1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,360
where we discuss topics relating to security, privacy,

3
00:00:09,360 --> 00:00:13,720
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,720 --> 00:00:17,520
Hey everybody, welcome to Episode 62.

5
00:00:17,520 --> 00:00:20,400
This week, we actually have a full cast with the whole gang here.

6
00:00:20,400 --> 00:00:23,120
We have myself, Michael, Sarah, Gladys, and Mark.

7
00:00:23,120 --> 00:00:24,840
We also have a guest, Josh,

8
00:00:24,840 --> 00:00:29,240
who is here to talk to us about Microsoft Defender for Endpoint,

9
00:00:29,240 --> 00:00:30,840
in terms of resiliency.

10
00:00:30,840 --> 00:00:33,040
But before we get to our guest,

11
00:00:33,040 --> 00:00:34,760
let's just take a little lap around the news.

12
00:00:34,760 --> 00:00:36,280
Mark, why don't you kick things off?

13
00:00:36,280 --> 00:00:42,240
Yeah, one of the things that has been very much top of mind for me lately is patching.

14
00:00:42,240 --> 00:00:47,200
So, folks are probably familiar with the CISO workshop that we just released,

15
00:00:47,200 --> 00:00:52,000
and we're continuing on with those architecture design session elements.

16
00:00:52,000 --> 00:00:56,800
One of the topics for the end-to-end security one that's coming up next is

17
00:00:56,800 --> 00:01:01,440
basically patching and backup and security hygiene things,

18
00:01:01,440 --> 00:01:03,000
in addition to of course,

19
00:01:03,000 --> 00:01:05,280
all the different technical initiatives.

20
00:01:05,280 --> 00:01:10,240
It was really interesting as we kicked this over and started digging into it,

21
00:01:10,240 --> 00:01:11,720
to understand it a little bit better.

22
00:01:11,720 --> 00:01:16,080
It ended up being the problems that lead to the patching problems.

23
00:01:16,080 --> 00:01:21,000
The root cause is really around how organizations look at IT and security in general.

24
00:01:21,000 --> 00:01:24,920
They seem to have this underlying assumption that

25
00:01:24,920 --> 00:01:30,320
magically IT doesn't require maintenance or updates.

26
00:01:30,320 --> 00:01:32,400
This is often implicit assumption.

27
00:01:32,400 --> 00:01:33,720
It's not always explicit.

28
00:01:33,720 --> 00:01:38,960
But it was an interesting realization that the reason why we're suffering from this is,

29
00:01:38,960 --> 00:01:41,200
because there's no budget and money to maintain it.

30
00:01:41,200 --> 00:01:44,480
You look at a fleet of trucks or a fleet of planes,

31
00:01:44,480 --> 00:01:46,040
you're not going to be,

32
00:01:46,040 --> 00:01:53,160
nobody's going to want to fly in like a 1962 something or other or deliver for their flight,

33
00:01:53,160 --> 00:01:58,720
and nobody's going to want to deliver their goods in a 1928 AA Ford truck.

34
00:01:58,720 --> 00:02:03,920
But yet we're doing that with our software and it was built for the time,

35
00:02:03,920 --> 00:02:08,120
which could be the 80s or the 90s or sometimes even before.

36
00:02:08,120 --> 00:02:12,880
We do that with technology and that's why we are in this problem now is,

37
00:02:12,880 --> 00:02:20,760
essentially, all these apps and whatnot and systems are basically orphans in the large IT ops orphanage.

38
00:02:20,760 --> 00:02:24,840
It's really been interesting to dig into that and understand it and then figure out,

39
00:02:24,840 --> 00:02:27,200
okay, how do we fix this at scale?

40
00:02:27,200 --> 00:02:29,960
That's something I've been working on a lot.

41
00:02:29,960 --> 00:02:36,240
I'll put a link in the show notes to some of the tweets where I'm sharing some of the material as we develop it.

42
00:02:36,240 --> 00:02:44,760
But it's been a really interesting set of realizations and so that's really been consuming my mind to try and figure out this problem and what to do about it.

43
00:02:44,760 --> 00:02:57,560
Okay, so I have just one thing to talk about today, which is the public preview in AKS or Azure Kubernetes service for something called operation abort.

44
00:02:57,560 --> 00:03:07,760
So like the name suggests, it's something that allows you to abort something that's going on in your cluster or agent pool during the middle of the operation.

45
00:03:07,760 --> 00:03:17,760
Now, unsurprisingly, that isn't going to gracefully end your operation. It's going to stop at whatever it was doing at the time that you ran the abort command.

46
00:03:17,760 --> 00:03:22,840
But if you need to do that because mistakes get made, it is something that you can do.

47
00:03:22,840 --> 00:03:29,040
This is really kind of like a backup, worst case scenario thing, but something people have been asking for.

48
00:03:29,040 --> 00:03:32,960
So now you can do it if you need to. So that's pretty sweet.

49
00:03:32,960 --> 00:03:39,200
Is that like kind of a break glass thing? Like something catastrophic happened, so we need to just bring this thing to a halt now.

50
00:03:39,200 --> 00:03:40,760
Pretty much.

51
00:03:40,760 --> 00:03:48,440
Cool. So from my point of view, I've been playing with Kusto Query Language.

52
00:03:48,440 --> 00:03:52,280
I'm not working all the time in a hunting, right?

53
00:03:52,280 --> 00:04:01,400
And what I have found myself is that every so often, I need to go into the advanced hunting of Microsoft 365.

54
00:04:01,400 --> 00:04:06,160
And I learned KQL, again, Kusto Query Language.

55
00:04:06,160 --> 00:04:12,160
I use it. I learn it really good. And then I don't use it anymore. I forget it.

56
00:04:12,160 --> 00:04:21,040
So actually, I got really excited when I heard about Microsoft Defender Guided mode, which is now going in public preview.

57
00:04:21,040 --> 00:04:30,440
This is a friendly way for analysts to query the database for endpoint identity, email collaboration and cloud apps.

58
00:04:30,440 --> 00:04:41,920
Actually, without knowing Kusto Query Language, basically you're using building blocks style of construction query through drop down menu,

59
00:04:41,920 --> 00:04:44,720
containing available filters and conditions.

60
00:04:44,720 --> 00:04:53,080
So I have included a video, a short video that they have or how to do these as part of our website.

61
00:04:53,080 --> 00:05:00,320
The other thing is there's Microsoft Defender Experts for Hunting, which is now generally available.

62
00:05:00,320 --> 00:05:04,280
This is a way for Defender experts for hunting.

63
00:05:04,280 --> 00:05:16,360
And I'm talking about our Microsoft experts hunting and helping investigate anything they find in a customer type of environment.

64
00:05:16,360 --> 00:05:25,200
And then the hand of the contextual alerts information along with the remediation instruction to the customer.

65
00:05:25,200 --> 00:05:32,440
So it's a quick way for customers to respond to the threat happening in their environment.

66
00:05:32,440 --> 00:05:34,600
And that's all for me.

67
00:05:34,600 --> 00:05:36,400
I have a lot of news this week.

68
00:05:36,400 --> 00:05:40,520
So I'm not going to spend much time sort of going over it or giving any sort of commentary.

69
00:05:40,520 --> 00:05:42,160
So let's just dive straight in.

70
00:05:42,160 --> 00:05:49,760
The first one is Azure Database for MySQL, flexible server data encryption now supports customer managed keys.

71
00:05:49,760 --> 00:05:51,720
A lot of customers want to control their own keys.

72
00:05:51,720 --> 00:05:57,040
They're required by compliance programs or something. So that's always a good thing to see.

73
00:05:57,040 --> 00:06:06,200
Next one is in public preview is the ability to encrypt managed disks in a cross tenant using a customer managed key as well.

74
00:06:06,200 --> 00:06:07,520
All right. So actually, there's two of them.

75
00:06:07,520 --> 00:06:08,440
There's two news articles here.

76
00:06:08,440 --> 00:06:10,480
One is the ability to encrypt managed disks.

77
00:06:10,480 --> 00:06:17,400
And the other one is to encrypt storage accounts using a key that is in another tenant.

78
00:06:17,400 --> 00:06:20,360
They may think, well, why on earth would you want to do that?

79
00:06:20,360 --> 00:06:28,200
The reason you want to do that is because some of our customers have SaaS solutions, software as a service solutions,

80
00:06:28,200 --> 00:06:32,400
and they want to be able to have customers in their own tenants,

81
00:06:32,400 --> 00:06:36,480
which means that, you know, if someone's managing the key, it may be in a different tenant.

82
00:06:36,480 --> 00:06:39,640
So that's why those two scenarios exist.

83
00:06:39,640 --> 00:06:40,480
That's really good to see.

84
00:06:40,480 --> 00:06:43,000
And that is in public preview.

85
00:06:43,000 --> 00:06:47,840
Back to my current team, automatic key rotation for transparent data encryption.

86
00:06:47,840 --> 00:06:53,000
Bring your own key is now available in preview for Azure SQL database.

87
00:06:53,000 --> 00:06:56,840
So TDE, transparent data encryption is sort of volume encryption.

88
00:06:56,840 --> 00:06:59,640
And there's a whole key hierarchy that goes on.

89
00:06:59,640 --> 00:07:02,960
And the root of that is a key that's held in Key Vault.

90
00:07:02,960 --> 00:07:05,160
It says an RSA key held in Key Vault.

91
00:07:05,160 --> 00:07:09,520
Well, now you can automatically rotate that based off of, you know, whatever the policy is.

92
00:07:09,520 --> 00:07:11,720
And in fact, that's actually a feature that's built into Key Vault.

93
00:07:11,720 --> 00:07:14,080
For those of you not aware, you can.

94
00:07:14,080 --> 00:07:17,520
So for example, you can do with storage accounts today as well.

95
00:07:17,520 --> 00:07:18,240
That's nice as well.

96
00:07:18,240 --> 00:07:20,520
But remember, you are rotating the key encryption keys here.

97
00:07:20,520 --> 00:07:23,240
You're not rotating the data encryption keys.

98
00:07:23,240 --> 00:07:29,840
Back to SQL and generally available is managed private endpoints support for Synapse SQL output.

99
00:07:29,840 --> 00:07:35,640
So data coming out of Synapse, you can now use managed private endpoints on that.

100
00:07:35,640 --> 00:07:39,320
Interestingly, the documentation says that setting up is simple.

101
00:07:39,320 --> 00:07:44,280
It is a simple two step operation, which I've yet to see because it's private endpoints.

102
00:07:44,280 --> 00:07:45,920
But they say it's a simple setup.

103
00:07:45,920 --> 00:07:48,560
So hey, I'll take their word for it.

104
00:07:48,560 --> 00:07:56,320
Next one is you can now authenticate to service bus using managed identities as well.

105
00:07:56,320 --> 00:07:58,360
You're going to see more and more of this.

106
00:07:58,360 --> 00:08:01,960
I think I've mentioned these a few times across the board.

107
00:08:01,960 --> 00:08:05,320
There are big changes happening and have been happening for a few years now in Azure.

108
00:08:05,320 --> 00:08:10,000
So for example, managed identities for client authentication, private endpoints for isolation

109
00:08:10,000 --> 00:08:11,480
and more customer managed key.

110
00:08:11,480 --> 00:08:14,280
So these are big areas of improvement across the board.

111
00:08:14,280 --> 00:08:17,640
And so this is just another one of those scenarios that's using a managed identity.

112
00:08:17,640 --> 00:08:20,960
So remember, managed identity is useful as clients authentication.

113
00:08:20,960 --> 00:08:26,840
While it's not a topic of managed identities, you can now use a managed identity to connect

114
00:08:26,840 --> 00:08:29,520
to Azure Cache for Redis.

115
00:08:29,520 --> 00:08:35,400
Now, what happens here is Azure Cache for Redis has a managed identity and uses that

116
00:08:35,400 --> 00:08:37,480
to authenticate to storage.

117
00:08:37,480 --> 00:08:42,040
So you can now put permissions on a storage account that say that particular Redis cache

118
00:08:42,040 --> 00:08:47,440
or Azure Cache for Redis can actually write or whatever policies you want.

119
00:08:47,440 --> 00:08:51,240
So again, really nice to see one of the beauties of managed identities is you don't have to

120
00:08:51,240 --> 00:08:52,960
worry about the credential.

121
00:08:52,960 --> 00:08:56,120
It's all handled by Azure Active Directory.

122
00:08:56,120 --> 00:09:01,600
And the last one, still managed identities, is back to my home base.

123
00:09:01,600 --> 00:09:07,040
Azure SQL Database now supports user assigned managed identities.

124
00:09:07,040 --> 00:09:12,000
So if you're connecting out from the database out to something, you can now use Azure SQL

125
00:09:12,000 --> 00:09:18,040
to use a user assigned managed identity to restrict access to some resource, just that

126
00:09:18,040 --> 00:09:19,920
SQL instance, for example.

127
00:09:19,920 --> 00:09:26,240
So that is all the news I have this week, two sort of broad categories, crypto and managed

128
00:09:26,240 --> 00:09:27,240
identities.

129
00:09:27,240 --> 00:09:28,720
That's always good to see.

130
00:09:28,720 --> 00:09:31,760
So let's turn our attention now to our guest.

131
00:09:31,760 --> 00:09:37,200
This week we have Josh Bregman, who's here to talk to us about Microsoft Defender for

132
00:09:37,200 --> 00:09:38,200
Endpoints.

133
00:09:38,200 --> 00:09:42,160
I mean, not just Microsoft Defender for Endpoints, but Microsoft Defender for Endpoint from a

134
00:09:42,160 --> 00:09:46,720
sort of a tamper resilience perspective, which I think is an incredibly important topic.

135
00:09:46,720 --> 00:09:49,320
So Josh, thank you so much for joining us this week.

136
00:09:49,320 --> 00:09:51,960
We'd like to take a moment and just sort of introduce yourself to our listeners.

137
00:09:51,960 --> 00:09:55,360
So first of all, thanks for having me on the podcast.

138
00:09:55,360 --> 00:09:56,720
So my name is Josh Bregman.

139
00:09:56,720 --> 00:10:01,440
I'm a product manager on the Microsoft Defender for Endpoint team.

140
00:10:01,440 --> 00:10:08,480
I've been with Microsoft just over a year, but I've got 25 years cybersecurity product experience,

141
00:10:08,480 --> 00:10:09,680
pretty much done every job in software.

142
00:10:09,680 --> 00:10:14,800
I've been a developer, I've been a consultant at the pre-sales sales, big company, small

143
00:10:14,800 --> 00:10:15,800
companies.

144
00:10:15,800 --> 00:10:20,800
Prior to this, I was chief operating officer of 40 person network detection and response

145
00:10:20,800 --> 00:10:22,640
startup, finding anomalies in the net flow.

146
00:10:22,640 --> 00:10:28,200
So kind of all things cyber for a long time and very fortunate to have joined the Endpoint

147
00:10:28,200 --> 00:10:30,840
team last year.

148
00:10:30,840 --> 00:10:37,240
My focus area is human operated ransomware and advanced persistent threats.

149
00:10:37,240 --> 00:10:42,080
And so within the product portfolio, I'm responsible for a couple of features there, including

150
00:10:42,080 --> 00:10:46,000
tamper protection and troubleshooting mode.

151
00:10:46,000 --> 00:10:51,720
Let's talk a little bit about kind of Microsoft Defender for Endpoint and your focus area

152
00:10:51,720 --> 00:10:52,720
on it.

153
00:10:52,720 --> 00:10:56,720
Can you kind of give us a little bit of an overview of what those are focused on doing

154
00:10:56,720 --> 00:10:59,520
and then kind of what your part to play in is?

155
00:10:59,520 --> 00:11:03,880
For people who are not aware, Microsoft Defender for Endpoint is Microsoft's Endpoint Protection

156
00:11:03,880 --> 00:11:05,440
platform.

157
00:11:05,440 --> 00:11:11,120
It keeps devices Endpoint safe from bad things happening from cyber attacks.

158
00:11:11,120 --> 00:11:15,920
And if we think about it, it's a rich set of capabilities.

159
00:11:15,920 --> 00:11:19,000
Mark, some of the stuff that you were talking about with patching, we've got a threat and

160
00:11:19,000 --> 00:11:23,680
vulnerability management component, which is looking for vulnerabilities, raising them

161
00:11:23,680 --> 00:11:31,240
up, prioritizing them, giving people actions to take to help keep their environments safe

162
00:11:31,240 --> 00:11:33,160
and patching up to date.

163
00:11:33,160 --> 00:11:35,560
It's really a super important problem.

164
00:11:35,560 --> 00:11:37,800
I'm glad you talked about it.

165
00:11:37,800 --> 00:11:40,360
Let's figure out how to solve that together.

166
00:11:40,360 --> 00:11:43,160
So that's about lowering the risk.

167
00:11:43,160 --> 00:11:47,240
Then there's a protection piece to it, which is about attack surface reduction.

168
00:11:47,240 --> 00:11:50,440
So it's a set of controls that keep common things from happening.

169
00:11:50,440 --> 00:11:54,960
So application controls, device control, network protection, controlled folder access,

170
00:11:54,960 --> 00:12:00,800
post-intrusion prevention, locking down office applications, web content filtering.

171
00:12:00,800 --> 00:12:03,960
Then there's a next generation protection capability.

172
00:12:03,960 --> 00:12:07,600
It's not your mother slash father's antivirus.

173
00:12:07,600 --> 00:12:13,240
This is very advanced, very sophisticated machine learning, working through complicated

174
00:12:13,240 --> 00:12:18,600
algorithms to work both on-prem and the cloud to leverage all of the sort of intelligence

175
00:12:18,600 --> 00:12:23,000
that we have to stop threats as we find them on devices.

176
00:12:23,000 --> 00:12:27,880
Then we get into our detection capabilities or endpoint detection response, robust set

177
00:12:27,880 --> 00:12:33,080
of indicators of compromise, file and computer response actions, remote shell, lots of data,

178
00:12:33,080 --> 00:12:37,960
custom alerting, automatic response actions, and advanced hunting powered by Kusto, like

179
00:12:37,960 --> 00:12:38,960
Gladys said.

180
00:12:38,960 --> 00:12:43,400
Then we've got automated investigation and remediation, which is sort of like a security

181
00:12:43,400 --> 00:12:44,920
analyst in a box.

182
00:12:44,920 --> 00:12:51,320
So it's taking actions as a security analyst to scale your operations, investigate threats

183
00:12:51,320 --> 00:12:54,240
and take actions on your behalf.

184
00:12:54,240 --> 00:12:59,640
Last but not least, we've got our Microsoft threat experts who work with you to practically

185
00:12:59,640 --> 00:13:02,480
hunt for anomalies and malicious behavior in your environment.

186
00:13:02,480 --> 00:13:07,720
So all of that is lowering the risk, protecting your endpoints and detecting attacks.

187
00:13:07,720 --> 00:13:12,520
It's been a long history of product on Windows and Windows servers, but we've been making

188
00:13:12,520 --> 00:13:17,560
real strides over the last couple of years in cross-platforms, so it runs on Mac, Linux,

189
00:13:17,560 --> 00:13:18,560
and on your phone.

190
00:13:18,560 --> 00:13:22,640
So that's the whole universe very quickly of Microsoft Defender for Endpoint.

191
00:13:22,640 --> 00:13:32,960
The thing that I'm focused on is on the protection side with a specific focus on stopping advanced

192
00:13:32,960 --> 00:13:35,440
persistent threats like human-operated ransomware.

193
00:13:35,440 --> 00:13:44,080
And so recently in the latest Microsoft Signals, which was in August, it was a call-out.

194
00:13:44,080 --> 00:13:45,920
It was all about ransomware.

195
00:13:45,920 --> 00:13:49,360
And there's a quote here from Emily Hacker where she says, well, ransomware or double

196
00:13:49,360 --> 00:13:52,840
extortion can seem an inevitable outcome.

197
00:13:52,840 --> 00:13:54,280
Ransomware is an avoidable disaster.

198
00:13:54,280 --> 00:13:57,400
Reliance on security weaknesses by attacker means that investment in cyber hygiene go

199
00:13:57,400 --> 00:13:58,400
a long way.

200
00:13:58,400 --> 00:14:04,680
So Mark, once again, there's this idea of how do we keep ourselves safe by doing the

201
00:14:04,680 --> 00:14:06,880
sort of basics, the unglamorous things.

202
00:14:06,880 --> 00:14:15,000
And the call-out here is that 80% of ransomware attacks are exploiting configuration errors.

203
00:14:15,000 --> 00:14:20,240
So fundamentally, even though ransomware is an advanced persistent threat and it's very

204
00:14:20,240 --> 00:14:24,440
sophisticated, like at the end of the day, the things that keep people safe is getting

205
00:14:24,440 --> 00:14:28,240
their configuration right and getting their configuration locked down.

206
00:14:28,240 --> 00:14:35,440
And so tamper protection is the key way, key control that we have in Microsoft Defender

207
00:14:35,440 --> 00:14:39,760
for endpoint to keep the configuration safe from attackers.

208
00:14:39,760 --> 00:14:43,240
So I'm going to breeze now, but hopefully that answered your question.

209
00:14:43,240 --> 00:14:44,240
It does.

210
00:14:44,240 --> 00:14:47,160
I'm going to sort of build on that a little bit.

211
00:14:47,160 --> 00:14:52,160
But what problem are we solving with tamper protection?

212
00:14:52,160 --> 00:14:57,760
Like why should specifically anyone who's listening to this turn it on?

213
00:14:57,760 --> 00:15:02,760
So at the end of the day, there are settings in Defender.

214
00:15:02,760 --> 00:15:08,440
And those settings are configurable, and that gives people a lot of freedom to configure

215
00:15:08,440 --> 00:15:10,880
the service the way that we want.

216
00:15:10,880 --> 00:15:15,880
But what we realized is that there's a number of these settings that, you know, if you really

217
00:15:15,880 --> 00:15:22,200
want to have Defender running as your primary antivirus, then they should be in the default

218
00:15:22,200 --> 00:15:26,160
state and they shouldn't be turned off and they shouldn't be changed.

219
00:15:26,160 --> 00:15:32,160
And so what tamper protection does is it ensures that if it's your intention to have the antivirus

220
00:15:32,160 --> 00:15:37,440
running, which we believe it is, then these stay in these default settings and they prevent

221
00:15:37,440 --> 00:15:41,680
unauthorized users from making changes to those settings.

222
00:15:41,680 --> 00:15:47,680
So essentially what it does is it ensures that an attacker cannot simply turn off or

223
00:15:47,680 --> 00:15:51,520
disable Defender and put it in a non-operational state.

224
00:15:51,520 --> 00:15:52,520
It does.

225
00:15:52,520 --> 00:15:58,720
So what specific features or preventions are you actually trying to mitigate here?

226
00:15:58,720 --> 00:16:01,080
So let me just tell you a little story.

227
00:16:01,080 --> 00:16:05,840
I think the statute of limitations has run out on this, but I'm not going to name any names.

228
00:16:05,840 --> 00:16:10,520
Probably about 20 years ago or so, there was a company who made some antivirus software

229
00:16:10,520 --> 00:16:14,280
and they, we were talking to them and they explained how you could never turn this off,

230
00:16:14,280 --> 00:16:17,160
not even admins could turn it off.

231
00:16:17,160 --> 00:16:18,160
And I said, all right.

232
00:16:18,160 --> 00:16:19,160
And they said, yeah, you can't see.

233
00:16:19,160 --> 00:16:24,320
We've got cryptographic this and cryptographic that and watchdog the other blah, blah, blah,

234
00:16:24,320 --> 00:16:25,320
blah, blah.

235
00:16:25,320 --> 00:16:28,440
So just for grins and giggles, I just went in and I just changed the ACL on one of the

236
00:16:28,440 --> 00:16:32,800
files to everyone deny and then restarted the machine.

237
00:16:32,800 --> 00:16:39,440
And yeah, the antivirus never started because it couldn't be read by the OS.

238
00:16:39,440 --> 00:16:40,440
So yeah.

239
00:16:40,440 --> 00:16:42,400
So I mean, what sort of things are you trying to mitigate here?

240
00:16:42,400 --> 00:16:43,400
I'm just really curious.

241
00:16:43,400 --> 00:16:45,360
Did they say that that was not fair?

242
00:16:45,360 --> 00:16:47,760
Was that an unfair thing that you did there, Michael?

243
00:16:47,760 --> 00:16:48,760
They weren't happy.

244
00:16:48,760 --> 00:16:49,760
They were happy with that.

245
00:16:49,760 --> 00:16:52,360
Because they spent like years trying to mitigate it.

246
00:16:52,360 --> 00:16:55,880
And my, you know, my attack was just done with in a bucket of rocks, right?

247
00:16:55,880 --> 00:16:57,360
It wasn't a sophisticated attack at all.

248
00:16:57,360 --> 00:17:01,400
I mean, it was a stupid, a stupid can be, but it works and that's what matters.

249
00:17:01,400 --> 00:17:02,400
Yeah.

250
00:17:02,400 --> 00:17:03,600
So, but it's a hard problem as well.

251
00:17:03,600 --> 00:17:04,600
Right.

252
00:17:04,600 --> 00:17:05,600
So really, really hard problems.

253
00:17:05,600 --> 00:17:08,480
I'm just interested in sort of the, a bit more detail about what you're trying to protect

254
00:17:08,480 --> 00:17:09,480
against.

255
00:17:09,480 --> 00:17:12,280
First thing I would say is, you know, one of the great things I'm working at Microsoft

256
00:17:12,280 --> 00:17:17,000
is that, you know, you get to work with incredibly talented people.

257
00:17:17,000 --> 00:17:23,880
And so there's an army of security researchers who are every day putting enhancements into,

258
00:17:23,880 --> 00:17:27,000
you know, solving this problem.

259
00:17:27,000 --> 00:17:30,000
You know, they're doing the things that you would expect security researchers to do to

260
00:17:30,000 --> 00:17:33,840
sort of track the latest techniques and look at the data and things like that.

261
00:17:33,840 --> 00:17:39,600
And so it is a, it is a very hard yet important problem.

262
00:17:39,600 --> 00:17:48,480
And we see that when the tamper protection feature is on, it has a measurable impact in

263
00:17:48,480 --> 00:17:53,840
the overall effectiveness in keeping people safe from ransomware attacks.

264
00:17:53,840 --> 00:17:58,400
So just to be clear, if you turn tamper, if tamper protection is not on, it is incredibly

265
00:17:58,400 --> 00:18:03,760
trivial to do, and maybe this is what you're sort of asking, simply take defender and turn

266
00:18:03,760 --> 00:18:09,160
off real time protection or, you know, turn off our behavioral monitoring or disable our

267
00:18:09,160 --> 00:18:14,000
antivirus protection for, you know, for office or the cloud delivered protection, right?

268
00:18:14,000 --> 00:18:19,680
When we talked about this, the very sophisticated system that uses the cloud or removing security

269
00:18:19,680 --> 00:18:26,720
intelligence updates or hiding some of the UX prompts that someone would see when attacker

270
00:18:26,720 --> 00:18:30,360
is there or disabling scanning of network archives.

271
00:18:30,360 --> 00:18:38,160
So there's a list of things that bad guys do that more or less make the antivirus part

272
00:18:38,160 --> 00:18:40,280
of the platform ineffective.

273
00:18:40,280 --> 00:18:45,680
And by having tamper protection on, it prevents those things from accessing those registry

274
00:18:45,680 --> 00:18:50,240
settings and changing them from non default values, which has the impact of making the

275
00:18:50,240 --> 00:18:52,760
antivirus product significantly less effective.

276
00:18:52,760 --> 00:19:00,920
So Josh, we often want to make the work of configuring computers and endpoints better.

277
00:19:00,920 --> 00:19:04,680
And we provide, as you mentioned, registry.

278
00:19:04,680 --> 00:19:13,560
We provide GPOs, Intune has configurations in order to tweak the configuration of different

279
00:19:13,560 --> 00:19:16,800
products, including defender for endpoint.

280
00:19:16,800 --> 00:19:22,120
So what happened with these type of features now that you are enabling tamper protection?

281
00:19:22,120 --> 00:19:24,880
It's a really good question, Gladys.

282
00:19:24,880 --> 00:19:30,320
And so the tamper protection is, you know, it is a security feature.

283
00:19:30,320 --> 00:19:32,640
It is an essential security feature.

284
00:19:32,640 --> 00:19:36,320
It's critical that it's on for safety.

285
00:19:36,320 --> 00:19:45,800
And so when the feature was rolled out, the decision was made to, for some set of registry

286
00:19:45,800 --> 00:19:49,480
settings, the ones that are local, to actually block.

287
00:19:49,480 --> 00:19:53,760
So when tamper protection is on, and you attempt to, you know, let's say disable real time

288
00:19:53,760 --> 00:19:56,480
protection, you will get an error.

289
00:19:56,480 --> 00:20:04,000
But for things like the same setting, but making a change via GPO, or making a change

290
00:20:04,000 --> 00:20:09,080
via Microsoft Endpoint Manager, or one of the mobile device management platforms, the

291
00:20:09,080 --> 00:20:18,760
decision was made to basically allow the call to return to keep those things compatible.

292
00:20:18,760 --> 00:20:23,960
But then under the covers for the setting not to be changed from the default.

293
00:20:23,960 --> 00:20:29,720
And so this is some of the challenges in building a product like this, and some of the choice

294
00:20:29,720 --> 00:20:31,680
that we have to make.

295
00:20:31,680 --> 00:20:39,560
More and more, we're becoming more transparent about exactly the features that in the registry

296
00:20:39,560 --> 00:20:43,100
are protected, and we're working to update the documentation.

297
00:20:43,100 --> 00:20:48,000
So it's clearer about how tamper protection works in these managed scenarios.

298
00:20:48,000 --> 00:20:52,160
Because at the end of the day, what you're really trying to do is you're trying to ensure

299
00:20:52,160 --> 00:20:57,000
that only authorized changes are made to these critical settings.

300
00:20:57,000 --> 00:21:05,400
And so we continue to work with our partners in Intune and other management channels to

301
00:21:05,400 --> 00:21:09,880
make sure that they get an improved management experience.

302
00:21:09,880 --> 00:21:13,200
That having been said, the types of settings that we're protecting, we don't think there's

303
00:21:13,200 --> 00:21:15,600
a lot of good reasons for people to be changing them.

304
00:21:15,600 --> 00:21:24,280
I mean, probably the one exceptional use case there is a troubleshooting scenario.

305
00:21:24,280 --> 00:21:30,840
So antivirus has been around in the market for a long time, and there's a number of vendor

306
00:21:30,840 --> 00:21:37,280
products that say, hey, if you're having any sort of problems with performance in our product,

307
00:21:37,280 --> 00:21:41,320
why don't you just turn off the antivirus?

308
00:21:41,320 --> 00:21:42,320
It's reflexive.

309
00:21:42,320 --> 00:21:43,400
It's in their documentation.

310
00:21:43,400 --> 00:21:51,160
And so it's not uncommon in these lockdown environments for IT operators to make requests

311
00:21:51,160 --> 00:21:55,080
to say, look, even though this is locked down, I have tamper protection turned on, I really

312
00:21:55,080 --> 00:21:58,120
need to turn real-time protection off.

313
00:21:58,120 --> 00:22:01,200
I have to fundamentally disable the antivirus.

314
00:22:01,200 --> 00:22:06,720
And so that is one thing which has been hard to do in a lockdown environment.

315
00:22:06,720 --> 00:22:11,480
And so we recently, it's another feature that I'm responsible for.

316
00:22:11,480 --> 00:22:14,560
We recently GA'd a feature called troubleshooting mode.

317
00:22:14,560 --> 00:22:21,640
And what troubleshooting mode does is an administrator from the Microsoft Defender for Endpoint

318
00:22:21,640 --> 00:22:26,440
portal can put a device in what's called troubleshooting mode.

319
00:22:26,440 --> 00:22:33,000
And so what troubleshooting mode does is it allows temporarily for an administrator to,

320
00:22:33,000 --> 00:22:38,840
a local administrator to be able to turn off tamper protection and then allows them to

321
00:22:38,840 --> 00:22:42,880
turn off real-time protection so that they could troubleshoot potentially performance

322
00:22:42,880 --> 00:22:48,440
issue, which 99 times out of 100 actually isn't with Defender for Endpoint, but it's

323
00:22:48,440 --> 00:22:53,600
just the standard operating procedure and the way that people have talked about diagnosing

324
00:22:53,600 --> 00:22:54,960
these problems.

325
00:22:54,960 --> 00:23:01,320
So the management complexity, as hard as it is to get tamper protection, to protect things,

326
00:23:01,320 --> 00:23:06,560
you also really do have to consider the use case in these enterprise scenarios about manageability

327
00:23:06,560 --> 00:23:10,320
so that people can have both the sort of security of these things being through and on, but

328
00:23:10,320 --> 00:23:12,720
be able to actually run their businesses day to day.

329
00:23:12,720 --> 00:23:13,720
Yeah.

330
00:23:13,720 --> 00:23:17,400
There's a part of me that wants to laugh because the other one I always see is, what do you

331
00:23:17,400 --> 00:23:18,400
need to install this?

332
00:23:18,400 --> 00:23:19,400
Domain admin?

333
00:23:19,400 --> 00:23:20,400
No.

334
00:23:20,400 --> 00:23:22,400
What do you actually need to install this?

335
00:23:22,400 --> 00:23:24,720
Wouldn't it just be easier?

336
00:23:24,720 --> 00:23:26,480
Like that would just be easier.

337
00:23:26,480 --> 00:23:30,160
So yeah, I mean, the other one that's related there, Mark, is like the exclusions as well.

338
00:23:30,160 --> 00:23:31,840
I mean, we can probably do a whole, right?

339
00:23:31,840 --> 00:23:37,760
Because it's just like, hey, if you just exclude everything, then yeah, the antivirus won't

340
00:23:37,760 --> 00:23:38,760
get in the way.

341
00:23:38,760 --> 00:23:42,700
And I mean, that's probably another thing that as an industry, we need to really go figure

342
00:23:42,700 --> 00:23:49,120
out is how do we think about these exclusions in a way that are more sensible?

343
00:23:49,120 --> 00:23:56,360
Wide open antivirus exclusions are effectively blind spots that customers configure.

344
00:23:56,360 --> 00:24:01,040
So I mean, one of the things that we're working on here is extending out tamper protection

345
00:24:01,040 --> 00:24:06,560
to exclusions to keep those sort of locked down for that very reason.

346
00:24:06,560 --> 00:24:12,280
But yeah, but it is a sort of endemic problem.

347
00:24:12,280 --> 00:24:18,200
And I don't think really based in fact anymore, Michael has been talking about an antivirus

348
00:24:18,200 --> 00:24:19,200
from two decades ago.

349
00:24:19,200 --> 00:24:25,320
And I think there was a period of time where this software really early days and...

350
00:24:25,320 --> 00:24:26,320
Yeah.

351
00:24:26,320 --> 00:24:31,000
Before all the APIs and Windows and whatnot, it was a very different world of random, random

352
00:24:31,000 --> 00:24:32,680
hooks and stuff like that.

353
00:24:32,680 --> 00:24:34,720
But we're way past that now.

354
00:24:34,720 --> 00:24:35,720
Totally.

355
00:24:35,720 --> 00:24:38,640
So if you're a vendor and you're listening, think about your exclusions.

356
00:24:38,640 --> 00:24:39,640
Yeah.

357
00:24:39,640 --> 00:24:40,640
And please update your docs.

358
00:24:40,640 --> 00:24:42,840
And update your docs and don't require domain admins.

359
00:24:42,840 --> 00:24:47,160
So one of the things I wanted to ask you was like, so where are we today?

360
00:24:47,160 --> 00:24:52,280
What is the current state and how does it behave sort of in existing situations and

361
00:24:52,280 --> 00:24:54,560
in new installs?

362
00:24:54,560 --> 00:24:55,720
How does that work?

363
00:24:55,720 --> 00:25:04,520
So tamper protection as a feature has been on by default and on for everyone in the consumer

364
00:25:04,520 --> 00:25:08,000
space for I would say years.

365
00:25:08,000 --> 00:25:14,440
We recently, I think it was about nine months ago, made the decision just based upon what

366
00:25:14,440 --> 00:25:21,000
we were seeing and the threat landscape to have tamper protection on by default for new

367
00:25:21,000 --> 00:25:23,520
enterprise customers.

368
00:25:23,520 --> 00:25:27,840
And we're now getting to the point, hopefully by the time this podcast airs, we'll be in

369
00:25:27,840 --> 00:25:36,600
public preview, is we're now getting to the point where for existing enterprise customers,

370
00:25:36,600 --> 00:25:42,240
if they haven't taken or haven't turned it on, which again, it seems like there wouldn't

371
00:25:42,240 --> 00:25:43,360
be that many of them.

372
00:25:43,360 --> 00:25:47,440
There's a lot of customers who actually given this setting have actually expressed no admin

373
00:25:47,440 --> 00:25:48,440
intent.

374
00:25:48,440 --> 00:25:50,880
We have no view of whether they want it on or off.

375
00:25:50,880 --> 00:25:54,520
That we are going to be turning it on for them.

376
00:25:54,520 --> 00:25:59,960
They'll be notified, notified through the message center, notified in product, but we're taking

377
00:25:59,960 --> 00:26:05,040
more of, I guess I would call it a sort of trusted advisor perspective here, which is

378
00:26:05,040 --> 00:26:09,920
to say, listen, this setting is really important and you didn't know it was there.

379
00:26:09,920 --> 00:26:11,520
You didn't know it was important.

380
00:26:11,520 --> 00:26:13,480
You didn't get to it, like, that's fine.

381
00:26:13,480 --> 00:26:16,560
30 days from now, it's going to go on.

382
00:26:16,560 --> 00:26:20,760
And then that way you're going to be a lot safer from ransomware going forward.

383
00:26:20,760 --> 00:26:22,880
Just the data is clear.

384
00:26:22,880 --> 00:26:27,120
When we look at the postmortems, having this tamper protection setting on is so important

385
00:26:27,120 --> 00:26:28,840
to keeping people safe.

386
00:26:28,840 --> 00:26:32,840
And for customers who haven't expressed a preference, we're going to be working to turn

387
00:26:32,840 --> 00:26:35,800
it on on their behalf unless they opt out.

388
00:26:35,800 --> 00:26:40,800
So it's a balancing act there in between sort of honoring admin intent, but it is just clear

389
00:26:40,800 --> 00:26:47,440
to us that without having tamper protection on, that customers are at dramatically increased

390
00:26:47,440 --> 00:26:53,600
risk from these attacks and we think that as a key provider for them and as a trusted

391
00:26:53,600 --> 00:26:57,800
partner that we need to do as much as we can to help keep them safe.

392
00:26:57,800 --> 00:27:00,400
Just one question for me.

393
00:27:00,400 --> 00:27:07,240
Is the troubleshooting mode potentially an avenue for attackers to abuse?

394
00:27:07,240 --> 00:27:12,720
All these things that we do do present an opportunity.

395
00:27:12,720 --> 00:27:22,000
And so the initial release of the feature, we've been very sort of conservative in our

396
00:27:22,000 --> 00:27:23,000
approach.

397
00:27:23,000 --> 00:27:27,080
So the first thing is there are limits in who can turn it on.

398
00:27:27,080 --> 00:27:34,760
There are limits in how long it can be turned on, both for an individual instance and for

399
00:27:34,760 --> 00:27:39,640
a given day because we really don't want this to be abused.

400
00:27:39,640 --> 00:27:44,600
So I think that the team has spent a lot of time in sort of engineering it.

401
00:27:44,600 --> 00:27:48,880
So we feel good about the fundamental security about it, but then beyond the sort of underlying

402
00:27:48,880 --> 00:27:54,160
mechanism, we've been very sort of cautious in the way in which we've rolled it out and

403
00:27:54,160 --> 00:27:59,680
we continue to sort of talk to customers and make sure that everything is sort of audited

404
00:27:59,680 --> 00:28:03,560
and that people feel good about the controls we put in place and so that it doesn't actually

405
00:28:03,560 --> 00:28:05,280
get abused.

406
00:28:05,280 --> 00:28:10,200
But it's certainly something that we're aware of and thinking about kind of top of mind

407
00:28:10,200 --> 00:28:12,920
as we design the feature and roll it out going forward.

408
00:28:12,920 --> 00:28:16,440
All right, let's start to bring this episode to a close.

409
00:28:16,440 --> 00:28:22,800
So Josh, one question we always ask our guests is if you had just one final thought to leave

410
00:28:22,800 --> 00:28:24,920
our listeners with, what would it be?

411
00:28:24,920 --> 00:28:26,400
Tamper protection.

412
00:28:26,400 --> 00:28:27,400
Turn it on.

413
00:28:27,400 --> 00:28:28,400
Is that it?

414
00:28:28,400 --> 00:28:29,400
That's it.

415
00:28:29,400 --> 00:28:30,400
Fair enough.

416
00:28:30,400 --> 00:28:35,000
That would probably have to be the shortest go do ever, I think.

417
00:28:35,000 --> 00:28:36,960
But hey, congratulations.

418
00:28:36,960 --> 00:28:38,200
Thank you, Josh, for joining us this week.

419
00:28:38,200 --> 00:28:40,400
I really appreciate you taking the time.

420
00:28:40,400 --> 00:28:43,120
I know that you're incredibly busy.

421
00:28:43,120 --> 00:28:45,680
So again, thank you so much for joining us this week.

422
00:28:45,680 --> 00:28:49,440
And to all our listeners out there, thank you so much for listening.

423
00:28:49,440 --> 00:28:51,480
Stay safe and we'll see you next time.

424
00:28:51,480 --> 00:28:54,680
Thanks for listening to the Azure Security Podcast.

425
00:28:54,680 --> 00:29:01,480
You can find show notes and other resources at our website azsecuritypodcast.net.

426
00:29:01,480 --> 00:29:06,200
If you have any questions, please find us on Twitter at azuresecpod.

427
00:29:06,200 --> 00:29:34,920
Background music is from ccmixter.com and licensed under the Creative Commons license.

