1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,380
where we discuss topics relating to security, privacy,

3
00:00:09,380 --> 00:00:13,720
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,720 --> 00:00:16,680
Hey, everybody. Welcome to Episode 61.

5
00:00:16,680 --> 00:00:19,800
This week, it is myself, Michael, with Sarah and Mark.

6
00:00:19,800 --> 00:00:21,720
Gladys is still taking a little bit of time off.

7
00:00:21,720 --> 00:00:22,960
We also have a guest this week.

8
00:00:22,960 --> 00:00:24,640
We have Elizabeth Stevens.

9
00:00:24,640 --> 00:00:27,680
She is a director of Cyber Risk Intel

10
00:00:27,680 --> 00:00:30,160
within our Cloud Operations Innovation Team,

11
00:00:30,160 --> 00:00:31,840
and she's here to talk to us about

12
00:00:31,840 --> 00:00:34,360
operational technology or OT security.

13
00:00:34,360 --> 00:00:35,720
But before we get to Elizabeth,

14
00:00:35,720 --> 00:00:37,840
let's take a quick lap around the news.

15
00:00:37,840 --> 00:00:39,360
Mark, why don't you kick things off?

16
00:00:39,360 --> 00:00:42,680
I've been trying something a little bit different out lately,

17
00:00:42,680 --> 00:00:45,080
and as I'm developing new slides

18
00:00:45,080 --> 00:00:48,720
for some of our architecture design session workshops,

19
00:00:48,720 --> 00:00:52,040
I'm actually posting them on LinkedIn and Twitter to get people's feedback.

20
00:00:52,040 --> 00:00:55,680
It's been actually pretty helpful in getting a lot of feedback on them,

21
00:00:55,680 --> 00:00:58,080
focused on patch management right now.

22
00:00:58,080 --> 00:01:04,480
We'll pop a couple of links into the show notes so you can check those out.

23
00:01:04,480 --> 00:01:08,800
Just figuring out what the right model looks like that works across IT,

24
00:01:08,800 --> 00:01:10,720
OT, IoT, etc.

25
00:01:10,720 --> 00:01:14,480
And the strategy that you can put a policy behind.

26
00:01:14,480 --> 00:01:18,240
Some of the anti-patterns and the anti-patterns

27
00:01:18,240 --> 00:01:20,800
are the opposite of best practices.

28
00:01:20,800 --> 00:01:24,680
And so some of the common mistakes that we see organizations make.

29
00:01:24,680 --> 00:01:28,200
So yeah, feel free to check those out and I'd love to get your feedback.

30
00:01:28,200 --> 00:01:29,840
A couple of bits of news from me.

31
00:01:29,840 --> 00:01:31,960
Hopefully everyone can understand my voice.

32
00:01:31,960 --> 00:01:36,160
I'm still a little bit hoarse from coming back from Hacker Summer Camp.

33
00:01:36,160 --> 00:01:43,600
So firstly, we've announced in our public preview that AKS or Azure Kubernetes Service,

34
00:01:43,600 --> 00:01:47,880
you can now use a confidential VM node pool.

35
00:01:47,880 --> 00:01:52,200
So what that means is that we're actually supporting

36
00:01:52,200 --> 00:01:56,400
using basically confidential computing in AKS.

37
00:01:56,400 --> 00:02:01,560
So if you've got some really super secret squirrel important things

38
00:02:01,560 --> 00:02:03,840
that need to have a protective memory space,

39
00:02:03,840 --> 00:02:06,160
you should go and check that out.

40
00:02:06,160 --> 00:02:08,240
And next up another AKS thing.

41
00:02:08,240 --> 00:02:13,240
AKS is now supporting key management system, or KMS, plug-in integration.

42
00:02:13,240 --> 00:02:20,560
So that means that you can do encryption at rest in your Kubernetes data using Key Vault.

43
00:02:20,560 --> 00:02:22,360
So of course that's important.

44
00:02:22,360 --> 00:02:24,000
So we store our secrets.

45
00:02:24,000 --> 00:02:25,760
Of course you can bring your own key.

46
00:02:25,760 --> 00:02:30,560
So again, another one to have a look at if you're using AKS.

47
00:02:30,560 --> 00:02:37,480
Another thing we've just announced is that Azure Firewall Premium is now ICSA Labs certified.

48
00:02:37,480 --> 00:02:43,840
So that is an addition to some of our other firewall certificates that we've got.

49
00:02:43,840 --> 00:02:49,680
That is actually specifically for our IPS, our intrusion prevention system.

50
00:02:49,680 --> 00:02:52,720
So of course if that's something that you need,

51
00:02:52,720 --> 00:03:01,080
maybe for your regulatory requirements or just something that it's good to know that we've got certified in,

52
00:03:01,080 --> 00:03:03,040
you can also go check that out.

53
00:03:03,040 --> 00:03:09,880
And then one other piece of news that is from a part of the world that I love, and Michael, I know you do too.

54
00:03:09,880 --> 00:03:17,000
We've also announced, we're always announcing new regions as you, as everybody knows, new data center regions.

55
00:03:17,000 --> 00:03:27,600
But in New Zealand, we have announced that our new data center region in New Zealand is going to be basically carbon neutral.

56
00:03:27,600 --> 00:03:35,000
So the whole data center region will be 100% powered by carbon free energy from the point that we open it.

57
00:03:35,000 --> 00:03:37,000
I think that's really cool.

58
00:03:37,000 --> 00:03:40,840
And I'm sure you know, if you look at Microsoft's sustainability things,

59
00:03:40,840 --> 00:03:44,960
we're always trying to make everything we do as sustainable as possible.

60
00:03:44,960 --> 00:03:51,480
But it's really cool to see that a brand new data center is going to be completely carbon free from the word go.

61
00:03:51,480 --> 00:03:55,840
And then last but not least, we are in Application Gateway.

62
00:03:55,840 --> 00:04:00,520
We've just opened our public preview for TLS 1.3 support.

63
00:04:00,520 --> 00:04:05,280
So of course, as we know, we're always moving up our TLS version numbers.

64
00:04:05,280 --> 00:04:10,640
And of course, using TLS 1.3 is preferable if you are able to.

65
00:04:10,640 --> 00:04:12,800
And so go check that out as well.

66
00:04:12,800 --> 00:04:16,360
That's me done with my news for today.

67
00:04:16,360 --> 00:04:19,360
I can't believe you stole that TLS 1.3 news item from me.

68
00:04:19,360 --> 00:04:20,240
I'm sorry.

69
00:04:20,240 --> 00:04:22,120
You know, that's my thing.

70
00:04:22,120 --> 00:04:23,800
Anyway, that's really huge to see though.

71
00:04:23,800 --> 00:04:31,840
SSL 2, SSL 3, TLS 1.0, 1.1 are well and truly relegated to the mists of history.

72
00:04:31,840 --> 00:04:35,400
TLS 1.2 is generally the default across the whole of Azure.

73
00:04:35,400 --> 00:04:38,720
So it's good to see us adding TLS 1.3 in there as well.

74
00:04:38,720 --> 00:04:44,040
And no doubt over time, we will see even more instances where TLS 1.3 will be selectable,

75
00:04:44,040 --> 00:04:48,880
especially for PaaS services like Azure SQL DB or Azure Functions and so on.

76
00:04:48,880 --> 00:04:50,120
So that's really good to see.

77
00:04:50,120 --> 00:04:56,480
And also really happy to see that AKS using confidential VM node pools using the new AMD

78
00:04:56,480 --> 00:04:57,720
VM images.

79
00:04:57,720 --> 00:05:01,800
So Sarah said protected images or protected memory.

80
00:05:01,800 --> 00:05:03,200
Remember, it goes beyond that, right?

81
00:05:03,200 --> 00:05:04,240
It goes way beyond that.

82
00:05:04,240 --> 00:05:05,160
It's not just protected memory.

83
00:05:05,160 --> 00:05:10,640
It's encrypted and it has tamper detection controls on there using HMACs.

84
00:05:10,640 --> 00:05:12,360
And the keys are actually managed by the CPU.

85
00:05:12,360 --> 00:05:14,400
They're actually not managed by Azure at all.

86
00:05:14,400 --> 00:05:19,400
So they're designed in such a way that we assume, basically, we don't trust anything

87
00:05:19,400 --> 00:05:20,480
outside of the VM.

88
00:05:20,480 --> 00:05:25,120
So the trusted execution environment is actually the entire VM's memory space.

89
00:05:25,120 --> 00:05:26,680
And anything outside of that, we do not trust.

90
00:05:26,680 --> 00:05:27,960
And that includes Azure.

91
00:05:27,960 --> 00:05:31,960
We don't trust Azure admins or the Azure environment.

92
00:05:31,960 --> 00:05:34,720
So this is really, really great to see.

93
00:05:34,720 --> 00:05:40,520
And you'll see more of this over the coming months as well as we add more support for

94
00:05:40,520 --> 00:05:41,520
this.

95
00:05:41,520 --> 00:05:42,520
Other news items.

96
00:05:42,520 --> 00:05:45,240
We talked about this a couple of weeks ago.

97
00:05:45,240 --> 00:05:50,160
Windows authentication for Azure AD principals for SQL managed instance is now generally

98
00:05:50,160 --> 00:05:51,160
available.

99
00:05:51,160 --> 00:05:54,240
We talked to Sravani about this a few weeks ago.

100
00:05:54,240 --> 00:05:55,240
So that is now GA.

101
00:05:55,240 --> 00:06:01,120
And she actually did a fantastic job of explaining how it all hangs together.

102
00:06:01,120 --> 00:06:06,520
Also in GA, and this really caught my eye, generally available now is network security

103
00:06:06,520 --> 00:06:08,840
group support for private endpoints.

104
00:06:08,840 --> 00:06:12,960
When we first released private endpoints, they had neither network security group support

105
00:06:12,960 --> 00:06:15,560
nor did they have user defined routes.

106
00:06:15,560 --> 00:06:19,800
So both of those are now available in general availability.

107
00:06:19,800 --> 00:06:24,240
In public preview, Microsoft Azure load testing now supports private endpoints.

108
00:06:24,240 --> 00:06:29,040
I know I've mentioned this in multiple times in various podcasts.

109
00:06:29,040 --> 00:06:32,840
I said, hey, you're going to see more and more support over the years for better support

110
00:06:32,840 --> 00:06:33,840
for private endpoints.

111
00:06:33,840 --> 00:06:35,280
And this is just another example.

112
00:06:35,280 --> 00:06:39,280
It's not just a service adopting private endpoints.

113
00:06:39,280 --> 00:06:43,400
It's also other services being able to take advantage of services that are using private

114
00:06:43,400 --> 00:06:44,400
endpoints.

115
00:06:44,400 --> 00:06:47,800
So this is another good thing that's great to see.

116
00:06:47,800 --> 00:06:51,560
And I was going to finish off with a TLS 1.3 support thing, but I guess Sarah

117
00:06:51,560 --> 00:06:53,200
stole that from me.

118
00:06:53,200 --> 00:06:55,240
So with that, that's the news out the way.

119
00:06:55,240 --> 00:06:56,240
All right.

120
00:06:56,240 --> 00:06:57,520
Let's turn our attention to our guest.

121
00:06:57,520 --> 00:07:03,920
This week it is Elizabeth Stevens and she's here to talk to us about basically OT security,

122
00:07:03,920 --> 00:07:05,760
so operational technology security.

123
00:07:05,760 --> 00:07:07,840
Elizabeth, thank you for joining us this week.

124
00:07:07,840 --> 00:07:10,400
Would you care to take a moment and just sort of explain what you do?

125
00:07:10,400 --> 00:07:12,880
My name is Elizabeth Stevens.

126
00:07:12,880 --> 00:07:18,480
And as you said before, I am a director of cyber risk intelligence for Microsoft.

127
00:07:18,480 --> 00:07:22,720
Our mission is to provide seamless, actionable and timely data center risk information that's

128
00:07:22,720 --> 00:07:29,920
integrated into the data center design and operational planning across all of our operations.

129
00:07:29,920 --> 00:07:35,160
We do this because of the current threat and the current escalation of threat.

130
00:07:35,160 --> 00:07:41,120
So from the, so I mean, it sounds like we're seeing not just the sophisticated nation states

131
00:07:41,120 --> 00:07:47,680
that are actually crossing that IoT, excuse me, the IT OT and probably IoT as well, environment

132
00:07:47,680 --> 00:07:51,000
lines kind of with ease over IP networks.

133
00:07:51,000 --> 00:07:56,280
It sounds like it's really spreading to all of the different criminal gangs and activists

134
00:07:56,280 --> 00:07:57,440
and whatnot as well.

135
00:07:57,440 --> 00:07:58,720
Would that be correct?

136
00:07:58,720 --> 00:08:04,040
Well, we've seen like the criminals and criminal organizations leverage the path of least resistance

137
00:08:04,040 --> 00:08:06,400
into any organization.

138
00:08:06,400 --> 00:08:09,560
They exploit the suppliers as we saw last year.

139
00:08:09,560 --> 00:08:11,440
They exploit embedded devices.

140
00:08:11,440 --> 00:08:14,200
They've even exploited physical security.

141
00:08:14,200 --> 00:08:19,440
Typically all of those things fall outside of, you know, what would be considered traditional

142
00:08:19,440 --> 00:08:24,000
security, but now as we move into the information age or we propel ourselves through the information

143
00:08:24,000 --> 00:08:28,880
age, all of those things are critical vulnerabilities that we need to think about.

144
00:08:28,880 --> 00:08:32,480
Like more recently, we've seen some of the cyber criminals continue to like improve the

145
00:08:32,480 --> 00:08:38,960
sophistication of their attacks, exponentially adopting capabilities and tactics and techniques

146
00:08:38,960 --> 00:08:42,320
that the nation state actors are using as well.

147
00:08:42,320 --> 00:08:48,120
The problem for us is if we have a strong front, if we defend in the way that we are with our

148
00:08:48,120 --> 00:08:53,320
Azure tools and the Mark Simos architectures and the way that we're sharing the information

149
00:08:53,320 --> 00:08:59,880
across the globe, which is truly the right way to do it, then what's left is the area

150
00:08:59,880 --> 00:09:05,400
of operational technology, the area that traditionally IT has not needed to protect because it wasn't

151
00:09:05,400 --> 00:09:07,120
really a high value target.

152
00:09:07,120 --> 00:09:11,520
Now as we continue to shift to the cloud, as the world continues to shift to the cloud,

153
00:09:11,520 --> 00:09:16,960
new customers are looking to Microsoft and to Azure service offerings, which means all

154
00:09:16,960 --> 00:09:21,280
of the little pieces that make up and the components that make up our tech organizations,

155
00:09:21,280 --> 00:09:26,240
the government organizations, even the defense contractors and our equipment manufacturers,

156
00:09:26,240 --> 00:09:30,840
as well as operators and integrators, all of those things are now becoming connected

157
00:09:30,840 --> 00:09:36,720
and in a way that doesn't traditionally align to the best practices nor the capabilities

158
00:09:36,720 --> 00:09:38,360
of our IT systems.

159
00:09:38,360 --> 00:09:42,600
So you have the advanced adversaries that are targeting both cloud customers to steal

160
00:09:42,600 --> 00:09:49,680
money, data, IP, and then you have those same adversaries, those same threat vectors, trying

161
00:09:49,680 --> 00:09:55,800
to figure out ways to exploit the low tech OT in this case areas in order to do the exact

162
00:09:55,800 --> 00:09:56,800
same thing.

163
00:09:56,800 --> 00:10:00,960
You can break into secure networks and systems from any number of different things.

164
00:10:00,960 --> 00:10:04,520
We've seen that in the past and we're seeing it now in current state.

165
00:10:04,520 --> 00:10:10,000
And so whether it's the adversarial or even criminal organizations using persistence and

166
00:10:10,000 --> 00:10:15,720
aggressively monitoring systems and networks for the smallest opening or if it's the nation-state

167
00:10:15,720 --> 00:10:22,200
attackers or advanced persistent threat, those sophisticated attacks come even through our

168
00:10:22,200 --> 00:10:27,880
targeting, even our suppliers to gain access to the areas of our infrastructure and the

169
00:10:27,880 --> 00:10:29,960
world's infrastructure to complete their missions.

170
00:10:29,960 --> 00:10:32,760
They're not just looking at us to attack us.

171
00:10:32,760 --> 00:10:38,360
They're looking at all of the connected tissue that aligns to both our customers, our suppliers,

172
00:10:38,360 --> 00:10:44,960
and any open door to include the insider threat to access those high value targets and the

173
00:10:44,960 --> 00:10:46,760
high value resources.

174
00:10:46,760 --> 00:10:48,160
So I got a question for you.

175
00:10:48,160 --> 00:10:56,280
Say I'm an IT security professional and I've been protecting IT networks and patching and

176
00:10:56,280 --> 00:11:01,320
firewalls and learning the cloud and all the cool tools there and all that kind of stuff.

177
00:11:01,320 --> 00:11:09,800
What are the things as I am looking at this OT space that I need to do or not do to make

178
00:11:09,800 --> 00:11:11,720
sure that I'm doing it right?

179
00:11:11,720 --> 00:11:14,800
Because I know OT is different, but I don't know how.

180
00:11:14,800 --> 00:11:18,200
So how would you explain that to someone like that?

181
00:11:18,200 --> 00:11:26,120
Part of the concern in the industry is that cybersecurity has long been championed by

182
00:11:26,120 --> 00:11:31,960
our developers, our software designers, the people that have been architecting information

183
00:11:31,960 --> 00:11:34,480
technology systems for decades.

184
00:11:34,480 --> 00:11:42,040
Operational technology is built in sometimes systems that are 20 to 30 years old.

185
00:11:42,040 --> 00:11:44,480
These systems have been around for a very long time.

186
00:11:44,480 --> 00:11:48,800
They are, excuse the phrase, dumb devices in a lot of different ways.

187
00:11:48,800 --> 00:11:54,200
And then to complicate things, we're adding on pieces of information technology that allow

188
00:11:54,200 --> 00:11:58,480
these dumb systems to be monitored and controlled.

189
00:11:58,480 --> 00:12:04,400
A lot of what I would say if you're thinking from an architectural safety or even a zero

190
00:12:04,400 --> 00:12:11,280
trust perspective is don't treat the OT systems as if they are new and there's no way to protect

191
00:12:11,280 --> 00:12:15,760
them because there's been no attacks or there's been no information on them.

192
00:12:15,760 --> 00:12:22,520
Think about them as an IT component or an IT system that you just haven't the expertise

193
00:12:22,520 --> 00:12:23,520
on.

194
00:12:23,520 --> 00:12:31,640
So the key from a perspective of an OT professional being asked, how do you treat an OT system

195
00:12:31,640 --> 00:12:38,360
in a way that allows for you to do the same thing you would do for an IT system?

196
00:12:38,360 --> 00:12:45,320
The value and the truth about it is, is recognize that OT system protection aligns to the same

197
00:12:45,320 --> 00:12:51,160
best practices that IT system protection does as well.

198
00:12:51,160 --> 00:12:55,840
You want to ensure that you segment as much as you can.

199
00:12:55,840 --> 00:12:58,040
You want to protect the crown jewels.

200
00:12:58,040 --> 00:13:03,680
You want to make sure that you look at the type of, both the type of organizations, so

201
00:13:03,680 --> 00:13:09,520
whether they're national, organizational or individual, both from a perspective of who

202
00:13:09,520 --> 00:13:13,840
the threat is as well as what you're trying to protect.

203
00:13:13,840 --> 00:13:18,480
And then go through the list of the type of impacts just as if you were doing an attack

204
00:13:18,480 --> 00:13:23,680
vector or a kill chain, talk about the harm to operations, the harm to the assets, the

205
00:13:23,680 --> 00:13:25,320
harm to the individual.

206
00:13:25,320 --> 00:13:31,760
And never, ever, ever think because you've protected something with a firewall that there

207
00:13:31,760 --> 00:13:37,360
is not a physical and what I say is a logical way to attack it.

208
00:13:37,360 --> 00:13:45,920
And remember, just because you need to see, monitor or control an OT asset, your piece

209
00:13:45,920 --> 00:13:51,640
of equipment that you're connecting to that component may very well be the attack vector

210
00:13:51,640 --> 00:13:56,400
that is the easiest way for the entire organization to be exploited.

211
00:13:56,400 --> 00:14:00,140
So treat the entire system and this is the key, right?

212
00:14:00,140 --> 00:14:02,840
No one has the right answers to anything, right?

213
00:14:02,840 --> 00:14:06,680
Everyone has a lot of answers and everyone's trying to do their best.

214
00:14:06,680 --> 00:14:11,000
But the benefit of being here at Microsoft is that I get to work with Mark Simos and

215
00:14:11,000 --> 00:14:12,720
Sarah and Michael.

216
00:14:12,720 --> 00:14:17,120
And what that means is I get to bring my expertise and go, hey, do you know that that thing that

217
00:14:17,120 --> 00:14:20,880
you're calling a little black box can take down an entire data system?

218
00:14:20,880 --> 00:14:26,880
And you would go, oh, so putting that sensor there that's connected to an IP that's broadcasting

219
00:14:26,880 --> 00:14:30,240
so that someone can remote access may be a bad idea.

220
00:14:30,240 --> 00:14:33,920
And as long as we remember, and this is what we're doing across the industry, you've got

221
00:14:33,920 --> 00:14:38,920
OT professionals talking to IT professionals all under the umbrella of cybersecurity and

222
00:14:38,920 --> 00:14:40,320
cyber defense.

223
00:14:40,320 --> 00:14:45,080
You've got Microsoft talking to partners to include lessors.

224
00:14:45,080 --> 00:14:52,520
So our leased data center partners, our utility partners and CISA and our partners overseas

225
00:14:52,520 --> 00:14:53,720
in Australia.

226
00:14:53,720 --> 00:14:58,600
The key is shared data, shared information and talking about all of these things at the

227
00:14:58,600 --> 00:15:02,680
level of not just let's talk about the MITRE ATT&CK framework.

228
00:15:02,680 --> 00:15:05,080
Let's not just talk about the NIST standards.

229
00:15:05,080 --> 00:15:10,000
We need to bring all of the competencies together in a way that allows for us to talk

230
00:15:10,000 --> 00:15:13,040
to each other and say, hey, this is my area of expertise.

231
00:15:13,040 --> 00:15:14,480
This is what that box does.

232
00:15:14,480 --> 00:15:16,040
We can't protect it that way.

233
00:15:16,040 --> 00:15:17,160
And here's why.

234
00:15:17,160 --> 00:15:24,320
And then allow for our IT partners or OT partners in this case or utility partners to say, hey,

235
00:15:24,320 --> 00:15:28,520
that doesn't work for us because it affects our customers, our data or organizational

236
00:15:28,520 --> 00:15:29,640
capabilities.

237
00:15:29,640 --> 00:15:34,320
The truth is, we learned all of this because we've gone to the cloud.

238
00:15:34,320 --> 00:15:39,440
We've learned all of this from the way that we operate in and around Azure and our other

239
00:15:39,440 --> 00:15:40,440
partners.

240
00:15:40,440 --> 00:15:41,800
That's what we need to do.

241
00:15:41,800 --> 00:15:45,280
We have to remember that the pieces are all there.

242
00:15:45,280 --> 00:15:46,880
And I know I'm a Marine.

243
00:15:46,880 --> 00:15:50,280
And so if you put something in front of me, I'm either going to go through it or over

244
00:15:50,280 --> 00:15:53,400
it or blow it up.

245
00:15:53,400 --> 00:15:56,240
But again, this is the hill that we've got to take.

246
00:15:56,240 --> 00:16:00,040
And if you don't think you've already been compromised by now, then you might want to

247
00:16:00,040 --> 00:16:01,040
get a new job.

248
00:16:01,040 --> 00:16:02,960
Did that answer the question, Mark?

249
00:16:02,960 --> 00:16:03,960
I think so.

250
00:16:03,960 --> 00:16:08,520
I mean, the big things I got from there is that it's universally the same principles,

251
00:16:08,520 --> 00:16:12,960
even though the implementation, whether or not you can patch a system might be different.

252
00:16:12,960 --> 00:16:19,040
And then just relationship and learning and mutual respect and asking questions, it seems

253
00:16:19,040 --> 00:16:24,240
to be a really key thing, that partnership element.

254
00:16:24,240 --> 00:16:25,840
I think it absolutely is.

255
00:16:25,840 --> 00:16:32,040
When we're talking about your area of expertise, the domains, when we're talking about zero

256
00:16:32,040 --> 00:16:36,960
trust, when we're talking about what a CISO needs to do, it all comes down to understanding

257
00:16:36,960 --> 00:16:41,000
how the system's pieces and components operate together.

258
00:16:41,000 --> 00:16:46,520
And so if you know a thing, because there's so many smart people out there, it's absolutely

259
00:16:46,520 --> 00:16:51,000
essential that you leverage what you know, but also recognize what you don't know.

260
00:16:51,000 --> 00:16:55,240
So from certain areas, like if we talk about the critical infrastructure bill in the US

261
00:16:55,240 --> 00:17:04,160
or the critical infrastructure bill in Australia, there's some specific components and specific

262
00:17:04,160 --> 00:17:09,800
guiding principles that we all align to, we define what our critical infrastructure is.

263
00:17:09,800 --> 00:17:13,760
And in some of our terms, that's the crown jewels, right?

264
00:17:13,760 --> 00:17:18,640
And so what's the difference between the crown jewels that we pick and the crown jewels

265
00:17:18,640 --> 00:17:21,040
that someone else might pick?

266
00:17:21,040 --> 00:17:22,960
There's very little difference.

267
00:17:22,960 --> 00:17:25,120
We have, at some point, we had 10.

268
00:17:25,120 --> 00:17:27,920
Australia now started with six and now has 14.

269
00:17:27,920 --> 00:17:34,960
They all outline and define domains that we should be paying attention to.

270
00:17:34,960 --> 00:17:39,320
Some of those domains happen to be things that are very IT specific.

271
00:17:39,320 --> 00:17:42,440
They may sound familiar to you.

272
00:17:42,440 --> 00:17:46,160
If I were to list them off, and you know I hate doing this, but if I were to list off

273
00:17:46,160 --> 00:17:52,560
some of the top level cybersecurity domains, these may not sound like OT to you, but access

274
00:17:52,560 --> 00:17:58,760
control, program management, awareness and training, security assessment and authorization,

275
00:17:58,760 --> 00:18:03,960
situational awareness, risk assessments, incident response, media protection, physical

276
00:18:03,960 --> 00:18:07,040
and environmental protection, supply chain risk management.

277
00:18:07,040 --> 00:18:12,360
Now that all sounds exactly, oh, don't forget PII, processing and transparency.

278
00:18:12,360 --> 00:18:15,520
That's a familiar list.

279
00:18:15,520 --> 00:18:21,080
So I would like to say that that's, hey, that's the cybersecurity domains, but guess what?

280
00:18:21,080 --> 00:18:25,360
Those are all on the OT cybersecurity domains list as well.

281
00:18:25,360 --> 00:18:31,560
So I think a big part of what's going to be facing outside of the threat itself, all of

282
00:18:31,560 --> 00:18:35,840
our organizations in the future, and a thing that I'm proud to be a part of Microsoft about,

283
00:18:35,840 --> 00:18:40,360
is the fact that people are going to say, like they often do when a new threat arises,

284
00:18:40,360 --> 00:18:43,400
we don't know what to do here because there's no past history.

285
00:18:43,400 --> 00:18:48,440
And the truth is, everything that we've done from a tactical perspective, from a strategic

286
00:18:48,440 --> 00:18:54,800
perspective and even down to how we develop our software and how we produce our products,

287
00:18:54,800 --> 00:19:00,680
is the right way to also protect our OT assets.

288
00:19:00,680 --> 00:19:06,680
And now, as we push forward and enable the entire world to have connectivity, or to even

289
00:19:06,680 --> 00:19:11,280
be able to control their systems that don't traditionally align to the things that we

290
00:19:11,280 --> 00:19:17,000
would consider IT because they're not; they're OT, they're environmental protection systems,

291
00:19:17,000 --> 00:19:22,200
they're building automation systems, and in some cases, they're analog dials that open

292
00:19:22,200 --> 00:19:23,200
or close water.

293
00:19:23,200 --> 00:19:28,160
And let's not even forget the fact that cameras are now considered OT in many different places.

294
00:19:28,160 --> 00:19:29,160
Can you patch them?

295
00:19:29,160 --> 00:19:30,160
Don't know.

296
00:19:30,160 --> 00:19:31,160
We're going to try to.

297
00:19:31,160 --> 00:19:32,240
How do you access them?

298
00:19:32,240 --> 00:19:33,320
Don't know.

299
00:19:33,320 --> 00:19:34,680
We're going to try to.

300
00:19:34,680 --> 00:19:40,560
But the fact is, on one level, either you're accessing them physically with physical resources,

301
00:19:40,560 --> 00:19:46,120
which means your threat is insider threat or access threats, which we're good at stopping

302
00:19:46,120 --> 00:19:51,800
and we're good at educating about, or they're remote threats, which means they fall very

303
00:19:51,800 --> 00:19:57,280
squarely into the space of, yes, IT cybersecurity.

304
00:19:57,280 --> 00:20:00,240
So our power is combined just like Voltron.

305
00:20:00,240 --> 00:20:02,680
We can make this happen.

306
00:20:02,680 --> 00:20:05,240
We just got to remember that we're all in the same team.

307
00:20:05,240 --> 00:20:06,240
Yeah.

308
00:20:06,240 --> 00:20:11,600
And I know the culture is often different at different organizations between the OT teams

309
00:20:11,600 --> 00:20:16,040
that are used to pretty much running on their own, working with the factory folks that,

310
00:20:16,040 --> 00:20:22,280
you know, uptime and availability are the number one requirement, whereas in the IT world,

311
00:20:22,280 --> 00:20:27,600
the security folks tend to be more biased towards confidentiality with integrity and

312
00:20:27,600 --> 00:20:30,160
availability, of course, being in the triad.

313
00:20:30,160 --> 00:20:35,720
And so, you know, we tend to see some different cultures, different thinking that I've seen

314
00:20:35,720 --> 00:20:41,040
as these teams come together need to sort of, you know, kind of harmonize a little bit.

315
00:20:41,040 --> 00:20:43,480
Love to kind of hear your thoughts on that as well.

316
00:20:43,480 --> 00:20:48,720
Oh, I think it's my favorite thing to say, but I'll try to steer clear of the Marine

317
00:20:48,720 --> 00:20:51,600
Corps language, which is full of expletives.

318
00:20:51,600 --> 00:20:56,440
Obviously, the first thing we need to do is share a common language.

319
00:20:56,440 --> 00:21:01,040
I believe we all have the same mission, whether it's like I said, to protect life, critical

320
00:21:01,040 --> 00:21:05,920
infrastructure, facilities and resources, or to protect life or to protect revenue.

321
00:21:05,920 --> 00:21:10,240
What we need to do is, one, align on the mission that we're protecting whatever our crown jewels

322
00:21:10,240 --> 00:21:17,040
are, whatever our best resources are, in my case, it's the people from those threat actors.

323
00:21:17,040 --> 00:21:22,200
And if we align on the language, post aligning on the mission, then everything else will

324
00:21:22,200 --> 00:21:23,200
fall away.

325
00:21:23,200 --> 00:21:29,880
So, instead of using IT specific language and talking about your firewalls as if everyone

326
00:21:29,880 --> 00:21:35,480
knows what they are, or TLS, or SSL, or SQL, or whatever we want to talk about, even saying

327
00:21:35,480 --> 00:21:38,680
PII is problematic at this point for those that are in the military and those that are

328
00:21:38,680 --> 00:21:39,680
not.

329
00:21:39,680 --> 00:21:46,680
So, in the language, we align on what we consider our top domains, which we already are in silos.

330
00:21:46,680 --> 00:21:52,680
And then we start acting as a single system instead of compartmentalized pieces of the

331
00:21:52,680 --> 00:21:55,560
system who could potentially be working against each other.

332
00:21:55,560 --> 00:21:57,960
And that's where the synergies will be.

333
00:21:57,960 --> 00:22:00,880
That's why we work together with our partners.

334
00:22:00,880 --> 00:22:03,120
That's why we share the information.

335
00:22:03,120 --> 00:22:09,240
I mean, the CISO workshop that you guys delivered and are publicizing right now is a perfectly

336
00:22:09,240 --> 00:22:10,680
good example.

337
00:22:10,680 --> 00:22:15,440
Even on our side of the fence in CloudOps and innovation, we're running sessions with

338
00:22:15,440 --> 00:22:21,640
our top leaders from the data centers to have conferences about what their biggest issues

339
00:22:21,640 --> 00:22:27,080
are and what we think we can do together to figure those things out.

340
00:22:27,080 --> 00:22:31,640
Whether it's about what the things that need to be defined, like for a factory, a factory

341
00:22:31,640 --> 00:22:35,080
in this case for me would be a data center or the pieces that make it up.

342
00:22:35,080 --> 00:22:40,520
Whether we're using CMMI maturity levels or a different type of maturity level, we're

343
00:22:40,520 --> 00:22:46,040
still going to conduct the assessment, which means identify our threats and the sources

344
00:22:46,040 --> 00:22:51,560
and the events, identify our shared vulnerabilities, figure out the likelihood, obviously figuring

345
00:22:51,560 --> 00:22:58,400
out the risk and the easiest targets for our enemies, and then figure out what those impacts

346
00:22:58,400 --> 00:23:04,040
are and then share across the teams to decide where we've protected the best, the right

347
00:23:04,040 --> 00:23:09,160
responder for the right event, and make the right decisions at the right level with the

348
00:23:09,160 --> 00:23:10,160
right resources.

349
00:23:10,160 --> 00:23:11,880
That's what we're trying to do.

350
00:23:11,880 --> 00:23:16,320
One of my favorite expressions increasingly is security is a team sport.

351
00:23:16,320 --> 00:23:19,560
I mean, without all of us winning, none of us win.

352
00:23:19,560 --> 00:23:23,400
I feel like we've been in conversations before.

353
00:23:23,400 --> 00:23:28,800
I guess my question, Elizabeth, is, I mean, we've talked about a million things there.

354
00:23:28,800 --> 00:23:36,600
Yeah, as you said, we may have had this conversation before, but what would you say to some, because

355
00:23:36,600 --> 00:23:44,000
a lot of the people who listen to the podcast will be coming more security from an IT perspective,

356
00:23:44,000 --> 00:23:52,000
what would you want those people to know who may have not had much exposure to OT security?

357
00:23:52,000 --> 00:23:56,160
What would you want them to know and consider?

358
00:23:56,160 --> 00:23:58,920
Maybe where can they go to learn some more?

359
00:23:58,920 --> 00:24:05,120
Because I know that the first time I talked to you about OT security, I was like, wow,

360
00:24:05,120 --> 00:24:10,400
there's a whole load of stuff that I did not think about and have an awareness of.

361
00:24:10,400 --> 00:24:14,320
It definitely made me want to go and learn some more in my own time.

362
00:24:14,320 --> 00:24:18,920
I would suggest, so there's so many different places.

363
00:24:18,920 --> 00:24:24,120
Some of the frameworks, like consequence-driven cyber-informed engineering,

364
00:24:24,120 --> 00:24:27,600
which were IT, that's a great start.

365
00:24:27,600 --> 00:24:30,680
I would go to the NIST standards, go to CISA.

366
00:24:30,680 --> 00:24:33,920
There's a lot of good education coming out there.

367
00:24:33,920 --> 00:24:38,400
Check out some of the Azure podcasts, as that's some of the things that are happening right

368
00:24:38,400 --> 00:24:39,400
now.

369
00:24:39,400 --> 00:24:45,560
From the US perspective, the National Safety and Transportation Board

370
00:24:45,560 --> 00:24:51,360
has partnered with Microsoft to talk through some of the huge issues that the entire industry

371
00:24:51,360 --> 00:24:52,920
is looking at.

372
00:24:52,920 --> 00:24:59,120
A lot of the work and a lot of the safety places, the places that will be a strength,

373
00:24:59,120 --> 00:25:04,880
like pivotal for us, they're going to be places like OSHA, so Occupational Safety and Health

374
00:25:04,880 --> 00:25:07,200
Association, or MITRE.

375
00:25:07,200 --> 00:25:12,440
MITRE has their new MITRE ATT&CK framework for IoT devices.

376
00:25:12,440 --> 00:25:20,040
A lot of the information is there if you're thinking about what is OT, what is operational

377
00:25:20,040 --> 00:25:21,600
technology.

378
00:25:21,600 --> 00:25:27,320
If you work for an organization or a company that builds software, go to your data center

379
00:25:27,320 --> 00:25:28,320
operators.

380
00:25:28,320 --> 00:25:35,400
Go to the people that build the foundation on which your cloud operates.

381
00:25:35,400 --> 00:25:39,760
For the developers, if they're the muscle for our critical business units and the future

382
00:25:39,760 --> 00:25:46,160
of how we enable the world to do the work, talk to the people who, yes, may once have

383
00:25:46,160 --> 00:25:54,920
been server huggers that understand the backbone of how a data center or the building or that

384
00:25:54,920 --> 00:25:56,840
component is built.

385
00:25:56,840 --> 00:26:03,160
For me, talk to your environmental protection people.

386
00:26:03,160 --> 00:26:05,640
Talk to your electrical engineers.

387
00:26:05,640 --> 00:26:10,360
Talk to your building automation systems engineers.

388
00:26:10,360 --> 00:26:14,440
Talk to your data center construction engineers.

389
00:26:14,440 --> 00:26:19,560
These are the people that will be able to tell you what the components are almost literally

390
00:26:19,560 --> 00:26:24,600
from memory because they've been here for 20 to 30 years while you guys are treatment

391
00:26:24,600 --> 00:26:31,360
about code and in the matrix out there moving rocks and bricks to make things happen.

392
00:26:31,360 --> 00:26:37,920
You can also reach out to some of the people, like a large component of this information

393
00:26:37,920 --> 00:26:41,520
does in fact come from open source defense areas.

394
00:26:41,520 --> 00:26:45,600
If you know someone that flies an airplane, you all three might know someone that flies

395
00:26:45,600 --> 00:26:46,760
an airplane.

396
00:26:46,760 --> 00:26:48,040
This is key.

397
00:26:48,040 --> 00:26:50,680
This type of protection is key.

398
00:26:50,680 --> 00:26:55,720
Operational risk management out of the Naval Safety Organization covers a lot of this as

399
00:26:55,720 --> 00:26:57,880
well as some of the supply chains.

400
00:26:57,880 --> 00:27:06,280
So if you go Lean Six Sigma or you go into areas such as the NIST framework, you'll see

401
00:27:06,280 --> 00:27:10,840
a large amount of content that's there just for you to learn.

402
00:27:10,840 --> 00:27:18,280
Even CISA has started putting out shorts on what exactly is OT and what exactly does it

403
00:27:18,280 --> 00:27:24,440
mean in the new cyber arena where there are advanced persistent threats and this is now

404
00:27:24,440 --> 00:27:28,800
your lowest hanging fruit, although it may be one of your most critical assets.

405
00:27:28,800 --> 00:27:33,080
The other key is if you don't go to NIST or you don't want to go to MITRE or you don't

406
00:27:33,080 --> 00:27:38,760
want to talk to your server hugger and OT operator types, the guide to industrial control systems

407
00:27:38,760 --> 00:27:41,240
and security is pretty good.

408
00:27:41,240 --> 00:27:52,920
But what you could also try to do is sit down with your threats, so your physical threat

409
00:27:52,920 --> 00:27:59,480
intelligence teams, and they can walk you through the literal physical pieces and touchpoints

410
00:27:59,480 --> 00:28:06,000
around all of the data centers and all of your key physical space, so logical space,

411
00:28:06,000 --> 00:28:09,400
that will allow you to understand where all of these pieces touch.

412
00:28:09,400 --> 00:28:15,400
So I wanted to say out loud, look at the Purdue model, but that doesn't translate to anybody

413
00:28:15,400 --> 00:28:18,160
other than me and a bunch of OT geeks.

414
00:28:18,160 --> 00:28:23,440
But the truth is what you need to do is go to a table, get in a room with all of the

415
00:28:23,440 --> 00:28:28,120
people you know, your operational people, your tech people, the people that are supposed

416
00:28:28,120 --> 00:28:33,200
to be enabling and empowering these assets, and do a tabletop exercise, literally war

417
00:28:33,200 --> 00:28:34,200
game it.

418
00:28:34,200 --> 00:28:40,920
And do an operational simulation on insider threat with a USB.

419
00:28:40,920 --> 00:28:44,600
Now most of the IT people will be like, that's boring, we know not to do that.

420
00:28:44,600 --> 00:28:49,080
But once you see how far you can get with a single USB or hey, you want to patch all

421
00:28:49,080 --> 00:28:52,960
the time, you want to get your patches done, how are you going to do that in a hybrid workplace

422
00:28:52,960 --> 00:28:53,960
kind of space?

423
00:28:53,960 --> 00:28:59,240
Yeah, we should just throw a device on the network that will connect to the OT environment.

424
00:28:59,240 --> 00:29:00,320
But what does that mean?

425
00:29:00,320 --> 00:29:08,120
That means you just opened up, literally opened up access to services like generators, doors,

426
00:29:08,120 --> 00:29:14,080
ACs, which could very well be the difference between someone going home in the afternoon

427
00:29:14,080 --> 00:29:15,080
and not.

428
00:29:15,080 --> 00:29:17,040
So those are the kind of things that I would say do.

429
00:29:17,040 --> 00:29:22,520
I mean, we consider from an OT perspective, you consider like denial of service, and I

430
00:29:22,520 --> 00:29:27,440
say that to you, but like denial of service for an OT system could mean that you can't

431
00:29:27,440 --> 00:29:29,440
turn off a heater.

432
00:29:29,440 --> 00:29:35,120
You can't turn off a water flow, which means someone trapped in a compartment may not be

433
00:29:35,120 --> 00:29:36,920
able to get out of there.

434
00:29:36,920 --> 00:29:40,960
Operations subversion, which is exactly the same thing, sounds like what it means to me

435
00:29:40,960 --> 00:29:42,520
is what it means to you.

436
00:29:42,520 --> 00:29:45,320
You can't disengage, something that needs to be disengaged.

437
00:29:45,320 --> 00:29:51,040
Tampering is the same, manipulation is the same, and then safety can take on so many

438
00:29:51,040 --> 00:29:56,960
different angles, all of which could just be the difference between a bad day because

439
00:29:56,960 --> 00:30:03,280
of our availability zones or a bad day because an entire data center just got destroyed because

440
00:30:03,280 --> 00:30:06,040
something exploded that wasn't supposed to explode.

441
00:30:06,040 --> 00:30:07,760
That's how serious we are.

442
00:30:07,760 --> 00:30:10,560
It's not just a digital space where we're talking about revenue.

443
00:30:10,560 --> 00:30:12,600
It's literally in the OT space.

444
00:30:12,600 --> 00:30:18,680
We are talking about physical spaces that affect not just people's lives, but entire

445
00:30:18,680 --> 00:30:22,120
infrastructures, entire ecosystems.

446
00:30:22,120 --> 00:30:26,200
On a slightly lighter note, I can definitely tell that you are a Marine because you talk

447
00:30:26,200 --> 00:30:30,720
about things that are supposed to explode, which is pretty much nothing in the IT space.

448
00:30:30,720 --> 00:30:33,440
I guess it depends on how you look at it, right?

449
00:30:33,440 --> 00:30:37,200
Yeah, I've never heard someone say something explode that wasn't supposed to explode.

450
00:30:37,200 --> 00:30:39,720
That's for the podcast, I'll tell you that.

451
00:30:39,720 --> 00:30:43,120
I think part of the reason that I'm here is because of people like you.

452
00:30:43,120 --> 00:30:47,080
If it wasn't a welcome space to be in, if we all didn't want to defend in the same space,

453
00:30:47,080 --> 00:30:50,840
Marines like me would be stuck behind closets somewhere so no one would actually let us

454
00:30:50,840 --> 00:30:52,360
out of our boxes.

455
00:30:52,360 --> 00:30:56,400
Mark, going deeper, part of what I'm saying is we have to understand our equipment and

456
00:30:56,400 --> 00:31:00,040
the capabilities to understand the attack surface area.

457
00:31:00,040 --> 00:31:02,640
I know that you work in this area at Microsoft.

458
00:31:02,640 --> 00:31:10,080
What are some of the capabilities, not necessarily OT, that Microsoft have to enable and empower

459
00:31:10,080 --> 00:31:11,080
the OT space?

460
00:31:11,080 --> 00:31:16,000
Yeah, so there's a couple of things that we've got in that space.

461
00:31:16,000 --> 00:31:22,320
One of the ones I think you alluded to earlier is that external attack surface management,

462
00:31:22,320 --> 00:31:27,000
which is very much taking an outside in, like what do you look like from the internet as

463
00:31:27,000 --> 00:31:31,000
an environment, your IT, your OT, et cetera, environment?

464
00:31:31,000 --> 00:31:33,880
And taking a look at that and what does that risk look like?

465
00:31:33,880 --> 00:31:37,400
What is an attacker's eye view of your assets?

466
00:31:37,400 --> 00:31:46,720
And so we recently announced the Microsoft Defender Threat Intelligence, which is pretty

467
00:31:46,720 --> 00:31:47,720
slick capability.

468
00:31:47,720 --> 00:31:51,080
It's based on our acquisition of RiskIQ.

469
00:31:51,080 --> 00:31:57,280
And then the other piece that we have for the OT environments that organizations can

470
00:31:57,280 --> 00:32:04,320
look at is from our CyberX acquisition about a year and a half, two years ago, if I recall

471
00:32:04,320 --> 00:32:06,840
correctly, Defender for IoT.

472
00:32:06,840 --> 00:32:14,600
And that basically really is built for the OT environment as an XDR capability there,

473
00:32:14,600 --> 00:32:17,760
passive network scanning.

474
00:32:17,760 --> 00:32:21,640
And this is a word to the wise, don't ever do active scanning in OT.

475
00:32:21,640 --> 00:32:25,080
For those IT people that are used to that, it will take systems down.

476
00:32:25,080 --> 00:32:30,880
And sometimes they are 200 yards up in the air, up a long, cold, lonely ladder, and 200

477
00:32:30,880 --> 00:32:35,840
miles away from the nearest IT support facility.

478
00:32:35,840 --> 00:32:38,160
In a windmill or something like that.

479
00:32:38,160 --> 00:32:42,760
So very, very important to always be passive on those networks.

480
00:32:42,760 --> 00:32:47,960
And that's exactly how the Defender for IoT piece is built and has threat detection, inventory

481
00:32:47,960 --> 00:32:51,120
detection, et cetera, in OT environments.

482
00:32:51,120 --> 00:32:54,720
So those are the two main ones that pop into my head for OT.

483
00:32:54,720 --> 00:32:57,360
Let's bring this podcast to a close.

484
00:32:57,360 --> 00:33:02,200
Elizabeth, so one thing we always ask our guests is if you had one final thought to

485
00:33:02,200 --> 00:33:04,600
leave our listeners with, what would it be?

486
00:33:04,600 --> 00:33:11,440
So I would say whether you're IT or OT or a business decision maker, now is the time

487
00:33:11,440 --> 00:33:18,880
for us to band together as a committed group of professionals to figure out the best, fastest

488
00:33:18,880 --> 00:33:21,320
way to defeat our shared enemy.

489
00:33:21,320 --> 00:33:28,960
And that enemy doesn't care whether we're American, Australian, IBM, Microsoft, or Google,

490
00:33:28,960 --> 00:33:30,760
they're coming for us.

491
00:33:30,760 --> 00:33:33,200
We have the ability to make a difference.

492
00:33:33,200 --> 00:33:34,560
We need to do it together.

493
00:33:34,560 --> 00:33:35,560
Take the investment.

494
00:33:35,560 --> 00:33:36,560
Well, thanks, Elizabeth.

495
00:33:36,560 --> 00:33:38,560
And thank you so much for joining us this week.

496
00:33:38,560 --> 00:33:40,560
I'll be honest with you.

497
00:33:40,560 --> 00:33:44,440
This was one of those examples where I learned a lot of stuff I didn't know I didn't know.

498
00:33:44,440 --> 00:33:45,600
So that's always a good thing.

499
00:33:45,600 --> 00:33:47,720
So again, thank you so much for joining us.

500
00:33:47,720 --> 00:33:51,320
And to our listeners out there, thank you also for joining us this week.

501
00:33:51,320 --> 00:33:53,840
We hope you found this episode useful.

502
00:33:53,840 --> 00:33:55,920
Stay safe and we'll see you next time.

503
00:33:55,920 --> 00:33:59,000
Thanks for listening to the Azure Security Podcast.

504
00:33:59,000 --> 00:34:05,840
You can find show notes and other resources at our website azsecuritypodcast.net.

505
00:34:05,840 --> 00:34:10,600
If you have any questions, please find us on Twitter at azuresecpod.

506
00:34:10,600 --> 00:34:29,560
Background music is from ccmixter.com and licensed under the Creative Commons license.

