1
00:00:00,000 --> 00:00:09,600
Welcome to the Azure Security Podcast where we discuss topics relating to security, privacy,

2
00:00:09,600 --> 00:00:13,280
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:13,280 --> 00:00:17,920
Hey everybody, welcome to episode 73.

4
00:00:17,920 --> 00:00:21,000
This week is just myself, Michael and Gladys.

5
00:00:21,000 --> 00:00:22,440
And we have two guests this week.

6
00:00:22,440 --> 00:00:27,920
We have Boyan and Sean, who are here to talk to us about Microsoft Defender for Cloud as

7
00:00:27,920 --> 00:00:28,920
code.

8
00:00:28,920 --> 00:00:31,080
Hopefully that will become evident as we go through this.

9
00:00:31,080 --> 00:00:34,120
I only have one news item this week.

10
00:00:34,120 --> 00:00:40,760
We've just announced in public preview more capabilities for migrating on-prem databases

11
00:00:40,760 --> 00:00:47,520
to Azure SQL database, most notably authentication and authorization steps, as well as TDE or

12
00:00:47,520 --> 00:00:49,880
transparent data encryption.

13
00:00:49,880 --> 00:00:55,000
Anything that reduces the friction of any kind of migration like this is always welcome.

14
00:00:55,000 --> 00:00:56,000
So this is great to see.

15
00:00:56,000 --> 00:01:00,800
And of course, it's also in my own backyard, which makes it even more exciting for me.

16
00:01:00,800 --> 00:01:03,960
So let's now turn our attention to our guests.

17
00:01:03,960 --> 00:01:09,560
So this week, as I mentioned, we have Boyan and Sean, who are here to talk to us about

18
00:01:09,560 --> 00:01:12,040
Defender for Cloud as code.

19
00:01:12,040 --> 00:01:13,920
Gentlemen, welcome to the podcast.

20
00:01:13,920 --> 00:01:17,760
Would you like to take a moment and introduce yourselves to our listeners?

21
00:01:17,760 --> 00:01:18,760
Thanks so much, Michael.

22
00:01:18,760 --> 00:01:24,120
Boyan here, product manager with Microsoft on the customer experience engineering team

23
00:01:24,120 --> 00:01:26,720
for Defender for Cloud.

24
00:01:26,720 --> 00:01:32,080
I act as a subject matter expert on Defender for Cloud for a select set of Microsoft's

25
00:01:32,080 --> 00:01:37,440
largest customers and helping them not just deploy Defender for Cloud, but also capture

26
00:01:37,440 --> 00:01:42,960
quality feedback as to what we can do to further drive the evolution of the product.

27
00:01:42,960 --> 00:01:49,240
And I couldn't think of a better person to join me today than one of my close good colleagues,

28
00:01:49,240 --> 00:01:50,240
Sean.

29
00:01:50,240 --> 00:01:52,280
Great introduction, Boyan.

30
00:01:52,280 --> 00:01:53,280
Hello, everyone.

31
00:01:53,280 --> 00:01:58,920
My name is Sean Wasonga, and I am also a product manager with the customer experience engineering

32
00:01:58,920 --> 00:02:00,080
team.

33
00:02:00,080 --> 00:02:06,000
On top of covering solutions such as Defender for Cloud, I do have an array of experience

34
00:02:06,000 --> 00:02:12,160
with Microsoft security solutions such as Sentinel, Defender for IoT, and I'm now focused

35
00:02:12,160 --> 00:02:14,640
on Defender for threat intelligence.

36
00:02:14,640 --> 00:02:19,160
I work with customers and partners, and it's always interesting to see how we can have

37
00:02:19,160 --> 00:02:24,360
discussions that give them visibility of some of the things that we're seeing in the field.

38
00:02:24,360 --> 00:02:25,360
Fantastic.

39
00:02:25,360 --> 00:02:27,680
Actually, it's a really good job.

40
00:02:27,680 --> 00:02:30,680
Sarah's not here this week because he mentioned Sentinel, and she'll be getting all excited

41
00:02:30,680 --> 00:02:31,680
about it.

42
00:02:31,680 --> 00:02:34,000
So anyway, we'll stay focused on Defender for Cloud.

43
00:02:34,000 --> 00:02:35,560
All right, so let's just kick things off.

44
00:02:35,560 --> 00:02:41,480
Look, so a very good friend of our podcast is Yuri Diogenes, who is well known in the

45
00:02:41,480 --> 00:02:45,880
Defender, sort of Microsoft Defender arena.

46
00:02:45,880 --> 00:02:47,760
But it's been a while since we've had him on the podcast.

47
00:02:47,760 --> 00:02:53,560
So would you mind just spending a little bit of time kind of explaining what Defender for

48
00:02:53,560 --> 00:02:54,560
Cloud is?

49
00:02:54,560 --> 00:02:59,040
Because I know things have changed over the last few months.

50
00:02:59,040 --> 00:03:00,640
They certainly have, Mike.

51
00:03:00,640 --> 00:03:05,040
So the innovation is not stopping in the Defender for Cloud space.

52
00:03:05,040 --> 00:03:09,280
We're not just looking to add more capabilities, but we're looking to even address more use

53
00:03:09,280 --> 00:03:14,280
cases that we're seeing with the clients that we're engaged with, as well as the partners

54
00:03:14,280 --> 00:03:16,180
that Sean touched upon.

55
00:03:16,180 --> 00:03:24,120
So just to remind folks on this show, so Defender for Cloud is one of Microsoft's security solutions.

56
00:03:24,120 --> 00:03:28,480
It's something that the market is referring to as a cloud native application protection

57
00:03:28,480 --> 00:03:30,200
platform or CNAPP.

58
00:03:30,200 --> 00:03:35,860
And that's also important to recognize because it has a lot of other functionalities, most

59
00:03:35,860 --> 00:03:40,800
of which, however, can be divided into three buckets of functionalities, one being around

60
00:03:40,800 --> 00:03:47,200
providing continuous assessment for infrastructure as a service, as well as platform as a service,

61
00:03:47,200 --> 00:03:51,480
workloads that can be inside of Azure, that can be outside of Azure, and detecting any

62
00:03:51,480 --> 00:03:53,680
misconfigurations in them.

63
00:03:53,680 --> 00:03:59,440
And when Defender for Cloud detects misconfiguration, it's able to then provide security best

64
00:03:59,440 --> 00:04:04,320
practice guidance on how to harden those workloads and remediate them.

65
00:04:04,320 --> 00:04:10,640
The second kind of pillar or bucket of capabilities is all around threat detection.

66
00:04:10,640 --> 00:04:14,640
While it's important to remediate misconfigurations.

67
00:04:14,640 --> 00:04:20,320
It's equally important once best practice guidance has been applied and resources hardened,

68
00:04:20,320 --> 00:04:24,920
to also monitor the environments for potential signs of compromise, which is why we have

69
00:04:24,920 --> 00:04:28,240
also the second pillar of capabilities.

70
00:04:28,240 --> 00:04:33,920
And I'm also very, very excited about the third pillar of capabilities which we have,

71
00:04:33,920 --> 00:04:40,840
which is really around the DevSecOps space and how to centrally better manage DevOps

72
00:04:40,840 --> 00:04:41,840
security.

73
00:04:41,840 --> 00:04:46,360
So this comes in the form of something referred to as Defender for DevOps, which is a plan

74
00:04:46,360 --> 00:04:49,400
we announced in November of last year.

75
00:04:49,400 --> 00:04:53,200
And I know that sounds like super far away, but it was effectively only a couple of months

76
00:04:53,200 --> 00:04:54,200
ago.

77
00:04:54,200 --> 00:04:59,840
So a lot of excitement and a lot of capabilities and use cases that we also cover in that space.

78
00:04:59,840 --> 00:05:05,920
So all of those capabilities kind of put together make up what's nowadays Defender for Cloud

79
00:05:05,920 --> 00:05:09,880
and what Gartner refers to as a CNAPP solution.

80
00:05:09,880 --> 00:05:14,480
And it's also very, very important to recognize we not just do this for Azure, but we obviously

81
00:05:14,480 --> 00:05:20,320
do it outside of Azure with native support, for example, for AWS and GCP.

82
00:05:20,320 --> 00:05:25,720
And we can even integrate with another Azure service called Azure Arc and also extend Defender

83
00:05:25,720 --> 00:05:28,640
for Cloud capabilities to hybrid.

84
00:05:28,640 --> 00:05:47,920
So just a quick whistle-stop tour of what Defender for Cloud is and its latest positioning.

85
00:05:47,920 --> 00:05:49,400
Thanks for that question, Gladys.

86
00:05:49,400 --> 00:05:56,680
I think just to sort of state in terms of what area we're trying to resolve and basically

87
00:05:56,680 --> 00:06:00,480
address, it's more in line with our roles, right?

88
00:06:00,480 --> 00:06:01,720
Customer experience engineering.

89
00:06:01,720 --> 00:06:07,240
We're constantly hearing from the field, our engagement with customers and partners, how

90
00:06:07,240 --> 00:06:12,400
they can leverage all those functionalities that Boyan mentioned across the different

91
00:06:12,400 --> 00:06:13,400
workloads, right?

92
00:06:13,400 --> 00:06:18,760
And the different environments, whether it's on multi-cloud environments, on-prem leveraging

93
00:06:18,760 --> 00:06:19,760
Azure Arc.

94
00:06:19,760 --> 00:06:25,040
And in line with how they do their operations from a technology perspective, how can we

95
00:06:25,040 --> 00:06:29,160
help them programmatically deploy and manage our solution?

96
00:06:29,160 --> 00:06:34,960
Now, if you think about Defender for Cloud, we're supporting an array of different workloads,

97
00:06:34,960 --> 00:06:41,040
whether it's your storage, whether it's your networking, whether it's your compute, et

98
00:06:41,040 --> 00:06:42,040
cetera.

99
00:06:42,040 --> 00:06:47,920
And what's of interest from us, from our customers and partners is to understand leveraging the

100
00:06:47,920 --> 00:06:51,240
internal tools that they use and the internal processes.

101
00:06:51,240 --> 00:06:56,720
How can they leverage infrastructure as code to deploy and manage that defined solution?

102
00:06:56,720 --> 00:06:57,840
So why are we here?

103
00:06:57,840 --> 00:07:03,480
It's just basically to take our customers through that process in terms of using infrastructure

104
00:07:03,480 --> 00:07:05,800
as code in deploying and managing MDC.

105
00:07:05,800 --> 00:07:07,760
Let me make sure I get this correct.

106
00:07:07,760 --> 00:07:10,080
I want to make sure I get this fully understood.

107
00:07:10,080 --> 00:07:18,520
So essentially what you've got is the intersection of Microsoft Defender for Cloud with infrastructure

108
00:07:18,520 --> 00:07:25,720
as code so that you can deploy and monitor Microsoft Defender for Cloud, but using code

109
00:07:25,720 --> 00:07:27,760
as opposed to, say, for example, the portal.

110
00:07:27,760 --> 00:07:30,120
Is that a fair summary?

111
00:07:30,120 --> 00:07:31,240
Absolutely.

112
00:07:31,240 --> 00:07:35,820
So there are a couple of different advantages of using infrastructure as code.

113
00:07:35,820 --> 00:07:42,560
So at a very, very high level, it really allows organizations to describe the desired states

114
00:07:42,560 --> 00:07:45,000
of their public cloud infrastructure.

115
00:07:45,000 --> 00:07:49,920
So they can really programmatically describe as to how does good or how does best look

116
00:07:49,920 --> 00:07:54,520
like for them with regards to public cloud infrastructure that they're using.

117
00:07:54,520 --> 00:08:01,660
They can then use things such as templates and put those under version control touching

118
00:08:01,660 --> 00:08:07,680
upon the likes of, for example, Git to then track changes made to those templates.

119
00:08:07,680 --> 00:08:13,400
And this is important because every time when they make a change to those templates, which

120
00:08:13,400 --> 00:08:17,440
describe their public cloud infrastructure, they can then programmatically deploy those

121
00:08:17,440 --> 00:08:20,400
changes to their public cloud environment.

122
00:08:20,400 --> 00:08:21,400
This can obviously be Azure.

123
00:08:21,400 --> 00:08:26,000
It can be also other public cloud environments as well.

124
00:08:26,000 --> 00:08:31,080
And here is where we then see that intersection happening between Defender for Cloud as well

125
00:08:31,080 --> 00:08:36,560
as infrastructure as code, where on one side they have infrastructure as code with templates

126
00:08:36,560 --> 00:08:41,240
that really programmatically describe of how do they want their public cloud infrastructure

127
00:08:41,240 --> 00:08:46,880
to look like, and they can then use tools like, for example, GitHub actions to ensure

128
00:08:46,880 --> 00:08:50,840
that those are programmatically deployed to their public cloud environment.

129
00:08:50,840 --> 00:08:54,280
And here is where it also applies then to Defender for Cloud.

130
00:08:54,280 --> 00:08:59,040
They're able to use it to configure different aspects of Defender for Cloud or to ensure

131
00:08:59,040 --> 00:09:06,160
that the desired state of their public cloud infrastructure is what they want it to be.

132
00:09:06,160 --> 00:09:09,080
So I just want to make one last comment and then I'll hand it over to Gladys.

133
00:09:09,080 --> 00:09:15,000
There's a comment that I made a long time ago, which is, if you're designing and developing

134
00:09:15,000 --> 00:09:18,320
and deploying solutions on Azure in Europe, so let's say a software developer, you've

135
00:09:18,320 --> 00:09:24,540
got to learn basic networking or that kind of stuff, or basic infrastructure controls.

136
00:09:24,540 --> 00:09:31,720
If you're an IT person who's used to doing management of solutions, you're going to have

137
00:09:31,720 --> 00:09:35,500
to learn basic programming or basic programming tooling.

138
00:09:35,500 --> 00:09:38,160
And here we see another example.

139
00:09:38,160 --> 00:09:40,680
Something that sort of says infrastructure as code.

140
00:09:40,680 --> 00:09:45,000
For example, this stuff we're talking about right now, you've got to know things like

141
00:09:45,000 --> 00:09:48,520
tooling and you've got to understand the basics of version control.

142
00:09:48,520 --> 00:09:52,400
And I mean, don't get me wrong, that maybe it will be configured for you.

143
00:09:52,400 --> 00:09:57,460
But all of a sudden you see yourself sitting inside of a code editor, and using, as you

144
00:09:57,460 --> 00:10:01,160
mentioned just now, using Git and GitHub actions and those sorts of things.

145
00:10:01,160 --> 00:10:05,240
So yeah, this is another great example of where, again, if you're an infrastructure

146
00:10:05,240 --> 00:10:10,320
person and you really want to progress your career, you really have to start skilling

147
00:10:10,320 --> 00:10:14,000
up on these kinds of tools because you're going to get left behind if you don't.

148
00:10:14,000 --> 00:10:19,120
And I'll hand it back, that's just a quick comment, but I'll hand it back to Gladys.

149
00:10:19,120 --> 00:10:24,800
Actually, before I ask the next question, I'm going to comment myself.

150
00:10:24,800 --> 00:10:34,520
I definitely agree on this because we always talk about embedding security with any infrastructure

151
00:10:34,520 --> 00:10:36,200
that is being built, right?

152
00:10:36,200 --> 00:10:41,920
So this is what this capability is enabling, right?

153
00:10:41,920 --> 00:10:48,520
From the get-go, get the different capabilities enabled with the infrastructure that is being

154
00:10:48,520 --> 00:10:50,220
built.

155
00:10:50,220 --> 00:10:55,720
So talking about that, then who is the intended audience for this?

156
00:10:55,720 --> 00:11:03,040
Who do you think would take the most advantage of this type of capability?

157
00:11:03,040 --> 00:11:04,640
Good question, Gladys.

158
00:11:04,640 --> 00:11:07,320
For us, we really think everyone, right?

159
00:11:07,320 --> 00:11:13,320
If you think about whether you are end customer, you are partner supporting end customers,

160
00:11:13,320 --> 00:11:19,920
you are managed security service provider, this whole element can actually support you

161
00:11:19,920 --> 00:11:26,160
to deliver your overall security operations and helping you scale and deploy Defender

162
00:11:26,160 --> 00:11:28,000
for Cloud with ease.

163
00:11:28,000 --> 00:11:34,560
It's something that it's really intended to help all these different personas in different

164
00:11:34,560 --> 00:11:35,560
ways.

165
00:11:35,560 --> 00:11:42,360
Whether it's a managed service provider that has multiple tenants and they need to, for

166
00:11:42,360 --> 00:11:50,640
example, deploy one specific detection threat analysis solution across different tenants,

167
00:11:50,640 --> 00:11:52,600
it can be done with ease.

168
00:11:52,600 --> 00:11:57,280
Whether it's a customer who has multiple tenants as well, or a customer needs to onboard new

169
00:11:57,280 --> 00:12:00,720
subscriptions, it basically works for everyone.

170
00:12:00,720 --> 00:12:07,520
And that was our intention in terms of coming up with this defined guide as well.

171
00:12:07,520 --> 00:12:13,480
I want to focus a little bit when you say multiple tenants, right?

172
00:12:13,480 --> 00:12:14,480
This is really important.

173
00:12:14,480 --> 00:12:20,800
It's not just multiple tenants, subscriptions, and resources overall, right?

174
00:12:20,800 --> 00:12:29,840
And now that organizations are keeping up and having multiple subscriptions to deliver

175
00:12:29,840 --> 00:12:38,040
a service or an application, I think this capability can be used tremendously to ensure

176
00:12:38,040 --> 00:12:43,760
that all the configuration is seamless across all those subscriptions.

177
00:12:43,760 --> 00:12:46,200
Am I misunderstanding this?

178
00:12:46,200 --> 00:12:52,520
No, you're capturing it quite well, Gladys, and if you think about it, even on the customer

179
00:12:52,520 --> 00:12:55,680
end, we live in a global village, right?

180
00:12:55,680 --> 00:13:02,760
Like an organization that's probably situated in the United States of America will probably

181
00:13:02,760 --> 00:13:09,560
have other areas in the UK, organizations that are still tied to them in the UK, in

182
00:13:09,560 --> 00:13:13,880
Africa, in South America, et cetera.

183
00:13:13,880 --> 00:13:19,080
And the solutions such as this can actually help you have a singular way in terms of how

184
00:13:19,080 --> 00:13:23,920
you deploy and manage your overall security solutions, specifically around Defender for

185
00:13:23,920 --> 00:13:26,720
cloud, but in a specific standard.

186
00:13:26,720 --> 00:13:31,320
So leveraging infrastructure as code is something that can help you do that.

187
00:13:31,320 --> 00:13:33,640
So how do I get started?

188
00:13:33,640 --> 00:13:39,400
That is a question that Sean and myself also asked ourselves when we started working with

189
00:13:39,400 --> 00:13:42,800
our clients and with our Microsoft partners as well.

190
00:13:42,800 --> 00:13:46,360
And what we realized is we had to Michael's point.

191
00:13:46,360 --> 00:13:50,240
So we invested time in being able to then write this code.

192
00:13:50,240 --> 00:13:54,600
And we already knew how do we want our public cloud infrastructure, especially Defender

193
00:13:54,600 --> 00:14:01,440
for cloud, to then be configured and to look like in those even global environments.

194
00:14:01,440 --> 00:14:07,720
The thing we just needed to then come to terms with is what vehicle do we then use to programmatically

195
00:14:07,720 --> 00:14:09,480
deploy these changes?

196
00:14:09,480 --> 00:14:16,800
So we opted for using GitHub actions and predominantly just because the code that we've written,

197
00:14:16,800 --> 00:14:22,180
so our infrastructure as code templates, they were already in GitHub to begin with.

198
00:14:22,180 --> 00:14:29,480
So it was logical for us then to use the native GitHub tooling, which is GitHub actions

199
00:14:29,480 --> 00:14:34,900
for us to be able then to programmatically deploy our infrastructure as code templates

200
00:14:34,900 --> 00:14:39,600
to the Azure environment as well as then configure Defender for cloud.

201
00:14:39,600 --> 00:14:45,880
Now this is not to say that you all out there listening can't use something other than GitHub

202
00:14:45,880 --> 00:14:46,980
actions as well.

203
00:14:46,980 --> 00:14:50,280
So that's a little bit where the beauty in this also resides.

204
00:14:50,280 --> 00:14:55,920
So you can use things even like Azure DevOps, for example, you can even use non-Microsoft

205
00:14:55,920 --> 00:15:01,640
tooling because a lot of the guidance that Sean and I put together, you can even apply

206
00:15:01,640 --> 00:15:06,240
it to non-Microsoft tooling that you probably might be using as of today.

207
00:15:06,240 --> 00:15:12,320
So just to add on that, yes, we did advise that you can move towards GitHub actions.

208
00:15:12,320 --> 00:15:16,800
We have quite a number of tools that you can actually use.

209
00:15:16,800 --> 00:15:23,720
But in terms of the work that myself and Boyan did is we realized that sometimes you need

210
00:15:23,720 --> 00:15:27,160
a guided path in terms of how you can get this going.

211
00:15:27,160 --> 00:15:30,960
And we came up with three ways in terms of how we can actually deliver this in form of

212
00:15:30,960 --> 00:15:31,960
content.

213
00:15:31,960 --> 00:15:37,080
One, we did publish an article that can actually help you get started with the whole process

214
00:15:37,080 --> 00:15:41,160
of deploying and managing Defender for cloud as code.

215
00:15:41,160 --> 00:15:46,440
That article is publicly accessible and it provides a step-by-step guidance that's really

216
00:15:46,440 --> 00:15:52,880
extensive and not only does it focus on infrastructure as code, but it also provides guiding principles

217
00:15:52,880 --> 00:15:59,120
around Azure policy, REST APIs, and Azure CLI and PowerShell all in relation to what's

218
00:15:59,120 --> 00:16:02,520
deploying and managing Defender for cloud as code.

219
00:16:02,520 --> 00:16:09,120
Two, we did create a GitHub repository that actually contains example workflows that you

220
00:16:09,120 --> 00:16:16,400
can use as a starting point to kickstart your automation deployment for your Azure environment

221
00:16:16,400 --> 00:16:18,200
with GitHub actions.

222
00:16:18,200 --> 00:16:23,400
We do believe in community and we're really interested to see how many people can actually

223
00:16:23,400 --> 00:16:29,040
contribute towards that repository, adding more workflows and bettering our overall process.

224
00:16:29,040 --> 00:16:32,880
Last but not least, we did create a YouTube video.

225
00:16:32,880 --> 00:16:37,680
Now the video provides a live scenario in terms of how you can actually leverage what

226
00:16:37,680 --> 00:16:44,720
we created with GitHub actions and helps you to deploy Defender for cloud programmatically.

227
00:16:44,720 --> 00:16:49,960
Now if you combine the blog, what we have in the GitHub repository and video, you should

228
00:16:49,960 --> 00:16:55,760
be at a good spot in terms of leveraging infrastructure as code to deploy and manage MDC.

229
00:16:55,760 --> 00:17:01,600
All right, so you sort of covered off really briefly how to get started, but when the rubber

230
00:17:01,600 --> 00:17:06,200
hits the road, what sort of assets are you guys providing to help people really make

231
00:17:06,200 --> 00:17:07,640
some traction here?

232
00:17:07,640 --> 00:17:08,840
That's a really good point.

233
00:17:08,840 --> 00:17:15,840
So imagine if you're now a security engineer listening to this podcast, how do you actually

234
00:17:15,840 --> 00:17:17,200
get started?

235
00:17:17,200 --> 00:17:22,440
So we even see it as end-to-end journey between now using infrastructure as code, committing

236
00:17:22,440 --> 00:17:28,720
it to your repository, then using things like GitHub actions or Azure DevOps to then programmatically

237
00:17:28,720 --> 00:17:34,160
deploy it in your Azure environment for which you can then configure the different aspects

238
00:17:34,160 --> 00:17:35,780
of Defender for cloud.

239
00:17:35,780 --> 00:17:43,800
So what Sean and I put together is we wanted to really capture each step on this journey.

240
00:17:43,800 --> 00:17:49,080
So we provided even with the DevOps automation that can be used and step-by-step guidance

241
00:17:49,080 --> 00:17:55,680
on how to create an application identity in Azure, how to connect it to GitHub and even

242
00:17:55,680 --> 00:18:02,760
templates in GitHub for different GitHub actions that resemble specific aspects of either Defender

243
00:18:02,760 --> 00:18:08,080
for cloud that you can configure or different use cases that you can achieve.

244
00:18:08,080 --> 00:18:13,600
What we also did is because we realized working with organizations that there are a lot of

245
00:18:13,600 --> 00:18:18,580
different ways you can apply Defender for cloud because it has a lot of capabilities.

246
00:18:18,580 --> 00:18:24,200
We also wanted for simplicity sake to provide the guided inventory of what are the configurable

247
00:18:24,200 --> 00:18:30,040
components that you can then use these templates to configure Defender for cloud for.

248
00:18:30,040 --> 00:18:34,920
So that was also a big thing for us is really trying to simplify it as much as possible

249
00:18:34,920 --> 00:18:40,800
and providing folks with kind of bite-sized modules that they can apply to their Azure

250
00:18:40,800 --> 00:18:45,600
environment but also to their AWS and GCP environments, which is why as part of the

251
00:18:45,600 --> 00:18:51,120
guidance we also in addition to those modules added best practice guidance on how they can

252
00:18:51,120 --> 00:18:55,100
automate the whole deployment of Defender for cloud at scale.

253
00:18:55,100 --> 00:19:01,200
So even it covers things like enablement of Defender for cloud not just in Azure but also

254
00:19:01,200 --> 00:19:03,600
at scale outside of Azure.

255
00:19:03,600 --> 00:19:10,100
For example, onboarding one's AWS and GCP environment to Defender for cloud and having that multi-cloud

256
00:19:10,100 --> 00:19:13,180
security insights all in a single dashboard.

257
00:19:13,180 --> 00:19:19,180
We also then want to make sure that we cover this process end to end, which is why we all

258
00:19:19,180 --> 00:19:26,240
put that all together in form of those three deliverables that Sean mentioned.

259
00:19:26,240 --> 00:19:28,840
So when should we use this?

260
00:19:28,840 --> 00:19:32,840
What are some of the use cases that can be covered?

261
00:19:32,840 --> 00:19:34,040
Great question Gladys.

262
00:19:34,040 --> 00:19:40,440
So I do have a couple of thoughts where we think this can actually be applied.

263
00:19:40,440 --> 00:19:42,920
I did mention a few.

264
00:19:42,920 --> 00:19:50,280
Top of mind, we talked about partners that manage security providers that are deploying

265
00:19:50,280 --> 00:19:55,920
Defender for cloud as a security solution across multiple customers and multiple tenants.

266
00:19:55,920 --> 00:19:58,120
This is something that's ideal.

267
00:19:58,120 --> 00:20:04,160
Having specific templates based off of specific standards and easily allowing you to start

268
00:20:04,160 --> 00:20:09,160
monitoring the environments, enabling these threat plans, starting getting alerts and

269
00:20:09,160 --> 00:20:12,120
actually responding to them comprehensively.

270
00:20:12,120 --> 00:20:18,760
That will be one of the key use cases that I would think of from the onset.

271
00:20:18,760 --> 00:20:21,800
Secondly, now this is on the customer base.

272
00:20:21,800 --> 00:20:26,000
You're a new customer, multiple workloads, you're working on new subscriptions.

273
00:20:26,000 --> 00:20:31,440
You want to ensure your environment that's a multitude of different workloads, whether

274
00:20:31,440 --> 00:20:36,280
it's your compute, your storage, your DNS, your DevOps environments.

275
00:20:36,280 --> 00:20:41,280
And you want to ensure that it's actually covered towards a complete extent.

276
00:20:41,280 --> 00:20:47,080
You can actually leverage this across in terms of how you can ensure that every new subscription

277
00:20:47,080 --> 00:20:51,080
that's onboarded is protected and covered by Defender for cloud.

278
00:20:51,080 --> 00:20:56,440
Boyan, I don't know if you have another use case that you can think this would be practical

279
00:20:56,440 --> 00:20:57,440
for.

280
00:20:57,440 --> 00:21:03,040
I believe even Gladys touched upon it and it's all about how to then seamlessly configure

281
00:21:03,040 --> 00:21:06,440
and embed security into infrastructure.

282
00:21:06,440 --> 00:21:11,280
And I'd like to add that nowadays infrastructure doesn't need to reside just in one public

283
00:21:11,280 --> 00:21:12,280
cloud provider.

284
00:21:12,280 --> 00:21:16,720
We are seeing examples where organizations are using multiple, which obviously brings

285
00:21:16,720 --> 00:21:22,520
with itself a sort of complexity because there are things that differ between individual

286
00:21:22,520 --> 00:21:25,400
public cloud providers when you compare them.

287
00:21:25,400 --> 00:21:31,720
So it's also all about how to use this guidance to put something in place where you seamlessly

288
00:21:31,720 --> 00:21:38,760
then embed security, not just in Azure, but also in AWS as well as in GCP by using the

289
00:21:38,760 --> 00:21:40,160
Defender for cloud.

290
00:21:40,160 --> 00:21:44,600
And I believe that multi-cloud aspect is something also worthwhile just highlighting because

291
00:21:44,600 --> 00:21:49,880
we see it's also in the organizations that we work with, regardless if they are just

292
00:21:49,880 --> 00:21:54,760
Microsoft partners providing service to their customers or customers themselves looking

293
00:21:54,760 --> 00:21:56,720
to adopt Defender for cloud.

294
00:21:56,720 --> 00:21:59,360
I'm getting excited about this.

295
00:21:59,360 --> 00:22:09,240
As we have talked to our listeners before, one of my roles is helping engineering or

296
00:22:09,240 --> 00:22:15,640
developer teams within Microsoft to embed security with our services.

297
00:22:15,640 --> 00:22:23,160
And one of the things that I keep recommending is Defender for cloud, right?

298
00:22:23,160 --> 00:22:29,720
So if we had a Defender for cloud as code type of capability that now you are talking

299
00:22:29,720 --> 00:22:34,680
about it, I could basically give that to my engineering teams.

300
00:22:34,680 --> 00:22:37,480
But at one time you talk about version control.

301
00:22:37,480 --> 00:22:41,480
So can you talk a little bit about how that would work?

302
00:22:41,480 --> 00:22:46,080
Because there's different components of Defender for cloud.

303
00:22:46,080 --> 00:22:51,760
What about if I just want to deploy right now the free version and then eventually I

304
00:22:51,760 --> 00:22:59,160
want to add all the other components, how that version control will work?

305
00:22:59,160 --> 00:23:00,160
Happy to.

306
00:23:00,160 --> 00:23:05,040
So when we work with customers, when they start on this journey to onboard to Defender

307
00:23:05,040 --> 00:23:10,960
for cloud, some are even surprised by the amount of misconfigurations that Defender

308
00:23:10,960 --> 00:23:12,960
for cloud detects.

309
00:23:12,960 --> 00:23:18,560
And on one hand, that's also a good thing because it allows them to evolve their thinking

310
00:23:18,560 --> 00:23:27,560
about how to better secure their resources and how to deploy those resources more securely

311
00:23:27,560 --> 00:23:33,280
going forward in Azure, but also across AWS as well as GCP.

312
00:23:33,280 --> 00:23:38,240
And version control allows us then if they need to make any changes to the infrastructure

313
00:23:38,240 --> 00:23:44,880
as code templates, that they use them to programmatically deploy those resources in their, for example,

314
00:23:44,880 --> 00:23:46,480
Azure environment.

315
00:23:46,480 --> 00:23:50,120
And they need to then further harden it.

316
00:23:50,120 --> 00:23:55,560
They're able to change the template and they're able then to even use version control to track

317
00:23:55,560 --> 00:23:57,640
any changes made to it.

318
00:23:57,640 --> 00:24:03,760
And also, to your point, Gladys, the innovation in this space is not slowing down.

319
00:24:03,760 --> 00:24:06,240
So we're continuing to invest in Defender for Cloud.

320
00:24:06,240 --> 00:24:12,520
We're continuing to bring out new capabilities in the form of new plans, which is why we can

321
00:24:12,520 --> 00:24:20,200
then look to add those to the deployment guidance that Sean and I put together.

322
00:24:20,200 --> 00:24:25,040
We're able not just to configure different aspects of it that are currently available

323
00:24:25,040 --> 00:24:29,720
in the product, but they're obviously reflective of the new plans and capabilities that we're

324
00:24:29,720 --> 00:24:30,720
going to be looking to add.

325
00:24:30,720 --> 00:24:31,720
All right.

326
00:24:31,720 --> 00:24:32,720
This has been great.

327
00:24:32,720 --> 00:24:37,320
I'm always a big fan of infrastructure as code just because of my development roots,

328
00:24:37,320 --> 00:24:43,520
but it's nice to see this work being done to help people manage and monitor Microsoft

329
00:24:43,520 --> 00:24:44,520
Defender for Cloud.

330
00:24:44,520 --> 00:24:45,520
All right.

331
00:24:45,520 --> 00:24:51,240
So one thing we ask our guests on every podcast episode is if you had one final thought to

332
00:24:51,240 --> 00:24:54,280
leave our listeners with, what would it be?

333
00:24:54,280 --> 00:24:58,240
From my side, I would encourage folks to give this a try.

334
00:24:58,240 --> 00:25:03,480
And a lot of organizations still believe that they need to have, let's say, a DevSecOps

335
00:25:03,480 --> 00:25:09,440
team of engineers to set these things up, and "we can't commit to doing it today.

336
00:25:09,440 --> 00:25:13,640
We're going to do it next quarter or we're going to do it like next fiscal when we get

337
00:25:13,640 --> 00:25:15,200
the budget for it."

338
00:25:15,200 --> 00:25:21,120
So my kind of call to action to folks listening to this is just give it a try.

339
00:25:21,120 --> 00:25:29,000
It's surprising the value that you can get just by connecting, for example, your AWS

340
00:25:29,000 --> 00:25:34,400
or GCP environment to Defender for Cloud and having all of those insights in a single dashboard

341
00:25:34,400 --> 00:25:41,680
where you're able then to take those insights away with you, work with the internal teams,

342
00:25:41,680 --> 00:25:47,400
even the workload owners on remediating those misconfigurations because those in turn will

343
00:25:47,400 --> 00:25:51,480
make your environment and your organization more secure.

344
00:25:51,480 --> 00:25:54,960
On my side, it's more in regards to two things.

345
00:25:54,960 --> 00:26:00,720
It's not leaving you with a thought, but it's more of a statement and a call to action.

346
00:26:00,720 --> 00:26:07,840
So from a statement perspective, one thing that I can always depend on is the creativity

347
00:26:07,840 --> 00:26:14,080
and great insights that we usually get from our customers and partners.

348
00:26:14,080 --> 00:26:19,360
So my call to action would be we will be sharing the GitHub repository and the guide and the

349
00:26:19,360 --> 00:26:20,920
YouTube videos.

350
00:26:20,920 --> 00:26:27,520
So we're interested to see what sort of ideas our customers and partners can actually provide

351
00:26:27,520 --> 00:26:31,960
in the form of contributions to those GitHub repositories.

352
00:26:31,960 --> 00:26:34,080
We shared a couple of workflows.

353
00:26:34,080 --> 00:26:38,360
We had a couple of ideas in terms of what you can enable automatically.

354
00:26:38,360 --> 00:26:42,120
And it's just basically focused on GitHub Actions.

355
00:26:42,120 --> 00:26:48,120
If we can see contributions on Terraform, Bicep, Azure DevOps, I think it would be amazing.

356
00:26:48,120 --> 00:26:54,120
So my call to action is to the customers and partners go forward and contribute as much

357
00:26:54,120 --> 00:26:55,240
as you can.

358
00:26:55,240 --> 00:26:58,440
And I'll be looking forward to seeing what it can actually do.

359
00:26:58,440 --> 00:26:59,440
Yeah.

360
00:26:59,440 --> 00:27:03,840
And we'll have links to absolutely everything, including the GitHub repo in our show notes.

361
00:27:03,840 --> 00:27:06,600
So again, hey, thank you so much for joining us this week.

362
00:27:06,600 --> 00:27:08,840
Really appreciate you taking the time.

363
00:27:08,840 --> 00:27:11,200
And to all our listeners out there, thank you so much.

364
00:27:11,200 --> 00:27:13,360
We hope you found this episode of use.

365
00:27:13,360 --> 00:27:15,160
Stay safe and we'll see you next time.

366
00:27:15,160 --> 00:27:18,360
Thanks for listening to the Azure Security Podcast.

367
00:27:18,360 --> 00:27:25,200
You can find show notes and other resources at our website, azsecuritypodcast.net.

368
00:27:25,200 --> 00:27:30,360
If you have any questions, please find us on Twitter at @AzureSecPod.

369
00:27:30,360 --> 00:27:45,720
All music is from ccmixter.com and licensed under the Creative Commons license.

