secure score as well for AWS

621
00:29:35,680 --> 00:29:36,520
and GCP.

622
00:29:36,520 --> 00:29:39,800
So we have it in the Defender for Cloud dashboard.

623
00:29:39,800 --> 00:29:42,080
There is a really good toggle that we

624
00:29:42,080 --> 00:29:48,360
have where you can just see Azure score or AWS score or GCP

625
00:29:48,360 --> 00:29:50,720
score depending on what you're interested in.

626
00:29:50,720 --> 00:29:53,600
That makes it more clear to understand

627
00:29:53,600 --> 00:29:57,000
how you're doing in different cloud environments,

628
00:29:57,000 --> 00:29:59,480
how secure you are, and so on.

629
00:29:59,480 --> 00:30:02,040
So all the capabilities follow.

630
00:30:02,040 --> 00:30:05,360
In Azure, we do have a number of Defender Plans,

631
00:30:05,360 --> 00:30:08,760
Defender Coverage, like Defender for servers,

632
00:30:08,760 --> 00:30:11,920
Defender for SQL containers, and many more.

633
00:30:11,920 --> 00:30:14,800
But for multi-cloud functionality,

634
00:30:14,800 --> 00:30:20,920
we do have today three plans that you can enable.

635
00:30:20,920 --> 00:30:24,320
You can enable Defender for containers plan.

636
00:30:24,320 --> 00:30:31,400
If you want to monitor your EKS cluster, which will,

637
00:30:31,400 --> 00:30:34,080
I'm sure you might have used Defender for Kubernetes

638
00:30:34,080 --> 00:30:36,680
plan in Azure, it's the same.

639
00:30:36,680 --> 00:30:40,920
It extends its container threat detection and advanced

640
00:30:40,920 --> 00:30:45,560
defenses to your Amazon EKS Linux clusters.

641
00:30:45,560 --> 00:30:49,120
And we have Defender for servers offering as well

642
00:30:49,120 --> 00:30:52,640
for multi-cloud that brings threat detection and advanced

643
00:30:52,640 --> 00:30:56,960
defenses to your Windows and Linux EC2 instances.

644
00:30:56,960 --> 00:31:00,520
And this plan includes integrated license

645
00:31:00,520 --> 00:31:03,880
for Defender for endpoint, which is super cool actually,

646
00:31:03,880 --> 00:31:07,680
because you can get the security baselines and OS level

647
00:31:07,680 --> 00:31:11,080
assessments and vulnerability scanning and whatnot,

648
00:31:11,080 --> 00:31:15,040
just like how you've been getting it for Azure resources

649
00:31:15,040 --> 00:31:18,160
so far, you can get the same functionality with Defender

650
00:31:18,160 --> 00:31:24,880
for servers offering for AWS and GCP workloads as well.

651
00:31:24,880 --> 00:31:28,080
We also include vulnerability assessment solutions

652
00:31:28,080 --> 00:31:32,840
for your virtual machines and for container registries.

653
00:31:32,840 --> 00:31:36,360
And we also have a SQL plan available,

654
00:31:36,360 --> 00:31:39,520
where it brings the threat detection and defenses

655
00:31:39,520 --> 00:31:45,840
for your SQL servers running on AWS EC2, AWS RDS,

656
00:31:45,840 --> 00:31:49,000
Custom for SQL Server, and so on.

657
00:31:49,000 --> 00:31:51,200
Though I just spoke about AWS now,

658
00:31:51,200 --> 00:31:54,480
but all of this is applicable for GCP as well.

659
00:31:54,480 --> 00:31:57,480
We have the same capabilities that we

660
00:31:57,480 --> 00:32:00,240
offer for GCP workloads as well.

661
00:32:00,240 --> 00:32:01,080
This is really cool.

662
00:32:01,080 --> 00:32:03,240
So I mean, in the user interface,

663
00:32:03,240 --> 00:32:05,080
does it look like it's one thing or is it

664
00:32:05,080 --> 00:32:07,240
like we're dealing with three totally separate things?

665
00:32:07,240 --> 00:32:10,440
I mean, I'm sure everyone on this session

666
00:32:10,440 --> 00:32:12,400
would agree that customers prefer something

667
00:32:12,400 --> 00:32:14,760
that's a little bit homogenous and looks

668
00:32:14,760 --> 00:32:16,120
like you're dealing with the same thing.

669
00:32:16,120 --> 00:32:17,080
So does it look that way?

670
00:32:17,080 --> 00:32:20,360
I mean, does it look like it's a, I'm looking at my AWS stuff,

671
00:32:20,360 --> 00:32:23,560
my Azure stuff, and my GCP stuff, all in one homogenous

672
00:32:23,560 --> 00:32:26,000
environment, or does it look like it's bolted on?

673
00:32:26,000 --> 00:32:30,680
It's actually all integrated into one single dashboard.

674
00:32:30,680 --> 00:32:33,960
So if you have looked at Defender for Cloud dashboard

675
00:32:33,960 --> 00:32:37,080
and if you've looked at recommendations until now,

676
00:32:37,080 --> 00:32:39,560
you would see all the Azure recommendations

677
00:32:39,560 --> 00:32:41,840
under the recommendations blade.

678
00:32:41,840 --> 00:32:46,520
So now, once you have AWS or GCP account connected,

679
00:32:46,520 --> 00:32:50,480
you will start seeing the AWS and GCP recommendations

680
00:32:50,480 --> 00:32:54,080
in the same place, just right next to the Azure.

681
00:32:54,080 --> 00:32:56,840
And that's why we have this toggle as well.

682
00:32:56,840 --> 00:33:00,440
You could pick and choose to see what recommendations

683
00:33:00,440 --> 00:33:04,040
do you want to see and if they're AWS or GCP,

684
00:33:04,040 --> 00:33:06,320
the moment you click on AWS or GCP,

685
00:33:06,320 --> 00:33:08,760
it will reload the pane.

686
00:33:08,760 --> 00:33:12,520
So the broad approach here brings Defender for Cloud

687
00:33:12,520 --> 00:33:14,840
closer to being the single pane of glass

688
00:33:14,840 --> 00:33:19,640
for all of your security, cloud security efforts, AWS, GCP,

689
00:33:19,640 --> 00:33:22,680
on-prem, or Azure.

690
00:33:22,680 --> 00:33:23,680
That's really nice.

691
00:33:23,680 --> 00:33:25,520
And I think you summed it up nicely there

692
00:33:25,520 --> 00:33:27,200
with the single pane of glass.

693
00:33:27,200 --> 00:33:29,840
I think that's really, that's really, really cool.

694
00:33:29,840 --> 00:33:31,920
So there's obviously a lot of engineering gone into that,

695
00:33:31,920 --> 00:33:36,520
but we've hidden a lot of the complexities of this,

696
00:33:36,520 --> 00:33:37,640
which is cool.

697
00:33:37,640 --> 00:33:40,720
And the fact that it's agentless as well, I think,

698
00:33:40,720 --> 00:33:42,480
is really exciting too, because people just

699
00:33:42,480 --> 00:33:45,120
don't want to start having to manage one.

700
00:33:45,120 --> 00:33:46,560
They're not just managing AWS, they're

701
00:33:46,560 --> 00:33:48,160
managing a whole set of other agents,

702
00:33:48,160 --> 00:33:50,840
but now they don't have to do that because there is no agents.

703
00:33:50,840 --> 00:33:53,560
So that's a really, really good design thing as well.

704
00:33:53,560 --> 00:33:55,640
Absolutely.

705
00:33:55,640 --> 00:33:56,640
Cost.

706
00:33:56,640 --> 00:33:58,040
We've got to ask that question.

707
00:33:58,040 --> 00:33:59,320
What about the cost?

708
00:33:59,320 --> 00:34:04,600
So the Cloud Security Posture Management feature is free.

709
00:34:04,600 --> 00:34:07,840
But if you are looking for additional plans that we offer,

710
00:34:07,840 --> 00:34:10,840
like I just mentioned, Defender for SQL or Defender

711
00:34:10,840 --> 00:34:15,000
for Containers or Defender for Servers.

712
00:34:15,000 --> 00:34:17,000
So for Defender for SQL, the plan

713
00:34:17,000 --> 00:34:21,200
is billed at the same price as the top Azure resources.

714
00:34:21,200 --> 00:34:26,600
Like, for example, for Defender for SQL,

715
00:34:26,600 --> 00:34:30,560
we bill a couple of dollars for every SQL machine.

716
00:34:30,560 --> 00:34:32,440
So it's going to be the same price

717
00:34:32,440 --> 00:34:35,000
as that of the Azure resources.

718
00:34:35,000 --> 00:34:37,360
I also spoke about the plan that we offer,

719
00:34:37,360 --> 00:34:39,800
Defender for Containers.

720
00:34:39,800 --> 00:34:42,280
That plan is in preview at the moment.

721
00:34:42,280 --> 00:34:45,600
So it's free during preview, but after which,

722
00:34:45,600 --> 00:34:48,880
it will be billed for AWS at the same price

723
00:34:48,880 --> 00:34:51,760
as that of the Azure resources.

724
00:34:51,760 --> 00:34:56,480
But for every AWS machine connected to Azure,

725
00:34:56,480 --> 00:35:00,440
with Azure Arc enabled servers, Defender for Server plans

726
00:35:00,440 --> 00:35:04,520
is billed at the same price as that of the Microsoft Defender

727
00:35:04,520 --> 00:35:07,640
for Server plan for Azure machines.

728
00:35:07,640 --> 00:35:13,560
But if an AWS EC2 doesn't require an Azure Arc agent,

729
00:35:13,560 --> 00:35:17,320
then you won't be charged for that machine whatsoever.

730
00:35:17,320 --> 00:35:19,920
I want to talk about the automation piece.

731
00:35:19,920 --> 00:35:23,800
So when there is a threat, it is important for you

732
00:35:23,800 --> 00:35:26,400
to identify it at the right time.

733
00:35:26,400 --> 00:35:30,000
And then it's more critical to act upon it immediately

734
00:35:30,000 --> 00:35:33,000
before it passes to the next phase of cybersecurity kill

735
00:35:33,000 --> 00:35:33,640
chain.

736
00:35:33,640 --> 00:35:36,240
And that's where automations will help.

737
00:35:36,240 --> 00:35:38,760
And automation, like I'm sure you understand,

738
00:35:38,760 --> 00:35:42,320
that it reduces the overhead to a lot of extent.

739
00:35:42,320 --> 00:35:44,720
So Defender for Cloud has this capability

740
00:35:44,720 --> 00:35:49,080
where you can take help of the logic apps on security alerts,

741
00:35:49,080 --> 00:35:52,800
on recommendations, and changes to the regulatory compliance.

742
00:35:52,800 --> 00:35:55,520
So for example, you might want Defender for Cloud

743
00:35:55,520 --> 00:36:00,240
to send an email to a specific user when an alert occurs.

744
00:36:00,240 --> 00:36:02,600
Even further, you might want Defender for Cloud

745
00:36:02,600 --> 00:36:04,560
to automatically act upon the alert

746
00:36:04,560 --> 00:36:07,280
before it causes a harm to the organization.

747
00:36:07,280 --> 00:36:09,880
All of this and much more is possible through Defender

748
00:36:09,880 --> 00:36:11,600
for Cloud.

749
00:36:11,600 --> 00:36:15,680
We have a GitHub repository where me and my team

750
00:36:15,680 --> 00:36:19,520
work on publishing the automations

751
00:36:19,520 --> 00:36:22,680
with the help of logic apps, with the help of workbooks,

752
00:36:22,680 --> 00:36:30,080
that we have just so that we can help you reduce

753
00:36:30,080 --> 00:36:35,200
the overhead to remediate a recommendation or remediation,

754
00:36:35,200 --> 00:36:37,240
to help you with the remediation.

755
00:36:37,240 --> 00:36:40,880
And we do have a quick fix capability

756
00:36:40,880 --> 00:36:44,200
that you have probably used in Azure.

757
00:36:44,200 --> 00:36:48,800
And that continues for the multi-cloud functionality

758
00:36:48,800 --> 00:36:49,360
as well.

759
00:36:49,360 --> 00:36:53,240
The quick fix will help you quickly fix

760
00:36:53,240 --> 00:36:56,480
a specific misconfiguration that Defender for Cloud

761
00:36:56,480 --> 00:36:57,680
is reporting.

762
00:36:57,680 --> 00:37:01,680
And we also are very transparent in terms of the logic,

763
00:37:01,680 --> 00:37:06,520
like what's the logic that we are running behind.

764
00:37:06,520 --> 00:37:08,680
When you click on that quick fix button,

765
00:37:08,680 --> 00:37:10,360
what is happening in the back end,

766
00:37:10,360 --> 00:37:14,160
you can see all the logic right on the dashboard itself.

767
00:37:14,160 --> 00:37:16,880
Yeah, one of the things I was kind of curious about

768
00:37:16,880 --> 00:37:20,000
is, I've got some opinions on this,

769
00:37:20,000 --> 00:37:25,200
but I'm curious who you're seeing is using Defender for Cloud.

770
00:37:25,200 --> 00:37:26,680
Are you seeing?

771
00:37:26,680 --> 00:37:32,760
Because there's the engineers and the architects and whatnot

772
00:37:32,760 --> 00:37:35,440
that are designing the preventive controls.

773
00:37:35,440 --> 00:37:39,000
There's security operations that has to consume the alerts.

774
00:37:39,000 --> 00:37:42,720
But who's kind of working with it to make sure that, hey,

775
00:37:42,720 --> 00:37:44,680
the teams are actually applying the fixes,

776
00:37:44,680 --> 00:37:48,680
improving their score and compliance status, et cetera.

777
00:37:48,680 --> 00:37:50,120
Is this like a governance team?

778
00:37:50,120 --> 00:37:53,600
Is this like a patch management vulnerability scanning team?

779
00:37:53,600 --> 00:37:56,400
Because we're starting to see some of those merge,

780
00:37:56,400 --> 00:37:59,720
but I'm curious what you're seeing as far as users

781
00:37:59,720 --> 00:38:00,960
of the console.

782
00:38:00,960 --> 00:38:03,560
We work with a number of customers.

783
00:38:03,560 --> 00:38:09,080
So all the customers that we work with are a wide range

784
00:38:09,080 --> 00:38:13,640
of people with some of them are security architects,

785
00:38:13,640 --> 00:38:16,280
some of them are patch management people.

786
00:38:16,280 --> 00:38:20,520
So like Defender for Cloud offers protection

787
00:38:20,520 --> 00:38:22,800
towards various workloads.

788
00:38:22,800 --> 00:38:28,160
So there are several teams that actually use Defender for Cloud

789
00:38:28,160 --> 00:38:33,440
to understand how they are doing in terms of their own technology

790
00:38:33,440 --> 00:38:37,160
that they own, like SQL or Kubernetes or containers

791
00:38:37,160 --> 00:38:39,040
and so on and so forth.

792
00:38:39,040 --> 00:38:44,800
So security architects, CISOs, there

793
00:38:44,800 --> 00:38:47,960
are a lot of security teams that we work with day in and day

794
00:38:47,960 --> 00:38:52,320
out, whom we help assess these misconfigurations

795
00:38:52,320 --> 00:38:53,960
and help remediate.

796
00:38:53,960 --> 00:38:56,880
We actually struggled with that when we were writing, designing,

797
00:38:56,880 --> 00:38:58,520
developing secure Azure solutions.

798
00:38:58,520 --> 00:39:00,120
Because originally, we were going to actually

799
00:39:00,120 --> 00:39:02,320
have a chapter just on Defender for Cloud.

800
00:39:02,320 --> 00:39:04,400
And in the end, we ended up not doing it.

801
00:39:04,400 --> 00:39:08,680
Instead, what we did is we sprinkled Defender for Cloud

802
00:39:08,680 --> 00:39:14,560
information often as sidebars in almost every chapter.

803
00:39:14,560 --> 00:39:16,600
And we think that actually worked better because it was sort

804
00:39:16,600 --> 00:39:18,200
of like, here's an area that you need

805
00:39:18,200 --> 00:39:20,840
to be cognizant of when you're building secure solutions.

806
00:39:20,840 --> 00:39:24,480
Oh, and by the way, here's how Microsoft Defender for Cloud

807
00:39:24,480 --> 00:39:29,320
can help provide, can help fill this little gap.

808
00:39:29,320 --> 00:39:32,520
And so we felt that that was actually much more

809
00:39:32,520 --> 00:39:36,120
appropriate, a much better way of involving Defender

810
00:39:36,120 --> 00:39:37,440
for Cloud information.

811
00:39:37,440 --> 00:39:39,160
I don't know, to be honest with you,

812
00:39:39,160 --> 00:39:41,120
I don't actually know how to answer your question, Mark.

813
00:39:41,120 --> 00:39:43,240
I think everyone needs to be aware of it.

814
00:39:43,240 --> 00:39:44,720
That's just my two cents.

815
00:39:44,720 --> 00:39:45,360
Yeah.

816
00:39:45,360 --> 00:39:47,920
Yeah, because one of the things we've seen on sort of the leading

817
00:39:47,920 --> 00:39:51,360
edge organizations, which we captured into the CISO workshop

818
00:39:51,360 --> 00:39:57,040
actually, was I feel like there's this missing posture management

819
00:39:57,040 --> 00:40:01,120
team, sort of like a sister function to security operations.

820
00:40:01,120 --> 00:40:03,240
Because security operations is there,

821
00:40:03,240 --> 00:40:04,680
they're the firefighters, right?

822
00:40:04,680 --> 00:40:06,520
Something's bad, the attackers here.

823
00:40:06,520 --> 00:40:09,920
And that's their top focus, has to be that.

824
00:40:09,920 --> 00:40:12,560
But there's also this need for an operational team that's

825
00:40:12,560 --> 00:40:15,240
like actively engaging on a day-to-day basis,

826
00:40:15,240 --> 00:40:17,840
that's fixing your preventive controls

827
00:40:17,840 --> 00:40:19,720
and fixing your gaps and visibility,

828
00:40:19,720 --> 00:40:22,560
sort of like an active part of governance.

829
00:40:22,560 --> 00:40:24,120
And so it's kind of a leading question.

830
00:40:24,120 --> 00:40:25,920
So I hope you don't mind that.

831
00:40:25,920 --> 00:40:28,320
But ultimately, we're seeing this need for a team

832
00:40:28,320 --> 00:40:31,720
that we probably should have created 20 years ago that's

833
00:40:31,720 --> 00:40:35,360
actually working on that and saying, hey, asset owners,

834
00:40:35,360 --> 00:40:40,200
server owners, container owners, do you need help?

835
00:40:40,200 --> 00:40:42,800
Like we're seeing that your numbers are going down or going up.

836
00:40:42,800 --> 00:40:46,120
And what do you need to do to be successful?

837
00:40:46,120 --> 00:40:48,840
And we've got some experts here for you, some of which

838
00:40:48,840 --> 00:40:50,920
we probably recruited from your teams,

839
00:40:50,920 --> 00:40:53,840
that are passionate about security and helping

840
00:40:53,840 --> 00:40:55,600
you get your stuff secure.

841
00:40:55,600 --> 00:41:00,600
Like it's been sort of like a unicorn or a volunteer effort

842
00:41:00,600 --> 00:41:02,840
in some organizations to make this happen.

843
00:41:02,840 --> 00:41:07,280
But it really needs to be an actual function with people

844
00:41:07,280 --> 00:41:09,880
dedicated to it, et cetera, because the SOC's never

845
00:41:09,880 --> 00:41:11,960
going to do a good job of that.

846
00:41:11,960 --> 00:41:16,360
And people that are goaled on getting new stuff out,

847
00:41:16,360 --> 00:41:18,960
they're not particularly incentivized to do that.

848
00:41:18,960 --> 00:41:21,160
And so it's just sort of an interesting thing

849
00:41:21,160 --> 00:41:24,600
that we're starting to see form up in a few customers.

850
00:41:24,600 --> 00:41:27,160
Well, actually, Mark, you and I have spoken about this.

851
00:41:27,160 --> 00:41:28,800
I was working with an insurance company.

852
00:41:28,800 --> 00:41:31,760
And they ended up having a small number of people

853
00:41:31,760 --> 00:41:34,680
sort of part of their day job was essentially

854
00:41:34,680 --> 00:41:38,480
handling secure score and also preventing it

855
00:41:38,480 --> 00:41:43,440
from going down as new checks came online.

856
00:41:43,440 --> 00:41:45,040
Because as she says to them, I said,

857
00:41:45,040 --> 00:41:47,640
if you guys just roll out Defender for Cloud

858
00:41:47,640 --> 00:41:53,000
and your secure score is 76, if you leave it alone,

859
00:41:53,000 --> 00:41:54,840
in a few weeks, it'll be down to 60,

860
00:41:54,840 --> 00:41:56,520
because we're going to roll out new checks.

861
00:41:56,520 --> 00:41:59,360
So someone needs to be tasked with making sure

862
00:41:59,360 --> 00:42:03,520
that they're keeping track of what's coming down the pike.

863
00:42:03,520 --> 00:42:05,800
So yeah, I think you're absolutely right.

864
00:42:05,800 --> 00:42:08,320
I think someone needs to be dedicated to looking after this.

865
00:42:08,320 --> 00:42:10,320
And it can't be the traditional approach

866
00:42:10,320 --> 00:42:13,640
that we typically see of a vulnerability team, which

867
00:42:13,640 --> 00:42:16,360
is what I like to call scan and shame.

868
00:42:16,360 --> 00:42:18,360
We're not here to just make you feel bad.

869
00:42:18,360 --> 00:42:20,240
We're actually here to help, like genuinely.

870
00:42:20,240 --> 00:42:21,960
Like, yeah, we have reports and all that,

871
00:42:21,960 --> 00:42:24,240
just like everybody else can look at the dashboard.

872
00:42:24,240 --> 00:42:26,840
But if you need help and you've never done this

873
00:42:26,840 --> 00:42:29,040
and you need best practices and you need tooling

874
00:42:29,040 --> 00:42:31,640
or you need someone to tell your management that this

875
00:42:31,640 --> 00:42:35,320
is important or whatever it is, like you need a team that's

876
00:42:35,320 --> 00:42:39,720
doing that and helping, not just telling you you suck.

877
00:42:39,720 --> 00:42:40,840
Absolutely.

878
00:42:40,840 --> 00:42:43,000
Yeah, and I think, yeah, I agree 100%.

879
00:42:43,000 --> 00:42:45,240
And in fact, to that point, there's not just knowledge

880
00:42:45,240 --> 00:42:47,120
of Defender for Cloud and secure score.

881
00:42:47,120 --> 00:42:50,840
It's also the knowledge that's required in, say, containers

882
00:42:50,840 --> 00:42:53,520
or SQL or whatever you're monitoring, storage,

883
00:42:53,520 --> 00:42:54,840
whatever you're monitoring, right?

884
00:42:54,840 --> 00:42:56,880
Those skills need to be rolled into it as well.

885
00:42:56,880 --> 00:42:59,560
So I realize we're probably continuing the whole philosophical

886
00:42:59,560 --> 00:43:01,800
aspect, which is fine.

887
00:43:01,800 --> 00:43:02,920
It's contagious.

888
00:43:02,920 --> 00:43:05,320
It is, yeah.

889
00:43:05,320 --> 00:43:08,280
All right, Safina, let's bring this thing to an end.

890
00:43:08,280 --> 00:43:10,200
So one thing we always ask our guests

891
00:43:10,200 --> 00:43:13,240
is if you had one thought to leave our listeners with,

892
00:43:13,240 --> 00:43:14,240
what would it be?

893
00:43:14,240 --> 00:43:19,400
Yeah, so I would want our listeners to go ahead

894
00:43:19,400 --> 00:43:22,160
and deploy Defender for Cloud.

895
00:43:22,160 --> 00:43:24,200
When you start deploying Defender for Cloud,

896
00:43:24,200 --> 00:43:25,600
it's for free to start with.

897
00:43:25,600 --> 00:43:28,960
Like I said, if you are deploying AWS or GCP

898
00:43:28,960 --> 00:43:30,880
or just for the Azure environments,

899
00:43:30,880 --> 00:43:34,120
this cloud security posture management is free.

900
00:43:34,120 --> 00:43:39,160
So go ahead and deploy it and you can see the benefit

901
00:43:39,160 --> 00:43:41,720
that you receive from Defender for Cloud.

902
00:43:41,720 --> 00:43:45,440
And then once you're satisfied, you can go ahead

903
00:43:45,440 --> 00:43:48,480
and enable the additional plans like Defender for SQL,

904
00:43:48,480 --> 00:43:51,920
Defender for Kubernetes and whatnot, right, that we have.

905
00:43:51,920 --> 00:43:53,760
And make benefit out of it.

906
00:43:53,760 --> 00:43:55,880
And like Mark mentioned, it's not

907
00:43:55,880 --> 00:44:00,560
that one person who actually should be responsible

908
00:44:00,560 --> 00:44:02,160
to look at the secure score.

909
00:44:02,160 --> 00:44:04,640
It's the whole team, whole organization

910
00:44:04,640 --> 00:44:08,040
that needs to really look at the secure score,

911
00:44:08,040 --> 00:44:11,840
see the misconfigurations, and to be able to resolve it

912
00:44:11,840 --> 00:44:15,200
as soon as possible before it actually passes down

913
00:44:15,200 --> 00:44:17,160
to the whole organization.

914
00:44:17,160 --> 00:44:19,080
Okay, well, let's bring this thing to an end.

915
00:44:19,080 --> 00:44:21,440
So Safina, thank you so much for joining us this week.

916
00:44:21,440 --> 00:44:23,360
I know you're very busy and I know

917
00:44:23,360 --> 00:44:26,280
Microsoft Defender for Cloud is a hugely important product.

918
00:44:26,280 --> 00:44:29,600
So I appreciate you taking the time, taking some of this.

919
00:44:29,600 --> 00:44:30,720
Thanks for having me.

920
00:44:30,720 --> 00:44:32,440
It's great to speak to you guys.

921
00:44:32,440 --> 00:44:33,360
Thank you.

922
00:44:33,360 --> 00:44:34,840
And to our listeners out there,

923
00:44:34,840 --> 00:44:36,600
thank you so much for joining us this week.

924
00:44:36,600 --> 00:44:38,560
Take care and we'll see you next time.

925
00:44:38,560 --> 00:44:41,480
Thanks for listening to the Azure Security Podcast.

926
00:44:41,480 --> 00:44:44,040
You can find show notes and other resources

927
00:44:44,040 --> 00:44:47,360
at our website, azsecuritypodcast.net.

928
00:44:48,280 --> 00:44:49,840
If you have any questions,

929
00:44:49,840 --> 00:44:52,120
please find us on Twitter at Azure Sec Pod.

930
00:44:52,120 --> 00:44:54,760
Background music is from ccmixter.com

931
00:44:54,760 --> 00:45:23,760
and licensed under the Creative Commons license.

