1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,360
where we discuss topics relating to security, privacy,

3
00:00:09,360 --> 00:00:13,720
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,720 --> 00:00:17,200
Hey everybody, welcome to Episode 65.

5
00:00:17,200 --> 00:00:18,780
This week, we have a full house.

6
00:00:18,780 --> 00:00:19,800
We have myself, Michael,

7
00:00:19,800 --> 00:00:22,120
we have Sarah, Mark, and Gladys.

8
00:00:22,120 --> 00:00:23,360
We also have two guests this week.

9
00:00:23,360 --> 00:00:26,000
We have Rijuta Kapoor and Brandon Dixon,

10
00:00:26,000 --> 00:00:27,960
who are here to talk to us about

11
00:00:27,960 --> 00:00:30,120
Microsoft Defender for Threat Intelligence.

12
00:00:30,120 --> 00:00:32,480
But before we get to our guests,

13
00:00:32,480 --> 00:00:33,960
let's take a little lap around the news.

14
00:00:33,960 --> 00:00:36,560
It's been a while, so I'm going to kick things off this time.

15
00:00:36,560 --> 00:00:40,440
First one is we now have in general availability,

16
00:00:40,440 --> 00:00:42,040
there's now the ability to have

17
00:00:42,040 --> 00:00:46,080
a TLS minimum protocol version for Azure Service Bus.

18
00:00:46,080 --> 00:00:48,400
A lot of past services do this today.

19
00:00:48,400 --> 00:00:50,640
So for example, Azure SQL DB,

20
00:00:50,640 --> 00:00:52,440
let's just set like TLS 1.2,

21
00:00:52,440 --> 00:00:55,360
1.1, and 1.0 as the minimum protocol version.

22
00:00:55,360 --> 00:00:58,560
So that's now available in Azure Service Bus.

23
00:00:58,560 --> 00:01:02,040
The next one is in public preview,

24
00:01:02,040 --> 00:01:05,680
we have the ability to perform infrastructure encryption

25
00:01:05,680 --> 00:01:07,540
using customer managed keys in

26
00:01:07,540 --> 00:01:09,480
Postgres SQL flexible server.

27
00:01:09,480 --> 00:01:12,840
Again, this is something that's in my backyard these days.

28
00:01:12,840 --> 00:01:15,300
So that's good to see, especially the fact that there's

29
00:01:15,300 --> 00:01:18,080
now support for using customer managed keys.

30
00:01:18,080 --> 00:01:22,960
Next one is AMD Confidential VM Guest Attestation.

31
00:01:22,960 --> 00:01:25,160
Attestation is a critically important part

32
00:01:25,160 --> 00:01:27,240
of anything in confidential computing.

33
00:01:27,240 --> 00:01:29,560
It's essentially another process that

34
00:01:29,560 --> 00:01:33,360
validates the integrity and authenticity of something else.

35
00:01:33,360 --> 00:01:37,280
So for example, a confidential VM or a secure enclave,

36
00:01:37,280 --> 00:01:38,960
if you're running, say,

37
00:01:38,960 --> 00:01:42,440
Azure SQL Database with always encrypted and secure enclaves,

38
00:01:42,440 --> 00:01:44,440
then the attestation service will

39
00:01:44,440 --> 00:01:46,600
validate that the enclave is correct.

40
00:01:46,600 --> 00:01:51,080
So now we have that for AMD Confidential VM Guests,

41
00:01:51,080 --> 00:01:52,680
which is good to see.

42
00:01:52,680 --> 00:01:54,800
On the topic of confidential VMs,

43
00:01:54,800 --> 00:01:57,000
I'm really excited to see this,

44
00:01:57,000 --> 00:01:59,120
again, because it's in my backyard,

45
00:01:59,120 --> 00:02:01,160
is now we have general availability for

46
00:02:01,160 --> 00:02:06,120
confidential VMs for SQL servers on Azure virtual machines.

47
00:02:06,120 --> 00:02:10,360
So again, these are AMD VMs that

48
00:02:10,360 --> 00:02:13,440
have all the way down into the CPU.

49
00:02:13,440 --> 00:02:15,200
They basically have keys down there,

50
00:02:15,200 --> 00:02:17,600
there are ephemeral keys every time the VM boots.

51
00:02:17,600 --> 00:02:24,280
But you could run a SQL server inside of there,

52
00:02:24,280 --> 00:02:28,440
and so essentially the VM itself,

53
00:02:28,440 --> 00:02:32,000
all the way down to the CPU is encrypted.

54
00:02:32,000 --> 00:02:34,160
The keys are managed by the CPU,

55
00:02:34,160 --> 00:02:35,840
and there's also memory isolation too.

56
00:02:35,840 --> 00:02:37,720
Now, this is really important because

57
00:02:37,720 --> 00:02:41,120
the root of trust is actually not Azure,

58
00:02:41,120 --> 00:02:42,840
and it's not you as a customer.

59
00:02:42,840 --> 00:02:45,240
The root of trust is actually in this case AMD.

60
00:02:45,240 --> 00:02:47,680
This is incredibly important because it means that you're

61
00:02:47,680 --> 00:02:52,360
protecting against a potential rogue administrator in Azure.

62
00:02:52,360 --> 00:02:53,880
I'm not saying that exists,

63
00:02:53,880 --> 00:02:56,960
but the chance is never zero.

64
00:02:56,960 --> 00:03:00,200
So ultimately, you've got a root of trust that's

65
00:03:00,200 --> 00:03:02,280
down all the way down in the silicon,

66
00:03:02,280 --> 00:03:04,280
and in this case, it's AMD.

67
00:03:04,280 --> 00:03:07,960
Also, finally in GA is the ability to

68
00:03:07,960 --> 00:03:11,680
rotate the transparent data encryption protector key

69
00:03:11,680 --> 00:03:13,440
in Azure SQL Database.

70
00:03:13,440 --> 00:03:15,480
So for compliance purposes,

71
00:03:15,480 --> 00:03:17,760
you can rotate the actual protector.

72
00:03:17,760 --> 00:03:19,480
So you're not actually rotating data encryption key,

73
00:03:19,480 --> 00:03:21,640
you're essentially rotating the key encryption key,

74
00:03:21,640 --> 00:03:25,000
which is perfectly fine for most compliance programs.

75
00:03:25,000 --> 00:03:27,720
Key Vault has the ability built into it to

76
00:03:27,720 --> 00:03:29,600
rotate key encryption keys.

77
00:03:29,600 --> 00:03:33,080
So now all we're doing essentially in Azure SQL Database

78
00:03:33,080 --> 00:03:35,320
is automating that.

79
00:03:35,320 --> 00:03:37,520
So that last link to Azure Key Vault.

80
00:03:37,520 --> 00:03:39,840
So again, that's really great to see.

81
00:03:39,840 --> 00:03:41,880
With that, I'll hand it over to Gladys.

82
00:03:41,880 --> 00:03:42,600
What do you got?

83
00:03:42,600 --> 00:03:46,800
Well, I'm just going to focus more on Ignite announcements.

84
00:03:46,800 --> 00:03:50,640
But before I talk about workload identity,

85
00:03:50,640 --> 00:03:52,960
I want to give a background.

86
00:03:52,960 --> 00:03:57,240
We are always talking about zero trust and conditional access

87
00:03:57,240 --> 00:03:59,680
and verifications to be done.

88
00:03:59,680 --> 00:04:03,880
But the truth is, many of the verifications available

89
00:04:03,880 --> 00:04:08,120
are focused more on user devices.

90
00:04:08,120 --> 00:04:10,960
Lately, I've been working heavily in critical

91
00:04:10,960 --> 00:04:13,600
infrastructures environment, especially,

92
00:04:13,600 --> 00:04:15,800
I don't know if I mentioned to you guys,

93
00:04:15,800 --> 00:04:19,440
lately I've been working with Azure Space and Azure Orbital.

94
00:04:19,440 --> 00:04:23,640
And these are systems applications and devices

95
00:04:23,640 --> 00:04:25,560
that are connecting one to another

96
00:04:25,560 --> 00:04:28,680
without much user interaction.

97
00:04:28,680 --> 00:04:32,360
So we still have to align to the zero trust principles.

98
00:04:32,360 --> 00:04:37,240
So I've been looking at different ways of how we could align

99
00:04:37,240 --> 00:04:42,520
because these are more network-driven types of environment.

100
00:04:42,520 --> 00:04:45,760
So as soon as I heard about workload identities

101
00:04:45,760 --> 00:04:49,000
that were working as part of the Microsoft Entra,

102
00:04:49,000 --> 00:04:51,240
I got really excited.

103
00:04:51,240 --> 00:04:53,240
For those of you that do not know,

104
00:04:53,240 --> 00:04:56,920
workload identity is an identity and access management

105
00:04:56,920 --> 00:05:00,040
solution that manages and secures identities

106
00:05:00,040 --> 00:05:04,120
for digital workloads, such as apps, services,

107
00:05:04,120 --> 00:05:07,240
control access to cloud services.

108
00:05:07,240 --> 00:05:11,480
It will be generally available sometime in November.

109
00:05:11,480 --> 00:05:14,040
Customers can create risk based policy

110
00:05:14,040 --> 00:05:18,120
with conditional access to detect and respond

111
00:05:18,120 --> 00:05:22,280
to compromised workload identities with identity protection

112
00:05:22,280 --> 00:05:27,480
and perform access reviews to enforce least privilege access

113
00:05:27,480 --> 00:05:30,560
to those workload identities.

114
00:05:30,560 --> 00:05:32,400
The other thing that I wanted to talk about

115
00:05:32,400 --> 00:05:35,960
is certificate based authentication, which is now

116
00:05:35,960 --> 00:05:37,080
in preview.

117
00:05:37,080 --> 00:05:39,640
And actually, the identity team keeps saying,

118
00:05:39,640 --> 00:05:43,160
we want as many people already starting to use it.

119
00:05:43,160 --> 00:05:45,840
Basically, this capability enables customers

120
00:05:45,840 --> 00:05:50,360
to adopt easily the phishing resistant authentication

121
00:05:50,360 --> 00:05:54,400
with improved user experience for identifying

122
00:05:54,400 --> 00:05:57,560
certificate authentication factors.

123
00:05:57,560 --> 00:05:59,560
This is a key authentication method

124
00:05:59,560 --> 00:06:03,920
that meets the US executive order for cybersecurity.

125
00:06:03,920 --> 00:06:07,640
So go and find out more information.

126
00:06:07,640 --> 00:06:12,800
And we're providing some links as part of our podcast website.

127
00:06:12,800 --> 00:06:14,920
The next one and last one that I wanted

128
00:06:14,920 --> 00:06:17,800
to talk about is something that I didn't know that we had.

129
00:06:17,800 --> 00:06:19,520
It's called computer vision.

130
00:06:19,520 --> 00:06:23,680
This is an AI service that analyzes content in images

131
00:06:23,680 --> 00:06:24,760
and video.

132
00:06:24,760 --> 00:06:28,200
Computer vision released two services in preview,

133
00:06:28,200 --> 00:06:30,600
one called image analysis.

134
00:06:30,600 --> 00:06:35,480
And the other one is a spatial analysis on the edge.

135
00:06:35,480 --> 00:06:38,080
Image analysis is an updated model

136
00:06:38,080 --> 00:06:41,880
designed to extract a wide variety of visual features

137
00:06:41,880 --> 00:06:46,280
from images to improve digital asset management

138
00:06:46,280 --> 00:06:48,200
and customer accessibility.

139
00:06:48,200 --> 00:06:51,640
The one that I was pleasantly surprised, I would say,

140
00:06:51,640 --> 00:06:54,520
is spatial analysis on the edge, which

141
00:06:54,520 --> 00:06:58,800
will improve safety and security by ingesting

142
00:06:58,800 --> 00:07:03,080
streaming video from camera, extracting insights,

143
00:07:03,080 --> 00:07:07,000
and generating events to be used by other systems.

144
00:07:07,000 --> 00:07:10,840
In many of the environments that I'm working on,

145
00:07:10,840 --> 00:07:14,600
we're working on how we could use video cameras in order

146
00:07:14,600 --> 00:07:16,560
to better security.

147
00:07:16,560 --> 00:07:19,280
There's some really cool stuff going on in Defender.

148
00:07:19,280 --> 00:07:23,520
They have officially, and Defender for DevOps is now

149
00:07:23,520 --> 00:07:24,360
available.

150
00:07:24,360 --> 00:07:26,960
So of course, if you're doing DevOps

151
00:07:26,960 --> 00:07:29,880
and you're using pipelines, you should really look at that.

152
00:07:29,880 --> 00:07:34,760
We've also got in Defender 365 automatic attack disruption

153
00:07:34,760 --> 00:07:36,520
for ransomware.

154
00:07:36,520 --> 00:07:37,760
Now I've seen that.

155
00:07:37,760 --> 00:07:40,120
I've seen a demo of that.

156
00:07:40,120 --> 00:07:41,160
It's very cool.

157
00:07:41,160 --> 00:07:44,360
So again, if you're using Defender

158
00:07:44,360 --> 00:07:46,680
and you're concerned about ransomware,

159
00:07:46,680 --> 00:07:50,120
which you should be because it's a threat for everybody,

160
00:07:50,120 --> 00:07:52,720
definitely go and check that out.

161
00:07:52,720 --> 00:07:54,360
I want to talk about something that

162
00:07:54,360 --> 00:07:56,760
seems to be coming up in my conversations more and more

163
00:07:56,760 --> 00:08:00,280
and more, which is data governance.

164
00:08:00,280 --> 00:08:03,360
There's been a lot of announcements

165
00:08:03,360 --> 00:08:07,080
this Ignite for data governance and some of the things

166
00:08:07,080 --> 00:08:08,400
we have in Purview.

167
00:08:08,400 --> 00:08:13,520
So we now have an insider risk management solution.

168
00:08:13,520 --> 00:08:19,360
We've also got some, they've also made it easier to discover

169
00:08:19,360 --> 00:08:22,120
and classify content because we know that's probably,

170
00:08:22,120 --> 00:08:24,240
when you want to put data protection rules in place,

171
00:08:24,240 --> 00:08:26,000
probably the hardest thing there is to do

172
00:08:26,000 --> 00:08:29,800
is actually know what data is there.

173
00:08:29,800 --> 00:08:32,520
And so Purview can help you with that.

174
00:08:32,520 --> 00:08:34,760
And we've also got lifecycle management.

175
00:08:34,760 --> 00:08:36,320
So there's retention.

176
00:08:36,320 --> 00:08:38,320
So now you can put retention labels on things

177
00:08:38,320 --> 00:08:41,120
and you can also retain certain versions of things.

178
00:08:41,120 --> 00:08:47,160
And as we know, for compliance and all kinds of other things,

179
00:08:47,160 --> 00:08:49,160
this kind of stuff can be really important.

180
00:08:49,160 --> 00:08:52,800
So yeah, as I said, I've just had a lot of conversations

181
00:08:52,800 --> 00:08:54,920
about data governance the last couple of weeks.

182
00:08:54,920 --> 00:08:59,800
And in my part of the world, you may or may not be aware.

183
00:08:59,800 --> 00:09:02,440
We've had a lot of big high-profile data

184
00:09:02,440 --> 00:09:04,920
breaches down here in Australia.

185
00:09:04,920 --> 00:09:08,480
So maybe that's why it's really top of mind at the moment.

186
00:09:08,480 --> 00:09:11,440
So yeah, I would go and have a look.

187
00:09:11,440 --> 00:09:12,920
There's the Ignite Book of News,

188
00:09:12,920 --> 00:09:15,360
which we'll link to in the show notes.

189
00:09:15,360 --> 00:09:17,280
Definitely go check out Purview.

190
00:09:17,280 --> 00:09:21,160
And then the last thing I should give a shout out to is Entra.

191
00:09:21,160 --> 00:09:25,080
So Entra Identity Governance stuff,

192
00:09:25,080 --> 00:09:27,880
what I'm going to talk about is the bit formerly known as

193
00:09:27,880 --> 00:09:30,920
CloudKnox that we acquired.

194
00:09:30,920 --> 00:09:33,160
So that is a CIEM thing.

195
00:09:33,160 --> 00:09:35,400
Obviously, we've talked about it on the show before,

196
00:09:35,400 --> 00:09:38,440
but it's now in Preview, so go check it out.

197
00:09:38,440 --> 00:09:40,080
And I'm going to stop there.

198
00:09:40,080 --> 00:09:42,160
Yeah, there are quite a few announcements from Ignite

199
00:09:42,160 --> 00:09:42,920
around security.

200
00:09:42,920 --> 00:09:47,120
So yeah, please make sure that you take a look at the,

201
00:09:47,120 --> 00:09:48,840
was it called again, the book of what?

202
00:09:48,840 --> 00:09:51,040
It's called the Ignite Book of News.

203
00:09:51,040 --> 00:09:52,040
Book of News, there we go.

204
00:09:52,040 --> 00:09:53,520
It is literally just called that.

205
00:09:53,520 --> 00:09:56,880
It's actually very easy to search.

206
00:09:56,880 --> 00:09:58,880
You can search by security as well.

207
00:09:58,880 --> 00:10:01,800
So yeah, you can go and have a look.

208
00:10:01,800 --> 00:10:07,280
So the big news that I've got is, I don't know how many

209
00:10:07,280 --> 00:10:11,360
of the old timers remember the old immutable laws of security.

210
00:10:11,360 --> 00:10:13,120
There's something that Microsoft published.

211
00:10:13,120 --> 00:10:17,400
I think the first version was sometime in like 2002 or 2003

212
00:10:17,400 --> 00:10:18,960
or something like that.

213
00:10:18,960 --> 00:10:22,120
And I think we updated about 10 years later.

214
00:10:22,120 --> 00:10:26,080
And as we kind of switched from the old TechNet platform

215
00:10:26,080 --> 00:10:29,720
to the Docs, now Learn, platform, it

216
00:10:29,720 --> 00:10:31,440
ended up being one of those things that got lost

217
00:10:31,440 --> 00:10:33,160
for like a year or so.

218
00:10:33,160 --> 00:10:36,360
Recently, went back, found it, resurrected it,

219
00:10:36,360 --> 00:10:38,720
we actually made a small update to it

220
00:10:38,720 --> 00:10:40,920
because everything was bad guy, bad guy, bad guy.

221
00:10:40,920 --> 00:10:43,200
And we're like, there's women attacking stuff too.

222
00:10:43,200 --> 00:10:45,080
So we're going to go bad actor.

223
00:10:45,080 --> 00:10:46,880
So we did that.

224
00:10:46,880 --> 00:10:49,160
The other thing that we realized as we kind of went

225
00:10:49,160 --> 00:10:51,720
through that process was like, these are not,

226
00:10:51,720 --> 00:10:54,240
these are great as technical laws, right?

227
00:10:54,240 --> 00:10:56,400
Sort of absolute technical truths,

228
00:10:56,400 --> 00:10:58,200
kind of getting into that sort of root of trust

229
00:10:58,200 --> 00:11:01,800
kind of themes like Michael was talking about earlier.

230
00:11:01,800 --> 00:11:06,880
But there's also the reality that security isn't just

231
00:11:06,880 --> 00:11:07,840
a technical discipline.

232
00:11:07,840 --> 00:11:09,600
It's also a risk discipline.

233
00:11:09,600 --> 00:11:12,880
And it gets into all sorts of fuzzy human judgment things

234
00:11:12,880 --> 00:11:14,640
and challenges like that.

235
00:11:14,640 --> 00:11:17,480
And so we actually wrote a new set of laws,

236
00:11:17,480 --> 00:11:20,160
these 10 laws of cybersecurity risk,

237
00:11:20,160 --> 00:11:24,400
that kind of capture the sort of human dominated truths

238
00:11:24,400 --> 00:11:25,080
around that.

239
00:11:25,080 --> 00:11:28,600
And so things like, hey, security success is ruining

240
00:11:28,600 --> 00:11:31,520
the attackers ROI or return on investment.

241
00:11:31,520 --> 00:11:33,160
Not keeping up is falling behind.

242
00:11:33,160 --> 00:11:34,880
Productivity always wins.

243
00:11:34,880 --> 00:11:38,320
So we really wanted to sort of capture that essence of it.

244
00:11:38,320 --> 00:11:41,800
And of course, one of my favorites is attackers don't care.

245
00:11:41,800 --> 00:11:43,560
Like they really, they'll use anything,

246
00:11:43,560 --> 00:11:46,680
fish tank thermometer, PC server, IoT device,

247
00:11:46,680 --> 00:11:48,080
they just, they don't care.

248
00:11:48,080 --> 00:11:50,440
They're trying to get an objective done.

249
00:11:50,440 --> 00:11:52,080
And a lot of people are just kind of focused

250
00:11:52,080 --> 00:11:53,520
on the technology.

251
00:11:53,520 --> 00:11:57,840
And so we put those out there and very recently published

252
00:11:57,840 --> 00:11:58,560
those.

253
00:11:58,560 --> 00:12:01,560
And so those are out there for you to enjoy and apply.

254
00:12:01,560 --> 00:12:05,000
And like everything else, love to have any feedback.

255
00:12:05,000 --> 00:12:06,560
That's all I got.

256
00:12:06,560 --> 00:12:08,400
All right, so with the news out the way,

257
00:12:08,400 --> 00:12:10,880
let's switch to our guests.

258
00:12:10,880 --> 00:12:12,840
As I mentioned earlier, we have two guests this week.

259
00:12:12,840 --> 00:12:14,400
We have Rijuta Kapoor.

260
00:12:14,400 --> 00:12:17,400
And we have Brandon Dixon here to talk to us

261
00:12:17,400 --> 00:12:19,760
about Defender for Threat Intelligence.

262
00:12:19,760 --> 00:12:21,960
So two of you, why don't you introduce yourself?

263
00:12:21,960 --> 00:12:23,440
Rijuta, why don't you go first?

264
00:12:23,440 --> 00:12:25,160
Great, thank you so much, Michael.

265
00:12:25,160 --> 00:12:27,680
I am Rijuta Kapoor, Senior Program Manager

266
00:12:27,680 --> 00:12:29,560
for Microsoft Sentinel.

267
00:12:29,560 --> 00:12:33,040
I lead all the efforts for Threat Intelligence in Sentinel.

268
00:12:33,040 --> 00:12:37,120
So I live, breathe everything in Threat Intelligence

269
00:12:37,120 --> 00:12:38,440
and they out.

270
00:12:38,440 --> 00:12:40,120
My name is Brandon Dixon.

271
00:12:40,120 --> 00:12:42,600
Actually came into Microsoft through an acquisition,

272
00:12:42,600 --> 00:12:45,840
through the RiskIQ acquisition, and similar to Rijuta,

273
00:12:45,840 --> 00:12:47,920
I've been kind of living and breathing Threat Intelligence

274
00:12:47,920 --> 00:12:49,920
for many years in my career.

275
00:12:49,920 --> 00:12:51,560
Yeah, yeah, I love the space.

276
00:12:51,560 --> 00:12:53,160
Love seeing how it's advanced.

277
00:12:53,160 --> 00:12:55,680
All right, so first things first,

278
00:12:55,680 --> 00:12:57,480
who uses Threat Intel?

279
00:12:57,480 --> 00:12:58,920
You know, what is it?

280
00:12:58,920 --> 00:13:00,440
You know, what's sort of the benefits of it?

281
00:13:00,440 --> 00:13:01,600
I know it's a real basic question,

282
00:13:01,600 --> 00:13:04,160
but let's get the basic stuff out of the way.

283
00:13:04,160 --> 00:13:06,000
Yeah, I can take that one.

284
00:13:06,000 --> 00:13:08,000
So what is Threat Intelligence?

285
00:13:08,000 --> 00:13:10,800
Threat Intelligence is essentially anything

286
00:13:10,800 --> 00:13:13,840
that can help you protect your organization

287
00:13:13,840 --> 00:13:18,200
against threat actors; they're all over the place.

288
00:13:18,200 --> 00:13:20,320
These days, Threat Intelligence

289
00:13:20,320 --> 00:13:23,440
really is that source that helps you

290
00:13:24,520 --> 00:13:28,920
quickly protect yourself against these actors and attacks.

291
00:13:28,920 --> 00:13:30,400
We've heard, like,

293
00:13:32,600 --> 00:13:35,920
there's been tons and tons of, you know,

294
00:13:35,920 --> 00:13:38,720
these attacks that are happening day in and day out.

295
00:13:38,720 --> 00:13:43,720
So anything starting from IPs, domains, URLs, file hashes

296
00:13:44,480 --> 00:13:47,600
that we know are malicious,

297
00:13:47,600 --> 00:13:49,840
that falls under Threat Intelligence.

298
00:13:49,840 --> 00:13:52,320
Since we're talking about Threat Intelligence,

299
00:13:53,440 --> 00:13:56,000
I generally like to categorize Threat Intelligence

300
00:13:56,000 --> 00:13:57,880
in three buckets.

301
00:13:57,880 --> 00:14:00,840
There's tactical Threat Intelligence, operational,

302
00:14:00,840 --> 00:14:03,720
and then strategic Threat Intelligence.

303
00:14:03,720 --> 00:14:05,800
So what is tactical Threat Intelligence?

304
00:14:05,800 --> 00:14:07,440
You know, tactical Threat Intelligence

305
00:14:07,440 --> 00:14:11,080
is one of the most basic forms of TI.

306
00:14:11,080 --> 00:14:14,960
It is essentially, you know, indicators and observables,

307
00:14:14,960 --> 00:14:18,640
things like IPs, domains, URLs that I just mentioned,

308
00:14:18,640 --> 00:14:20,720
fall under that category.

309
00:14:20,720 --> 00:14:24,280
Operational Threat Intelligence is a step further,

310
00:14:24,280 --> 00:14:27,640
which is richer contextual information,

311
00:14:27,640 --> 00:14:32,320
more around tools and techniques, TTPs essentially,

312
00:14:32,320 --> 00:14:34,560
and then there's strategic Threat Intelligence,

313
00:14:34,560 --> 00:14:37,640
which tells us about who the actor is,

314
00:14:37,640 --> 00:14:41,200
who, what are their motivations, what are their intentions,

315
00:14:41,200 --> 00:14:44,000
what kind of vulnerabilities are they harnessing

316
00:14:44,000 --> 00:14:47,720
in order to get access to your environment and so forth.

317
00:14:47,720 --> 00:14:49,880
And to your question from earlier, Michael,

318
00:14:49,880 --> 00:14:52,600
who uses Threat Intelligence?

319
00:14:52,600 --> 00:14:55,760
Essentially, anybody like a SOC analyst

320
00:14:55,760 --> 00:14:57,320
can use Threat Intelligence.

321
00:14:57,320 --> 00:14:59,640
It can be used by SOC engineers

322
00:14:59,640 --> 00:15:02,920
in order to triage incidents quickly

323
00:15:02,920 --> 00:15:04,320
through automation, et cetera.

324
00:15:04,320 --> 00:15:06,720
So that would be my suggestion.

325
00:15:08,480 --> 00:15:11,400
So how does Threat Intelligence, you know,

326
00:15:11,400 --> 00:15:14,760
kind of bridge the gap between, you know, your traditional,

327
00:15:14,760 --> 00:15:18,920
you know, the different teams and functions within a SOC,

328
00:15:18,920 --> 00:15:21,320
like your sort of Threat Intel team,

329
00:15:21,320 --> 00:15:24,760
your Threat Hunting team, your incident response folks,

330
00:15:24,760 --> 00:15:28,720
like how does it kind of, you know, play in that space

331
00:15:28,720 --> 00:15:31,560
and, you know, in any other teams within security as well?

332
00:15:31,560 --> 00:15:33,200
I think I could take this one.

333
00:15:33,200 --> 00:15:35,320
So I look at Threat Intelligence

334
00:15:35,320 --> 00:15:37,280
as really cutting across all the boundaries

335
00:15:37,280 --> 00:15:39,080
of the different security functions

336
00:15:39,080 --> 00:15:40,840
or different departments.

337
00:15:40,840 --> 00:15:43,280
If we think about the SOC in particular,

338
00:15:43,280 --> 00:15:45,600
they're mostly focused on trying to keep up

339
00:15:45,600 --> 00:15:46,960
with the alerts that they have

340
00:15:46,960 --> 00:15:49,560
in their particular tool of choice or their SIEM.

341
00:15:49,560 --> 00:15:51,280
And they're trying to prioritize those alerts

342
00:15:51,280 --> 00:15:53,880
in such a way that they are reacting to the ones

343
00:15:53,880 --> 00:15:55,360
that are of most importance

344
00:15:55,360 --> 00:15:57,720
or the biggest threat to the business.

345
00:15:57,720 --> 00:16:00,440
And so Threat Intelligence in that regard

346
00:16:00,440 --> 00:16:02,480
can really help operationally

347
00:16:02,480 --> 00:16:06,600
because what it will do is help the SOC analyst triage

348
00:16:06,600 --> 00:16:08,040
the incident they're looking at.

349
00:16:08,040 --> 00:16:11,800
For example, there might be an alert of suspicious activity,

350
00:16:11,800 --> 00:16:13,960
if there's indicators within that alert,

351
00:16:13,960 --> 00:16:16,080
then Threat Intelligence can help enrich that,

352
00:16:16,080 --> 00:16:19,040
providing that analyst with some automated information,

353
00:16:19,040 --> 00:16:22,680
say a little bit about the potential threat actor

354
00:16:22,680 --> 00:16:25,080
that is maybe associated with that

355
00:16:25,080 --> 00:16:27,960
or the infrastructure that's being communicated with,

356
00:16:27,960 --> 00:16:29,880
whether or not it's malicious or suspicious

357
00:16:29,880 --> 00:16:32,720
and why that's the case.

358
00:16:32,720 --> 00:16:35,600
And I think when you start to get into that world

359
00:16:35,600 --> 00:16:38,560
where you're beginning to prop up the SOC analyst

360
00:16:38,560 --> 00:16:41,040
and helping automate a portion of their job,

361
00:16:41,040 --> 00:16:44,320
you're effectively transforming them in a way

362
00:16:44,320 --> 00:16:46,080
to becoming a little bit more

363
00:16:46,080 --> 00:16:49,240
towards the threat hunting and proactive side.

364
00:16:49,240 --> 00:16:50,600
They're looking at these incidents,

365
00:16:50,600 --> 00:16:53,320
they're learning how the data itself

366
00:16:53,320 --> 00:16:56,480
can enrich the indicators that they're looking at,

367
00:16:56,480 --> 00:16:59,280
they're seeing TTPs play out amongst

368
00:16:59,280 --> 00:17:02,720
cyber threat actors, et cetera.

369
00:17:02,720 --> 00:17:04,560
And it allows them to kind of walk over

370
00:17:04,560 --> 00:17:08,000
to the threat hunting team or the incident response team

371
00:17:08,000 --> 00:17:10,560
with some real tactical information.

372
00:17:10,560 --> 00:17:12,880
Beyond just saying like I need to escalate this,

373
00:17:12,880 --> 00:17:15,400
that Threat Intelligence gives them context

374
00:17:15,400 --> 00:17:17,160
and they have a shared understanding.

375
00:17:17,160 --> 00:17:19,600
And that's how TI can then be used

376
00:17:19,600 --> 00:17:22,600
by the incident response team to further

377
00:17:22,600 --> 00:17:23,960
take those enriched indicators,

378
00:17:23,960 --> 00:17:25,480
search across the environment,

379
00:17:25,480 --> 00:17:27,800
place more traps across that environment,

380
00:17:27,800 --> 00:17:31,040
create more detections and kind of create that life cycle,

381
00:17:31,040 --> 00:17:33,200
drive the actual response effort.

382
00:17:33,200 --> 00:17:34,760
And when it comes to threat hunting,

383
00:17:34,760 --> 00:17:38,040
organizations that actually have teams

384
00:17:38,040 --> 00:17:39,640
that they've been able to fund

385
00:17:39,640 --> 00:17:41,160
and they're being more proactive,

386
00:17:41,160 --> 00:17:43,120
it sort of functions in the same way.

387
00:17:43,120 --> 00:17:45,400
Instead of being reactive,

388
00:17:45,400 --> 00:17:47,000
they're attempting to use that Threat Intelligence

389
00:17:47,000 --> 00:17:49,040
to be proactive.

390
00:17:49,040 --> 00:17:51,280
So looking for particular threat actors

391
00:17:51,280 --> 00:17:55,000
or nation states or campaigns that may impact them

392
00:17:55,000 --> 00:17:56,920
and making sure that they're prepared

393
00:17:56,920 --> 00:17:58,640
and hopefully not getting into a state

394
00:17:58,640 --> 00:18:00,720
where they need to call up the IR team.

395
00:18:00,720 --> 00:18:02,200
So look, I know this sounds really cynical,

396
00:18:02,200 --> 00:18:03,600
I don't mean it sounds cynical at all,

397
00:18:03,600 --> 00:18:06,400
but here we've got another Defender product.

398
00:18:06,400 --> 00:18:08,480
I mean, is this, does it play well

399
00:18:08,480 --> 00:18:10,400
with other Defender products?

400
00:18:10,400 --> 00:18:12,680
Where are we sort of at in the Defender life cycle

401
00:18:12,680 --> 00:18:15,960
with Defender for Threat Intel?

402
00:18:15,960 --> 00:18:17,400
Yeah, this is a great question.

403
00:18:17,400 --> 00:18:19,800
I mean, being new to Microsoft,

404
00:18:19,800 --> 00:18:22,280
coming in and taking a look at the product suite,

405
00:18:22,280 --> 00:18:24,440
it's, it can be overwhelming to some extent

406
00:18:24,440 --> 00:18:26,240
because there's just so many different solutions

407
00:18:26,240 --> 00:18:29,840
that we have, but also viewed as particularly exciting,

408
00:18:29,840 --> 00:18:32,360
especially as it relates to security solutions.

409
00:18:32,360 --> 00:18:35,480
We actually have a real great amount of telemetry

410
00:18:35,480 --> 00:18:38,720
and visibility, I think that puts us in a really

411
00:18:38,720 --> 00:18:40,680
differentiated position.

412
00:18:40,680 --> 00:18:42,920
So when we joined the business,

413
00:18:44,040 --> 00:18:47,240
you know, integrating companies is challenging.

414
00:18:48,360 --> 00:18:50,880
You know, the acquisition itself is of course,

415
00:18:50,880 --> 00:18:52,160
you know, difficult to get done,

416
00:18:52,160 --> 00:18:55,320
but then you actually have the process of integrating,

417
00:18:55,320 --> 00:18:56,960
you know, potentially hundreds of people

418
00:18:56,960 --> 00:18:59,080
into a much larger organization

419
00:18:59,080 --> 00:19:01,720
who has really established processes.

420
00:19:01,720 --> 00:19:04,960
So when we were looking at bridging over

421
00:19:04,960 --> 00:19:07,400
our, you know, RiskIQ Illuminate product

422
00:19:07,400 --> 00:19:08,640
and RiskIQ PassiveTotal,

423
00:19:08,640 --> 00:19:11,440
which was our threat intelligence products,

424
00:19:11,440 --> 00:19:14,880
we made the best assessment that we could operate faster

425
00:19:14,880 --> 00:19:17,840
by creating yet another portal.

426
00:19:17,840 --> 00:19:21,040
And I think that's, that's as early in our journey,

427
00:19:21,040 --> 00:19:23,200
you know, the way that we view threat intelligence

428
00:19:23,200 --> 00:19:26,600
is that it really adds and contributes value

429
00:19:26,600 --> 00:19:29,080
to all of the Microsoft solutions.

430
00:19:29,080 --> 00:19:30,360
You know, in the grand scheme of things,

431
00:19:30,360 --> 00:19:32,520
we ultimately see it folding into the,

432
00:19:32,520 --> 00:19:34,280
to the best solution within Microsoft

433
00:19:34,280 --> 00:19:36,560
and ensuring that customers have just that single pane

434
00:19:36,560 --> 00:19:38,560
of glass that they go to.

435
00:19:38,560 --> 00:19:41,600
But what it allowed us to do by having that portal

436
00:19:41,600 --> 00:19:44,880
be a bit independent is it lets us continue

437
00:19:44,880 --> 00:19:46,680
to show the great information that we have

438
00:19:46,680 --> 00:19:49,080
to our existing client base and our community of,

439
00:19:49,080 --> 00:19:51,600
you know, over a hundred thousand users,

440
00:19:51,600 --> 00:19:54,960
while also still servicing Microsoft products.

441
00:19:54,960 --> 00:19:57,800
And so today, you know, we launched the product

442
00:19:57,800 --> 00:20:01,440
back in August and it's been received really well.

443
00:20:01,440 --> 00:20:04,260
It's great that, you know, we already have some customers

444
00:20:04,260 --> 00:20:07,160
in the product as well that are coming through.

445
00:20:07,160 --> 00:20:10,120
And in terms of how we play nice with other products,

446
00:20:10,120 --> 00:20:13,720
you know, we have developed some mutual analytic rules

447
00:20:13,720 --> 00:20:16,960
with the Sentinel team, specifically with Brigida,

448
00:20:16,960 --> 00:20:19,320
where we're able to detect threats using some

449
00:20:19,320 --> 00:20:22,160
of the more tactical threat intelligence that we have.

450
00:20:23,160 --> 00:20:24,600
And then we're working with the,

451
00:20:25,680 --> 00:20:27,960
the M365 Defender team to kind of enrich

452
00:20:27,960 --> 00:20:30,160
the instance that they have as well.

453
00:20:30,160 --> 00:20:33,160
And I'd say, you know, in the near future,

454
00:20:33,160 --> 00:20:36,040
you know, we're looking forward to trying to establish

455
00:20:36,040 --> 00:20:37,520
more stories with these other products

456
00:20:37,520 --> 00:20:40,480
and make sure that we really, really knock it out of the park.

457
00:20:40,480 --> 00:20:44,160
So Microsoft always mentions in a lot of things

458
00:20:44,160 --> 00:20:46,660
that we have embedded threat intelligence

459
00:20:46,660 --> 00:20:50,020
within our services and, you know, all our different products,

460
00:20:50,020 --> 00:20:53,020
but what does that mean?

461
00:20:53,020 --> 00:20:56,960
And also, how does that differ?

462
00:20:56,960 --> 00:20:59,480
'Cause we've talked about that for a long time.

463
00:20:59,480 --> 00:21:02,280
How does the, what you're doing differ

464
00:21:02,280 --> 00:21:05,600
from, you know, what Microsoft has been talking about

465
00:21:05,600 --> 00:21:08,720
with regards to threat intelligence for some time.

466
00:21:08,720 --> 00:21:13,280
So for first part of the question, whereas, you know,

467
00:21:13,280 --> 00:21:16,080
Microsoft always says that they use threat intelligence

468
00:21:16,080 --> 00:21:19,520
in their security suite, which is true.

469
00:21:19,520 --> 00:21:21,880
Microsoft is one of those organizations

470
00:21:21,880 --> 00:21:24,760
that generates threat intelligence across the board.

471
00:21:24,760 --> 00:21:27,720
They're like tons and tons and tons of teams

472
00:21:27,720 --> 00:21:31,120
and Brandon would support me on that one

473
00:21:31,120 --> 00:21:33,920
that produce threat intelligence within Microsoft.

474
00:21:33,920 --> 00:21:36,960
Whether it's the Microsoft Threat Intelligence Center

475
00:21:36,960 --> 00:21:40,840
in with, you know, the acquisition of RiskIQ

476
00:21:40,840 --> 00:21:44,680
and it becoming MDTI, there's a plethora of threat intelligence

477
00:21:44,680 --> 00:21:48,440
that's available out in the world within Microsoft.

478
00:21:48,440 --> 00:21:51,840
So we do utilize all of this threat intelligence

479
00:21:51,840 --> 00:21:56,680
to protect our customers, mostly through detections.

480
00:21:56,680 --> 00:22:00,560
I can talk specifically about Sentinel in this case.

481
00:22:00,560 --> 00:22:04,880
We do have rules, detection rules that are available

482
00:22:04,880 --> 00:22:07,600
within Sentinel that Brandon had just mentioned about,

483
00:22:07,600 --> 00:22:09,600
which is called the Microsoft Threat Intelligence

484
00:22:09,600 --> 00:22:11,240
Matching Analytics.

485
00:22:11,240 --> 00:22:15,160
And essentially what it does is it takes your logs

486
00:22:15,160 --> 00:22:18,040
which are coming from your environment into Sentinel

487
00:22:18,040 --> 00:22:22,440
and match it with threat intelligence across Microsoft.

488
00:22:22,440 --> 00:22:24,640
One of the sources of this threat intelligence

489
00:22:24,640 --> 00:22:27,680
is Microsoft Defender TI or MDTI,

490
00:22:27,680 --> 00:22:30,760
which is RiskIQ's new product,

491
00:22:31,920 --> 00:22:33,280
Microsoft branded product.

492
00:22:33,280 --> 00:22:37,480
So definitely it does protect you

493
00:22:37,480 --> 00:22:41,880
from different threats that Microsoft already knows about.

494
00:22:41,880 --> 00:22:46,480
And how is this different, especially in terms of Sentinel

495
00:22:46,480 --> 00:22:48,840
and how these detections are done?

496
00:22:48,840 --> 00:22:51,560
These detections are not just,

497
00:22:51,560 --> 00:22:54,760
we take a certain IP and match it against your logs.

498
00:22:54,760 --> 00:22:59,600
What we also do is we try to help you understand

499
00:22:59,600 --> 00:23:02,280
if this is an incident that your SOC team

500
00:23:02,280 --> 00:23:05,360
needs to really look at first thing in the morning

501
00:23:05,360 --> 00:23:07,040
when they log into Sentinel.

502
00:23:07,040 --> 00:23:10,760
And how we do that is by prioritizing these incidents

503
00:23:10,760 --> 00:23:15,760
on the basis of your log that it gets matched against.

504
00:23:15,760 --> 00:23:19,600
For example, if we're matching with a nation state indicator

505
00:23:19,600 --> 00:23:24,600
and it's log traffic, then you gotta know about it,

506
00:23:24,600 --> 00:23:27,240
but it would not be the first thing

507
00:23:27,240 --> 00:23:29,640
that your SOC needs to look at in the morning.

508
00:23:29,640 --> 00:23:31,200
Whereas if it is a log traffic,

509
00:23:31,200 --> 00:23:34,200
we'll raise its severity so that you know that,

510
00:23:34,200 --> 00:23:37,200
okay, this is the first thing my analyst needs to look at

511
00:23:37,200 --> 00:23:39,480
in the morning when they're available

512
00:23:39,480 --> 00:23:42,360
or around the clock if you have a global team.

513
00:23:42,360 --> 00:23:46,240
So this is how it is doing differently.

514
00:23:46,240 --> 00:23:48,760
One of the things that we're sensitive to

515
00:23:48,760 --> 00:23:51,120
when talking about threat intelligence,

516
00:23:51,120 --> 00:23:53,400
especially when we were introducing the product

517
00:23:53,400 --> 00:23:57,360
was to that question of don't we already do this?

518
00:23:57,360 --> 00:23:59,080
It's embedded in our products today,

519
00:23:59,080 --> 00:24:00,480
but really is the difference here,

520
00:24:00,480 --> 00:24:02,760
is the existing products that we're gonna have

521
00:24:02,760 --> 00:24:05,400
no longer gonna include threat intelligence?

522
00:24:05,400 --> 00:24:08,200
And so the way that I would consider this

523
00:24:08,200 --> 00:24:10,200
is that Microsoft does an incredible job

524
00:24:10,200 --> 00:24:13,200
of detecting bad or malicious activity

525
00:24:13,200 --> 00:24:14,800
across our environment.

526
00:24:14,800 --> 00:24:16,080
And the last thing that we wanna do

527
00:24:16,080 --> 00:24:18,640
is augment our security solutions in any way

528
00:24:18,640 --> 00:24:20,280
that puts our customers in a position

529
00:24:20,280 --> 00:24:23,160
where they're forced to pay some additional fee

530
00:24:23,160 --> 00:24:24,160
for that protection.

531
00:24:24,160 --> 00:24:26,120
That doesn't make a lot of sense.

532
00:24:26,120 --> 00:24:28,480
So when we were constructing the product itself,

533
00:24:28,480 --> 00:24:30,120
one of the things that was important to us

534
00:24:30,120 --> 00:24:31,480
was to really figure out like,

535
00:24:31,480 --> 00:24:34,720
what is the value of the work that we do?

536
00:24:34,720 --> 00:24:37,520
And merging that in within Microsoft.

537
00:24:37,520 --> 00:24:39,640
So for all intents and purposes,

538
00:24:39,640 --> 00:24:44,400
detection comes free across the Microsoft security suite.

539
00:24:44,400 --> 00:24:46,760
It's baked into the individual products,

540
00:24:46,760 --> 00:24:49,920
customers should know and expect that work

541
00:24:49,920 --> 00:24:52,880
is being done to make sure that malicious activity

542
00:24:52,880 --> 00:24:56,080
is being detected and triaged in these systems.

543
00:24:56,080 --> 00:24:58,120
For MDTI in particular,

544
00:24:58,120 --> 00:25:01,480
I think the differentiating aspect of this is that,

545
00:25:01,480 --> 00:25:04,480
it puts more of the signal directly available

546
00:25:04,480 --> 00:25:05,960
to our customers.

547
00:25:05,960 --> 00:25:10,960
So Microsoft mentions trillions of signals that they collect.

548
00:25:11,120 --> 00:25:14,000
We wanna get those in the hands of incident responders,

549
00:25:14,000 --> 00:25:17,160
SOC analysts, threat hunters, et cetera,

550
00:25:17,160 --> 00:25:19,760
so that they can do their job more rapidly.

551
00:25:19,760 --> 00:25:21,160
And the other part of this,

552
00:25:21,160 --> 00:25:22,880
beyond the investigative component

553
00:25:22,880 --> 00:25:26,040
and using those signals is the context.

554
00:25:26,040 --> 00:25:29,000
And so our analysts produce great research.

555
00:25:29,000 --> 00:25:32,760
They have observations that other companies can't see

556
00:25:32,760 --> 00:25:34,680
and thus insight in the threat activity

557
00:25:34,680 --> 00:25:37,840
that often is not talked about.

558
00:25:37,840 --> 00:25:39,560
And MDTI is that conduit.

559
00:25:39,560 --> 00:25:41,080
It's the vessel, if you will,

560
00:25:41,080 --> 00:25:43,000
for getting that contextualized information

561
00:25:43,000 --> 00:25:44,600
out to our customers.

562
00:25:44,600 --> 00:25:46,800
And especially those who are potentially

563
00:25:46,800 --> 00:25:49,040
in a more strategic position to be more proactive

564
00:25:49,040 --> 00:25:51,040
in using that information.

565
00:25:51,040 --> 00:25:53,280
So our goal with the product is really

566
00:25:53,280 --> 00:25:56,640
to try and put our signal directly in the hands of you,

567
00:25:56,640 --> 00:26:00,760
the customer, and provide you with context

568
00:26:00,760 --> 00:26:02,560
as quickly as we possibly can

569
00:26:02,560 --> 00:26:06,800
from our analysts' observations to your security operations.

570
00:26:06,800 --> 00:26:09,000
That makes a lot of sense.

571
00:26:09,000 --> 00:26:12,800
And I have to do it because it's my baby.

572
00:26:12,800 --> 00:26:16,720
How does threat intelligence specifically benefit Sentinel

573
00:26:16,720 --> 00:26:19,440
because, well, there is already a threat

574
00:26:19,440 --> 00:26:21,640
Intel pane in Sentinel.

575
00:26:21,640 --> 00:26:24,920
So how is this all different?

576
00:26:24,920 --> 00:26:28,440
Or how does that fit in with what we've already got?

577
00:26:28,440 --> 00:26:30,040
It's kind of a same question,

578
00:26:30,040 --> 00:26:32,040
but very Sentinel specific.

579
00:26:32,040 --> 00:26:36,960
Yeah, for Sentinel, a lot of times when I talk to customers,

580
00:26:36,960 --> 00:26:38,760
one of the things I've heard is,

581
00:26:38,760 --> 00:26:42,600
hey, great Microsoft is using all their threat intelligence

582
00:26:42,600 --> 00:26:43,720
to protect us.

583
00:26:43,720 --> 00:26:47,360
But at the same time, there are organizations

584
00:26:47,360 --> 00:26:50,680
that generate threat intelligence.

585
00:26:50,680 --> 00:26:52,880
There are tons and tons of organizations

586
00:26:52,880 --> 00:26:56,400
that go to the ThreatConnects and the ReversingLabs

587
00:26:56,400 --> 00:26:59,360
and the ThreatQuotients of the world

588
00:26:59,360 --> 00:27:01,080
and go purchase threat intelligence.

589
00:27:01,080 --> 00:27:04,120
And they also want to utilize that threat intelligence

590
00:27:04,120 --> 00:27:08,040
to protect their own organization.

591
00:27:08,040 --> 00:27:10,520
So what we did at Sentinel specifically

592
00:27:10,520 --> 00:27:14,720
is we kind of categorized it into two categories.

593
00:27:14,720 --> 00:27:17,840
The first one is the whole BYOTI,

594
00:27:17,840 --> 00:27:20,840
which is bring your own threat intelligence journey, right?

595
00:27:20,840 --> 00:27:24,040
Where if you have threat intelligence,

596
00:27:24,040 --> 00:27:26,320
you get it from anywhere in the world,

597
00:27:26,320 --> 00:27:29,120
whether it's hosted on a STIX/TAXII server,

598
00:27:29,120 --> 00:27:33,400
whether it's hosted in your TIP, wherever you have it,

599
00:27:33,400 --> 00:27:36,080
you will be able to bring it into Sentinel

600
00:27:36,080 --> 00:27:39,560
through various mechanisms of our data connectors

601
00:27:39,560 --> 00:27:42,840
and utilize them for matching against your logs

602
00:27:42,840 --> 00:27:44,760
in terms of detections.

603
00:27:44,760 --> 00:27:48,960
And then the second category is all the Microsoft generated

604
00:27:48,960 --> 00:27:52,080
good TI as well, which includes Nation State

605
00:27:52,080 --> 00:27:56,080
and MDTI indicators, which are also doing work

606
00:27:56,080 --> 00:27:58,400
to protect your organization

607
00:27:58,400 --> 00:28:02,600
because you are part of our security community.

608
00:28:02,600 --> 00:28:05,360
So those are the two ways by which,

609
00:28:05,360 --> 00:28:08,520
you can protect your organization

610
00:28:08,520 --> 00:28:12,160
and how Sentinel sees threat intelligence as.

611
00:28:12,160 --> 00:28:16,240
So does that help, Sarah, answer your question?

612
00:28:16,240 --> 00:28:19,000
Yeah, no, that makes a lot of sense.

613
00:28:19,000 --> 00:28:22,440
You talked earlier about STIX and TAXII.

614
00:28:22,440 --> 00:28:27,440
And I've been working heavily with government organizations

615
00:28:27,840 --> 00:28:32,320
and ISAC organizations that are trying

616
00:28:32,320 --> 00:28:34,640
to share threat intelligence.

617
00:28:34,640 --> 00:28:38,040
There's different ideas about data sharing

618
00:28:38,040 --> 00:28:42,400
and one of them is about using STIX/TAXII.

619
00:28:42,400 --> 00:28:44,800
Can you talk a little bit about

620
00:28:44,800 --> 00:28:48,600
how are we using STIX/TAXII, which version

621
00:28:48,600 --> 00:28:53,600
and what we expect from it in the future?

622
00:28:55,080 --> 00:28:58,240
Absolutely, that's a lovely question, Gladys.

623
00:28:59,280 --> 00:29:02,160
Early on when I started with my threat intelligence

624
00:29:02,160 --> 00:29:07,160
journey years ago, I realized that

625
00:29:07,200 --> 00:29:09,280
threat intelligence is one of those areas

626
00:29:09,280 --> 00:29:12,280
where there's a very important need of

627
00:29:14,200 --> 00:29:18,240
a constant mechanism to share threat intelligence.

628
00:29:18,240 --> 00:29:22,000
And OASIS has done a great job with STIX/TAXII.

629
00:29:22,000 --> 00:29:25,240
STIX is the protocol, is the schema

630
00:29:25,240 --> 00:29:28,800
and TAXII is the protocol for sharing threat intelligence.

631
00:29:28,800 --> 00:29:32,000
Within Sentinel specifically,

632
00:29:32,000 --> 00:29:37,000
me and my team have taken a huge bet on STIX/TAXII.

633
00:29:37,520 --> 00:29:39,920
I think two and a half, three years ago

634
00:29:39,920 --> 00:29:41,320
when we started our journey,

635
00:29:41,320 --> 00:29:46,320
we had two partners supporting STIX/TAXII, two TI vendors

636
00:29:46,720 --> 00:29:49,480
and as of today, we have 15 plus vendors.

637
00:29:49,480 --> 00:29:53,080
So we have come a long, long way in this journey.

638
00:29:53,080 --> 00:29:57,800
And how Sentinel does play a role in STIX/TAXII

639
00:29:57,800 --> 00:30:02,800
is we have built a TAXII client within Sentinel

640
00:30:02,800 --> 00:30:06,520
that allows you to pull threat intelligence

641
00:30:06,520 --> 00:30:09,680
from any TAXII server to your question,

642
00:30:09,680 --> 00:30:12,240
what versions of STIX/TAXII do we support?

643
00:30:12,240 --> 00:30:16,000
We support STIX 2.0 and 2.1.

644
00:30:16,000 --> 00:30:18,440
We don't support STIX 1 just because that was

645
00:30:18,440 --> 00:30:22,840
an XML based schema and it's a legacy schema.

646
00:30:22,840 --> 00:30:26,040
We do support both the versions of STIX 2,

647
00:30:26,040 --> 00:30:27,960
which are JSON based.

648
00:30:27,960 --> 00:30:30,400
And essentially using this TAXII client,

649
00:30:30,400 --> 00:30:33,400
you can connect to any TAXII server out in the world

650
00:30:33,400 --> 00:30:36,600
and bring in threat intelligence into Sentinel.

651
00:30:36,600 --> 00:30:40,200
And it takes just like a five,

652
00:30:40,200 --> 00:30:42,400
it's like a five minute job to connect

653
00:30:42,400 --> 00:30:44,600
to any TAXII server from within Sentinel.

654
00:30:44,600 --> 00:30:48,400
So within minutes, you are able to share threat intelligence.

655
00:30:49,240 --> 00:30:52,840
I myself have been working with a lot of ISACs

656
00:30:52,840 --> 00:30:57,840
and partners, whether it's FS-ISAC or ISAC or CISA

657
00:31:00,120 --> 00:31:04,280
or the Australian Cyber Security Centre,

658
00:31:04,280 --> 00:31:06,560
which will make Sarah happy,

659
00:31:06,560 --> 00:31:09,320
probably to share threat intelligence

660
00:31:09,320 --> 00:31:12,840
and create a community using Sentinel as a platform

661
00:31:12,840 --> 00:31:15,960
to share threat intelligence bidirectionally

662
00:31:15,960 --> 00:31:20,600
from these organizations to different folks,

663
00:31:20,600 --> 00:31:23,920
as well as for people to be able to contribute TI

664
00:31:23,920 --> 00:31:26,920
to these associations and ISACs

665
00:31:26,920 --> 00:31:29,360
for to help everybody in the world

666
00:31:29,360 --> 00:31:32,440
and make it a better place to protect ourselves.

667
00:31:32,440 --> 00:31:37,440
So I'm gonna spend a little bit of the question,

668
00:31:38,560 --> 00:31:41,120
mainly because as I mentioned,

669
00:31:41,120 --> 00:31:45,960
there's a lot of people that have strategies

670
00:31:45,960 --> 00:31:50,880
or their thought of how to share data.

671
00:31:50,880 --> 00:31:55,880
And I'm glad that we are betting on STIX/TAXII version two.

672
00:31:56,000 --> 00:32:01,000
But I wanna ask you about the different strategies out there.

673
00:32:02,600 --> 00:32:05,480
There's organizations that are thinking that

674
00:32:06,680 --> 00:32:09,000
human providing input,

675
00:32:09,000 --> 00:32:11,920
whether this is good information to share

676
00:32:11,920 --> 00:32:16,920
may help in the threat intelligence data

677
00:32:17,720 --> 00:32:20,920
that is being shared.

678
00:32:20,920 --> 00:32:24,800
The one thing that I am concerned is,

679
00:32:24,800 --> 00:32:29,560
okay, is the persons providing the input

680
00:32:29,560 --> 00:32:34,480
have the right knowledge in order to share

681
00:32:34,480 --> 00:32:37,440
or understand whether that is a good threat

682
00:32:37,440 --> 00:32:42,000
and intelligent data to be shared in those

683
00:32:42,000 --> 00:32:44,280
that really hope any organization.

684
00:32:44,280 --> 00:32:48,480
Do you have, Brandon or Rijuta,

685
00:32:48,480 --> 00:32:52,280
Did you have any comments regarding that?

686
00:32:52,280 --> 00:32:56,680
As I totally agree that ISACs are a great place

687
00:32:56,680 --> 00:32:59,280
to explore the sharing opportunities.

688
00:33:00,240 --> 00:33:03,480
Also, even the cybersecurity centers,

689
00:33:03,480 --> 00:33:05,840
I know especially I've been working very closely

690
00:33:05,840 --> 00:33:09,840
with ACSC as I mentioned, the Australian Cyber Security Centre.

691
00:33:09,840 --> 00:33:13,200
They have a whole program called the CTIS program

692
00:33:13,200 --> 00:33:16,560
which is Cyber Threat Intelligence Sharing Program.

693
00:33:16,560 --> 00:33:18,960
There is obviously they do due diligence

694
00:33:18,960 --> 00:33:21,040
of validating and making member,

695
00:33:21,040 --> 00:33:22,560
allowing you to be a member of that.

696
00:33:22,560 --> 00:33:27,560
So there is a little bit of validation that ACSC does there

697
00:33:27,960 --> 00:33:30,160
to make sure that the quality of TI

698
00:33:30,160 --> 00:33:33,040
that is being shared with them is validated

699
00:33:33,040 --> 00:33:36,280
and goes through vetting, for example.

700
00:33:36,280 --> 00:33:40,280
So there are avenues which can be utilized.

701
00:33:40,280 --> 00:33:43,440
And I know a lot of these organizations,

702
00:33:43,440 --> 00:33:44,880
whether it is the ISACs

703
00:33:44,880 --> 00:33:48,680
or whether it is the cybersecurity centers

704
00:33:48,680 --> 00:33:50,000
of different countries,

705
00:33:50,000 --> 00:33:53,720
they're all taking a huge bet on STIX/TAXII as well

706
00:33:53,720 --> 00:33:58,200
to help kind of make the sharing standard easy

707
00:33:58,200 --> 00:34:01,880
so that people talk the same language when it comes to TI

708
00:34:01,880 --> 00:34:04,480
and sharing just becomes easier and easier.

709
00:34:04,480 --> 00:34:07,560
I'm getting really heavy into threat intelligence.

710
00:34:07,560 --> 00:34:09,840
So I have two more questions.

711
00:34:09,840 --> 00:34:12,720
I promise I'm not gonna ask anymore.

712
00:34:12,720 --> 00:34:14,560
If I remember correctly,

713
00:34:14,560 --> 00:34:18,880
Sentinel has a way to compare threat intelligence

714
00:34:18,880 --> 00:34:21,960
and provide reports out there.

715
00:34:21,960 --> 00:34:25,280
Can you provide some information about that, Rijuta?

716
00:34:26,160 --> 00:34:28,520
So Gladys, when you say reports,

717
00:34:28,520 --> 00:34:32,720
there are definitely ways by which Microsoft

718
00:34:32,720 --> 00:34:35,040
does publish reports.

719
00:34:35,880 --> 00:34:40,880
We do track a lot of actors and author up reports

720
00:34:42,960 --> 00:34:46,320
around each of these nation state actors.

721
00:34:46,320 --> 00:34:48,440
A lot of them are available in MDTI

722
00:34:48,440 --> 00:34:51,760
and Brandon can talk a little bit more about that.

723
00:34:51,760 --> 00:34:56,400
And Sentinel does utilize a lot of these IOCs themselves

724
00:34:56,400 --> 00:35:00,800
for helping to figure out if you are under attack

725
00:35:00,800 --> 00:35:05,800
and you can read these reports through various avenues,

726
00:35:05,920 --> 00:35:08,920
whether it's the tech community blogs

727
00:35:08,920 --> 00:35:13,760
that are published by the Microsoft Threat Intelligence Center,

728
00:35:13,760 --> 00:35:16,960
there are a ton of avenues within MDTI

729
00:35:16,960 --> 00:35:19,240
and Brandon, I'll let you speak about that

730
00:35:19,240 --> 00:35:24,160
around how MDTI helps and has a plethora of these reports

731
00:35:24,160 --> 00:35:26,640
around threat actors, et cetera.

732
00:35:26,640 --> 00:35:29,440
So what should a customer expect to see

733
00:35:29,440 --> 00:35:33,240
with this new product offering in the future?

734
00:35:33,240 --> 00:35:35,040
All right, well, let's bring this episode

735
00:35:35,040 --> 00:35:36,480
to a bit of a close.

736
00:35:36,480 --> 00:35:38,680
So Rijuta, why don't you go first?

737
00:35:38,680 --> 00:35:41,720
If you had one thought to leave our listeners with,

738
00:35:41,720 --> 00:35:42,560
what would it be?

739
00:35:43,640 --> 00:35:47,640
Yeah, one of the thoughts I would leave our listeners

740
00:35:47,640 --> 00:35:52,640
is that when we talk about threat intelligence,

741
00:35:54,200 --> 00:35:57,680
the data volume is huge out in the world.

742
00:35:58,920 --> 00:36:02,520
From my perspective, it does not matter

743
00:36:02,520 --> 00:36:05,760
how much threat intelligence you're consuming,

744
00:36:05,760 --> 00:36:08,280
it also matters around what is the quality

745
00:36:08,280 --> 00:36:11,800
of your threat intelligence, which is really important.

746
00:36:11,800 --> 00:36:14,840
And how much contextual information

747
00:36:14,840 --> 00:36:17,200
is your threat intelligence providing you?

748
00:36:17,200 --> 00:36:22,200
Is it even helping you speed up your incident triage process?

749
00:36:22,680 --> 00:36:26,120
Does it reduce your mean time to respond

750
00:36:26,120 --> 00:36:27,520
and mean time to detect?

751
00:36:27,520 --> 00:36:30,920
That is something that I really always think about

752
00:36:30,920 --> 00:36:35,920
and always encourage folks to kind of spend enough time

753
00:36:37,240 --> 00:36:40,400
in figuring out about the quality of threat intelligence

754
00:36:40,400 --> 00:36:44,160
that they are utilizing as well, not just the quantity.

755
00:36:44,160 --> 00:36:46,360
So that would be my last thought.

756
00:36:46,360 --> 00:36:48,760
And I think my last thought would be that

757
00:36:48,760 --> 00:36:50,560
it's worth looking at,

758
00:36:50,560 --> 00:36:53,160
thinking about threat intelligence and its adoption

759
00:36:53,160 --> 00:36:55,120
along a maturity model.

760
00:36:55,120 --> 00:36:57,880
And it's okay that if you're not doing anything today

761
00:36:57,880 --> 00:37:00,440
to start from that basic level

762
00:37:01,720 --> 00:37:04,360
and work your way through the paces,

763
00:37:04,360 --> 00:37:06,040
but I think most businesses should have

764
00:37:06,040 --> 00:37:08,680
some sort of threat intelligence program,

765
00:37:08,680 --> 00:37:09,720
even if they're buying this,

766
00:37:09,720 --> 00:37:12,040
they need to have some institutional knowledge

767
00:37:12,040 --> 00:37:14,320
about the types of threats that might impact them

768
00:37:14,320 --> 00:37:18,000
and the gaps that may be occurring across their environment.

769
00:37:18,000 --> 00:37:21,040
And that does take some sort of resources.

770
00:37:21,040 --> 00:37:23,480
And so wherever you're at in the maturity model,

771
00:37:23,480 --> 00:37:25,200
it's never too late to get started

772
00:37:25,200 --> 00:37:27,960
and it's never too late to continue progressing.

773
00:37:27,960 --> 00:37:28,800
Fantastic.

774
00:37:28,800 --> 00:37:30,680
All right, hey, we're just from Brandon.

775
00:37:30,680 --> 00:37:32,480
Thanks so much for joining us this week.

776
00:37:32,480 --> 00:37:35,520
I'll be honest, it's not really an area of my expertise

777
00:37:35,520 --> 00:37:38,000
whatsoever, it's certainly fun listening to Gladys

778
00:37:38,000 --> 00:37:40,320
getting all geeked out about it though.

779
00:37:40,320 --> 00:37:41,560
So let's bring this to an end.

780
00:37:41,560 --> 00:37:42,840
So again, thank you for joining us.

781
00:37:42,840 --> 00:37:45,160
And to all our listeners out there,

782
00:37:45,160 --> 00:37:46,280
hope you found this useful.

783
00:37:46,280 --> 00:37:49,040
And again, thank you for listening, stay safe

784
00:37:49,040 --> 00:37:50,920
and we'll see you next time.

785
00:37:50,920 --> 00:37:53,800
Thanks for listening to the Azure Security Podcast.

786
00:37:53,800 --> 00:37:57,560
You can find show notes and other resources at our website,

787
00:37:57,560 --> 00:37:59,720
azsecuritypodcast.net.

788
00:38:00,600 --> 00:38:02,160
If you have any questions,

789
00:38:02,160 --> 00:38:04,480
please find us on Twitter at Azure SecPod.

790
00:38:05,360 --> 00:38:08,320
Background music is from ccmixter.com

791
00:38:08,320 --> 00:38:13,320
and licensed under the Creative Commons license.

